OpenAM Authentication with OAuth 2.0

2.2.14. Hints For the OAuth 2.0 Authentication Module

The OAuth 2.0 authentication module lets OpenAM authenticate clients of OAuth resource servers. References in this section are to the Internet-Draft The OAuth 2.0 Authorization Protocol.

ssoadm service name: sunAMAuthOAuthService

Client ID
OAuth client_id as described in section 2.1 of the Internet-Draft.

ssoadm attribute: iplanet-am-auth-oauth-client-id

Client Secret
OAuth client_secret as described in section 2.1 of the Internet-Draft.

ssoadm attribute: iplanet-am-auth-oauth-client-secret

Authentication Endpoint URL
URL to the endpoint handling OAuth authentication.

ssoadm attribute: iplanet-am-auth-oauth-auth-service

Access Token Endpoint URL
URL to the endpoint handling access tokens as described in section 3.2 of the Internet-Draft.

ssoadm attribute: iplanet-am-auth-oauth-token-service

User Profile Service URL
User profile URL that returns profile information in JSON format.

ssoadm attribute: iplanet-am-auth-oauth-user-profile-service

Scope
Comma-separated list of user profile attributes that the application requires.

ssoadm attribute: iplanet-am-auth-oauth-scope

Proxy URL
URL to the oauthproxy.jsp file, by default part of OpenAM.

ssoadm attribute: iplanet-am-auth-oauth-sso-proxy-url

Account Mapper
Class implementing account mapping. Default: org.forgerock.openam.authentication.modules.oauth2.DefaultAccountMapper

ssoadm attribute: org-forgerock-auth-oauth-account-mapper

Account Mapper Configuration
Map of OAuth Provider user account attributes used to find the local profile of the authenticated user, with values in the form provider-attr=local-attr.

ssoadm attribute: org-forgerock-auth-oauth-account-mapper-configuration

Attribute Mapper
Class implementing attribute mapping. Default: org.forgerock.openam.authentication.modules.oauth2.DefaultAttributeMapper

ssoadm attribute: org-forgerock-auth-oauth-attribute-mapper

Attribute Mapper Configuration
Map of OAuth Provider user account attributes to local user profile attributes, with values in the form provider-attr=local-attr.

ssoadm attribute: org-forgerock-auth-oauth-attribute-mapper-configuration
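The two mapper configurations above share one format: a list of provider-attr=local-attr entries applied to the JSON returned by the User Profile Service URL. The following Python is an added illustration of that format and is not OpenAM's own DefaultAccountMapper or DefaultAttributeMapper code; the function names, the sample profile JSON and the sample mapping entries are constructed for this example. It shows the account-mapper case (which provider attributes are used to find the local profile) and the attribute-mapper case (which provider attributes are copied onto the local profile), rejects malformed or duplicate entries, and refuses to build an account lookup from an empty set of values so that a provider response missing the mapped attributes cannot degrade into an unfiltered profile search.

```python
import json

# Constructed sample of the JSON a provider's user profile service might return.
SAMPLE_PROFILE_JSON = json.dumps({
    "id": "10234",
    "email": "alice@example.com",
    "name": "Alice Example",
})

# Constructed mapper configurations in the provider-attr=local-attr form.
ACCOUNT_MAPPER_CONFIG = ["id=uid", "email=mail"]
ATTRIBUTE_MAPPER_CONFIG = ["name=cn", "email=mail", "picture=labeledURI"]


def parse_mapping(entries):
    """Parse provider-attr=local-attr entries into {provider_attr: local_attr}.

    Blank entries are ignored; entries without '=', with an empty side, or
    naming the same provider attribute twice are rejected.
    """
    mapping = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(
                f"malformed mapping entry, expected provider-attr=local-attr: {entry!r}")
        provider_attr, local_attr = (part.strip() for part in entry.split("=", 1))
        if not provider_attr or not local_attr:
            raise ValueError(f"empty attribute name in mapping entry: {entry!r}")
        if provider_attr in mapping:
            raise ValueError(f"duplicate provider attribute: {provider_attr!r}")
        mapping[provider_attr] = local_attr
    return mapping


def account_lookup_attributes(profile_json, account_config):
    """Return {local_attr: value} used to search for the local user profile.

    Only attributes actually present and non-empty in the provider response
    are used. If none are present, raise rather than return an empty filter.
    """
    profile = json.loads(profile_json)
    lookup = {}
    for provider_attr, local_attr in parse_mapping(account_config).items():
        value = profile.get(provider_attr)
        if value in (None, ""):
            continue  # absent from this provider response; try the next entry
        lookup[local_attr] = str(value)
    if not lookup:
        raise LookupError("no account-mapper attribute present in the provider response")
    return lookup


def map_profile_attributes(profile_json, attribute_config):
    """Return (mapped, missing): local attribute values to set on the profile,
    and the provider attributes the response did not contain."""
    profile = json.loads(profile_json)
    mapped = {}
    missing = []
    for provider_attr, local_attr in parse_mapping(attribute_config).items():
        if provider_attr not in profile:
            missing.append(provider_attr)
            continue
        mapped[local_attr] = profile[provider_attr]
    return mapped, missing


if __name__ == "__main__":
    print("account lookup:", account_lookup_attributes(SAMPLE_PROFILE_JSON, ACCOUNT_MAPPER_CONFIG))
    print("mapped attributes:", map_profile_attributes(SAMPLE_PROFILE_JSON, ATTRIBUTE_MAPPER_CONFIG))
```

With the constructed input, the account lookup resolves to uid=10234 and mail=alice@example.com, the attribute mapping sets cn and mail, and picture is reported as missing because the sample response does not carry it.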

Save attributes in the session
When enabled, add the mapped attributes to the session that is saved.

ssoadm attribute: org-forgerock-auth-oauth-save-attributes-to-session-flag

Email attribute in OAuth2 Response
Specifies the attribute identifying the email address in the response from the profile service of the OAuth provider. This setting is used to send an email address an activation code for accounts created dynamically.

ssoadm attribute: org-forgerock-auth-oauth-mail-attribute

Create account if it does not exist
When enabled, if the user profile does not exist, optionally retrieve a password and activation code from the user, and then create the profile.

ssoadm attribute: org-forgerock-auth-oauth-createaccount-flag

Prompt for password setting and activation code
When enabled, the user sets a password and receives an activation code by email. The user must correctly set both in order for the account to be created.

ssoadm attribute: org-forgerock-auth-oauth-prompt-password-flag

Map to anonymous user
When enabled, map the OAuth authenticated user to the anonymous user you specify. No account is created, even if Create account if it does not exist is enabled.

ssoadm attribute: org-forgerock-auth-oauth-map-to-anonymous-flag

Anonymous User
Specifies an anonymous user that exists in the current realm.

ssoadm attribute: org-forgerock-auth-oauth-anonymous-user

OAuth 2.0 Provider logout service
Specifies the optional URL of the OAuth Provider's logout service.

ssoadm attribute: org-forgerock-auth-oauth-logout-service-url

Logout options
Specifies the behaviour on logout: do not log the user out from the OAuth Provider, log the user out from the OAuth Provider without prompting, or prompt the user about whether to log out from the OAuth Provider.

ssoadm attribute: org-forgerock-auth-oauth-logout-behaviour

SMTP Gateway Implementation class
Class to interact with the mail server. Default: org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl

ssoadm attribute: org-forgerock-auth-oauth-email-gwy-impl

SMTP host
Host name of the mail server.

ssoadm attribute: org-forgerock-auth-oauth-smtp-hostname

SMTP port
SMTP port number for the mail server.

ssoadm attribute: org-forgerock-auth-oauth-smtp-port

SMTP User Name
If the mail server requires authentication to send mail, specifies the user name.

ssoadm attribute: org-forgerock-auth-oauth-smtp-username

SMTP User Password
If the mail server requires authentication to send mail, specifies the password.

ssoadm attribute: org-forgerock-auth-oauth-smtp-password

SMTP SSL Enabled
When enabled, connect to the mail server over SSL. OpenAM must be able to trust the SMTP server certificate.

ssoadm attribute: org-forgerock-auth-oauth-smtp-ssl_enabled

SMTP From address
Specifies the message sender address, such as no-reply@example.com.

ssoadm attribute: org-forgerock-auth-oauth-smtp-email-from

Authentication Level
ssoadm attribute: iplanet-am-auth-oauth-auth-level
