IBM Tivoli Federated Identity Manager, Version 6.2.2

Client authentication considerations at the OAuth 2.0 token endpoint

The OAuth 2.0 token endpoint is used for direct communications between an OAuth client and the authorization server.

The token endpoint is used to obtain an OAuth token. The client type, whether public or confidential, determines the authentication requirements of the OAuth 2.0 token endpoint.

OAuth 2.0 workflows for confidential clients that require client authentication at the token endpoint can be configured in one of the following ways:

  1. The Tivoli® Federated Identity Manager point of contact requires authentication at the token endpoint:
    • The point of contact is responsible for authenticating the client.
    • The Allow public clients to access the token endpoint check box from the Federation properties panel is not relevant. A client_secret parameter must not be sent in the token endpoint request.
    • If a client_id parameter is sent in the request, it must match the identity of the client that is authenticated by the point of contact.
  2. The Tivoli Federated Identity Manager point of contact permits unauthenticated access to the token endpoint:
    • The client_id parameter in the token endpoint request is used to identify the client.
    • The federation partner, also known as the client, must be enabled in order for it to be identified.
    • The Allow public clients to access the token endpoint check box from the Federation properties panel determines whether a client_secret parameter is required in the token endpoint request. A client secret is required for confidential clients only.
Note: When enforcing client authentication at the token endpoint, the point of contact must contain the client ID and client secret within its user registry. The point of contact must be able to map the authenticated user credential to the client_id parameter sent in the OAuth 2.0 token endpoint request.

Based on this information, the following configurations are supported:

Table 1. Configurations supported

Client type: Confidential clients
Configuration: The point of contact performs client authentication.
WebSEAL point of contact token endpoint URI considerations:
  • Authenticated ACL on token endpoint is required.
  • Token endpoint port must match WebSEAL port.
WebSphere® Application Server point of contact token endpoint URI considerations:
  • Token endpoint port must match Tivoli Federated Identity Manager SOAP port.
  • OAuth Client must be in the FIMSoapClient role.
"Allow public clients to access the token endpoint" check box setting: N/A

Client type: Confidential clients
Configuration: The client_id and client_secret parameters in the token endpoint request are used to perform client authentication.
WebSEAL point of contact token endpoint URI considerations:
  • Unauthenticated ACL on token endpoint is required.
  • Token endpoint port must match WebSEAL port.
WebSphere Application Server point of contact token endpoint URI considerations: Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints.
"Allow public clients to access the token endpoint" check box setting: Must be set to false.

Client type: Public clients
Configuration: The client_id parameter is used to perform client validation.
WebSEAL point of contact token endpoint URI considerations:
  • Unauthenticated ACL on token endpoint is required.
  • Token endpoint port must match the WebSEAL port.
WebSphere Application Server point of contact token endpoint URI considerations: Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints.
"Allow public clients to access the token endpoint" check box setting: Must be set to true.
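The acceptance rules from the two configuration modes and from Table 1, modelled as a small policy check. This is an added example, not code from Tivoli Federated Identity Manager; the class names, the sample client registry and the client IDs are constructed for illustration.

```python
# Added example (not IBM code): models which token endpoint requests are
# accepted under the two point-of-contact modes described on this page.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Client:
    client_id: str
    confidential: bool           # confidential clients hold a client_secret
    secret: Optional[str] = None
    enabled: bool = True         # the federation partner must be enabled


@dataclass
class TokenEndpointPolicy:
    poc_authenticates: bool      # point of contact enforces authentication
    allow_public_clients: bool   # "Allow public clients to access the token endpoint"
    registry: Dict[str, Client] = field(default_factory=dict)

    def evaluate(self, params: dict, poc_principal: Optional[str] = None) -> Tuple[bool, str]:
        """Return (accepted, reason) for one token endpoint request.
        poc_principal is the identity the point of contact authenticated, if any."""
        cid = params.get("client_id")
        secret = params.get("client_secret")
        if self.poc_authenticates:
            # Mode 1: the point of contact authenticated the client; the
            # check box is irrelevant and client_secret must not be sent.
            if poc_principal is None:
                return False, "point of contact did not authenticate the client"
            if secret is not None:
                return False, "client_secret must not be sent in this mode"
            if cid is not None and cid != poc_principal:
                return False, "client_id does not match the authenticated identity"
            return True, "accepted as " + poc_principal
        # Mode 2: unauthenticated access; client_id identifies the partner.
        client = self.registry.get(cid)
        if client is None or not client.enabled:
            return False, "client_id unknown or partner not enabled"
        if client.confidential:
            if secret is None or secret != client.secret:
                return False, "confidential client must present a valid client_secret"
            return True, "accepted confidential client " + cid
        if not self.allow_public_clients:
            return False, "check box is false, so a client_secret is required"
        return True, "accepted public client " + cid


# Constructed sample registry: one confidential, one public, one disabled partner.
SAMPLE_REGISTRY = {
    "conf-app": Client("conf-app", True, "s3cr3t"),
    "mobile-app": Client("mobile-app", False),
    "old-app": Client("old-app", True, "x", enabled=False),
}
```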

Using WebSphere Application Server as the point of contact at the token endpoint

When enforcing authentication at the token endpoint for a WebSphere Application Server point of contact, the token endpoint URL must use the Tivoli Federated Identity Manager SOAP port. This condition ensures that authorization is enforced by the FIMSoapClient role. The Tivoli Federated Identity Manager SOAP endpoint can then be configured for the appropriate client authentication mechanisms, such as Basic Authentication or client certificate. See Configuring the SOAP endpoint authentication settings for more details.

Note: You must manually set the TFIM.SOAP.Port and SOAP.AuthType runtime custom properties when using WebSphere Application Server in the following manner:
  • As the point of contact server in a cluster
  • To enforce authentication for the OAuth 2.0 token endpoint

The Allow public clients to access the token endpoint check box from the Federation properties panel has no influence on request processing when the point of contact is enforcing authentication.

The token endpoint URL must use the same point of contact host name and port as the authorize and clients manager endpoints when the following conditions apply:
  • WebSphere Application Server is used as the point of contact.
  • Unauthenticated access to the token endpoint is accepted.
In this case, the FIMUnauthenticated role is used. Additional authorization is based on whether the client is currently enabled. The Allow public clients to access the token endpoint check box from the Federation properties panel determines whether the client_secret parameter is required in the token endpoint request. A public client is not required to provide a client_secret parameter.

Using Tivoli Access Manager WebSEAL as the point of contact at the token endpoint

You can use the Tivoli Federated Identity Manager tfimcfg utility to configure WebSEAL as a point of contact for an OAuth 2.0 federation.

When enforcing authentication at WebSEAL for the token endpoint, use separate WebSEAL instances for the token and authorization endpoints. This condition makes it possible for clients to authenticate with authentication mechanisms, such as Basic Authentication and client certificates at the token endpoint. At the same time, users can still authenticate by using forms authentication at the authorize and clients manager endpoints. In this case, the token endpoint configuration within the OAuth 2.0 federation must match the host name and port of the appropriate token endpoint WebSEAL. For more details on how to use the tfimcfg utility to configure WebSEAL as a point of contact for an OAuth 2.0 federation, see Configuring a WebSEAL point of contact server for the OAuth federation.
