52.9 OAuth Services Plug-ins

Oracle Adaptive Access Manager (OAAM) is an optional product that can screen Mobile OAuth Services transactions using a provided security plug-in.

Together, OAAM and the plug-in provide mobile-client fraud detection, knowledge-based authentication (for two-factor authentication after user name and password authentication), and one-time password functionality. If the Oracle Mobile Security Suite is deployed, the Mobile Security Manager plug-in gathers additional mobile device data for OAAM to screen.

To use OAAM with Mobile OAuth Services, the Adaptive Access security plug-in must be installed. This plug-in can add value during app registration when client tokens or user tokens are being validated or refreshed, and during token exchange.

OAAM rules and policies are defined in Oracle Adaptive Access Manager. The following is a brief description of the OAAM and Adaptive Access Plug-in features.

  • The Adaptive Access Plug-in enhances security by screening mobile app registration requests for both 2-legged and 3-legged flows. The plug-in runs fraud detection and risk analysis policy checks.

  • Knowledge-based authentication (KBA) and one-time password authentication (OTA) can also be integrated into the mobile app registration process. The OAuth Service REST API flows include sample challenge requests and responses that developers will need to implement in their apps.

  • Following registration, the Adaptive Access Plug-in screens user tokens for security violations instead of simply checking if the user token is valid. The result of this screening is either allowed or denied.

Using the Mobile Security Manager Plug-in Together With the Adaptive Access Plug-in

The Mobile Security Manager Plug-in is for use with Oracle Mobile Security Suite (OMSS). The Mobile Security Manager (MSM) component (part of OMSS) collects a rich set of mobile device data and passes it to the Adaptive Access Plug-in for use by OAAM. If Oracle Mobile Security Suite is not available, the Adaptive Access Plug-in instead uses the mobile device attribute values that the Mobile OAuth Services server obtains during mobile app requests.

Note:

The Mobile Security Manager plug-in requires special configuration before it can be used. See Configuring the Mobile Security Manager Plug-in for details.

If the Mobile Security Manager Plug-in is active, it runs first and sends its data to the Adaptive Access Plug-in, which runs second. The Adaptive Access Plug-in checks the result of the MSM compliance policy, which reports the compliance status of the device. If the compliance policy response is negative, the Adaptive Access Plug-in denies the mobile app request; if the response is positive, the Adaptive Access Plug-in passes the device data to Oracle Adaptive Access Manager for stronger authentication checks and risk evaluation. The Mobile Security Manager Plug-in gets device information and checks the MSM compliance policy in the following cases:

  • During the app registration flow following user authentication.

  • As part of the client token and user token validation process.
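The plug-in ordering described above (MSM first, then Adaptive Access; a negative compliance result denies the request outright, a positive one hands the device data to OAAM, and when OMSS is absent the Adaptive Access Plug-in falls back to the device attributes the OAuth server observed) can be modelled as a short chain. The following Python sketch is an added example, not Oracle's code: the class names, the `RequestContext`/`Decision` types, the compliance records and the risk rules in `OaamRiskEvaluator` are constructed assumptions standing in for the real MSM compliance policy and the OAAM rules, which are defined in OAAM itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical request context: what the OAuth server saw, plus what MSM adds.
@dataclass
class RequestContext:
    flow: str                     # "registration" or "token_validation"
    device_attrs: dict            # attributes the OAuth server observed in the request
    msm_device_data: Optional[dict] = None   # filled in by the MSM plug-in, if active
    msm_compliant: Optional[bool] = None     # None means MSM did not run

@dataclass
class Decision:
    allowed: bool
    reason: str
    challenge: Optional[str] = None   # e.g. "KBA" for step-up during registration

class MobileSecurityManagerPlugin:
    """Constructed stand-in for the MSM plug-in: collects device data and
    evaluates the compliance policy, then enriches the context. Returns None
    because it never decides on its own; the Adaptive Access plug-in does."""
    def __init__(self, records: Dict[str, Tuple[dict, bool]]):
        self._records = records   # constructed: device_id -> (device data, compliant?)

    def run(self, ctx: RequestContext) -> Optional[Decision]:
        device_id = ctx.device_attrs.get("device_id")
        data, compliant = self._records.get(device_id, ({}, False))  # unknown device: non-compliant
        ctx.msm_device_data = data
        ctx.msm_compliant = compliant
        return None

class OaamRiskEvaluator:
    """Constructed stand-in for OAAM's rule evaluation (real policies live in OAAM)."""
    def __init__(self, known_devices: List[str]):
        self._known = set(known_devices)

    def evaluate(self, flow: str, device_data: dict) -> Decision:
        if device_data.get("jailbroken"):
            return Decision(False, "high risk: jailbroken device")
        if flow == "registration" and device_data.get("device_id") not in self._known:
            # Unrecognised device at registration: allow, but require a KBA challenge.
            return Decision(True, "unrecognized device: step-up required", challenge="KBA")
        return Decision(True, "risk within policy")

class AdaptiveAccessPlugin:
    """Constructed stand-in for the Adaptive Access plug-in."""
    def __init__(self, evaluator: OaamRiskEvaluator):
        self._oaam = evaluator

    def run(self, ctx: RequestContext) -> Optional[Decision]:
        # Negative MSM compliance result: deny before OAAM is consulted.
        if ctx.msm_compliant is False:
            return Decision(False, "device failed MSM compliance policy")
        # Positive result: use MSM's richer data; no MSM: use server-observed attributes.
        device_data = ctx.msm_device_data if ctx.msm_device_data is not None else ctx.device_attrs
        return self._oaam.evaluate(ctx.flow, device_data)

def screen_request(ctx: RequestContext, plugins: list) -> Decision:
    """Run plug-ins in the configured order; the first Decision ends the chain.
    Fails closed if no plug-in decides."""
    for plugin in plugins:
        decision = plugin.run(ctx)
        if decision is not None:
            return decision
    return Decision(False, "no plug-in produced a decision")

def build_sample_chains() -> Tuple[list, list]:
    """Constructed sample deployment: one chain with OMSS/MSM, one without."""
    msm = MobileSecurityManagerPlugin({
        "dev-1": ({"device_id": "dev-1", "os": "iOS", "jailbroken": False}, True),
        "dev-2": ({"device_id": "dev-2", "os": "Android", "jailbroken": False}, False),
        "dev-3": ({"device_id": "dev-3", "os": "iOS", "jailbroken": True}, True),
    })
    adaptive = AdaptiveAccessPlugin(OaamRiskEvaluator(known_devices=["dev-1"]))
    return [msm, adaptive], [adaptive]

if __name__ == "__main__":
    with_msm, without_msm = build_sample_chains()
    for flow, dev in [("registration", "dev-2"), ("token_validation", "dev-1"),
                      ("registration", "dev-3")]:
        print(flow, dev, screen_request(RequestContext(flow, {"device_id": dev}), with_msm))
    print("no OMSS", screen_request(RequestContext("registration", {"device_id": "dev-9"}), without_msm))
```

The chain fails closed: an unknown device is treated as non-compliant by the constructed MSM records, and a chain with no deciding plug-in denies. The `msm_compliant is False` test (rather than `not msm_compliant`) is what keeps the no-OMSS deployment working, since `None` there means MSM never ran, not that the device failed.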

For more information: