9.2 Configuring the Connector for OAuth2 Resources

You can configure instances of the OAuth2 Resources connector in one of the following ways:

(Optional) For each OAuth client application, you can manually create an appmark so that the CloudAccess landing page shows an icon linking to that OAuth2 client application. Point the appmark at the URL of the OAuth2 client application that starts the OAuth2 authorization flow (the client application then redirects the browser to the appliance for authentication).

To configure the connector for OAuth2 Resources:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. Drag and drop the OAuth Resources connector from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  3. On the Configuration tab, provide the following information:

    • Display name: A name that clearly identifies this connector instance on the Admin page of the console.

    • Schema: Specify whether the attributes that CloudAccess sends to the OAuth client follow OpenID Connect standard naming or use the Native schema names defined internally on the appliance.

    • Allowed OAuth Client URI(s): Specify either the full redirect URI of the OAuth2 client application or just its host name. A host-only entry allows every path on that host, so any open redirector on that host could be used to steer an authorization code to an attacker; prefer the full redirect URI and register one entry per callback path. Because OAuth2 relies on TLS as one of its core security mechanisms, always specify HTTPS. For the reasoning behind strict redirect URI registration, see https://tools.ietf.org/html/rfc6749#section-10.6.

    • OAuth Details (Client ID and Client Secret): Use this information to configure the OAuth2 client application.

    • OAuth Endpoints (Auth URL, Token URL, and Profile URL): Use this information to configure the OAuth2 client application.

  4. Click the Appmarks tab, then review and edit the default settings for the appmark.

  5. Click OK to save the configuration.

  6. On the Admin page, click Apply to commit the changes to the appliance.

  7. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  8. (Conditional) If Public access is disabled, click Policy in the toolbar, then perform policy mapping to specify entitlements for identity source roles (groups).

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.

After the OAuth2 Resources connector and the OAuth client application have both been configured, end users reach the protected resource by browsing to the URL of the OAuth client application (by typing the URL, using a bookmark, clicking the landing page appmark, and so forth). The client application redirects the browser to the appliance's Auth URL. If the user is not already authenticated to the CloudAccess appliance, the browser is redirected to the CloudAccess login page and the user is prompted for credentials. After a successful authentication (or immediately, if the user already has an appliance session) and provided the user is authorized for the resource, the appliance redirects the browser back to the client application's registered redirect URI with an authorization code, the client application exchanges that code at the Token URL using its Client ID and Client Secret, and the user gains access to the resource.
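The following is an added example and not CloudAccess product code or a NetIQ sample. It shows, from the OAuth2 client application's side, how the values copied from the connector's Configuration tab (Client ID, Client Secret, Auth URL, Token URL, Profile URL) are used in the authorization-code flow described above, and it makes concrete the difference between a full-path and a host-only entry in Allowed OAuth Client URI(s). Every URL, client identifier and secret in it is an assumed placeholder; the matching logic is a model of the documented behavior, not the appliance's implementation. No network calls are made; the token and profile requests are built but not sent.

```python
# Added example, not CloudAccess product code. Exercises the values an
# administrator copies from the connector's Configuration tab from the OAuth2
# client application's side, and models how an "Allowed OAuth Client URI(s)"
# entry behaves when it is a full path versus a bare host name.
# Every URL, identifier and secret below is an assumed placeholder.
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders for the OAuth Details / OAuth Endpoints on the tab.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
AUTH_URL = "https://appliance.example.com/oauth2/authorize"
TOKEN_URL = "https://appliance.example.com/oauth2/token"
PROFILE_URL = "https://appliance.example.com/oauth2/profile"


def redirect_uri_allowed(redirect_uri, allowed_entries):
    """Model of the two ways an Allowed OAuth Client URI entry can be written.
    A full-path entry matches only that exact URI; a host-only entry matches
    every path on that host (the looser, riskier form). HTTPS is required."""
    r = urlsplit(redirect_uri)
    if r.scheme != "https" or r.fragment:
        return False  # TLS only; RFC 6749 3.1.2 forbids a fragment component
    for entry in allowed_entries:
        e = urlsplit(entry if "://" in entry else "https://" + entry)
        if e.scheme != "https" or e.netloc.lower() != r.netloc.lower():
            continue
        if e.path in ("", "/"):
            return True  # host-only entry: any path on the host is accepted
        if e.path == r.path and e.query == r.query:
            return True  # full-path entry: exact match only
    return False


def build_authorization_request(redirect_uri, scope="openid profile"):
    """Step 1: the client sends the browser to the appliance's Auth URL.
    Returns (url, state); keep state in the user's session for step 2."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params), state


def extract_code_from_callback(callback_url, expected_state):
    """Step 2: the appliance redirects back with ?code=...&state=...
    Reject the response unless state matches what this session issued
    (CSRF protection, RFC 6749 10.12). Returns the code or None."""
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [""])[0]
    code = q.get("code", [""])[0]
    if not code or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code


def build_token_request(code, redirect_uri):
    """Step 3: exchange the code at the Token URL, server to server, using
    the Client ID and Client Secret. redirect_uri must equal step 1's value."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": "Basic " + basic,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code",
                           "code": code,
                           "redirect_uri": redirect_uri}),
    }


def build_profile_request(access_token):
    """Step 4: fetch the user's attributes (OpenID Connect or Native schema
    names, per the connector's Schema setting) from the Profile URL."""
    return {"url": PROFILE_URL,
            "headers": {"Authorization": "Bearer " + access_token}}


if __name__ == "__main__":
    callback = "https://app.example.com/oauth/callback"
    # A host-only entry also accepts an attacker-chosen path on the same host,
    # such as an open redirector; a full-path entry does not.
    probe = "https://app.example.com/redirect?to=evil"
    print("host-only entry accepts probe:", redirect_uri_allowed(probe, ["app.example.com"]))
    print("full-path entry accepts probe:", redirect_uri_allowed(probe, [callback]))
    url, state = build_authorization_request(callback)
    code = extract_code_from_callback(f"{callback}?code=abc&state={state}", state)
    print("token request body:", build_token_request(code, callback)["body"])
```

Running the script shows the host-only entry accepting the probe URI and the full-path entry rejecting it, which is the practical reason to register the full redirect URI. The state check in step 2 is the client application's responsibility; the appliance cannot perform it for the client.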