Saturday, May 27, 2017

OAM 12C - Understanding the Authorization and Authentication Endpoints - part 2


Hello IAM developers,

Let's keep talking about OAuth Services in OAM(Oracle Access Manager).

OAM-OAuth has four authentication endpoints that receive and respond to HTTPS requests in the 3-legged authorization flow: the token endpoint, the authorization endpoint, the push endpoint, and the user consent revocation endpoint. Each endpoint is a URL that clients use to make requests.




Fig1: Understanding OAuth 3-Legged Authorization

The authentication endpoints are:

Token Endpoint – The client application interacts with the token endpoint to exchange an authorization code grant for an access token. It is also used by the client credentials and resource owner credentials grant types to obtain an access token, and the client uses it with a refresh token to obtain a new access token. The URI for this endpoint always ends in /token. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/token

Authorization Endpoint – The client uses the authorization endpoint to obtain authorization from the resource owner to access the requested resources. The client application initiates the request by sending its client identifier, a requested scope defining the resource it wants to access, and a redirection URI to which OAuth Services will direct the web browser once access is granted or denied. This endpoint accepts HTTPS requests. The URI for this endpoint always ends in /authorize. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/authorize

Push Endpoint – Mobile OAuth Services client apps interact with the push endpoint to obtain, depending on configuration, part of the authorization codes and/or part of the client tokens, access tokens and refresh tokens that are delivered through either the Apple Push Notification Service (APNS) or the Google Cloud Messaging (GCM) service. It is also used for the mobile client verification code, authorization code and client tokens. For example, the endpoint for requesting data from APNS is:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/oauthservice/push

User Consent Revocation Endpoint - Resource owners (end-users), who authenticate and authorize client applications using the browser-based authorization endpoint flow, use this endpoint to revoke their consent to client applications. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/ui/<yourOauthServiceName>/showrevokeconsent

When configuring clients with authorization code grant in the OAuth server, you also need to provide at least one client redirect URI where the server can return authorization credentials to the client.

Client Redirect URIs – The OAuth Services server returns authorization credentials to the client using the URI specified in the request provided that it exactly matches a URI configured in the client profile.
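As an added example that is not part of the original post, the helpers below walk the three client-side steps of the authorization code flow against the endpoints above, enforcing the exact redirect URI match and a per-request state value. The host, port, service name, client id and registered redirect URI are constructed values, and the request parameter names are assumed to follow standard OAuth 2.0 (the post does not list them).

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values: host, port and service name are placeholders.
OAM_BASE = "https://oam.example.com:14101/ms_oauth/oauth2/endpoints/oauthservice"
AUTHORIZE_ENDPOINT = OAM_BASE + "/authorize"
TOKEN_ENDPOINT = OAM_BASE + "/token"

# Redirect URIs configured in this client's profile on the OAuth server (constructed).
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def redirect_uri_allowed(requested: str) -> bool:
    """The server returns credentials only to a URI that exactly matches a
    registered one: no scheme, host, path-prefix or query tolerance."""
    return requested in REGISTERED_REDIRECT_URIS


def new_state() -> str:
    """Unguessable per-request value that ties the callback to this client session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, scope: str, redirect_uri: str, state: str) -> str:
    """Step 1: send the browser to /authorize with the client identifier,
    requested scope, redirect URI and the state value."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    params = {"response_type": "code", "client_id": client_id, "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the server redirects back to the registered URI with code and
    state; accept the code only if the state matches the one we issued."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this client")
    if "code" not in query:
        raise ValueError("authorization server returned no code: " + str(query.get("error")))
    return query["code"][0]


def build_token_request(code: str, redirect_uri: str) -> dict:
    """Step 3: form body for the POST to /token that exchanges the code for
    tokens; redirect_uri must repeat the value used in step 1."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
```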

In the next article (part 3) I am going to show all these OAM 12c processes in action, step by step. Stay tuned.

More articles related:

Part1- OAM using OAuth2 Services - Proposed architecture, related flows, and how to configure


I hope it helps and happy coding,
Thiago Leoncio.


Saturday, May 13, 2017

OAM using OAuth2 Services - Proposed architecture, related flows, and how to configure

Hello everybody,

  As part of our series of OAuth articles, I would like to share how an OAuth architecture looks when built on Oracle Access Manager 12c, and where and how the OAM players (WebGate and Access Server) fit with the OAuth key roles (Resource Server, Resource Owner and Authorization Server).

Let's start with some particularities of Oracle Access Manager 12c PS3:

In OAM R2PS3 you must deploy a WebGate in front of your OAM servers to use the OAuth 3-legged flow. That means you have one more component in the OAuth flow.

This is mainly because the WebGate is required to protect the OAuth consent page. Otherwise, you will get an error when attempting to follow the 3-legged OAuth flow.


The picture below shows the interaction between them:

Let's first look at what each of them means.
Resource Server: these are RESTful web services that expose the protected resources owned by the end user, so they need a valid OAuth token before serving information back to the Client WebApp (picture above).
Client Web Application: the applications that play the role of OAuth clients; they request access to the resources owned by the end user.
OAM/OAuth Server: this guy is responsible for authenticating the end user and for issuing and validating OAuth tokens.

Configuration on OAM/WebGate side:

  • WebGate configuration:

Following Oracle documentation, deploy and register a Webserver/Webgate and configure the following resources in your application domain. Details here.

/ms_oauth/img/* – Excluded
/ms_oauth/style/* – Excluded
/ms_oauth/oauth2/endpoints/** – Excluded
/ms_oauth/oauth2/ui/** – Protected
/ms_oauth/oauth2/oammsui/** – Excluded
/oam/** – Excluded
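As an added example that is not part of the original post, the matcher below classifies request paths against the resource list above, confirming that the OAuth endpoints stay excluded from WebGate while the consent UI under /ms_oauth/oauth2/ui is protected. The pattern semantics (a single * stays within one path segment, ** spans any depth, the longest matching pattern wins) are an assumption used to model the table, not a statement about OAM's own matcher.

```python
import re

# The resource definitions from the application domain above.
WEBGATE_RESOURCES = [
    ("/ms_oauth/img/*", "Excluded"),
    ("/ms_oauth/style/*", "Excluded"),
    ("/ms_oauth/oauth2/endpoints/**", "Excluded"),
    ("/ms_oauth/oauth2/ui/**", "Protected"),
    ("/ms_oauth/oauth2/oammsui/**", "Excluded"),
    ("/oam/**", "Excluded"),
]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a resource pattern into an anchored regular expression.
    Assumed semantics: '*' matches within one segment, '**' across segments."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def classify(url_path: str) -> str:
    """Return the protection level of the most specific matching resource,
    or 'Unmatched' when no resource in the list covers the path."""
    path = url_path.split("?", 1)[0]  # the query string is not part of the resource
    best = None
    for pattern, level in WEBGATE_RESOURCES:
        if pattern_to_regex(pattern).match(path):
            # Longest pattern wins when several overlap (assumption, see lead-in).
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1] if best else "Unmatched"
```

An "Unmatched" result means the path is not covered by this list at all, which is worth catching before the 3-legged flow is tested.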


In your web server, create a new conf file with the following directives.


# Forward the OAuth application to the OAM WebLogic cluster; the WebGate
# resource list above decides what is Excluded or Protected on these paths.
<Location /ms_oauth>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAM_JSESSIONID
# host:port pairs are comma-separated without spaces (thiagoserver1/2 are placeholders)
WebLogicCluster thiagoserver1:port1,thiagoserver2:port2
</Location>

# Same forwarding for the OAM server paths
<Location /oam>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAM_JSESSIONID
WebLogicCluster thiagoserver1:port1,thiagoserver2:port2
</Location>
  • Set up your OAuth2 service in order to create the resource server described above.


  • Resource Server tab.



  • Go to OAuth client registration.


  • Configure scope. This use case uses the "allow access to all scopes" option. As discussed in previous articles, scope is one of the most important pieces of the architecture and use-case definition that you need to be aware of.

  • Access token, which is a JWT, e.g.:



Establishing the Trust

Again, in this article you see the three primary domains of trust in the OAM and OAuth solution that were shown in the architecture reference picture: client, resource and OAuth server.

What are the key trust points here?
1) Trust between OAuth2 server and client
To verify the OWSM client's signed request for an access token, the OAuth2 service must hold in its keystore the public key certificate corresponding to the private key used to sign the request.

The OAuth2 server responds with a signed access token.

2) Trust between OAuth2 server and service
The service must also trust the signed access token sent by the OAuth2 server. To set up trust between the OAuth2 server and the service, import the OAuth2 server's signing certificate into the resource server keystore.


SSO Session Linking for OAuth Tokens

In deployments where some resources are protected by OAM while others are accessed with OAuth, linking the SSO session with the access token is vital to achieve seamless SSO across the mix of applications. SSO session linking for OAuth tokens supports OAuth deployments that require two-legged flows for native mobile apps and synchronization of OAuth tokens with SSO tokens.




Summary

The intention here is to explain and guide anyone trying to work with Oracle OAM using the OAuth protocol. I will add more articles about OAuth with all the vendors we can work with.


I hope you liked it.

Happy coding,
Thiago Leoncio.





Tuesday, May 9, 2017

OIM: How to Rollback a Published Sandbox

 

Problem:

A sandbox with some UI changes has been published, and users see a blank screen after login.

Solution:

The problem is with the published sandbox. Follow the steps below to roll back the published sandbox in OIM 11gR2 and later versions.

1. Log in to Enterprise Manager

2. Under Application Deployments, click on oracle.iam.console.identity.self-service.ear

3. Right-click on Application Deployment and select MDS Configuration from the drop-down.

4. Click on “Runtime MBean Browser” under Advanced Configuration.

5. Click on the “Operations” tab. Scroll down, find the MBean operation “listMetadataLabels” with parameters=0 and click on it.

6. Click on Invoke in the top right.

7. In the list, copy the sandbox label value, which looks like Creation_IdM_XXXXXXXXX (the UI will be restored to its state before this sandbox). Click on Return.

8. Scroll down, find the MBean operation “promoteMetadataLabel” (the first one in the list) and click on it.

9. Paste the value copied in step 7 into the text box and click on Invoke.

10. Restart OIM.

 

Steps one-by-one:

1- Log in to http://YOURWLSHOSTFOROIM:PORT/EM

2- Expand OIM SELF and click on MDS Configuration

3- Select the Runtime MBean Browser option as below

4- Click on the Operations tab as below

5- Select listMetadataLabels and invoke it. In the result you will find the label you would like to roll back to.

6- Go back and select the promoteMetadataLabel operation in order to apply the label you just copied above.

7- Click Invoke and you should get this:

8- Restart the OIM server and you are now on the sandbox version you just promoted. Congratulations!



I hope this helps,

Thiago

Saturday, May 6, 2017

How to import a Java project to Oracle Forms 11G

Hello everyone,

  In today's session I would like to show you how to make a Java Maven project, Oracle Forms and WebLogic work together.


  • In this project the idea is not to use the database JVM for Forms. Instead, create a Forms library (PLL) that imports the Java project, based on the Maven project that generates a deployable .jar file.
  1. So, the first action is to set up your PLL libraries and jar files to avoid any kind of dependency issue, e.g.:
     FRM-10102: Cannot attach PL/SQL library XXX. This library attachment will be lost if the module is saved.

    To avoid that, set up properly where your library is going to be. For example:

FORMS_PATH=C:\Oracle\Middleware\Oracle_FRHome1\forms;C:\Oracle\Middleware\asinst_1\FormsComponent\forms
LD_LIBRARY_PATH=C:\Oracle\Middleware\Oracle_FRHome1\lib


   2. The second action is to set up where your jar file is going to be. You define that in the FORMS_BUILDER_CLASSPATH environment variable. If you are setting up for development you can use the REGEDIT tool, but if you are configuring it in WebLogic you will have to change the classpath variable in your .env file so that the WLS_FORMS managed server can see it properly. Note: you must bounce the service for the second option.


  • Once you have all the dependencies set up, you can start coding as I am going to show below:
  1. Your Java class must have a constructor so it can be instantiated if you want to use getters and setters in your Java class.
  2. Also make sure you have a toString method to send and convert all the parameters in one shot, as needed during the process.
  3. Once you have all your Java code deployed (in my case I used Maven to generate the .jar file), copy your jar file to the folder you defined above in FORMS_BUILDER_CLASSPATH. Another key point: in this example I am developing a Forms library and then calling this library from Oracle Forms, so from a high-level design perspective I have two libraries (PLL and Java) and one Forms file.
  4. Import your Java code into your PLL file.

  5. Once imported, they should look like this in your PLL file.
  6. Now you have all your code automatically generated by the import tool, based on the Java code you developed earlier.

  7. You can see the generated constructor has the same number of arguments as the Java code shown in the first and second pictures above.
  8. In order to instantiate your Java object from Oracle Forms you execute it like the command line below, e.g. something.new; or something.new(''.'','')
  9. The picture below shows you how to use the get and set features that were created in your Java class.
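As an added example that is not part of the original post, here is the shape of Java class the steps above describe: a public constructor for the import tool to expose as new, a getter and setter per field, and a toString that packs every parameter into one delimited string for the PL/SQL side. The package, class and field names are illustrative assumptions, and the setters validate input so bad values are rejected before they reach the Forms layer.

```java
package com.example.formsbridge;

// Illustrative bean (assumed name) of the kind imported into a Forms PLL.
public class CustomerParams {
    private static final String SEP = "|";
    private String customerId = "";
    private String email = "";
    private int creditLimit;

    // Public no-argument constructor: this is what the import tool exposes as new.
    public CustomerParams() {}

    // Overloaded constructor; the import tool generates a new function for each one.
    public CustomerParams(String customerId, String email, int creditLimit) {
        setCustomerId(customerId);
        setEmail(email);
        setCreditLimit(creditLimit);
    }

    public String getCustomerId() { return customerId; }
    public void setCustomerId(String v) {
        if (v == null || v.trim().isEmpty() || v.contains(SEP))
            throw new IllegalArgumentException("customerId must be non-empty and not contain " + SEP);
        customerId = v.trim();
    }

    public String getEmail() { return email; }
    public void setEmail(String v) {
        if (v == null || !v.contains("@") || v.contains(SEP))
            throw new IllegalArgumentException("email is not valid");
        email = v.trim();
    }

    public int getCreditLimit() { return creditLimit; }
    public void setCreditLimit(int v) {
        if (v < 0) throw new IllegalArgumentException("creditLimit must be >= 0");
        creditLimit = v;
    }

    // Sends every parameter back to Forms in one shot as a SEP-delimited string.
    @Override
    public String toString() {
        return String.join(SEP, customerId, email, Integer.toString(creditLimit));
    }
}
```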


I hope this helps you to work easily with Oracle Forms and Java together. Please shoot me a question if you have any. Otherwise, have fun.



Happy coding,
Thiago Leoncio.