25.8 Configuring Success and Failure URLs for Authorization Policies

When an Authorization Success or Failure redirect URL is set, the target URL for which the end user is seeking access should be passed along as a parameter.

The following points apply when configuring an Authorization policy Success or Failure URL.

  • The original resource location is URL encoded and added as the value of the oam_res query parameter before the redirect to the success or failure URL. The following rules govern how the oam_res value is built. During an authorization call only the HostIdentifier is passed, so building the URL with a fully qualified host and port is slightly more involved. Here are two examples.

    Using the HostIdentifier, we find the first fully qualified host:port entry and construct the URL with it. The rest of the entries are then added as query parameters to the resource URL. For example:

    HostList = [Host hostName:="adc00oyf.us.example.com", port=7777,
    Host hostName:="11gAgent", port=null,
    Host hostName:="adc00oyf.us.example.com", port=80],
    HostIdentifier = 11gAgent

    The resource URL built will be:


    In this second example:

    HostList = [Host hostName:="adc00oyf.us.example.com", port=7777,
    Host hostName:="11gAgent", port=null],
    HostIdentifier = 11gAgent

    The resource URL built will be:

  • To send a hashed value of the resource URL for security reasons, run the displayAuthZCallBackKey() WLST command. It returns the generated AES 128 key as a Base64 encoded string. This key can be used by the OAM server and the receiving application. It is stored in oam-config.xml, under /DeployedComponent/Server/NGAMServer/Profile.

    <Setting Name="AuthZCallBack" Type="htf:map">
    <Setting Name="AuthZHashKey" 
    <Setting Name="AuthZCallBackEnabled" Type="xsd:boolean">true</Setting>


    See Access Manager WLST Commands for details on the displayAuthZCallBackKey() WLST command.

  • If the WLST setting in step 2 is enabled, a hashed value of the original resource URL is also sent as the value of the oam_res_hash query parameter. For example:
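
On the receiving side, the success or failure page has to read oam_res and oam_res_hash back out of its own URL before using them. The following is an added example, not taken from the Oracle documentation: it decodes oam_res once and accepts it only if its host:port matches a fully qualified HostList entry. The function name, ALLOWED_ORIGINS, the app.example.com page, the /index.html path and the hash placeholder are assumptions; the hash is returned unverified because this page does not specify how it is computed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: accepted host:port pairs, taken from the fully qualified
# HostList entries in the examples above.
ALLOWED_ORIGINS = {("adc00oyf.us.example.com", 7777),
                   ("adc00oyf.us.example.com", 80)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def read_oam_callback(callback_url, hash_enabled=True):
    """Return (resource_url, resource_hash) from a success/failure URL.

    Raises ValueError when oam_res is missing, repeated or points outside
    ALLOWED_ORIGINS, or when the hash is expected but absent.
    """
    # parse_qs URL-decodes each value exactly once, undoing the encoding
    # applied before the redirect.
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    res_values = query.get("oam_res", [])
    if len(res_values) != 1 or not res_values[0]:
        raise ValueError("expected exactly one non-empty oam_res parameter")
    resource = res_values[0]

    target = urlsplit(resource)
    if target.scheme not in DEFAULT_PORTS or not target.hostname:
        raise ValueError("oam_res is not an absolute http(s) URL")
    if target.username or target.password:
        raise ValueError("oam_res must not carry userinfo")
    port = target.port or DEFAULT_PORTS[target.scheme]
    if (target.hostname, port) not in ALLOWED_ORIGINS:
        raise ValueError("oam_res host:port is not an expected resource host")

    hash_values = query.get("oam_res_hash", [])
    if hash_enabled and len(hash_values) != 1:
        raise ValueError("oam_res_hash missing or repeated")
    # Checking the hash needs the key from displayAuthZCallBackKey() and the
    # hash construction, which is not given here; the value is only returned.
    return resource, (hash_values[0] if hash_values else None)


# Constructed sample: a failure URL as the receiving page would see it.
SAMPLE = ("http://app.example.com/denied?oam_res="
          "http%3A%2F%2Fadc00oyf.us.example.com%3A7777%2Findex.html"
          "&oam_res_hash=CONSTRUCTED_PLACEHOLDER")
```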