OAuth Authentication

Security Access Manager supports OAuth 2.0 authentication. The implementation of OAuth in Security Access Manager strictly follows the OAuth standards.

OAuth is an HTTP-based authorization protocol. It gives third-party applications scoped access to a protected resource on behalf of the resource owner by creating an approval interaction between the resource owner, the client, and the resource server. Users can share their private resources between sites without providing user names and passwords.

WebSEAL provides two different mechanisms by which it can validate OAuth tokens:

ws-trust authentication
    Authentication details are passed to a server for verification by using the ws-trust protocol. This is the legacy mechanism that is supported by IBM Security Access Manager and was previously known as oauth-auth.
OAuth introspection
    Authentication details are passed to a server for verification by using an OAuth introspection endpoint.
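
The following added example (not IBM or WebSEAL code, and not a description of WebSEAL internals) shows the general shape of an OAuth 2.0 token introspection exchange as defined in RFC 7662: the request a resource server sends, and a fail-closed check of the JSON response. The function names, the use of HTTP Basic client authentication, and the sample responses are assumptions made for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_introspection_request(token, client_id, client_secret):
    """Return (headers, body) for an RFC 7662 introspection POST."""
    # Assumption: the caller authenticates to the endpoint with HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urlencode({"token": token, "token_type_hint": "access_token"})


def evaluate_introspection_response(raw, required_scope, now=None):
    """Fail closed: return (allowed, reason) for a raw JSON response body."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(raw)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(claims, dict):
        return False, "unexpected response shape"
    # Only the JSON boolean true counts; the string "true" must not pass.
    if claims.get("active") is not True:
        return False, "token inactive"
    # 'exp' is optional, but when present it must be a number in the future.
    exp = claims.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
            return False, "token expired or exp invalid"
    # 'scope' is a single space-separated string of granted scopes.
    scope = claims.get("scope", "")
    if not isinstance(scope, str) or required_scope not in scope.split():
        return False, "scope not granted"
    return True, "ok"


# Constructed sample response bodies (not captured from a real server).
SAMPLE_ACTIVE = '{"active": true, "scope": "read write", "exp": 2000000000}'
SAMPLE_STRING_FLAG = '{"active": "true", "scope": "read"}'

if __name__ == "__main__":
    print(evaluate_introspection_response(SAMPLE_ACTIVE, "read", now=1700000000))
    print(evaluate_introspection_response(SAMPLE_STRING_FLAG, "read"))
```
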

For a complete description of the OAuth specifications, see the OAuth website: http://www.oauth.net

For more general information about OAuth support in Security Access Manager, see OAuth 2.0 and OIDC support.