OAuth trust association interceptor (TAI) custom properties
The following tables list the custom properties for the OAuth TAI. You can define these properties in the custom properties panel for the OAuth TAI by using the administrative console.
To assign unique property names that identify each possible OAuth provider, a provider_<id> is embedded in the property name and used to group the properties that are associated with each provider. The provider_<id>s are numbered sequentially for each service provider.
The following table describes the OAuth TAI custom properties:
Property name | Values | Description |
---|---|---|
provider_<id>.name | You can specify any string value. | This property specifies the name of the OAuth provider. This value must be the same as the name of the provider configuration file, without the .xml file extension. |
provider_<id>.filter | This property does not have a default value. | This property specifies a condition that is checked against the HTTP request to determine whether the HTTP request is selected for processing by the OAuth service provider. |
provider_<id>.oauthOnly | You can specify one of the following values: | If a client request does not contain the OAuth credentials, such as an access token, this property specifies whether a resource protected by OAuth TAI is allowed to be started by other authentication mechanisms like basic authentication. |
OAuth TAI filter property
The provider_<id>.filter OAuth TAI filter property is a required property that is used to specify resources that are protected by the OAuth provider.
- input required - the input element usually specifies an HTTP header name, but request-url and remote-address can also be used as special elements
- operator - the operator element specifies one of the following values: ==, !=, %=, ^=, <, and >
- comparison value - this element usually specifies a string, but IP address ranges are also allowed
The conditions are evaluated from left to right, as specified by the comparison value. If all the filter conditions specified by an OAuth provider are met in an HTTP request, the OAuth provider is selected for the HTTP request.
The input element identifies an HTTP request header field to extract from the request and its value is compared with the value that is specified in the filter property. If the header field that is identified by the input element is not present in the HTTP request, the condition is treated as not being met. Any of the standard HTTP request header fields can be used as the input element in the filter condition. See the HTTP specification for the list of valid headers.
- request-url - the comparison value of this input is compared against the URL address that is used by the client application to make the request
- request-uri - this element is similar to request-url, but the query string contained in the request URL address is not used in the comparison
- remote-address - the comparison value of this input is compared against the TCP/IP address of the client application that sent the HTTP request
Examples
provider_1.filter=From==oauthuser@xyz.com
In this case, if a client request contains an HTTP header field From with a value of oauthuser@xyz.com, the OAuth TAI selects the provider of this provider_1 filter for processing the client request.
provider_2.filter=request-url%=ivtlanding.jsp
In this case, if the URL of the protected application started by the client contains the string ivtlanding.jsp, the OAuth TAI selects the provider of this provider_2 filter for processing the client request.
provider_3.filter=applicationNames==DefaultApplication
In this case, if the name of the target application started by the client application is DefaultApplication, the OAuth TAI selects the provider of this provider_3 filter for processing the client request.
Operator | Condition | Example |
---|---|---|
== | This operator specifies an exact match. The input element must be equal to the comparison value. | From==jones@my.company.com |
%= | This operator specifies a partial match. The input element contains the comparison value. | user-agent%=IE 6 |
^= | The input element contains one of the comparison values. | request-url^=urlApp1|urlApp2|urlApp3 |
!= | The input element does not contain the comparison value. | request-url!=SPNEGO |
> | The input element is greater than the comparison value. | remote-address>192.168.255.130 |
< | The input element is less than the comparison value. | remote-address<192.168.255.135 |
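The following added example, which is not product code, models the filter rules described above so that an administrator can check offline which requests a given provider_<id>.filter value would select. It assumes that multiple conditions are separated by semicolons and that a request is a plain dictionary (both are assumptions of this sketch), models < and > for IP addresses only, and does not model the applicationNames input.

```python
import ipaddress
import re

_COND = re.compile(r"^([^=!%^<>]+)(==|!=|%=|\^=|<|>)(.*)$")

# Constructed sample request (illustration only).
SAMPLE = {"url": "https://host.example/app/ivtlanding.jsp?x=1",
          "remote_addr": "192.168.255.132",
          "headers": {"From": "oauthuser@xyz.com"}}

def parse_filter(expr):
    """Split a filter into (input, operator, comparison value) tuples."""
    conds = []
    for part in expr.split(";"):  # assumption: ';' separates conditions
        m = _COND.match(part.strip())
        if not m:
            raise ValueError(f"malformed condition: {part!r}")
        conds.append((m[1].strip(), m[2], m[3].strip()))
    return conds

def _lookup(name, request):
    if name == "request-url":
        return request["url"]
    if name == "request-uri":  # same as request-url minus the query string
        return request["url"].split("?", 1)[0]
    if name == "remote-address":
        return request["remote_addr"]
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(name.lower())

def _condition_met(name, op, value, request):
    actual = _lookup(name, request)
    if actual is None:
        return False  # header not present: condition is not met
    if op == "==":
        return actual == value
    if op == "%=":
        return value in actual
    if op == "^=":
        return any(v.strip() in actual for v in value.split("|"))
    if op == "!=":
        return value not in actual
    # < and >: modelled for IP addresses only, as in the table's examples
    a, b = ipaddress.ip_address(actual), ipaddress.ip_address(value)
    return a < b if op == "<" else a > b

def provider_selected(expr, request):
    """True only when every condition is met, evaluated left to right."""
    return all(_condition_met(*c, request) for c in parse_filter(expr))
```

Running provider_selected against a request that omits the From header shows that a header-based filter does not select the provider for that request, which is worth checking when the header is the only condition guarding a resource.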