Configuring persistent OAuth 2.0 services

WebSphere Liberty supports persisting OAuth 2.0 local clients and tokens to a database. With persistent OAuth 2.0, an authorized local client can continue to access OAuth 2.0 services after a restart.

Before you begin

SAF security is a common use-case in CICS, and this procedure uses SAF in the examples.
  • Gain the necessary access to create tables in a database and to read from and write to those tables, and configure the database in the Liberty server.xml.
  • Grant access to the SAF EJBROLE BBGZDFLT.com.ibm.ws.security.oauth20.clientManager to an administrator user to control OAuth 2.0 local clients.
  • Create an OAuth 2.0 provider in the Liberty server.xml. For more information, see Authorization using OAuth 2.0.

About this task

The following steps create a persistent OAuth 2.0 local client. This local client is used to grant OAuth 2.0 tokens.

Restriction: Db2® JDBC type 2 connectivity is not supported for persistent OAuth 2.0 services.

Procedure

  1. Create the necessary tables using IBM Db2 for persistent OAuth services as a guide.
  2. Create a persistent local client by sending a POST request to the URL:
    https://hostname:port/oauth2/endpoint/provider_name/registration

    Use the JSON document that is described in the first table in Configuring an OpenID Connect Provider to accept client registration requests; for example:

    {
        "client_id": "client_id",
        "client_secret": "client_secret",
        "grant_types": [ "authorization_code", "refresh_token" ],
        "redirect_uris": [ "https://client.example.ibm.com/webApp/redirect" ]
    }
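
    As an added example, not from this page or from the Liberty product code, the following Python helper builds and validates the registration document above and then sends it to the registration endpoint from step 2. The host name, port, provider name, client secret and administrator credentials are placeholders; that the endpoint accepts HTTP basic authentication for the administrator who holds the clientManager EJBROLE is an assumption.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit

# Grant types that appear in the page's sample registration document.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}


def registration_url(hostname, port, provider_name):
    """Registration endpoint URL in the form given by the procedure."""
    return f"https://{hostname}:{port}/oauth2/endpoint/{provider_name}/registration"


def build_registration(client_id, client_secret, redirect_uris, grant_types):
    """Validate the inputs and return the registration document as a dict.

    A persisted client outlives server restarts, so reject weak input up front:
    a placeholder or short secret, unknown grant types, and redirect URIs that
    are not absolute https URLs without a fragment (RFC 6749 section 3.1.2).
    """
    if client_secret == "client_secret" or len(client_secret) < 16:
        raise ValueError("client_secret must be a real secret of at least 16 characters")
    unknown = set(grant_types) - ALLOWED_GRANT_TYPES
    if unknown:
        raise ValueError(f"unsupported grant_types: {sorted(unknown)}")
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise ValueError(f"redirect_uri must be absolute https with no fragment: {uri}")
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_types": list(grant_types),
        "redirect_uris": list(redirect_uris),
    }


def register_client(url, admin_user, admin_password, document, timeout=10):
    """POST the document as the administrator who holds the clientManager EJBROLE.

    Assumption (not stated on the page): the endpoint accepts HTTP basic
    authentication for that user. Returns (status, body); expect 201 Created.
    """
    credentials = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    request = urllib.request.Request(url, data=json.dumps(document).encode(), method="POST")
    request.add_header("Content-Type", "application/json")
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status, response.read().decode()
```

    Call register_client(registration_url("hostname", 9443, "provider_name"), "adminUser", "adminPassword", build_registration(...)) with real values; the client is persisted only when the response status is 201.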
    

Results

A persistent OAuth 2.0 local client is created. When this local client is used to produce tokens, the tokens are persisted to the database. If the server restarts, the persistent local client and tokens remain valid.