
Integrating OAM users with OSB for OAuth

3670970 · Jul 22 2018 — edited Jul 23 2018

We have implemented OAuth on OAM (12c) and OSB (the Resource Server) using the steps outlined in Oracle Fusion Middleware Developing Services with Oracle Service Bus: 52.3 Securing Services with REST Endpoints Using OAuth

On OSB we have applied the OWSM policy oracle/http_jwt_token_client_policy and have added our OAuth client credentials (client id & secret) as a user in the WebLogic console.


The Standard 2 Legged OAuth flow works exactly as expected and we are able to request and use a JWT Access Token and OSB can correctly decode, verify and provide access to the policy protected service.

In the 2 Legged Flow the prn (user id) in the JWT is the OAuth client_id we created in OAM and have added to the OSB’s WebLogic users.

For the 3 Legged Flow we are able to retrieve an access token however the prn (user id - 123456) value in the JWT now refers to the individual user (resource owner). OSB has no knowledge of this user and is denying access with the following error:

    [oracle.wsm.policy.name: oracle/http_jwt_token_service_policy] The jwt token found in the request, [[
    Encoded token: [ eyJhbGc… ]
    Decoded token: [ JWT:-
       Header Segment:- {
         "alg":"###",
         "typ":"JWT",
         "x5t":"#####",
         "kid":"#####"
       }
       Claim Segment:-{
         "sub":"#######",
         "oracle.oauth.user_origin_id_type":"LDAP_UID",
         "oracle.oauth.user_origin_id":"123456",
         "iss":"example.domain.com",
         "oracle.oauth.svc_p_n":"OAuthServiceProfile",
         "iat":1531967652,
         "oracle.oauth.prn.id_type":"LDAP_UID",
         "oracle.oauth.tk_context":"resource_access_tk",
         "exp":1531971252,
         "prn":"123456",
         "jti":"#######-####-####-####-#########",
         "oracle.oauth.client_origin_id":"ClientID",
         "oracle.oauth.scope":"scope.ALL",
         "user.tenant.name":"DefaultDomain",
         "oracle.oauth.id_d_id":"12345678-1234-1234-1234-123456789012"
       }
    ] is invalid and token authentication failed

    [Security:090938] Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied.

We know a solution would be to add all our OAM users to OSB; however, with thousands of users which change regularly this is not feasible. Also, from a security perspective we might not want all the users to have access to the OSB services.

If anyone has implemented a similar flow, what other solutions are there to make OSB aware of OAM users?

Is there a way to make OSB look for "oracle.oauth.client_origin_id":"ClientID" instead of prn (User id)?
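The following is an added illustration, not code from the original post and not a description of how OWSM's oracle/http_jwt_token_service_policy is implemented. It shows, at the application level, the kind of check the question asks about: after the token's signature and expiry are verified, access is decided on the registered client (oracle.oauth.client_origin_id) and the granted scope rather than on whether prn matches a local WebLogic user, so both the 2-legged token (prn equals the client id) and the 3-legged token (prn is the resource owner, 123456) from the post are accepted for the same registered client. HS256 with a constructed shared secret is an assumption made to keep the example self-contained; OAM-issued tokens carry x5t/kid and must be verified against the issuer's signing certificate instead. The claim values are taken from the token dump above; REGISTERED_CLIENTS and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret (assumption). Real OAM tokens are signed with the
# issuer's private key; the resource server verifies with the matching cert.
DEMO_SECRET = b"demo-secret-not-a-real-key"
ISSUER = "example.domain.com"

# Clients the resource server knows about and the scopes each may present.
# This is the hypothetical "registered client" list the check keys on.
REGISTERED_CLIENTS = {"ClientID": {"scope.ALL"}}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT for the demo (stands in for OAM's token endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET,
                 now: Optional[int] = None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(claims: dict) -> Tuple[bool, str]:
    """Decide on the registered client and scope, not on prn being a local user."""
    if claims.get("iss") != ISSUER:
        return (False, "issuer mismatch")
    client = claims.get("oracle.oauth.client_origin_id")
    if client not in REGISTERED_CLIENTS:
        return (False, "unregistered client")
    scope = claims.get("oracle.oauth.scope")
    if scope not in REGISTERED_CLIENTS[client]:
        return (False, "scope not granted")
    # prn is carried through for auditing/logging only; it is not looked up locally.
    return (True, f"client={client} prn={claims.get('prn')} scope={scope}")


def decide(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Full pipeline: verify first, then authorize on the verified claims."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as err:
        return (False, str(err))
    return authorize(claims)


# Claims modelled on the post's token dump (2-legged: prn is the client id;
# 3-legged: prn is the resource owner 123456).
_BASE = {"iss": ISSUER, "iat": 1531967652, "exp": 1531971252,
         "oracle.oauth.client_origin_id": "ClientID",
         "oracle.oauth.scope": "scope.ALL", "oracle.oauth.tk_context": "resource_access_tk"}
TWO_LEGGED_CLAIMS = dict(_BASE, prn="ClientID")
THREE_LEGGED_CLAIMS = dict(_BASE, prn="123456",
                           **{"oracle.oauth.user_origin_id": "123456",
                              "oracle.oauth.prn.id_type": "LDAP_UID"})
NOW = 1531967700  # a moment inside the token's validity window


def tampered(token: str, new_prn: str) -> str:
    """Re-encode the claim segment with a different prn but keep the old signature."""
    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c))
    claims["prn"] = new_prn
    return f"{h}.{_b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    for label, claims in (("2-legged", TWO_LEGGED_CLAIMS), ("3-legged", THREE_LEGGED_CLAIMS)):
        print(label, decide(make_token(claims), now=NOW))
    print("tampered", decide(tampered(make_token(THREE_LEGGED_CLAIMS), "ClientID"), now=NOW))
    print("unknown client", decide(make_token(dict(THREE_LEGGED_CLAIMS,
          **{"oracle.oauth.client_origin_id": "OtherClient"})), now=NOW))
```

The ordering matters: the client and scope claims are only meaningful once the signature has been checked, otherwise a caller could simply assert any client_origin_id. Whatever component ends up making this decision in a real deployment (a custom assertion, a pipeline step after the policy, or a token exchange that issues OSB a client-scoped token), the same split applies: cryptographic verification against the issuer's key first, then an authorization rule that does not require prn to exist as a WebLogic user.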

Locked on Aug 20 2018
Added on Jul 22 2018
1 comment
994 views