53.5 Configuring a WebGate to Protect OAuth Services

You can configure a WebGate for use with OAuth Services. The WebGate protects the OAuth Services consent page and serves as a proxy so that client authorization and token endpoint requests access the WebGate rather than the Oracle Access Management server directly.

WebGates cannot be used to protect OAuth Services Resource Servers. These steps are for WebLogic environments only.

Note:

A WebGate proxy is required to use the 3-legged authorization scenario with an external LDAP directory server.

  1. Install the Oracle HTTP Server 11g Webgate for OAM using the instructions in Installing Webgates for Oracle Access Manager.

  2. Configure the WebGate by defining the following resource and creating an authentication policy and authorization policy.

    1. In the Oracle Access Management console, click Application Security at the top of the window.

    2. Under Access Manager, click Application Domains, then click Search to view the Application Domains on the Search Application Domains page.

    3. Click the target domain to open it for editing.

    4. Select the Resources tab.

    5. Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource is already present and can be found by searching on the Resource URL field.

      /ms_oauth/oauth2/ui/**

      Click to select the resource, then click the Edit button.

    6. Under the Protection heading, choose the following options from the menus and click Apply:

      Protection Level - Protected

      Authentication Policy - Protected HigherLevel Policy

      Authorization Policy - Protected Resource Policy

      These settings allow the Webgate to perform user authentication and user authorization.

    7. Add the following resources and set the Protection Level to Excluded:

      /ms_oauth/oauth2/endpoints/**
      /ms_oauth/oauth2/oammsui/**
      /ms_oauth/style/**
      /ms_oauth/img/**
      /oam/**

      The Webgate does not protect Excluded resources: requests to them are passed through without authentication or authorization.

  3. Add the following lines to the mod_wl_ohs.conf file and restart the Webgate. Replace the WebLogicHost and WebLogicPort values with the host and managed server port of the OAM server in your environment.

    # Proxy all OAuth Services requests (/ms_oauth/...) to the OAM managed server.
    # host123.us.example.com and 17100 are placeholders for your environment.
    # Debug ON and WLLogFile enable verbose plug-in logging while you validate the proxy.
    <IfModule weblogic_module>
          WebLogicHost host123.us.example.com
          WebLogicPort 17100
          Debug ON
          WLLogFile /tmp/weblogic.log
          MatchExpression /ms_oauth/*
    </IfModule>
    # Proxy all OAM managed server requests (/oam/...) to the same server.
    <IfModule weblogic_module>
          WebLogicHost host123.us.example.com
          WebLogicPort 17100
          Debug ON
          WLLogFile /tmp/weblogic.log
          MatchExpression /oam/*
    </IfModule>

  4. Update the Access Manager Load Balancing settings as follows:

    1. In the Oracle Access Management console, click Configuration at the top of the window.

    2. Select Access Manager from the View menu in the Settings section.

    3. In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the Webgate's host and port settings.

    4. Click Apply.
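The resource policy from step 2 and the mod_wl_ohs.conf proxy rules from step 3 only work together if every OAuth request path resolves to the intended protection level and is also forwarded to WebLogic. The following script is an added example, not Oracle code: it models the WebGate's resource matching (`**` spans path segments, `*` does not) and the mod_wl `MatchExpression` wildcard in a simplified way, parses a copy of the conf fragment above, and cross-checks a few constructed request paths. The sample paths (`consent.jsp`, `oauthservice/tokens`, `auth_cred_submit`) and the `audit` checks are assumptions made for the example; the matching rules are a simplification of OAM's actual precedence logic.

```python
"""Cross-check WebGate resource policy against mod_wl_ohs proxy rules.
Added example, not Oracle code. Pattern matching is a simplified model."""
import re

# Resource patterns and protection levels as configured in step 2.
RESOURCES = [
    ("/ms_oauth/oauth2/ui/**", "Protected"),
    ("/ms_oauth/oauth2/endpoints/**", "Excluded"),
    ("/ms_oauth/oauth2/oammsui/**", "Excluded"),
    ("/ms_oauth/style/**", "Excluded"),
    ("/ms_oauth/img/**", "Excluded"),
    ("/oam/**", "Excluded"),
]

# Copy of the mod_wl_ohs.conf fragment from step 3 (placeholder host and port).
MOD_WL_OHS_CONF = """
<IfModule weblogic_module>
      WebLogicHost host123.us.example.com
      WebLogicPort 17100
      Debug ON
      WLLogFile /tmp/weblogic.log
      MatchExpression /ms_oauth/*
</IfModule>
<IfModule weblogic_module>
      WebLogicHost host123.us.example.com
      WebLogicPort 17100
      Debug ON
      WLLogFile /tmp/weblogic.log
      MatchExpression /oam/*
</IfModule>
"""


def oam_pattern(pattern):
    """Simplified WebGate resource matching: ** crosses '/', * stays within a segment."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def wl_pattern(expr):
    """Simplified mod_wl MatchExpression: * matches any run of characters."""
    return re.compile("^" + ".*".join(re.escape(p) for p in expr.split("*")) + "$")


def classify(path, resources=RESOURCES):
    """Return (pattern, level) for the most specific matching resource, or (None, 'Unmatched')."""
    hits = [(p, lvl) for p, lvl in resources if oam_pattern(p).match(path)]
    if not hits:
        return None, "Unmatched"
    # Assumption: the longest literal prefix wins when several patterns match.
    hits.sort(key=lambda h: len(h[0].split("*")[0]), reverse=True)
    return hits[0]


BLOCK_RE = re.compile(r"<IfModule weblogic_module>(.*?)</IfModule>", re.S)


def parse_proxy_rules(conf_text):
    """Parse each <IfModule weblogic_module> block into a dict of directive -> value."""
    rules = []
    for body in BLOCK_RE.findall(conf_text):
        rule = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            rule[key] = value.strip()
        rules.append(rule)
    return rules


def proxied(path, rules):
    """Return (host, port) the request is forwarded to, or None if OHS serves it locally."""
    for rule in rules:
        if wl_pattern(rule["MatchExpression"]).match(path):
            return rule["WebLogicHost"], int(rule["WebLogicPort"])
    return None


def audit(conf_text, resources=RESOURCES):
    """List mismatches between expected protection, proxying and logging settings."""
    rules = parse_proxy_rules(conf_text)
    findings = []
    # Constructed sample request paths and the level each must receive.
    expectations = {
        "/ms_oauth/oauth2/ui/consent.jsp": "Protected",
        "/ms_oauth/oauth2/endpoints/oauthservice/tokens": "Excluded",
        "/oam/server/auth_cred_submit": "Excluded",
    }
    for path, want in expectations.items():
        levels = {lvl for p, lvl in resources if oam_pattern(p).match(path)}
        if "Protected" in levels and "Excluded" in levels:
            findings.append(f"{path}: matches both a Protected and an Excluded pattern; check precedence")
        _, got = classify(path, resources)
        if got != want:
            findings.append(f"{path}: expected {want}, got {got}")
        if proxied(path, rules) is None:
            findings.append(f"{path}: no mod_wl_ohs rule forwards it to WebLogic")
    for rule in rules:
        if rule.get("Debug", "OFF").upper() == "ON":
            findings.append(f"{rule['MatchExpression']}: Debug ON writes verbose proxy logs to {rule.get('WLLogFile', '(default)')}")
    return findings


if __name__ == "__main__":
    for finding in audit(MOD_WL_OHS_CONF):
        print(finding)
```

Run against the fragment from step 3 the audit reports only the two `Debug ON` settings, which is the expected state while troubleshooting; removing either `MatchExpression` rule, or adding an Excluded pattern that also matches the consent page, produces a finding, which is the kind of regression worth catching before the WebGate is restarted.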