
Changes to the default WebSEAL configuration for OAuth Authentication

Question & Answer


Question

What changes are made to the default WebSEAL configuration for OAuth Authentication in the 9.0.1 release?

Answer

Several changes are made to the default WebSEAL configuration for OAuth Authentication. The stanza entries set by the Point of Contact automatic configuration tool have the following settings:
 
[oauth-eas]
eas-enabled = false
(previously set to true)
 
[oauth]
oauth-auth = https
(previously set to both)
 
OAuth EAS is an authorization mechanism, whereas OAuth Authentication performs both authorization and authentication. Enabling OAuth Authentication rather than EAS results in a WebSEAL session, which can be used for subsequent requests.
 
[session-http-headers]
Authorization = https

 
[session]
require-mpa = no
(previously set to yes)
 
The session-http-headers entry configures the session to be identified by the Authorization header rather than by a cookie. Keying the session off the Authorization header only works if require-mpa is set to no. This is especially useful for mobile applications, where it is not reasonable to maintain cookies. If cookies are required instead, remove the Authorization = https entry and set require-mpa to yes.
       
[acnt-mgt]
single-signoff-uri = /mga/sps/oauth/oauth20/logout

 
A new logout endpoint was introduced to allow users to revoke access tokens. Setting single-signoff-uri to this endpoint ensures that when pkmslogout is called or when the WebSEAL session times out because of inactivity, the access token is revoked. If this functionality is not desired, the single-signoff-uri entry must be unset.
 
The final change to the default OAuth Authentication functionality is to override the WebSEAL session lifetime timeout, which is normally controlled by the timeout entry in the [session] stanza of the WebSEAL configuration file. Instead, when OAuth Authentication is enabled, the session lifetime is set to the OAuth token expiry time.
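The following script is an added example, not IBM tooling: it parses a WebSEAL-style stanza file and checks the entries above for consistency, in particular the rule that Authorization = https in [session-http-headers] only works with require-mpa = no. The sample configuration text is constructed for the example.

```python
"""Consistency check for the WebSEAL OAuth Authentication stanza entries.
Added example (not IBM's configuration tool); stanza and entry names come
from the page, the sample configuration below is constructed."""
import configparser

# Constructed sample: the 9.0.1 defaults, except require-mpa left at the old value.
SAMPLE_CONFIG = """
[oauth-eas]
eas-enabled = false

[oauth]
oauth-auth = https

[session-http-headers]
Authorization = https

[session]
require-mpa = yes

[acnt-mgt]
single-signoff-uri = /mga/sps/oauth/oauth20/logout
"""

def parse_webseal_conf(text):
    # WebSEAL uses INI-style [stanza] / key = value; keep key case as written.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def get(cp, stanza, key):
    return cp.get(stanza, key, fallback=None)

def check_oauth_auth_config(text):
    """Return a list of findings; an empty list means the entries are consistent."""
    cp = parse_webseal_conf(text)
    findings = []
    if get(cp, "oauth", "oauth-auth") != "https":
        findings.append("[oauth] oauth-auth should be https for OAuth Authentication")
    if get(cp, "oauth-eas", "eas-enabled") != "false":
        findings.append("[oauth-eas] eas-enabled should be false when OAuth Authentication is used")
    auth_hdr = get(cp, "session-http-headers", "Authorization")
    mpa = get(cp, "session", "require-mpa")
    # Header-keyed sessions only work when require-mpa is no.
    if auth_hdr == "https" and mpa != "no":
        findings.append("[session-http-headers] Authorization = https requires [session] require-mpa = no")
    # Cookie variant from the text: no Authorization entry and require-mpa = yes.
    if auth_hdr is None and mpa != "yes":
        findings.append("cookie-based sessions: [session] require-mpa should be yes")
    if not get(cp, "acnt-mgt", "single-signoff-uri"):
        findings.append("[acnt-mgt] single-signoff-uri unset: tokens not revoked on logout or timeout")
    return findings

if __name__ == "__main__":
    for finding in check_oauth_auth_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```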


Document Information

Modified date:
16 June 2018

UID

swg21981064