OAuth2 Server Access Tokens

This administrative utility allows for the maintenance of OAuth2 authentication tokens on the server running the utility. 

The key purpose of OAuth2 authentication is to provide additional security when accessing remote sites, without the need to pass authentication credentials such as your user name and password with each and every request for data.  The authentication is performed once, and a token is provided to the calling application to use for subsequent calls.  Each token is expected to have a lifetime defined on the remote server.  This provides for automatic expiration of the tokens.  Following expiration, action must be taken by the calling user or program to reauthenticate and receive a fresh token.

Before configuring the feature, please make sure your Apache Tomcat application server configuration file has the appropriate mount points for the OAuth2 connection.  These will be similar to these entries with your instance's <instance name> and <tomcat service name>:

JkMount /<instance name>/OAuth2 <tomcat service name>

JkMount /<instance name>/OAuth2/* <tomcat service name>

 

You enter the utility via the Server Access Tokens which is under the Advanced administration tab..

You will see a list of existing tokens and their expiry time.

Note that expired tokens show with their expiration date in red, while valid tokens appear in green.

One point to be aware of is that the OAuth2 protocol is only specified to work with https connections, not with http.  However, if you or your users want to take advantage of a redirect configured within the web server, from http to https, then this is allowable, as long as the remainder of the address is the same.  For security reasons, ExtraView will not allow a redirect from an address on one domain to a different domain.

Also on this screen is a button with the title Delete Expired Tokens.  This allows the administrator to delete all the expired tokens from the database.  Tokens have no purpose once they have expired, and this option simply cleans up the database entries for the expired tokens.

The administrator may also use the delete button by each active token to immediately expire the token to which it refers.

When a site is being used as a server to provide tokens to client users who connect to the site, you should ensure the behavior setting named AUTO_SIGNOFF_ON_USER_EXIT is set to YES.  If you do not do this, the user's tokens that have been granted and are still valid will still allow a user to access the server site until their session expires, even if the user's account is disabled.  For security, it is good practice to cut off a user's access immediately if their access is disabled.