Saturday, May 27, 2017

OAM 12C - Understanding the Authorization and Authentication Endpoints - part 2


Hello IAM developers,

Let's keep talking about OAuth Services in OAM(Oracle Access Manager).

OAM-OAuth has four endpoints that receive and respond to HTTPS requests in the 3-legged authorization flow: the token endpoint, the authorization endpoint, the push endpoint, and the user consent revocation endpoint. Each endpoint is a URL that clients use to make requests.




Fig. 1: Understanding OAuth 3-legged authorization

The endpoints are:

Token Endpoint – The client application interacts with the Token Endpoint to exchange an authorization code grant for an access token. It is also used by the Client Credentials and Resource Owner Password Credentials grant types to obtain an access token, and the client presents a refresh token here to obtain a new access token. The URI for this endpoint always ends in token. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/token

Authorization Endpoint – The client uses the Authorization Endpoint to get authorization from the resource owner to access the requested resources. The client application initiates the request by sending its client identifier, a requested scope defining the resource it wants to access, and a redirection URI to which OAuth Services will direct the web browser once access is granted or denied. This endpoint accepts HTTPS requests. The URI for this endpoint always ends in authorize. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/authorize

Push Endpoint – Mobile OAuth Services client apps interact with the push endpoint to obtain (depending on configuration) part of the authorization codes, and/or part of the client tokens, access tokens, and refresh tokens that are sent through either the Apple Push Notification Service (APNS) or the Google Cloud Messaging (GCM) service. It can also be used for Mobile Client Verification code, Authorization Code, and Client Tokens. For example, the endpoint for requesting data from APNS is:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/endpoints/oauthservice/push

User Consent Revocation Endpoint - Resource owners (end-users), who authenticate and authorize client applications using the browser-based authorization endpoint flow, use this endpoint to revoke their consent to client applications. For example:

HTTP(s)://<host>:<port>/ms_oauth/oauth2/ui/<yourOauthServiceName>/showrevokeconsent

When configuring clients with authorization code grant in the OAuth server, you also need to provide at least one client redirect URI where the server can return authorization credentials to the client.

Client Redirect URIs – The OAuth Services server returns authorization credentials to the client using the URI specified in the request, but only if that URI exactly matches one configured in the client profile; a request carrying any other redirect URI is rejected.
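To make the three steps above concrete, here is an added example (not code from the original post or from Oracle) that assembles the 3-legged authorization-code exchange against the endpoint URIs described above: it builds the authorize URL, validates the callback, and prepares the form body for the token endpoint. The host, service name, client id, scope and redirect URI are placeholder values; the client's own credentials for the token call (for example HTTP Basic authentication) are sent separately and are omitted here. The `state` parameter is the standard OAuth 2.0 mechanism for binding the callback to the browser session and is included from the defender's side; the redirect URI check reproduces the exact-match rule the post describes, with no prefix or wildcard matching. No network call is made, so the script runs offline.

```python
"""Added example: assemble the OAM OAuth 3-legged authorization-code exchange
against the endpoint URI patterns described above. All hosts, names and ids
below are constructed placeholders; nothing is sent over the network."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values (not taken from the original page).
BASE = "https://oam.example.com:14100"
SERVICE = "MyOAuthService"
CLIENT_ID = "my-client-id"
# Redirect URIs registered in the client profile; the server compares exactly.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}


def endpoint(base, service, name):
    """Build an OAM-OAuth endpoint URI following the pattern shown in the post."""
    return f"{base}/ms_oauth/oauth2/endpoints/{service}/{name}"


def redirect_uri_allowed(requested):
    """Exact string comparison, as the post says OAM does. A trailing slash,
    a different scheme or an extra query string is a mismatch, which is what
    stops an authorization code from being redirected to an attacker's host."""
    return requested in REGISTERED_REDIRECT_URIS


def build_authorize_url(client_id, scope, redirect_uri, state):
    """Step 1: the client sends the resource owner's browser to the authorization
    endpoint with its identifier, the requested scope, the redirect URI and a
    state value bound to the browser session."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return endpoint(BASE, SERVICE, "authorize") + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: OAuth Services redirects the browser back with ?code=...&state=...
    (or ?error=...). Reject the response if state does not match the value the
    client stored for this session, so a code minted for another session cannot
    be injected here."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in qs:
        raise ValueError("authorization denied: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(code, redirect_uri):
    """Step 3: the token endpoint URI and the form body the client posts there to
    exchange the code. redirect_uri must equal the one used in step 1; client
    credentials (e.g. HTTP Basic) go in the request headers and are omitted."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
    }
    return endpoint(BASE, SERVICE, "token"), body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)           # store this in the user's session
    redirect = "https://app.example.com/callback"
    print(build_authorize_url(CLIENT_ID, "UserProfile.me", redirect, state))
    # Constructed callback, as the browser would present it after consent.
    callback = f"{redirect}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, redirect))
```

Running the script prints the authorize URL a browser would be sent to and the token-endpoint URI plus form body for the code exchange. The two checks worth keeping in any real client are the ones that fail closed here: an unregistered redirect URI never reaches the authorization endpoint, and a callback whose `state` does not match the stored session value is discarded before the code is ever exchanged.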

In the next article (part 3) I am going to show all of these OAM 12c processes in action, step by step. Stay tuned.

Related articles:

Part 1 - OAM using OAuth2 Services - Proposed architecture, related flows, and how to configure


I hope it helps and happy coding,
Thiago Leoncio.
