13.2. Configuring the OAuth 2.0 Authorization Service

You configure the OAuth 2.0 authorization service for a particular realm, starting from the Common Tasks page of the OpenAM console. This process also protects the authorization endpoint using a standard policy.

Procedure 13.1. To Set Up the OAuth 2.0 Authorization Service

Follow these steps.

  1. In the OpenAM console, select Common Tasks > Configure OAuth2.

  2. On the Configure OAuth2 page, enter the Realm for the authorization service.

  3. If necessary, adjust the lifetimes for authorization codes (10 minutes is the recommended setting in RFC 6749), access tokens, and refresh tokens.

  4. Keep Issue Refresh Tokens selected if you want the authorization service to supply a refresh token when it returns an access token; clear it otherwise.

  5. Keep Issue Refresh Tokens on Refreshing Access Tokens selected if you want the authorization service to supply a new refresh token when it refreshes an access token; clear it otherwise.

  6. If you want to use the default scope implementation, whereby scopes are taken to be resource owner profile attribute names, then keep the default setting.

    If you have a custom scope implementation, put it on the OpenAM classpath, and provide the class name as Scope Implementation Class.

  7. Click Create to complete the process.

    In addition to setting up an OAuth 2.0 authorization server for the realm, OpenAM sets up a policy to protect the authorization endpoint. The policy appears in the list of policies for the realm. Its name is OAuth2ProviderPolicy.

  8. If your provider has plugins for custom response types, add the custom response types and the corresponding plugin class names to the list of Response Type Plugins.

  9. If resource owners log in with a user name that is not their user ID, but instead their mail address or some other profile attribute, then add the profile attribute name to the list that can be used for authentication.

    To make the change, browse to Access Control > Realm Name > Services > OAuth2 Provider, and add the profile attributes to the list titled User Profile Attribute(s) the Resource Owner is Authenticated On.

  10. In the Shared Consent Attribute Name field, set a multi-valued profile attribute where OpenAM can store a resource owner's decisions to authorize clients without further interaction.

    If no profile attribute is available for this purpose, you can add an attribute as described in Customizing Profile Attributes in the Developer's Guide.

  11. Save your changes.
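
As an added illustration, not OpenAM's own code, the following Python model shows how the settings from steps 3 through 5 govern token issuance: an authorization code is single use and is rejected once its lifetime has passed, and the two refresh-token toggles decide whether a refresh token accompanies an access token at code exchange and at refresh. The field names, the injected clock, and the behaviour when the refresh toggle is cleared (the presented refresh token stays valid and no new one is issued) are assumptions of this model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ProviderConfig:
    # Settings from steps 3-5 (constructed model, not OpenAM's schema)
    code_lifetime: int = 600               # seconds; RFC 6749 recommends at most 10 minutes
    access_token_lifetime: int = 3600
    refresh_token_lifetime: int = 86400
    issue_refresh_tokens: bool = True      # "Issue Refresh Tokens"
    issue_refresh_on_refresh: bool = True  # "Issue Refresh Tokens on Refreshing Access Tokens"


@dataclass
class AuthorizationService:
    cfg: ProviderConfig
    now: int = 0                                  # injected clock in seconds, so tests run offline
    _codes: dict = field(default_factory=dict)    # code -> (owner, expiry)
    _refresh: dict = field(default_factory=dict)  # refresh token -> (owner, expiry)

    def issue_code(self, owner):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (owner, self.now + self.cfg.code_lifetime)
        return code

    def _grant(self, owner, with_refresh):
        grant = {"access_token": secrets.token_urlsafe(16),
                 "expires_in": self.cfg.access_token_lifetime}
        if with_refresh:
            token = secrets.token_urlsafe(16)
            self._refresh[token] = (owner, self.now + self.cfg.refresh_token_lifetime)
            grant["refresh_token"] = token
        return grant

    def exchange_code(self, code):
        # pop() makes the code single use whether or not it is still within its lifetime
        owner, expiry = self._codes.pop(code, (None, -1))
        if owner is None or self.now > expiry:
            return {"error": "invalid_grant"}
        return self._grant(owner, self.cfg.issue_refresh_tokens)

    def refresh(self, token):
        owner, expiry = self._refresh.get(token, (None, -1))
        if owner is None or self.now > expiry:
            self._refresh.pop(token, None)        # expired tokens are discarded
            return {"error": "invalid_grant"}
        if self.cfg.issue_refresh_on_refresh:
            del self._refresh[token]              # rotate: the old refresh token is retired
        # toggle cleared: no new refresh token; the presented one stays valid (assumed)
        return self._grant(owner, self.cfg.issue_refresh_on_refresh)
```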

You can further adjust the authorization server configuration after you create it in the OpenAM console under Access Control > Realm Name > Services > OAuth2 Provider.

You can adjust global defaults in the OpenAM console under Configuration > Global > OAuth2 Provider.