Extending a User Store for OAuth 2.0 Authorization Grant Information

Access Manager's OAuth 2.0 implementation stores information about the client applications that a user has authorized to access attributes and resources. This information is unique per user, so store it as part of the user object in the user store. If you already have a suitable attribute, specify it in Authorization Grant LDAP Attribute when defining Global Settings.

If no free attribute is available, extend the User Object schema to add a new single-valued attribute of binary (LDAP) or stream (eDirectory) syntax. Access Manager stores an XML object in this attribute for each user authorization.

NOTE: The LDAP super administrator must have write access to this user attribute so that the token information can be saved. Access Manager also uses this attribute to revoke refresh tokens.

An example of extending the schema of a user object in eDirectory

  1. Click Roles and Tasks > Schema > Create Attribute.

  2. Specify Attribute Name as nidsOAuthGrant.

  3. Click Next.

  4. Select Stream under Syntax.

  5. Click Next.

  6. Select Single Valued.

  7. Click Next > Finish.

  8. Go to Roles and Tasks > Schema > Add Attribute.

  9. Select Person under Available Classes.

  10. Click OK.

  11. Move nidsOAuthGrant from Available optional attributes to Optional attributes.

  12. Click OK.

An example of extending the schema of a user object in Active Directory

  1. In Windows, click Start > Run and run mmc.

  2. Click File > Add/Remove Snap-in.

  3. Select Active Directory Schema and click Add.

  4. Expand Active Directory Schema, then right-click Attributes > Create Attribute.

  5. In Create New Attribute, specify the following:

    • Common Name: nidsOAuthGrant

    • LDAP Name: nidsOAuthGrant

    • Unique X500 Object ID: 1.3.6.1.4.1.1466.115.121.1.5

  6. Select Syntax as Octet string. Ensure that Multi-Valued is deselected.

  7. Click OK.

  8. Expand Active Directory Schema, then click Classes > person.

  9. Right-click person, then click Properties.

  10. Click the Attribute tab, then click Add.

  11. Select the attribute that you created (nidsOAuthGrant), then click OK.

  12. Click OK to close all property windows, which adds the attribute to the person class.

An example of extending the schema of a user object in Active Directory Lightweight Directory Services

  1. Go to Active Directory Lightweight Directory Services (AD LDS) schema.

  2. Right-click the schema name, then click New > Object.

  3. Select attributeSchema and click Next.

  4. Specify a common-name and click Next.

  5. Specify 4 for the oMSyntax attribute and click Next.

  6. Specify an LDAP-Display-Name and click Next. This value must be the same as the common-name.

  7. Specify True for the isSingleValued attribute and click Next.

  8. Specify 2.5.5.10 for the attributeSyntax attribute and click Next.

  9. Specify 1.2.840.113556.1.9000.50.1 for the attributeID attribute and click Next.

  10. Click Finish.

  11. Navigate to the cn=Person class and double-click it to edit its attributes.

  12. Select mayContain attribute and click Edit.

  13. Specify the attribute name (common-name) and click Add > OK > Apply > OK.

  14. Right-click the Schema > Update Schema Now.

    NOTE: When creating a new user, the msDS-UserAccountDisabled attribute is set to true by default. Change the value to false.
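The AD LDS procedure above can also be applied from an LDIF file (with ldifde or ldapmodify) rather than through the GUI. The following is an added example, not part of the Access Manager documentation, that builds that LDIF and sanity-checks the attribute definition against the requirements stated on this page (single-valued, octet string syntax 2.5.5.10 with oMSyntax 4, LDAP display name equal to the common name). The schema naming-context DN is a placeholder you must replace with your own.

```python
# Added example: generate and check the AD LDS schema extension described above.
# SCHEMA_DN is an assumption; replace it with the schema NC of your AD LDS instance.
SCHEMA_DN = "CN=Schema,CN=Configuration,CN={PLACEHOLDER-GUID}"

def attribute_entry(common_name, attribute_id, schema_dn=SCHEMA_DN):
    """attributeSchema object for a single-valued octet-string attribute (page values)."""
    return {
        "dn": f"CN={common_name},{schema_dn}",
        "objectClass": ["top", "attributeSchema"],
        "cn": common_name,
        "lDAPDisplayName": common_name,  # must equal the common name (step 6)
        "attributeID": attribute_id,     # e.g. 1.2.840.113556.1.9000.50.1 (step 9)
        "attributeSyntax": "2.5.5.10",   # octet string (step 8)
        "oMSyntax": "4",                 # OM syntax for octet string (step 5)
        "isSingleValued": "TRUE",        # step 7
    }

def check_attribute_entry(e):
    """Return a list of problems; an empty list means the entry meets the page's requirements."""
    problems = []
    if e.get("lDAPDisplayName") != e.get("cn"):
        problems.append("lDAPDisplayName must equal cn")
    if e.get("attributeSyntax") != "2.5.5.10" or e.get("oMSyntax") != "4":
        problems.append("octet string needs attributeSyntax 2.5.5.10 and oMSyntax 4")
    if e.get("isSingleValued") != "TRUE":
        problems.append("the grant attribute must be single-valued")
    parts = e.get("attributeID", "").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        problems.append("attributeID must be a dotted-decimal OID")
    return problems

def to_ldif(entry, changetype="add"):
    """Render one entry as an LDIF change record."""
    lines = [f"dn: {entry['dn']}", f"changetype: {changetype}"]
    for key, value in entry.items():
        if key == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{key}: {v}")
    return "\n".join(lines) + "\n"

def may_contain_modify(common_name, schema_dn=SCHEMA_DN):
    """LDIF for steps 11-14: add the attribute to Person's mayContain, then reload the schema."""
    return (f"dn: CN=Person,{schema_dn}\nchangetype: modify\nadd: mayContain\n"
            f"mayContain: {common_name}\n-\n\n"
            "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n")
```

Run `check_attribute_entry` before applying the LDIF; a non-empty result means the definition would not match what Access Manager expects for the grant attribute.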