Configuring a reverse proxy for OAuth and an OpenID Connect (OIDC) provider
Use a wizard to perform automated configuration of a reverse proxy instance on the appliance for OAuth and an OpenID Connect (OIDC) provider.
Before you begin
Procedure
- From the local management interface, select Web > Manage > Reverse Proxy. A list of reverse proxy instances displays.
- Select the reverse proxy instance name from the list.
- Select Manage > OAuth and OIDC Provider Configuration. A window opens where you can select the OIDC provider type.
- Select AAC and Federation Runtime based provider or IVIA OIDC Container based provider. A window opens where you provide the configuration details.
- For the AAC and Federation Runtime based provider, enter the configuration details.
The OAuth modes section lists the supported modes. You can select more than one mode.
The modes are options that extend a basic OAuth configuration. A basic configuration sets up the junction, loads the runtime certificate, and provides access to the API Protection endpoints: /token, /userinfo, /introspect, /revoke, /metadata, and /jwks. The base configuration is sufficient if you are doing only a flow that does not go through a user agent, such as the resource owner password credentials flow. In this case the reverse proxy cannot enforce access tokens on protected resources, but tokens can still be issued. In this scenario, you do not need to select either of the OAuth modes.
If you want to use the authorization code flow or the implicit flow, both of which go through a user agent, or if you want to obtain a user session from the /session endpoint, you must select Configure for browser interaction. If you want this reverse proxy to protect resources with access tokens, you must select Configure for API protection. The two options are not mutually exclusive; you can select both.
Table 1. OAuth modes

Configure for browser interaction
    When configured for browser interaction, the /authorize and /session endpoints are accessible, and EAI authentication is enabled for /session. This option is required for the authorization code and implicit flows.

Configure for API protection
    When this option is selected, an access token can be presented to WebSEAL and an authenticated session retrieved. Cookies are not required; the Authorization header is used as the session index. Selecting this option configures oauth-auth and oauth-cluster in the [oauth] stanza of the WebSEAL configuration file.

Note: If you select Configure for API protection and do not select Configure for browser interaction, the forms-auth configuration parameter is disabled.

Table 2. Reverse proxy instance

Host name
    The host name or IP address of the runtime server. This field is required.
Port
    The SSL port number of the runtime server. This field is required.
User name
    The user name that is used to authenticate with the runtime server. This field is required.
Password
    The password that is used to authenticate with the runtime server. This field is required.
Junction
    The junction for the reverse proxy instance. The default is /mga.

The Reuse Actions section indicates whether existing access control lists (ACLs) and certificates are reused.
Table 3. Reuse configuration

Reuse Certificates
    Select to reuse the SSL certificate if one was already saved. If this check box is not selected, the certificate is overwritten.
Reuse ACLs
    Select to reuse any existing ACLs with the same name. If this check box is not selected, the ACLs are replaced.

- Click Finish.
- When prompted, deploy the pending changes.
- Restart the reverse proxy.
- For the IVIA OIDC Container based provider, enter the following details.
Table 4. Reverse proxy instance

Host name
    The host name or IP address of the IVIA OIDC provider server. This field is required.
Port
    The SSL port number of the IVIA OIDC provider server. This field is required. The default is 8436.
Junction
    The junction for the reverse proxy instance. The default is /isvaop.

The Reuse Actions section indicates whether existing access control lists (ACLs) and certificates are reused.
Table 5. Reuse configuration

Reuse Certificates
    Select to reuse the SSL certificate if one was already saved. If this check box is not selected, the certificate is overwritten.
Reuse ACLs
    Select to reuse any existing ACLs with the same name. If this check box is not selected, the ACLs are replaced.

- Click Finish.
- When prompted, deploy the pending changes.
- Restart the reverse proxy.
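After the wizard runs for the AAC and Federation Runtime based provider, it is worth confirming that the WebSEAL configuration file actually reflects the OAuth modes you selected, in particular that API protection set oauth-auth and oauth-cluster in the [oauth] stanza and that forms-auth was disabled when browser interaction was not selected. The following script is an added example, not code from the product or this documentation. It parses an ini-style WebSEAL configuration excerpt and compares it with the modes chosen in the wizard. The [forms] stanza name for forms-auth, the [tfim-cluster:<name>] stanza layout that oauth-cluster is assumed to reference, the sample server URL, and the configuration excerpts themselves are assumptions constructed for illustration.

```python
"""Sanity-check the WebSEAL configuration written by the OAuth wizard.

Added example; not code from the product or its documentation. Assumptions:
forms-auth lives in a [forms] stanza, oauth-cluster names a
[tfim-cluster:<name>] stanza with one or more 'server' entries, and the
sample excerpts below are constructed rather than captured from an appliance.
"""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]


def parse_webseal_conf(text: str) -> Config:
    """Parse the [stanza] / key = value layout of a WebSEAL configuration
    file. Full-line '#' comments are skipped. A key repeated inside one
    stanza (WebSEAL allows several 'server' lines in a cluster stanza) is
    kept by joining the values with newlines instead of overwriting."""
    cfg: Config = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1).strip()
            cfg.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, val = (part.strip() for part in line.split("=", 1))
        entries = cfg[stanza]
        entries[key] = f"{entries[key]}\n{val}" if key in entries else val
    return cfg


def check_oauth_config(cfg: Config, api_protection: bool,
                       browser_interaction: bool) -> List[str]:
    """Compare the wizard modes with the file contents. Returns a list of
    problems; an empty list means the file is consistent with the modes."""
    problems: List[str] = []
    oauth = cfg.get("oauth", {})
    auth_mode = oauth.get("oauth-auth", "none").lower()
    # Absent forms-auth is treated as disabled (assumption for this check).
    forms_auth = cfg.get("forms", {}).get("forms-auth", "none").lower()

    if api_protection:
        if auth_mode == "none":
            problems.append("[oauth] oauth-auth is 'none': a bearer token in "
                            "the Authorization header will not yield a session")
        cluster = oauth.get("oauth-cluster")
        if not cluster:
            problems.append("[oauth] oauth-cluster is not set")
        elif not cfg.get(f"tfim-cluster:{cluster}", {}).get("server"):
            problems.append(f"[tfim-cluster:{cluster}] has no server entry, "
                            "so token validation cannot reach the runtime")
        if not browser_interaction and forms_auth != "none":
            problems.append(f"forms-auth is '{forms_auth}' but only API "
                            "protection was selected; expected 'none'")
    elif auth_mode != "none":
        problems.append("[oauth] oauth-auth is set although API protection "
                        "was not selected")
    return problems


# Constructed excerpts for illustration (not captured from an appliance).
API_ONLY_OK = """\
# API protection only: tokens are accepted, browser login forms are off
[oauth]
oauth-auth = https
oauth-cluster = mga-runtime
[tfim-cluster:mga-runtime]
server = 9,https://runtime.example.com:443/mga
[forms]
forms-auth = none
"""
API_ONLY_FORMS_LEFT_ON = API_ONLY_OK.replace("forms-auth = none",
                                             "forms-auth = https")
API_ONLY_NO_CLUSTER = """\
[oauth]
oauth-auth = https
oauth-cluster = mga-runtime
[forms]
forms-auth = none
"""
BASE_ONLY = """\
# Base configuration: junction and endpoints only, no OAuth mode selected
[oauth]
oauth-auth = none
"""

if __name__ == "__main__":
    for name, text, api, browser in [
        ("api-only-ok", API_ONLY_OK, True, False),
        ("api-only-forms-left-on", API_ONLY_FORMS_LEFT_ON, True, False),
        ("api-only-no-cluster", API_ONLY_NO_CLUSTER, True, False),
        ("base-only", BASE_ONLY, False, False),
    ]:
        found = check_oauth_config(parse_webseal_conf(text), api, browser)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run it against the configuration file exported from the appliance instead of the embedded excerpts, passing the modes you selected in the wizard; a non-empty result before you restart the reverse proxy is cheaper to fix than an API call that unexpectedly receives a login form.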