Installing and enabling OAuth TAI
You need to install and enable the OAuth TAI in HCL Connections.
Procedure
- Before installing HCL Connections, be sure to install the supported version of IBM WebSphere Application Server.
- Optional: Export the customizable OAuth provider properties using the import/export commands:

  AdminTask.exportOAuthProps providerName fileName
  AdminTask.importOAuthProps providerName fileName

  Additional properties can be configured, but properties should not be customized unless required. authOnly indicates whether a client request should fail when no OAuth token is present, or whether authentication can instead be performed with the other available authentication methods.

  Table 1. OAuth provider properties (property names with their default values and descriptions)

  Property | Default value | Description
  oauthjdbc.CleanupInterval | 3600 (1h) | Interval in seconds after which expired tokens are cleared from the database. This time elapses from the startup of the provider application.
  oauth20.max.authorization.grant.lifetime.seconds | 15768000 (6mo) | Max lifetime of an authorization grant. Provides a maximum limit to the lifetime of all tokens.
  oauth20.code.lifetime.seconds | 60 (1m) | Lifetime of an authorization code. For security reasons, this value must not exceed a few minutes.
  oauth20.code.length | 30 | Length of the authorization code (max is 2048).
  oauth20.token.lifetime.seconds | 43200 (12h) | Lifetime of an access token. When an access token expires, a client must request a new access token by exchanging the refresh token.
  oauth20.access.token.length | 40 | Length of the access token (max is 2048).
  oauth20.issue.refresh.token | true | If set to true, clients receive a refresh token. If set to false, clients must request authorization again when the access token expires.
  oauth20.refresh.token.length | 50 | Length of the refresh token (max is 2048).
  oauth20.allow.public.clients | false | *FUTURE USE* If set to true, public clients are allowed.
  oauth20.authorization.form.template | {oauthSvcUrl}/authorize | *DO NOT EDIT* Authorization template URL
  oauth20.authorization.error.template | {oauthSvcUrl}/error | *DO NOT EDIT* Error page template URL
  oauth20.authorization.loginURL | {oauthSvcUrl}/authenticate | *DO NOT EDIT* Authentication URL

- Optional: You can modify the TAI filter for Connections applications by enabling WebSphere® global security, including Application security, as follows:
  Note: TAI filter rules should be modified only when the context root for components is changed. The default rule is set by the Connections Installer.
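The export step and Table 1 above describe limits (code lifetime of at most a few minutes, token and code lengths of at most 2048, three template URLs that must not be edited) that are easy to violate when a properties file is hand-edited before AdminTask.importOAuthProps is run. The following lint script is an added example, not HCL or IBM code: it assumes the exported file uses Java-style key=value lines, treats "a few minutes" as 300 seconds (an assumption, since the page gives no exact number), and falls back to the Table 1 defaults for any property the file omits. The sample export it checks is constructed for illustration and contains four deliberate deviations from the table.

```python
"""Lint an exported OAuth provider properties file against the Table 1 constraints."""
import re

# Defaults exactly as listed in Table 1 (kept as strings, like a .properties file).
DEFAULTS = {
    "oauthjdbc.CleanupInterval": "3600",
    "oauth20.max.authorization.grant.lifetime.seconds": "15768000",
    "oauth20.code.lifetime.seconds": "60",
    "oauth20.code.length": "30",
    "oauth20.token.lifetime.seconds": "43200",
    "oauth20.access.token.length": "40",
    "oauth20.issue.refresh.token": "true",
    "oauth20.refresh.token.length": "50",
    "oauth20.allow.public.clients": "false",
    "oauth20.authorization.form.template": "{oauthSvcUrl}/authorize",
    "oauth20.authorization.error.template": "{oauthSvcUrl}/error",
    "oauth20.authorization.loginURL": "{oauthSvcUrl}/authenticate",
}
DO_NOT_EDIT = (
    "oauth20.authorization.form.template",
    "oauth20.authorization.error.template",
    "oauth20.authorization.loginURL",
)
LENGTH_KEYS = ("oauth20.code.length", "oauth20.access.token.length", "oauth20.refresh.token.length")
MAX_LENGTH = 2048           # "max is 2048" from Table 1
MAX_CODE_LIFETIME = 300     # assumption: "must not exceed a few minutes" read as 5 minutes

# Java .properties syntax: key, then '=' or ':' or whitespace, then the value.
_LINE_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse key/value pairs; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_oauth_props(props):
    """Return a list of human-readable findings; an empty list means the file passes."""
    findings = []

    def as_int(key):
        value = props.get(key, DEFAULTS[key])
        try:
            return int(value)
        except ValueError:
            findings.append(f"{key}: non-integer value {value!r}")
            return None

    cleanup = as_int("oauthjdbc.CleanupInterval")
    if cleanup is not None and cleanup <= 0:
        findings.append("oauthjdbc.CleanupInterval: must be a positive number of seconds")

    code_life = as_int("oauth20.code.lifetime.seconds")
    if code_life is not None and code_life > MAX_CODE_LIFETIME:
        findings.append(f"oauth20.code.lifetime.seconds: {code_life}s exceeds {MAX_CODE_LIFETIME}s")

    for key in LENGTH_KEYS:
        length = as_int(key)
        if length is not None and not 1 <= length <= MAX_LENGTH:
            findings.append(f"{key}: {length} is outside 1..{MAX_LENGTH}")

    token_life = as_int("oauth20.token.lifetime.seconds")
    grant_life = as_int("oauth20.max.authorization.grant.lifetime.seconds")
    if token_life is not None and grant_life is not None and token_life > grant_life:
        findings.append("oauth20.token.lifetime.seconds: exceeds the max authorization grant lifetime")

    for key in ("oauth20.issue.refresh.token", "oauth20.allow.public.clients"):
        if props.get(key, DEFAULTS[key]).lower() not in ("true", "false"):
            findings.append(f"{key}: expected true or false")
    if props.get("oauth20.allow.public.clients", "false").lower() == "true":
        findings.append("oauth20.allow.public.clients: marked FUTURE USE, should stay false")

    for key in DO_NOT_EDIT:
        if props.get(key, DEFAULTS[key]) != DEFAULTS[key]:
            findings.append(f"{key}: marked DO NOT EDIT but differs from {DEFAULTS[key]!r}")
    return findings


def lint_properties_text(text):
    """Convenience wrapper: parse, then check."""
    return check_oauth_props(parse_properties(text))


# Constructed sample export (not real AdminTask.exportOAuthProps output); four problems are planted.
SAMPLE_EXPORT = """# constructed sample
oauthjdbc.CleanupInterval=3600
oauth20.max.authorization.grant.lifetime.seconds=15768000
oauth20.code.lifetime.seconds=900
oauth20.code.length=30
oauth20.token.lifetime.seconds=43200
oauth20.access.token.length=40
oauth20.issue.refresh.token=true
oauth20.refresh.token.length=4096
oauth20.allow.public.clients=true
oauth20.authorization.form.template={oauthSvcUrl}/authorize
oauth20.authorization.error.template={oauthSvcUrl}/error
oauth20.authorization.loginURL=https://example.invalid/login
"""

if __name__ == "__main__":
    for finding in lint_properties_text(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against the file produced by the export command before importing any edited copy; a file that only differs from the Table 1 defaults in permitted ways produces no findings.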
- Optional: (SPNEGO) Add the OAuth protected API endpoints to the ignore list. In a SPNEGO-related environment, this criterion must be appended as one of the exclusive SPNEGO filters: request-url!=/oauth. Refer to Configuring SPNEGO on WebSphere Application Server.
  Table 3. OAuth API endpoints for HCL Connections components (a list of the OAuth API endpoints associated with each Connections component)

  Note: The SPNEGO criterion request-url!=/oauth should be appended as one of the exclusive SPNEGO filters for SPNEGO-related environments.

  Component | OAuth API Endpoint
  Activities | /activities/oauth
  Blogs | /blogs/oauth
  Bookmarks | /dogear/oauth
  Calendar | /communities/calendar/oauth
  Communities | /communities/oauth, /communities/service/atom/oauth, /communities/service/html/oauth
  Related Communities | /communities/recomm/oauth, /communities/service/opensocial/oauth
  CRE | /connections/opensocial/oauth, /connections/core/oauth/
  Files | /files/oauth
  Forums | /forums/oauth
  Homepage | /homepage/oauth
  Libraries | /dm/atom/oauth
  Microblogging | N/A (located in the News and Common ear)
  Metrics | /metrics/service/oauth
  Mobile | /mobile/oauth, /mobileAdmin/oauth, /connections/filesync/oauth, /connections/filediff/oauth
  Moderation | /moderation/oauth
  News | /news/oauth, /news/follow/oauth
  Profiles | /profiles/oauth
  Wikis | /wikis/oauth
  Search | /search/oauth
  Surveys | /surveys-oauth