IBM DB2 for persistent OAuth services

IBM® DB2® can be used for persistent OAuth services. For convenience and reference purposes, this topic documents the steps you need to configure DB2 for OAuth persistent service.

To configure DB2 for persistent OAuth services, complete the following steps:
  1. Create a database and tables.
    Edit and run the following SQL statement to create an OAuth database and table:
    -- Change oauth2db to the name you want for the database

CREATE DATABASE oauth2db USING CODESET UTF8 TERRITORY US;
CONNECT TO oauth2db;

---- CREATE TABLES ----
CREATE TABLE OAuthDBSchema.OAUTH20CACHE
(
  LOOKUPKEY VARCHAR(256) NOT NULL,
  UNIQUEID VARCHAR(128) NOT NULL,
  COMPONENTID VARCHAR(256) NOT NULL,
  TYPE VARCHAR(64) NOT NULL,
  SUBTYPE VARCHAR(64),
  CREATEDAT BIGINT,
  LIFETIME INT,
  EXPIRES BIGINT,
  TOKENSTRING VARCHAR(2048) NOT NULL,
  CLIENTID VARCHAR(64) NOT NULL,
  USERNAME VARCHAR(64) NOT NULL,
  SCOPE VARCHAR(512) NOT NULL,
  REDIRECTURI VARCHAR(2048),
  STATEID VARCHAR(64) NOT NULL,
  EXTENDEDFIELDS CLOB NOT NULL
);

CREATE TABLE OAuthDBSchema.OAUTH20CLIENTCONFIG
(
  COMPONENTID VARCHAR(256) NOT NULL,
  CLIENTID VARCHAR(256) NOT NULL,
  CLIENTSECRET VARCHAR(256),
  DISPLAYNAME VARCHAR(256) NOT NULL,
  REDIRECTURI VARCHAR(2048),
  ENABLED INT,
  CLIENTMETADATA CLOB NOT NULL
);

CREATE TABLE OAuthDBSchema.OAUTH20CONSENTCACHE (
  CLIENTID VARCHAR(256) NOT NULL,
  USERID VARCHAR(256),
  PROVIDERID VARCHAR(256) NOT NULL,
  SCOPE VARCHAR(1024) NOT NULL,
  EXPIRES BIGINT,
  EXTENDEDFIELDS CLOB NOT NULL DEFAULT '{}'
);

---- ADD CONSTRAINTS ----
ALTER TABLE OAuthDBSchema.OAUTH20CACHE
  ADD CONSTRAINT PK_LOOKUPKEY PRIMARY KEY (LOOKUPKEY);

ALTER TABLE OAuthDBSchema.OAUTH20CLIENTCONFIG
  ADD CONSTRAINT PK_COMPIDCLIENTID PRIMARY KEY (COMPONENTID,CLIENTID);

---- CREATE INDEXES ----
CREATE INDEX OAUTH20CACHE_EXPIRES ON OAUTHDBSCHEMA.OAUTH20CACHE (EXPIRES ASC);

---- GRANT PRIVILEGES ----
---- UNCOMMENT THE FOLLOWING IF YOU USE AN ACCOUNT OTHER THAN ADMINISTRATOR FOR DB ACCESS ----

-- Change dbuser to the account you want to use to access your database
-- GRANT ALL ON OAuthDBSchema.OAUTH20CACHE TO USER dbuser;
-- GRANT ALL ON OAuthDBSchema.OAUTH20CLIENTCONFIG TO USER dbuser;

---- END OF GRANT PRIVILIGES ----

DISCONNECT CURRENT;
    The default DB2 listening port is 50000. If you want to find it, run the following command and find the value of the SVCENAME parameter. If it is a number, then it is the port number. If it is a name, look for the name in the /etc/services file or the Windows equivalent if you are using Windows.
    Linux/Unix: db2 get dbm cfg | grep SVCENAME
Windows:    db2 get dbm cfg | findstr SVCENAME
    You can create a database and tables in DB2 by running the following statement:
    db2 -tvf createTables.sql
  2. Configure the Liberty server.
    The following example is a sample server.xml file for an OAuth provider that uses a DB2 store:
    <server>
  <featureManager>
    <feature>oauth-2.0</feature>
    <feature>transportSecurity-1.0</feature>
    <feature>jdbc-4.0</feature>
    <feature>jndi-1.0</feature>
  </featureManager>

  <keyStore password="keyspass" />

  <oauth-roles>
    <authenticated>
      <user>testuser</user>
    </authenticated>
  </oauth-roles>

  <oauthProvider id="DBOAuth20Provider" oauthOnly="true"
                 filter="request-url%=AnnuityOAuthWeb/index.jsp">
    <databaseStore dataSourceRef="OAUTH2DBDS" />
  </oauthProvider>

  <jdbcDriver id="db2Universal" libraryRef="DB2JCC4LIB" />

  <library apiTypeVisibility="spec,ibm-api, stable, third-party" filesetRef="db2jcc4"
           id="DB2JCC4LIB" />

  <fileset dir="${shared.resource.dir}/db2" id="db2jcc4"
           includes="db2jcc4.jar db2jcc_license_cu.jar" />

  <dataSource id="OAUTH2DBDS" jdbcDriverRef="db2Universal"
             jndiName="jdbc/oauthProvider">
    <properties.db2.jcc databaseName="OAUTH2DB" driverType="4"
                        user="bob" password="abcdefg="
                        portNumber="50000"
                        serverName="db2.server.mycompany.com" />
  </dataSource>

  <webAppSecurity allowFailOverToBasicAuth="true" />

  <basicRegistry id="basic" realm="BasicRealm">
    <user name="testuser" password="testuserpwd" />
  </basicRegistry>
</server
The following example adds a client to DB2:
INSERT INTO OAuthDBSchema.OAUTH20CLIENTCONFIG
(
  COMPONENTID,
  CLIENTID,
  CLIENTSECRET,
  DISPLAYNAME,
  REDIRECTURI,
  ENABLED
)
VALUES
(
  'DBOAuth20Provider',
  'key',
  'secret',
  'My Client',
  'https://localhost:9443/oauth/redirect.jsp',
  1
)
Note: The Componentid must be the same as the id of the oauthProvider element in the server.xml file.

After you configure the database, you can register clients with the database to populate it with information. For more information, see Configuring an OpenID Connect Provider to accept client registration requests .