The OAuth 2.0 token endpoint is used for direct communications between an OAuth client and the authorization server.
The token endpoint is used to obtain an OAuth token. The client type, whether public or confidential, determines the authentication requirements of the OAuth 2.0 token endpoint.
OAuth 2.0 workflows for confidential clients that require client authentication at the token endpoint can be configured in one of two ways: either the point of contact performs client authentication, or the client_id and client_secret parameters in the token endpoint request are used to perform client authentication. Public clients are validated by the client_id parameter alone. Based on the client type and the chosen method, the following configurations are supported:
Client types | Configurations | WebSEAL point of contact token endpoint URI considerations | WebSphere® Application Server point of contact token endpoint URI considerations | Check box setting for the "Allow public clients to access the token endpoint" parameter |
---|---|---|---|---|
Confidential clients | The point of contact performs client authentication. | Token endpoint must use the host name and port of the WebSEAL instance that enforces client authentication for the token endpoint. | Token endpoint must use the Tivoli Federated Identity Manager SOAP port. | N/A |
Confidential clients | The client_id and client_secret parameters in the token endpoint request are used to perform client authentication. | Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints. | Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints. | Must be set to false. |
Public clients | The client_id parameter is used to perform client validation. | Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints. | Token endpoint must use the same point-of-contact host name and port as the authorize and clients manager endpoints. | Must be set to true. |
When enforcing authentication at the token endpoint for a WebSphere Application Server point of contact, the token endpoint URL must use the Tivoli Federated Identity Manager SOAP port. This condition ensures that authorization is enforced by the FIMSoapClient role. The Tivoli Federated Identity Manager SOAP endpoint can then be configured for the appropriate client authentication mechanisms, such as Basic Authentication or client certificate. See Configuring the SOAP endpoint authentication settings for more details.
The Allow public clients to access the token endpoint check box from the Federation properties panel has no influence on request processing when the point of contact is enforcing authentication.
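The three rows of the table, and the note that the check box is ignored once the point of contact enforces authentication, reduce to a small decision procedure. The following is an added example that models that procedure; it is not code from Tivoli Federated Identity Manager. The client registry, the `TokenRequest` shape and the `poc_authenticated_client` field (standing in for the identity a WebSEAL or WebSphere point of contact asserts after it has authenticated the client) are constructed assumptions.

```python
"""Token endpoint client-authentication decision, modelled on the configuration table.

Added example, not IBM code. The registry, request shape and the
`poc_authenticated_client` field are assumptions made for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed client registry: a public client has no secret.
CLIENTS: Dict[str, dict] = {
    "web-app": {"confidential": True, "secret": "s3cr3t-web"},
    "mobile-app": {"confidential": False, "secret": None},
}


@dataclass
class TokenRequest:
    params: Dict[str, str]                         # form parameters of the token request
    poc_authenticated_client: Optional[str] = None  # client id asserted by the point of contact (assumption)


@dataclass
class FederationConfig:
    poc_enforces_authentication: bool   # row 1 of the table: point of contact authenticates the client
    allow_public_clients: bool          # the "Allow public clients to access the token endpoint" check box


def authenticate_client(req: TokenRequest, cfg: FederationConfig) -> Tuple[bool, str]:
    """Return (accepted, client_id or rejection reason) for a token endpoint request."""
    if cfg.poc_enforces_authentication:
        # Row 1: the point of contact already did the work; the check box has no influence here.
        if req.poc_authenticated_client is None:
            return False, "point of contact did not authenticate the client"
        return True, req.poc_authenticated_client

    client_id = req.params.get("client_id")
    client = CLIENTS.get(client_id or "")
    if client is None:
        return False, "unknown client_id"

    if client["confidential"]:
        # Row 2: client_id plus client_secret in the request; constant-time comparison.
        secret = req.params.get("client_secret")
        if secret is None or not hmac.compare_digest(secret, client["secret"]):
            return False, "invalid client_secret"
        return True, client_id

    # Row 3: public client, validated by client_id only and only when the check box is set.
    if not cfg.allow_public_clients:
        return False, "public clients are not allowed at the token endpoint"
    return True, client_id


if __name__ == "__main__":
    cfg = FederationConfig(poc_enforces_authentication=False, allow_public_clients=False)
    print(authenticate_client(TokenRequest({"client_id": "web-app", "client_secret": "s3cr3t-web"}), cfg))
    print(authenticate_client(TokenRequest({"client_id": "mobile-app"}), cfg))
```

The constant-time secret comparison is the one detail worth carrying into a real deployment: the table only says that client_secret is "used to perform client authentication", and how it is compared is left to the point of contact or the federation runtime.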
You can use the Tivoli Federated Identity Manager tfimcfg utility to configure WebSEAL as a point of contact for an OAuth 2.0 federation.
When enforcing authentication at WebSEAL for the token endpoint, use separate WebSEAL instances for the token and authorization endpoints. This separation makes it possible for clients to authenticate with mechanisms such as Basic Authentication and client certificates at the token endpoint, while users can still authenticate by using forms authentication at the authorize and clients manager endpoints. In this case, the token endpoint configuration within the OAuth 2.0 federation must match the host name and port of the WebSEAL instance that serves the token endpoint. For more details on how to use the tfimcfg utility to configure WebSEAL as a point of contact for an OAuth 2.0 federation, see Configuring a WebSEAL point of contact server for the OAuth federation.