OAuth is an open standard for delegated authorization. With the OAuth authorization framework, a user can grant a third-party application access to their information stored with another HTTP service without sharing their access permissions or the full extent of their data.

In OAuth, the client, or third-party application, requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. Instead of using the credentials of the resource owner to access protected resources, the client obtains an access token, which is a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.

OAuth 2.0 is not compatible with OAuth 1.0. OAuth 2.0 provides ease of use for client application developers, and authorization flows for different types of client applications.

WebSphere® Application Server supports OAuth 2.0, and can be used as an OAuth service provider endpoint and an OAuth protected resource enforcement endpoint.

WebSphere Application Server supports the following OAuth standard specifications:
  • The OAuth 2.0 Authorization Framework
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage
The following list shows a summary of features within WebSphere Application Server OAuth 2.0 services.
  • WebSphere Application Server acts as an OAuth Service Provider (SP) to handle OAuth 2.0 protocol requests.
  • WebSphere Application Server acts as protected resource enforcement endpoint to authorize or deny requests for deployed web resources.
  • Allow multiple service providers to co-exist.
  • Allow administrator to revoke access tokens.
  • Allow client to revoke its authorization given by a user.
  • Optionally provide a Subject for a resource application to make an authenticated downstream call or perform programmatic J2EE security.
  • Support 4 typical OAuth 2.0 flows as defined in the protocol.
  • Support persistent OAuth services.