The user-identity-attribute stanza entry
OAuth authentication must create a user credential. To do this, OAuth authentication must be provided with a user identity to use when creating this credential. The appliance's implementation of OAuth authentication provides the definition of the user identity through an attribute that is returned by the OAuth server.
The user-identity-attribute entry in the [oauth] stanza defines the name of the attribute that is returned by the OAuth server. The value of that attribute is the user identity that is used when creating a credential for the OAuth authentication. By default, this entry has a value of username, which tells the appliance to take the value of the username attribute from the OAuth server response and use it as the user identity for the credential that will be created. By default, the username value in the OAuth server response is the client ID of the API protection client. That client ID must exist as a Verify Identity Access user for OAuth authentication to be able to create a valid credential.
You can modify the OAuth server to provide the user identity in a different attribute, that is, something other than the username attribute. If you do that, modify the user-identity-attribute entry in the [oauth] stanza of the webseald.conf file to specify that attribute name.
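The following added example (not IBM's code, and not part of the original page) models the lookup described above so that a mismatch between the configured attribute name and the OAuth server response can be caught before deployment. The flat response dictionary, the registry set, the attribute name uid and the sample values are assumptions constructed for illustration.

```python
import configparser

DEFAULT_ATTRIBUTE = "username"  # default value stated in the text above

# Constructed sample: fragment of a webseald.conf file with a non-default value.
SAMPLE_CONF = """
[oauth]
# Name of the OAuth server response attribute that carries the user identity.
user-identity-attribute = uid
"""


def identity_attribute(conf_text):
    """Return the attribute name configured in the [oauth] stanza."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    # fallback covers both a missing stanza and a missing entry
    return parser.get("oauth", "user-identity-attribute",
                      fallback=DEFAULT_ATTRIBUTE)


def resolve_identity(conf_text, response_attrs, registry_users):
    """Model the lookup: read the configured attribute, require a known user.

    response_attrs is a hypothetical flat dict standing in for the attributes
    returned by the OAuth server; registry_users is a hypothetical set standing
    in for the user registry. Both are assumptions of this example.
    """
    name = identity_attribute(conf_text)
    identity = response_attrs.get(name)
    if not identity:
        # Server and webseald.conf disagree on the attribute name: fail closed.
        raise LookupError(f"OAuth response has no '{name}' attribute")
    if identity not in registry_users:
        # The identity must exist as a user or no valid credential is possible.
        raise LookupError(f"'{identity}' is not a known user")
    return identity


if __name__ == "__main__":
    response = {"username": "client01", "uid": "alice"}  # constructed sample
    print(resolve_identity(SAMPLE_CONF, response, {"alice", "client01"}))
```
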
For more information, see the [oauth] stanza documentation in the IBM Knowledge Center.