Defining an OAuth service provider
The OAuth service provider is defined with a provider configuration file. You can define an OAuth service provider by editing the OAuthSampleConfig.xml file.
The OAuthSampleConfig.xml file is in the properties directory under your WebSphere® Application Server installation. You can copy and edit this file to define an OAuth service provider.
Each parameter has a customizable value of either true, meaning that the variable is meant for modification by users, or false, meaning that the variable is typically not updated by users. Customizable parameters are exported by using the exportOAuthProps wsadmin task and can be imported by using the importOAuthProps wsadmin task. Otherwise the customizable attribute has no effect on the parameters. The customizable parameter value can be updated as needed depending on your environment.
Avoid trouble: The parameter type of ws or cc is used internally and can be ignored when updating parameters.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.provider.classname | Client provider implementation class | For the in-memory client store, use the value com.ibm.ws.security.oauth20.plugins.BaseClientProvider. | False |
oauth20.token.cache.classname | Token cache implementation class | For the in-memory token store, use the value com.ibm.ws.security.oauth20.plugins.BaseCache. | False |
oauth20.token.cache.jndi.tokens | Java™ Naming and Directory Interface (JNDI) name of the dynamic cache object for tokens indexed by ID | Default value is Services/cache/OAuth20MemTokenCache. See the dynamic caching configuration section for usage details. | False |
oauth20.token.cache.jndi.users | JNDI name of the dynamic cache object for tokens indexed by user | Default value is Services/cache/OAuth20MemTokenOwnerCache. See the dynamic caching configuration section for usage details. | False |

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.provider.classname | Client provider implementation class name | For the JDBC-based client store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider. See the DB Table section for details on database configuration. | False |
oauth20.token.cache.classname | Token cache implementation class name | For the JDBC-based token store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore. See the DB Table section for details on database configuration. | False |
oauthjdbc.JDBCProvider | JDBC provider name | Set this value to match your JDBC provider, for example jdbc/oauthProvider. | False |
oauthjdbc.client.table | Table name used for the OAuth clients | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CLIENTCONFIG. | False |
oauthjdbc.token.table | Table name used for the OAuth tokens | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CACHE. | False |
oauthjdbc.CleanupInterval | Expired token cleanup interval in seconds | Delay time in seconds between cleanup of expired tokens in the database token table. | True |
oauthjdbc.LimitRefreshToken | unused | unused | True |
oauth20.db.token.cache.jndi.tokens | JNDI name of the dynamic cache object for tokens | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBTokenCache. See the dynamic caching configuration section for usage details. | False |
oauth20.db.token.cache.jndi.client | JNDI name of the dynamic cache object for clients | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBClientCache. See the dynamic caching configuration section for usage details. | False |

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.max.authorization.grant.lifetime.seconds | Authorization grant lifetime, in seconds | Duration in seconds that an authorization grant is valid, for example 604800. | True |
oauth20.code.lifetime.seconds | Authorization code lifetime, in seconds | Duration in seconds that the authorization code is valid during the OAuth dance, for example 60. | True |
oauth20.code.length | integer | Length of the generated OAuth authorization codes | True |
oauth20.token.lifetime.seconds | integer | Time in seconds that the OAuth access token is valid, a commonly customized value | True |
oauth20.access.token.length | integer | Length of the generated OAuth access tokens | True |
oauth20.issue.refresh.token | true or false | A value of false disables use and generation of refresh tokens in the OAuth provider | True |
oauth20.refresh.token.length | Value can range from 50 | Default value is 50. | True |
oauth20.access.tokentypehandler.classname | Any OAuth20 Token handler can be specified. | Default value is com.ibm.ws.security.oauth20.plugins.BaseTokenHandler. Type is cc. | False |
oauth20.mediator.classnames | Optional class name of the OAuth mediator | See the OAuth mediator section for details. | False |
oauth20.allow.public.clients | true or false | A value of false disables access of public clients as detailed in the OAuth specification. | True |
oauth20.grant.types.allowed | Possible values are: authorization_code, password, refresh_tokens, client_credentials, or implicit | List of enabled OAuth flows, as detailed in the OAuth specification. | False |
oauth20.authorization.form.template | Optional URL to the customized authorization template | If using a customized authorization form, specify the template location. | True |
oauth20.authorization.error.template | Optional URL to the customized authorization error page template | If using a customized authorization form error page, specify the template location. | True |
oauth20.authorization.loginURL | Optional URL to the customized login page | If using a customized login page, specify the login URL. | True |
oauth20.audithandler.classname | Class name of the OAuth audit handler | Optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler. | True |
oauth20.template.lifetime.seconds | Template lifetime, in seconds. The default is 600. | The time that a template should remain in the template cache. oauth20.template.lifetime.seconds will override any setting on the existing JVM system property called com.ibm.ws.security.oauth20.util.defaultTemplateLifetime. | |
oauth20.template.waitTime | Template wait time, in seconds. The default is 120. | The time to wait to load a template from a remote server. | |
oauth20.template.connectTime | Template connect time, in seconds. The default is 120. | The time to wait for a server connection for loading a template. | |
oauth20.template.readTime | Template read time, in seconds. The default is 120. | The time allowed for reading a template document from a remote server to complete. | |
oauth20.template.count | Template count. The default is 3. | The number of templates to obtain simultaneously. | |
oauth20.grant.type.password.skip.validation | true or false, the default is false | A value of true disables the resource owner validation for the password grant type. | |
xmlFileAuditHandler.filename | File name | Name of the file that corresponds with the default audit handler. | True |
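
As an added defender-side check, not IBM's code: a small Python linter that parses a provider configuration in an assumed `<OAuthServiceProvider>`/`<parameter>`/`<value>` layout (the shape of OAuthSampleConfig.xml is an assumption here) and flags the security-relevant values from the table above: a long authorization code lifetime, public clients, the implicit grant, and the password grant with resource owner validation skipped. The embedded sample configuration is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed <OAuthServiceProvider>/<parameter>/<value> layout,
# not the shipped OAuthSampleConfig.xml; values are deliberately loose for the checks.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthServiceProvider>
  <parameter name="oauth20.code.lifetime.seconds" type="ws" customizable="true">
    <value>3600</value>
  </parameter>
  <parameter name="oauth20.allow.public.clients" type="ws" customizable="true">
    <value>true</value>
  </parameter>
  <parameter name="oauth20.grant.types.allowed" type="ws" customizable="false">
    <value>authorization_code</value>
    <value>implicit</value>
    <value>password</value>
  </parameter>
  <parameter name="oauth20.grant.type.password.skip.validation" type="ws" customizable="true">
    <value>true</value>
  </parameter>
</OAuthServiceProvider>
"""

def load_params(xml_text):
    """Return {parameter name: [values]} for every <parameter> element."""
    params = {}
    for p in ET.fromstring(xml_text).iter("parameter"):
        params[p.get("name")] = [v.text.strip() for v in p.findall("value") if v.text]
    return params

def first(params, name, default=""):
    """First configured value of a parameter, or default if it is absent."""
    vals = params.get(name)
    return vals[0] if vals else default

def find_risks(params, max_code_lifetime=60):
    """Return human-readable findings for settings that widen the provider's exposure."""
    risks = []
    code_life = first(params, "oauth20.code.lifetime.seconds")
    if code_life and int(code_life) > max_code_lifetime:
        risks.append("authorization code lifetime %ss exceeds %ds" % (code_life, max_code_lifetime))
    if first(params, "oauth20.allow.public.clients").lower() == "true":
        risks.append("public clients allowed: clients need not authenticate to the token endpoint")
    grants = set(params.get("oauth20.grant.types.allowed", []))
    if "implicit" in grants:
        risks.append("implicit grant enabled: access tokens are returned in the browser URL fragment")
    if "password" in grants and first(params, "oauth20.grant.type.password.skip.validation").lower() == "true":
        risks.append("password grant enabled while resource owner validation is skipped")
    return risks
```

Run `find_risks(load_params(open(path).read()))` against a copied configuration to list the findings; an empty list means none of these four checks fired.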

Parameter name | Value | Description | Customizable |
---|---|---|---|
Filter | Any filter condition can be used | See the TAI configuration parameters and syntax for details. | True |
oauthOnly | true or false | An example TAI configuration property, used to restrict authentication to only OAuth (true) or use other enabled authentication (false). See the TAI configuration parameters for details. | True |

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.autoauthorize.param | Any string | To use autoauthorization, the autoauthorize parameter must be appended to requests as a URL parameter with a value of true. | False |
oauth20.autoauthorize.clients | List of registered client IDs | Clients in this list are able to participate in autoauthorization. | True |

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.uri.substitutions | unused | unused | False |

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.scope.preAuthorized | any string | A list of scopes given to all clients | True |