Defining an OAuth service provider

The OAuth service provider is defined with a provider configuration file. You can define an OAuth service provider by editing the OAuthSampleConfig.xml file.

The OauthSampleConfig.xml is in the properties directory under your WebSphere® Application Server installation. You can copy and edit this file to define an OAuth service provider.

Each parameter has either a customizable value of true, meaning that this variable is meant for modification by users or a customizable value of false, meaning that this variable is typically not updated by users. Customizable parameters are exported by using the exportOAuthProps wsadmin task and can be imported by using the importOAuthProps wsadmin task. Otherwise the customizable attribute has no effect on the parameters. The customizable parameter value can be updated as needed depending on your environment.
Avoid trouble: The parameter type of ws or cc is used internally and can be ignored when updating parameters.
Table 1. Active parameters for in-memory clients and token stores
Parameter name Value Description Customizable
oauth20.client.provider.classname Client provider implementation class For the in-memory client store, use the value com.ibm.ws.security.oauth20.plugins.BaseClientProvider. False
oauth20.token.cache.classname Token cache implementation class For the in-memory token store, use the value com.ibm.ws.security.oauth20.plugins.BaseCache. False
oauth20.token.cache.jndi.tokens Java™ Naming and Directory Interface (JNDI) name of the dynamic cache object for tokens indexed by ID Default value is Services/cache/OAuth20MemTokenCache. See the dynamic caching configuration section for usage details. False
oauth20.token.cache.jndi.users JNDI name of the dynamic cache object for tokens indexed by user Default value is Services/cache/OAuth20MemTokenOwnerCache. See the dynamic caching configuration section for usage details. False
Table 2. Parameters for Java Database Connectivity (JDBC) Database Stores
Parameter name Value Description Customizable

oauth20.client.distributed.cache.seconds

Number of seconds the client exists in the cache. The number of seconds that a client can be in the cache after it is loaded from the database. Setting this property to zero (0) disables the cache.  
oauth20.client.provider.classname Client provider implementation class name For the JDBC-based client store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider. See the DB Table section for details on database configuration. False
oauth20.token.cache.classname Token cache implementation class name For the JDBC-based token store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore. See the DB Table section for details on database configuration. False
oauthjdbc.JDBCProvider JDBC provider name Set this value to match your JDBC provider, for example jdbc/oauthProvider. False
oauthjdbc.client.table Table name used for the OAuth clients Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CLIENTCONFIG. False
oauthjdbc.token.table Table name used for the OAuth tokens Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CACHE. False
oauthjdbc.CleanupInterval Expired token cleanup interval in seconds Delay time in seconds between cleanup of expired tokens in the database token table. True
oauthjdbc.LimitRefreshToken unused unused True
oauth20.db.token.cache.jndi.tokens JNDI name of the dynamic cache object for tokens The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBTokenCache. See the dynamic caching configuration section for usage details. False
oauth20.db.token.cache.jndi.client JNDI name of the dynamic cache object for clients The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBClientCache. See the dynamic caching configuration section for usage details. False

oauthjdbc.AlternateSelectCountQuery

true or false The default is false. Set this value to true if the OAuth trust association interceptor (TAI) emits a java.sql.SQLException error when attempting to access the database.  
Table 3. OAuth Access Time Lengths. Depending on level of authorization, access time is allotted to a client.
Parameter name Value Description Customizable
oauth20.max.authorization.grant.lifetime.seconds Authorization grant lifetime, in seconds Duration in seconds that an authorization grant is valid, for example 604800. True
oauth20.code.lifetime.seconds Authorization code lifetime, in seconds Duration in seconds that the authorization code is valid during the OAuth dance, for example 60. True
oauth20.code.length integer Length of the generated OAuth authorization codes True
oauth20.token.lifetime.seconds integer Time in seconds that the OAuth access token is valid, a commonly customized value True
oauth20.access.token.length integer Length of the generated OAuth access tokens True
oauth20.issue.refresh.token true or false A value of false disables use and generation of refresh tokens in the OAuth provider True
oauth20.refresh.token.length Value can range from 50 Default value is 50. True
oauth20.access.tokentypehandler.classname Any OAuth20 Token handler can be specified. Default value is com.ibm.ws.security.oauth20.plugins.BaseTokenHandler. Type is cc. False
oauth20.mediator.classnames Optional class name of the OAuth mediator See the OAuth mediator section for details. False
oauth20.allow.public.clients true or false A value of false disables access of public clients as detailed in the OAuth specification. True
oauth20.grant.types.allowed Possible values are: authorization_code, password, refresh_tokens, client_credentials, or implicit List of enabled OAuth flows, as detailed in the OAuth specification. False
oauth20.authorization.form.template Optional URL to the customized authorization template If using a customized authorization form, specify the template location. True
oauth20.authorization.error.template Optional URL to the customized authorization error page template If using a customized authorization form error page, specify the template location. True
oauth20.authorization.loginURL Optional URL to the customized login page If using a customized login page, specify the login URL. True
oauth20.audithandler.classname Class name of the OAuth audit handler Optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler. True
oauth20.template.lifetime.seconds Template lifetime, in seconds. The default is 600. The time that a template should remain in the template cache.

oauth20.template.lifetime.seconds will override any setting on the existing JVM System property called com.ibm.ws.security.oauth20.util.defaultTemplateLifetime .

 
oauth20.template.waitTime Template wait time, in seconds. The default is 120. The time to wait to load a template from a remote server.  
oauth20.template.connectTime Template connect time, in seconds. The default is 120. The time to wait for a server connection for loading a template.  
oauth20.template.readTime Template read time, in seconds. The default is 120. The time allowed for reading a template document from a remote server to complete.  
oauth20.template.count Template count. The default is 3. The number of templates to obtain simultaneously.  
oauth20.grant.type.password.skip.validation true or false, the default is false A value of true disables the resource owner validation for the password grant type.  
xmlFileAuditHandler.filename File name Name of the file that corresponds with the default audit handler. True
Table 4. Parameters for TAI Configuration. These parameters can optionally be added as TAI Custom properties instead, which gives more flexibility. Additional custom TAI properties can be added as parameters by specifying type="tai"
Parameter name Value Description Customizable
Filter Any filter condition can be used See TAI configuration parameters and syntax for details True
oauthOnly true or false An example TAI configuration property, used to restrict authentication to only OAuth (true) or use other enabled authentication (false). See the TAI configuration parameters for details. True
Table 5. Autoauthorize parameters. Optional endpoint parameter and client allowlist to skip the authorization step for privileged clients.
Parameter name Value Description Customizable
oauth20.autoauthorize.param Any string To use autoauthorization, the autoauthorize parameter must be appended to requests as a URL parameter with a value of true. False
oauth20.autoauthorize.clients List of registered client IDs Clients in this list are able to participate in autoauthorization. True
Table 6. Optional values to replace client URI strings, for dynamic host names. Variables must use the '${VAR_NAME}' syntax.
Parameter name Value Description Customizable
oauth20.client.uri.substitutions unused unused False
Table 7. Optional values to configure server's default scope. Values are space delimited strings.
Parameter name Value Description Customizable
oauth20.scope.preAuthorized any string A list of scopes given to all clients True