Saturday, May 13, 2017

OAM using OAuth2 Services - Proposed architecture, related flows, and how to configure

Hello everybody,

  I would like to share - as part of our series of OAuth articles - how an OAuth architecture looks when it is built on Oracle Access Manager 12c: where and how the OAM players (WebGate and Access Server) fit with the key OAuth roles (Resource Server, Resource Owner, and Authorization Server).

Let's start with some particularities of Oracle Access Manager 12c PS3:

In OAM R2PS3, you must deploy a WebGate in front of your OAM servers to use the OAuth 3-legged flow. That means there is one more component in our OAuth flow.

This is mainly because the WebGate must protect the OAuth consent page. Otherwise, you will get an error when attempting the 3-legged OAuth flow.


This picture shows the interaction between them:

Let's talk first about what they mean.
ResourceServer: These are the RESTful web services that expose the protected resources owned by the end user. They therefore need a valid OAuth token before they serve information back to the ClientWebApp (picture above).
Client WebApplication: The applications that play the role of OAuth Clients. They request access, on behalf of the end user, to the resources the end user owns.
OAM/OAuth Server: This component is responsible for authenticating the end user and for issuing and validating OAuth tokens.

Configuration on OAM/WebGate side:

  • WebGate configuration:

Following the Oracle documentation, deploy and register a web server/WebGate and configure the following resources in your application domain. Details here.

/ms_oauth/img/* – Excluded
/ms_oauth/style/* – Excluded
/ms_oauth/oauth2/endpoints/** – Excluded
/ms_oauth/oauth2/ui/** – Protected
/ms_oauth/oauth2/oammsui/** – Excluded
/oam/** – Excluded
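As an added example (not code from the article or from Oracle), the following Go program encodes the six resource rules above and reports which rule levels a request path hits. It assumes the usual reading of OAM patterns in which a single `*` stays within one path segment and `**` spans any number of segments; confirm that against the documentation for your OAM release. The sample request paths are constructed. The point is the pre-deployment check the WebGate requirement implies: the consent UI must be matched by the Protected rule and by nothing that excludes it.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is one entry of the WebGate resource list from the article.
type Rule struct {
	Pattern string
	Level   string // "Protected" or "Excluded", as in the article
}

// Rules reproduces the six resources listed in the article, in the same order.
var Rules = []Rule{
	{"/ms_oauth/img/*", "Excluded"},
	{"/ms_oauth/style/*", "Excluded"},
	{"/ms_oauth/oauth2/endpoints/**", "Excluded"},
	{"/ms_oauth/oauth2/ui/**", "Protected"},
	{"/ms_oauth/oauth2/oammsui/**", "Excluded"},
	{"/oam/**", "Excluded"},
}

// Match reports whether an OAM-style pattern covers a request path.
// Assumed semantics: a single "*" matches within one path segment and
// "**" matches zero or more whole segments.
func Match(pattern, reqPath string) bool {
	p := strings.Split(strings.Trim(pattern, "/"), "/")
	s := strings.Split(strings.Trim(reqPath, "/"), "/")
	return matchSegments(p, s)
}

func matchSegments(p, s []string) bool {
	if len(p) == 0 {
		return len(s) == 0
	}
	if p[0] == "**" {
		// "**" may swallow zero or more segments; try every split point.
		for i := 0; i <= len(s); i++ {
			if matchSegments(p[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	if len(s) == 0 {
		return false
	}
	// path.Match handles "*" and globs such as "*.png" inside one segment.
	if ok, err := path.Match(p[0], s[0]); err != nil || !ok {
		return false
	}
	return matchSegments(p[1:], s[1:])
}

// Levels returns the level of every rule that matches reqPath, so a request
// covered by both an Excluded and a Protected rule is visible.
func Levels(reqPath string) []string {
	var out []string
	for _, r := range Rules {
		if Match(r.Pattern, reqPath) {
			out = append(out, r.Level)
		}
	}
	return out
}

// ConsentPageProtected is the check the WebGate requirement implies: the
// consent UI must hit a Protected rule and no Excluded rule.
func ConsentPageProtected(reqPath string) bool {
	protected, excluded := false, false
	for _, l := range Levels(reqPath) {
		protected = protected || l == "Protected"
		excluded = excluded || l == "Excluded"
	}
	return protected && !excluded
}

func main() {
	// Constructed sample request paths, not taken from a real deployment.
	for _, p := range []string{
		"/ms_oauth/oauth2/ui/oauthservice/showconsent",
		"/ms_oauth/oauth2/endpoints/oauthservice/tokens",
		"/ms_oauth/img/logo.png",
		"/ms_oauth/img/sub/logo.png",
	} {
		fmt.Printf("%-48s matches=%v consentProtected=%v\n", p, Levels(p), ConsentPageProtected(p))
	}
}
```

Run it before rolling the resource list out to a WebGate: a typo in the `ui/**` pattern, or an extra Excluded rule that also covers the consent path, shows up here as `consentProtected=false` rather than as the error described above during the 3-legged flow.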


In your Webserver create a new conf file with the following directives.


<Location /ms_oauth>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAM_JSESSIONID
WebLogicCluster thiagoserver1:port1, thiagoserver2:port2
</Location>

<Location /oam>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAM_JSESSIONID
WebLogicCluster thiagoserver1:port1, thiagoserver2:port2
</Location>
  • Set up your OAuth2 Service in order to create the resource server described above.


  • Resource Server tab.



  • Go to OAuth client registration.


  • Configure Scope - the "allow access to all scopes" option is used for this use case. As discussed in previous articles, scope is one of the most important pieces of the architecture and of the use-case definitions, so you need to be aware of it.

  • Access Token, which is a JWT, e.g. -



Establishing the Trust 

Again, in this article you see the three primary domains of trust in the OAM and OAuth solution that were mentioned in the architecture reference picture: Client, Resource and OAuth Server.

What are the key trust points here?
1) Trust between OAuth2 server and client
To verify the OWSM client's (signed) request for an access token, the OAuth2 service must have in its keystore the public key certificate corresponding to the private key used to sign the request.

OAuth2 server responds with a signed access token.

2) Trust between OAuth2 server and service
The service must also trust the (signed) access token sent by the OAuth2 server. To set up trust between the OAuth2 server and the service, import the OAuth2 server signing certificate into the resource server keystore.
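Both trust points come down to a signature check with a pinned key on the receiving side. The following Go program is an added example, not Oracle's code, and shows the resource-server side of point 2: it trusts only the OAuth2 server's signing public key (a freshly generated key pair stands in for the certificate imported into the keystore) and verifies the RS256 signature on a JWT access token before it believes any claim in it. The claim names, issuer URL and scope strings are assumptions for the demo, not values OAM is known to emit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of access-token claims this resource server checks. The
// names are generic JWT claims (the article does not show OAM's), so treat them
// as an assumption; Scope is a space-separated list.
type Claims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
}

// SignToken stands in for the OAuth2 server: it issues an RS256-signed JWT.
func SignToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the resource-server side. It trusts exactly one key, the OAuth2
// server's signing public key from the imported certificate, and it reads the
// claims only after the signature has verified against that key.
func VerifyToken(token string, trusted *rsa.PublicKey, wantIss, wantScope string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) // pinned: never honour "none" or HS*
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify against the trusted OAuth2 server key")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !strings.Contains(" "+c.Scope+" ", " "+wantScope+" "):
		return nil, fmt.Errorf("scope %q not granted", wantScope)
	}
	return &c, nil
}

// Demo generates one key standing in for the OAuth2 server's signing key and one
// untrusted key, then reports: genuine token accepted, token signed with the
// untrusted key rejected, expired token rejected. Claims are constructed samples.
func Demo() (bool, bool, bool) {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := Claims{Iss: "https://oam.example.com/ms_oauth", Scope: "profile.read orders.read", Exp: now.Add(time.Hour).Unix()}
	old := claims
	old.Exp = now.Add(-time.Minute).Unix()
	genuine, _ := SignToken(serverKey, claims)
	foreign, _ := SignToken(otherKey, claims)
	expired, _ := SignToken(serverKey, old)
	_, e1 := VerifyToken(genuine, &serverKey.PublicKey, claims.Iss, "orders.read", now)
	_, e2 := VerifyToken(foreign, &serverKey.PublicKey, claims.Iss, "orders.read", now)
	_, e3 := VerifyToken(expired, &serverKey.PublicKey, claims.Iss, "orders.read", now)
	return e1 == nil, e2 != nil, e3 != nil
}

func main() {
	fmt.Println(Demo()) // genuine accepted, foreign rejected, expired rejected
}
```

The order of checks matters: the algorithm is pinned and the signature is verified before any claim is parsed, so a token from a key outside the keystore is refused without its issuer, expiry or scope ever being consulted. In a real resource server the trusted key would be loaded from the keystore into which the OAuth2 server certificate was imported, not generated on the fly.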


SSO Session Linking for OAuth Tokens

In deployments where some resources are protected by OAM while others are accessed with OAuth, linking the SSO session with the access token is vital to achieve seamless SSO across the mix of applications. SSO session linking for OAuth tokens supports important OAuth deployments: two-legged flows required by native mobile apps, and synchronization of OAuth tokens with SSO tokens.




Summary

        The intention here is to explain and guide whoever is trying to work with Oracle OAM using the OAuth protocol. I will add more articles about OAuth with all the vendors we can work on.


I hope you liked it.

Happy coding,
Thiago Leoncio.
