OAuth Services has many components that must be configured before the authorization protocol can be used.
Descriptions of the OAuth Services components and how they work together can be found in Understanding the OAuth Services Components. This section includes information on configuring the OAuth Services components using the Oracle Access Management Console only. It contains the following topics:
See Configuring OAuth Services Components in an Identity Domain for introductory information about Identity Domains. The following section describes how to use the user interface to configure an Identity Domain. It includes the following topics:
You can create an Identity Domain using single step or using a wizard flow.
To create:
You can view, edit, and delete an OAuth Identity Domain.
To edit an OAuth Identity Domain:
When you view an existing identity domain or create a new one, the Identity Domain Configuration Summary tab displays form fields such as Identity Domain, Identity Domain UUID, and Allow Multiple Resource Servers.
This section describes the form fields on the Identity Domain Configuration Summary tab when viewing an existing identity domain or creating a new one.
Identity Domain - The name of the identity domain. If creating or editing an identity domain, type a unique name without spaces.
Description - (Optional) A short description to help you or another administrator identify this identity domain in the future.
Identity Domain UUID - The identification code that uniquely identifies this identity domain on the Internet. Click Generate to populate this field with a universal unique identifier code.
Allow Multiple Resource Servers - Select this option if the identity domain supports more than one resource server.
Note:
Selecting multiple resources requires that scopes are prefixed with the Resource Server name. For example, if you add PhotoService as a Resource Server, the scopes must be prefixed with PhotoService. This is done automatically while adding scopes in the Resource Server. The prefix can be changed to something different but unique.
The fields listed below appear on the Create Identity Domain page.
Service Profile
(Service Profile) Name - The name of the identity domain's service profile. Each identity domain requires at least one service profile. See Service Profiles - Identity Federation and OAuth Services for more information.
(Service Profile) Endpoint - The URL where the OAuth authorization service for this identity domain responds to authorization requests.
User Profile Service
(User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See Resource Servers - Identity Federation and OAuth Services for more information.
(User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests.
Consent Management Service
(Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Plug-Ins - Identity Federation and OAuth Services for more information.
(Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.
Review the form fields on the Create OAuth Identity Domain wizard flow page before creating an identity domain with the wizard.
Refer to the following sections for details on the form fields available in the Create OAuth Identity Domain wizard flow page:
Information - For help, see Identity Domain Configuration Page - Summary Tab.
Service Profile - For help, see Service Profile Configuration Page.
Mobile Service - For help, see "Mobile Service Settings" in Service Profile Configuration Page.
Tokens - For help, see "Tokens (Token Settings)" in Service Profile Configuration Page.
Summary - Review your settings and click Finish to create the identity domain.
You can configure a service profile using the user interface.
See Service Profiles - Identity Federation and OAuth Services for introductory information about Service Profiles. The following section describes how to use the user interface to configure a Service Profile. It includes the following topics:
You can create a service profile using the Service Profiles tab.
You can edit or delete a service profile from the Service Profile tab.
Identity Domain - The name of the identity domain to which this service profile applies. (Read-only)
Name - The name of this service profile.
Description - (Optional) A short description to help you or another administrator identify this service profile in the future.
Service Enabled - Select to activate the service profile, or clear the option box to inactivate it.
Service Provider - The name of the OAuth Service Provider that corresponds with this OAuth Service Profile.
Service Endpoint - The URL where the OAuth authorization service responds to authorization requests.
User Store
User Authenticator - For user authentication, choose OAM to use the Oracle Access Management token provider, or choose IDS to use the Identity Directory Service token provider. Only choose IDS authentication if the OAM token is not used at all (for example, if only the JWT token is used). If both OAM and JWT tokens are used, choose OAM authentication to avoid duplicated authentication attempts sent by both IDS and OAM.
Identity Store Name - The name of the identity store when IDS is configured as the user authenticator.
User Profile Service
(User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See User Profile Services for more information.
(User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests.
Consent Management Service
(Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Consent Management Services for more information.
(Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.
Plug-Ins
Choose available plug-ins from the menus in the following categories. See Plug-Ins - Identity Federation and OAuth Services for more information.
Adaptive Access - Runs Oracle Adaptive Access Manager (OAAM) fraud detection and risk analysis policy checks, enhancing authenticity and the trust level of a user.
Mobile Security Manager - Gathers mobile device data from the Mobile Security Manager (MSM) component (part of Oracle Mobile Security Suite) and sends it, as well as the MSM compliance status, to the Adaptive Access Plug-in for stronger authentication checks and risk evaluation.
Custom Token Attributes - Defines security policy around the token service provider. See OAuth Services Access Tokens for more information.
Client - Delegates the following to an external security module: confidential client authentication, client authorization, and client profile reading.
Resource Server Profile - Delegates the following to an external security module: confidential resource server authentication, resource server authorization, and resource server profile reading.
Authorization & Consent Service - Defines security policy around interactions where authorization and user consent are granted. This plug-in can influence claims in a generated token as well.
Attributes
Add or delete service profile attributes and their values to further configure the OAuth service profile.
For JWT token generation and validation, configure the following parameters:
jwt.cert.alias
jwt.trusted.issuer.size
jwt.trusted.issuer.1
jwt.trusted.issuer.2
Note:
For details, see Configuring OAuth Services for Third-Party JWT Bearer Assertions.
Table 53-1 OAuth Service Profile Configuration Attributes
Name | Value | Notes |
---|---|---|
jwt.cert.alias | | Private key alias name for the signing certificate in the keystore. The default alias will be used if this attribute is not specified. |
 | | The cryptographic algorithm used to sign the contents of the JWT token. The default value is |
 | | The issuer of the tokens (that is, the |
jwt.trusted.issuer.size | 2 | The number of trusted issuers. The value can be any number of trusted issuers. For example, if the number is 2, the following matching parameters need to be specified. |
jwt.trusted.issuer.1 | | The alias name for the public key of the first trusted issuer in the key store. See |
jwt.trusted.issuer.2 | | The alias name for the public key of the second trusted issuer in the key store. See |
 | | If set to true, the current OAuth Services profile is created automatically as part of domain creation. Otherwise, it is created manually. |
 | | If set to true, a client ID and secret (password) can be used as credentials to interact with OAuth Services for token validation and termination requests. If set to false, only a JWT/SAML client assertion can be used as client credentials to interact with OAuth Services for token validation and termination requests. |
 | | The tenant claim name in the tokens issued by OAuth Services. By default this is set using the identity domain name. |
 | Value to be specified | By default this is set with the value of the |
 | Value in seconds to be specified | The default value is |
 | | This attribute applies to mobile clients using the JWT SSO authentication mechanism. It is used with 2-legged flows only. (For 3-legged flows, the browser manages the session.) true: the user must authenticate for each app registration (mobile apps are not registered using the server-side JWT user token), and OAuth Services shows a login page for the user to submit credentials. false: mobile apps are registered using the server-side JWT user token. By default |
Mobile Service Settings
Supported Platforms - Choose iOS, Android, and/or Others:
iOS - The authorization server accepts requests from iOS clients if selected.
Android - The authorization server accepts requests from Android clients if selected.
Others - The authorization server accepts requests from clients other than iOS or Android if selected.
iOS Security Level - Choose Advanced or Standard:
Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S).
Standard - All client registrations and token acquisitions are done using HTTP(S).
Android Security Level - Choose Advanced or Standard:
Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S).
Standard - All client registrations and token acquisitions are done using HTTP(S).
Android Sender ID - Enter the GCM sender ID that is required for Android push notification.
Android API Key - Enter the API key required for Android push notification.
Consent Service Protection - Authorization requests are routed to the consent service, which requires the user to log in and give consent. Select OAM or Third-Party Access Management, JWT Authentication, or Social Authentication.
OAM or Third-Party Access Management - Use either Oracle Access Management or a third-party option for consent page protection.
JWT Authentication - Use the OAuth server itself for consent page protection. If using the OAuth server for consent page protection, the authentication flow is determined by the User Store setting.
Social Authentication - Use the Social Identity service for consent page protection.
Require User Consent for Client Registration - Select this option to require the user to give authorization before registering each Mobile OAuth application installation instance on a mobile device.
Enable Server-Side Single Sign-On - Determines if the server will provide single sign-on among multiple apps on the same device or if it is the client responsibility. Single sign-on is either achieved by storing a JWT user token or an OAM user token in the Server-Side Device Store, or by returning the user token to the client to manage. Server-side SSO applies to 2-legged Mobile OAuth flows only. If this option is selected, after registering the first app the server stores the user token and does not return it to the mobile device. If this option is not selected, the tokens are sent to the mobile device and are not stored in the Server Device Store. For more information, see Understanding Mobile OAuth Services Server-Side Single Sign-on.
Preferred Hardware IDs - Use the list to prioritize the hardware ID attributes that should be used to uniquely identify mobile devices. The first available hardware ID from the list will be used.
Mobile Client Attributes - Add or delete mobile client attributes and their values as needed if the server requires additional attributes.
Configuration Settings
Clients
Allow access to all clients - Select if all clients in the identity domain should use this service profile. Clear this option to select which clients will be able to access the service profile.
Client Table - Add to the table the clients that should be able to access the service profile. Click Browse Clients, then select the clients to add to the table. To assign a client to a different service profile, click the box to the left of the client name and click Remove.
Tokens (Token Settings)
Use this tab to configure token settings, as well as the custom attributes that OAuth Services should embed in access tokens.
Tokens
Token Name - The name of the token.
Expires - The length of time in minutes after which the token is no longer valid.
Refresh Token Enabled - Select this option to allow a refresh token to be used. A refresh token cannot be used with a client verification code or an authorization code. See About OAuth Services Tokens for more information.
Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.
Life Cycle Enabled - Select this option if OAuth Services should cache a token and save it in the database until the token expires.
Custom Attributes
Use this section to define custom attributes that OAuth Services embeds in the access tokens. See OAuth Services Access Tokens for more information about custom attributes.
Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1.
Dynamic Attributes - User-profile specific attributes.
Resource Servers (Custom Resource Servers)
Use this tab to choose which custom resource servers clients should have access to. A custom resource server is any resource server other than the User Profile and Consent Management resource servers that are included with OAuth Services.
Allow clients access to all resource servers - Select to allow clients to access all resource servers configured in the identity domain. Clear this option to select which resource servers clients will be able to access.
Available Servers / Selected Servers - Use the arrows to move the resource servers that clients should be able to access from the Available Servers box to the Selected Servers box. (This option is only available if the Allow clients access to all resource servers option is not selected.)
System Resource Servers
Use this tab to configure if clients should have access to the user profile service and/or consent management service.
User Profile Services - Use the arrows to move the user profile server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services.
Consent Management Services - Use the arrows to move the consent management server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services.
Trusted Issuers
Use this tab to add certificate issuers who can be used to validate tokens. Click Add to add a record to the table; select a row and click Remove to delete a record from the table.
Certificate Alias - The alias name.
Trusted Issuer - The name of the trusted certificate issuer.
Certificate Thumb Print - x5t - The base64url encoded digest of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign certificates.
Key identifier - kid - The key ID value that indicates which key is used to secure certificates.
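The following is an added example, not Oracle's code, showing the validation that the jwt.trusted.issuer.* attributes (above, under Attributes) and the Trusted Issuers tab together describe: the attributes enumerate the issuers the server trusts, each Trusted Issuers row binds an issuer to a certificate alias and kid, and x5t is the base64url SHA-1 thumbprint of the DER certificate. The issuer URLs, aliases, kids and the HMAC keys standing in for the keystore's certificates are constructed assumptions so that the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t(der_cert: bytes) -> str:
    """Certificate Thumb Print as on the Trusted Issuers tab: base64url(SHA-1(DER))."""
    return b64url(hashlib.sha1(der_cert).digest())


def trusted_issuers(attrs: dict) -> list:
    """Expand jwt.trusted.issuer.size and jwt.trusted.issuer.N into an ordered list.
    A size larger than the number of configured issuers is a misconfiguration."""
    size = int(attrs.get("jwt.trusted.issuer.size", "0"))
    issuers = []
    for n in range(1, size + 1):
        iss = attrs.get(f"jwt.trusted.issuer.{n}")
        if not iss:
            raise ValueError(f"jwt.trusted.issuer.{n} is missing but size is {size}")
        issuers.append(iss)
    return issuers


def validate_assertion(token: str, attrs: dict, issuer_rows: dict,
                       keystore: dict, now: float) -> dict:
    """Return the claims of an acceptable JWT bearer assertion, or raise ValueError.

    issuer_rows maps issuer -> {"alias": ..., "kid": ...} (one Trusted Issuers row each);
    keystore maps a certificate alias to its key material.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError as exc:  # wrong part count, bad base64url and bad JSON all land here
        raise ValueError("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    iss = claims.get("iss")
    if iss not in trusted_issuers(attrs):
        raise ValueError(f"issuer not trusted: {iss!r}")
    row = issuer_rows[iss]
    # The configured issuer row decides which key is used; the token header may only
    # confirm it. An unregistered kid or a different alg is refused, never looked up.
    if header.get("alg") != "HS256" or header.get("kid") != row["kid"]:
        raise ValueError("alg or kid does not match the trusted issuer's registration")
    key = keystore[row["alias"]]
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature does not verify with the registered key")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion missing exp or expired")
    return claims


def mint(key: bytes, kid: str, claims: dict) -> str:
    """Produce a compact JWS the way a trusted issuer would (test data generator)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Constructed configuration: two trusted issuers, as the page's size=2 example describes.
PROFILE_ATTRS = {
    "jwt.trusted.issuer.size": "2",
    "jwt.trusted.issuer.1": "https://idp.partner-a.example",
    "jwt.trusted.issuer.2": "https://idp.partner-b.example",
}
ISSUER_ROWS = {  # Trusted Issuers tab: issuer -> certificate alias and kid (constructed)
    "https://idp.partner-a.example": {"alias": "partner-a-cert", "kid": "pa-2024"},
    "https://idp.partner-b.example": {"alias": "partner-b-cert", "kid": "pb-2024"},
}
KEYSTORE = {  # alias -> key; HMAC secrets stand in for the certificates' public keys
    "partner-a-cert": b"constructed-key-material-for-partner-a",
    "partner-b-cert": b"constructed-key-material-for-partner-b",
}
NOW = 1_700_000_000  # fixed clock so results are reproducible


def rejected(token: str) -> bool:
    """True if the assertion is refused by the profile configured above."""
    try:
        validate_assertion(token, PROFILE_ATTRS, ISSUER_ROWS, KEYSTORE, NOW)
        return False
    except (ValueError, KeyError):
        return True


def good_token() -> str:
    return mint(KEYSTORE["partner-a-cert"], "pa-2024",
                {"iss": "https://idp.partner-a.example", "sub": "alice", "exp": NOW + 300})


if __name__ == "__main__":
    print(validate_assertion(good_token(), PROFILE_ATTRS, ISSUER_ROWS, KEYSTORE, NOW))
    # Signed with partner B's key but claiming issuer A: the signature check fails.
    print(rejected(mint(KEYSTORE["partner-b-cert"], "pa-2024",
                        {"iss": "https://idp.partner-a.example", "exp": NOW + 300})))
```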
See Clients - Identity Federation and OAuth Services for introductory information about OAuth Services Clients. The following section describes how to use the user interface to configure a Web client and a mobile client. It includes the following topics:
When you view an existing Web client or create a new one, the OAuth Web Client Configuration page displays form fields such as Identity Domain, Client ID, and Client Secret.
The form fields on the Web Client Configuration page are as follows:
Identity Domain - The name of the identity domain in which this OAuth Web client is registered. (Read-only)
Name - The name of this OAuth client.
Description - (Optional) A short description to help you or another administrator identify this OAuth Web client in the future.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.
Client ID - The unique ID that the authorization server created for this client during registration. (Read-only)
Client Secret - A secret value known to the OAuth authorization service and the client. The authorization service checks the client secret and the client ID when it receives token endpoint requests from the client.
HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.
Privileges
Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.
Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.
Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.
Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:
Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.
Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.
Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server.
In addition to the grant types defined in the OAuth 2.0 standard, the following options are also available:
Refresh Token - Select this option to return a refresh token together with an access token in the token response. See About OAuth Services Tokens for more information.
JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token.
SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token.
OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token.
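As an added example that is not Oracle's code, this is how the Privileges and Grant Types above translate into checks at the authorization and token endpoints: the grant type must be enabled for the client, each requested scope must resolve to a resource server in the identity domain through the Resource Server name prefix described in the Allow Multiple Resource Servers note and be in Allowed Scopes unless Allow Access to all Scopes is set, a consent page is needed only when neither Bypass User Consent nor the resource server's own setting exempts it, and an authorization-code redirect_uri must exactly match a registered HTTP Redirect URI. The clients, resource servers, scope names and URIs are constructed; the grant type strings are the RFC 6749 and RFC 7523 wire values.

```python
from dataclasses import dataclass

# Wire values for the grant types listed on the page (RFC 6749 / RFC 7523).
AUTHORIZATION_CODE = "authorization_code"
RESOURCE_OWNER_CREDENTIALS = "password"
CLIENT_CREDENTIALS = "client_credentials"
REFRESH_TOKEN = "refresh_token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


@dataclass(frozen=True)
class ResourceServer:
    name: str
    scopes: frozenset          # prefixed with the server name, e.g. PhotoService.read
    requires_consent: bool = True


@dataclass(frozen=True)
class WebClient:
    client_id: str
    redirect_uris: frozenset   # HTTP Redirect URIs
    grant_types: frozenset     # Grant Types enabled under Privileges
    allowed_scopes: frozenset = frozenset()
    allow_all_scopes: bool = False      # Allow Access to all Scopes
    bypass_user_consent: bool = False   # Bypass User Consent


class AuthorizationError(Exception):
    pass


def resource_server_for(scope: str, servers: dict) -> ResourceServer:
    """Resolve 'PhotoService.read' to the PhotoService resource server via its prefix."""
    prefix, _, _ = scope.partition(".")
    server = servers.get(prefix)
    if server is None or scope not in server.scopes:
        raise AuthorizationError(f"unknown scope {scope!r}")
    return server


def evaluate(client: WebClient, servers: dict, grant_type: str,
             scopes: list, redirect_uri: str = None) -> dict:
    """Decide a request: returns the granted scopes and whether a consent page is needed."""
    if grant_type not in client.grant_types:
        raise AuthorizationError(f"grant type {grant_type!r} not enabled for {client.client_id}")
    if grant_type == AUTHORIZATION_CODE and redirect_uri not in client.redirect_uris:
        # Exact string comparison: no prefix, wildcard or host-only matching.
        raise AuthorizationError(f"redirect_uri {redirect_uri!r} is not registered")
    consent_required = False
    for scope in scopes:
        server = resource_server_for(scope, servers)
        if not client.allow_all_scopes and scope not in client.allowed_scopes:
            raise AuthorizationError(f"scope {scope!r} not in Allowed Scopes")
        # Bypass User Consent overrides the resource server setting when selected; otherwise
        # the resource server decides. Only the 3-legged flow has a resource owner to ask.
        if (grant_type == AUTHORIZATION_CODE and server.requires_consent
                and not client.bypass_user_consent):
            consent_required = True
    return {"client_id": client.client_id, "granted_scopes": sorted(scopes),
            "consent_required": consent_required}


# Constructed identity domain with Allow Multiple Resource Servers selected.
SERVERS = {
    "PhotoService": ResourceServer("PhotoService",
                                   frozenset({"PhotoService.read", "PhotoService.write"})),
    "Billing": ResourceServer("Billing", frozenset({"Billing.read"}), requires_consent=False),
}
PHOTO_APP = WebClient(  # constructed 3-legged web client with a narrow scope list
    client_id="photo-web-app",
    redirect_uris=frozenset({"https://photos.example.com/oauth/callback"}),
    grant_types=frozenset({AUTHORIZATION_CODE, REFRESH_TOKEN}),
    allowed_scopes=frozenset({"PhotoService.read"}),
)
REPORTING_JOB = WebClient(  # constructed 2-legged client trusted with every scope
    client_id="nightly-report",
    redirect_uris=frozenset(),
    grant_types=frozenset({CLIENT_CREDENTIALS}),
    allow_all_scopes=True,
    bypass_user_consent=True,
)


def denied(client: WebClient, grant_type: str, scopes: list, redirect_uri: str = None) -> bool:
    """True if the request is refused against the constructed identity domain."""
    try:
        evaluate(client, SERVERS, grant_type, scopes, redirect_uri)
        return False
    except AuthorizationError:
        return True


if __name__ == "__main__":
    print(evaluate(PHOTO_APP, SERVERS, AUTHORIZATION_CODE, ["PhotoService.read"],
                   "https://photos.example.com/oauth/callback"))
    print(denied(PHOTO_APP, AUTHORIZATION_CODE, ["PhotoService.write"],
                 "https://photos.example.com/oauth/callback"))
```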
Attributes
Add or delete custom attributes that the authorization server returns to the client along with the scope settings.
Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.
Table 53-2 Web Client Attributes Names and Values
Name | Value | Notes |
---|---|---|
 | Space separated values. | Used when the OAuth server generates a client assertion and a user assertion. The |
When you view an existing Web client or create a new one, the Web Client Configuration page displays form fields such as Identity Domain, Client ID, and HTTP Redirect URIs.
The form fields on the Web Client Configuration page are as follows:
Identity Domain - The name of the identity domain in which this OAuth Web client is registered. (Read-only)
Name - The name of this OAuth client.
Description - (Optional) A short description to help you or another administrator identify this OAuth Web client in the future.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.
Client ID - The unique ID that the authorization server created for this client during registration. (Read-only)
HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.
Privileges
Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.
Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.
Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.
Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:
Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.
Implicit - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.
Attributes
Add or delete custom attributes that the authorization server returns to the client along with the scope settings.
Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.
When you view an existing Mobile client or create a new one, the Mobile Client Configuration page displays form fields such as Identity Domain, Client ID, and Jailbreaking Detection.
This section describes the form fields on the Mobile Client Configuration page when viewing an existing Mobile client or creating a new one. The OAuth Web Client Configuration page is described in the previous section.
Identity Domain - The name of the identity domain in which this OAuth mobile client is registered. (Read-only)
Name - The name of this OAuth client.
Description - (Optional) A short description to help you or another administrator identify this OAuth mobile client in the future.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.
Client ID - The unique ID that the authorization server created for this client during registration. (Read-only)
Jailbreaking Detection - Select to enable jailbreak detection for mobile devices. See Jailbreak Detection Policy - OAuth Services for more information.
Mobile Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.
Privileges
Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.
Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.
Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.
Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with OAuth Services for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:
Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.
Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.
Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server.
Refresh Token - Select this option to return a refresh token together with an access token in the token response. See About OAuth Services Tokens for more information.
JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token.
SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token.
OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token.
Client Verification Code - Used by mobile clients to request a pre-verification code from the OAuth server, which is subsequently used in mobile client flows.
Apple Push Notification
Applies to iOS devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using the Apple Push Notification Service (APNS). Use the following fields to configure how the OAuth server connects to APNS for this specific client app.
Connection Settings - Select Enabled to send a portion of security codes and tokens to the mobile client app using APNS. (The portions not sent using APNS are sent using HTTPS.) Clear this option if you do not want to use APNS for this mobile client app.
Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool.
Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool.
Keep Alive - The Apple Push Notification keep alive value in seconds.
Certificate for APNS Communication Setup - Choose Development to use the Apple development environment for initial development and testing of the application; choose Production to use Apple's production environment.
SSL/TLS Certificate for Development - Click Browse to navigate to the development SSL/TLS certificate issued by Apple for the Apple Push Notification Service.
Development Certificate Password - Type the development password for the Apple Push Notification certificate.
SSL/TLS Certificate for Production - Click Browse to navigate to the production SSL/TLS certificate issued by Apple for the Apple Push Notification Service.
Production Certificate Password - Type the production password for the Apple Push Notification certificate.
Google Application Settings
Applies to Android devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using Google Cloud Messaging (GCM) for Android. Use the following fields to configure how the OAuth server connects to the GCM service for this specific client app.
Restricted Package Name - The Google restricted package name.
Mobile Service Settings
Override the default settings - By enabling Override the default settings in a Mobile Client profile, an administrator can set the security level and enable server-side single sign-on at the client level. When set, these client settings override the same settings in the OAuth Services Service Profile mobile configuration. This can be used if a particular client in an identity domain needs a behavior that is different from what is defined in the OAuth Services Service Profile.
Configuration Settings
Device Claim Attributes - Specifies the device attributes that the system should collect for device fingerprinting. If empty, the system collects every attribute in the SDK.
Mobile Custom Attributes - Specifies key-value pairs that should be sent to mobile applications using app profiles. (Mobile applications request app profiles that contain server-side settings, including endpoints, jailbreak detection policies, and security level details.)
Attributes
Add or delete custom attributes that the authorization server returns to the client along with the scope settings.
Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.
See Service Providers - Identity Federation and OAuth Services for introductory information about Service Providers. The following section describes how to use the user interface to configure a Service Provider. It includes the following topics:
Note:
Only one Service Provider can be configured at a time.
You can edit or delete a Service Provider from the Service Providers tab.
Following are the form fields on the Service Provider Configuration page:
Identity Domain - The name of the identity domain with which this Service Provider is registered. (Read-only)
Name - The name of this service provider.
Description - (Optional) A short description to help you or another administrator identify this service provider.
Service Provider Java Class - The Java class that implements this service provider.
Attributes
Use the attribute settings in Table 53-3 to configure the Service Provider connection with Access Manager.
Table 53-3 OAuth Service Provider Attributes for Access Manager
Name | Value | Notes |
---|---|---|
| | | Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include: To update these settings, see Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode. |
| | | Specify the host name and port number of the primary Oracle Access Management server. |
| | | Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_1. The default value is 4. |
| | | Specify the host name and port number of the secondary Oracle Access Management server. |
| | | Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_2. The default value is 4. |
| | | Specifies if Mobile and Social should use "local mode" or "remote mode" to communicate with the OAM server. If the attribute value is set to false, Mobile and Social communicates with OAM over TCP/IP. If set to true (or if this attribute is undefined), Mobile and Social uses a direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile and Social only communicated with OAM using TCP/IP (that is, remote mode). Now communication defaults to local, which is faster. To configure Mobile and Social to communicate with OAM 10g, set the |
You can configure a Resource Server using the user interface.
See Resource Servers - Identity Federation and OAuth Services for introductory information about Resource Servers. The following section describes how to use the user interface to configure a Resource Server. It includes the following topics:
OAuth Services provides two out-of-the-box services modeled as Resource Servers and protected with an Access Token. For configuration information on the User Profile Services and Consent Management Services Resource Servers, see Configuring User Profile Services and Configuring Consent Management Services respectively.
You can create a Custom Resource Server from the Resource Servers tab.
You can edit and delete a Resource Server from the Resource Servers tab.
The tabs and form fields in the Custom Resource Servers Configuration Page are discussed here.
Identity Domain - The name of the identity domain to which this resource server applies. (Read-only)
Name - The name of this resource server (or resource service).
Description - (Optional) A short description to help you or another administrator identify this resource server in the future.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.
Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the resource server. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.
Audience Claim - Identifies the audiences for which the OAuth token is intended. Each principal intended to process the OAuth token must identify itself with a value in Audience Claim.
Resource Server ID - The unique ID created for this resource server during registration. (Once the resource server configuration is saved, this field cannot be changed.)
Scopes
Click Add to add a new row to the scopes table. Click to select a row, then click Delete to remove it.
Name - Type a scope definition. Use dot notation, for example: photo.read
Description - Type a short note that describes the scope.
Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.
Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.
Token Settings
Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page.
Token Name - The name of the token.
Expires - The length of time in minutes after which the token is no longer valid.
Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.
Custom Attributes
Use this section to define custom attributes that OAuth Services embeds in the access tokens. See OAuth Services Access Tokens for more information about custom attributes.
Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1.
Dynamic Attributes - User-profile specific attributes.
You can configure an instance for the User Profile Services using the console.
See User Profile Services for introductory information about the User Profile Services. The following section describes how to use the console to configure an instance for the User Profile Services.
You can create a New User Profile Service from the Resource Servers tab.
You can edit the User Profile Service from the Resource Servers tab.
You can configure the User Profile Service from the User Profile Services Configuration Page.
Use this page to configure the User Profile Service. This service supports OAuth 2.0 authorization and allows clients to interact with a back-end directory server and perform User Profile REST operations on Person, Group, and Relationship entities.
Identity Domain - The name of the identity domain to which this service profile applies. (Read-only)
Name - The name of this service profile.
Description - (Optional) A short description to help you or another administrator identify this service profile in the future.
Service Enabled - Select to enable the service, or clear the option box to disable it.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients. If enabled, the user consent form notifies the user that user-profile-specific details will be shared with the client. See OAuth Services Access Tokens for more information about custom attributes.
Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim.
Resource Server ID - The unique ID that OAuth Services created for this User Profile resource server. (Read-only)
Service Endpoint - The URI where the service receives and responds to create, read, update, and delete user profile service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575
Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.
Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the user profile service.
Identity Store Name - The name of the identity store that contains the user records.
Scopes
Security Protection
Configure individual permission settings for person, relationship, and group entities. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names:
URI - The URI segment for which the scope is defined.
/me - Designates operations that apply to the user logged in to the client
/users - Designates operations that apply to other users
/groups - Designates operations that apply to groups
/secretkey - Designates operations that apply to secret key management
Service Enabled - Select to enable the service for this scope.
Allow Read - Select to allow read operations for this scope.
Allow Write - Select to allow write operations for this scope.
Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope.
OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write
Description - Type a short note that describes the scope.
Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.
Identity Attributes of the Selected Scope - Click an entity row in the Security Protection table to view the Attribute table for that entity. Click Add to add a record to the table; select a row and click Delete to remove the record.
Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.
Token Settings
Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page.
Token Name - The name of the token.
Expires - The length of time in minutes after which the token is no longer valid.
Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.
Proxy Authentication
Select Proxy Authentication to allow the identity of a user using a web application (also known as a "proxy") to be passed through the application to the database server. Oracle Unified Directory (OUD) and Active Directory (AD) support proxy authentication. The Access Control option is simply to provide Proxy Authentication support for directory servers that do not have it built in. See Proxy Authentication for more details.
Attributes
Use this section to define user-profile specific (dynamic) attributes.
Table 53-4 User Profile Service Attributes
Name | Value |
---|---|
Resource URIs
Use this section to enable or disable the /me, /users, /groups, /secretkey services, and define the service endpoint URIs and provider implementation class paths for these services.
Service Endpoint - The URI where the service receives and responds to service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575
Entities
Use the fields in this section to configure entity relationships.
Name - The name of the defined entity relationship.
Identity Directory Service Relation - Choose the directory service relationship that is to be accessed by the relationship End Point segment.
End Point - Type an entity relationship URI segment that will be used to access a corresponding data column in the Identity Directory service. For example, if memberOf is the End Point URI, then
http://<host>:<port>/.../idX/memberOf
would be the URI to access related entities of an entity with ID idX.
Source Entity URI - The URI (or URL) of the source entity.
Destination Entity URI - The URI (or URL) of the destination entity.
Scope for Requesting Recursion - Use Scope attribute values with the scope query parameter to retrieve a nested level of attributes in a relationship search. To access related entities recursively, type the value to be used. The default configuration uses two scope attribute values: toTop and all. If the Scope for Requesting Recursion value is the attribute value all, then the following REST URI example is used to make the request:
http://host:port/.../idX/reports?scope=all
In this example, the URI returns the entities related to the entity with ID idX, as well as all further related entities.
Attributes
Use this section to define user-profile entity specific (dynamic) attributes.
You can configure the Consent Management Services using the user interface.
See Consent Management Services for introductory information about the Consent Management Services. The following section describes how to use the user interface to configure the Consent Management Services.
You can create a New Consent Management Service from the Resource Servers tab.
You can edit an Existing Consent Management Service from the Resource Servers tab.
The Consent Management Services handle consent storage, retrieval, revocation, and consent validation operations. You can configure the Consent Management Services.
Following are the form fields in the Consent Management Services configuration page:
Identity Domain - The name of the identity domain to which this consent management service applies. (Read-only)
Name - The name of this consent management service.
Description - (Optional) A short description to help you or another administrator identify this service in the future.
Service Enabled - Select to enable the service, or clear the option box to disable it.
Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients, resource servers, and the resource owner.
Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim.
Resource Server ID- The unique ID that the authorization server created for this resource server during registration. (Read-only)
Service Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.
Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.
Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the consent management service.
Scopes
Security Protection
Configure individual permission settings. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names:
URI - The URI segment for which the scope is defined.
/retrieve
/grant
/revoke
Allow Read - Select to allow read operations for this scope.
Allow Write - Select to allow write operations for this scope.
Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope.
OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write
Description - Type a short note that describes the scope.
Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.
Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.
Token Settings
Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth service profile page.
Token Name - The name of the token.
Expires - The length of time in minutes after which the token is no longer valid.
Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.
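The Security Protection, Audience Claim and Token Settings fields above (for both the User Profile Services and the Consent Management Services pages) describe what a protected resource service checks before serving a request. The following is an added example, not Oracle's code: it models that decision with constructed tables, a constructed token layout and a fixed clock; the URI segments and flag names follow the pages above, while the scope strings, audience values and the 60-minute expiry are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ProtectionRow:
    """One row of the Security Protection table described above."""
    uri: str              # URI segment the scope is defined for, e.g. "/me"
    service_enabled: bool
    allow_read: bool
    allow_write: bool
    unprotected: bool     # True: access to this URI is not limited by scope
    oauth_scope: str      # OAuth Scope value in dot notation


@dataclass(frozen=True)
class AccessToken:
    """Constructed view of the claims a resource server looks at."""
    audience: frozenset    # values carried in the aud claim
    scopes: frozenset      # scopes granted to the client
    issued_at: datetime
    expires_minutes: int   # the "Expires" token setting, in minutes


# Constructed tables for this example (not the product's defaults).
USER_PROFILE_TABLE: Tuple[ProtectionRow, ...] = (
    ProtectionRow("/me", True, True, True, False, "UserProfile.me"),
    ProtectionRow("/users", True, True, False, False, "UserProfile.users"),
    ProtectionRow("/groups", True, True, True, True, "UserProfile.groups"),
    ProtectionRow("/secretkey", False, True, True, False, "UserProfile.secretkey"),
)
CONSENT_TABLE: Tuple[ProtectionRow, ...] = (
    ProtectionRow("/retrieve", True, True, False, False, "Consent.retrieve"),
    ProtectionRow("/grant", True, False, True, False, "Consent.grant"),
    ProtectionRow("/revoke", True, False, True, False, "Consent.revoke"),
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def sample_token(scopes: Iterable[str], issued_minutes_ago: int,
                 audience: str = "userprofile-rs") -> AccessToken:
    """Build a constructed token whose Expires setting is 60 minutes."""
    return AccessToken(frozenset({audience}), frozenset(scopes),
                       SAMPLE_NOW - timedelta(minutes=issued_minutes_ago), 60)


def find_row(table: Iterable[ProtectionRow], path: str) -> Optional[ProtectionRow]:
    """Match the first segment of the request path against the table's URIs."""
    segment = "/" + path.lstrip("/").split("/", 1)[0]
    return next((row for row in table if row.uri == segment), None)


def decide(table: Iterable[ProtectionRow], method: str, path: str,
           token: Optional[AccessToken], audience_claim: str,
           now: datetime = SAMPLE_NOW) -> str:
    """Return "allow" or "deny:<reason>" for one request against the table."""
    row = find_row(table, path)
    if row is None or not row.service_enabled:
        return "deny:service-disabled"          # unknown URI or Service Enabled cleared
    is_write = method.upper() in WRITE_METHODS
    if is_write and not row.allow_write:
        return "deny:write-not-allowed"         # Allow Write cleared for this URI
    if not is_write and not row.allow_read:
        return "deny:read-not-allowed"          # Allow Read cleared for this URI
    if row.unprotected:
        return "allow"                          # Unprotected: no token checks at all
    if token is None:
        return "deny:no-token"
    # Audience Claim: this resource server must find its own value in aud.
    if audience_claim not in token.audience:
        return "deny:audience-mismatch"
    # Expires: the token is no longer valid this many minutes after issue.
    if now >= token.issued_at + timedelta(minutes=token.expires_minutes):
        return "deny:token-expired"
    # The row's OAuth Scope must have been granted to the client.
    if row.oauth_scope not in token.scopes:
        return "deny:missing-scope:" + row.oauth_scope
    return "allow"
```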
Attributes
Use this section to define custom attributes.
Resource URIs
Use this section to enable or disable the retrieve, grant, and revoke services. You can also define the service endpoint URIs and provider implementation class paths for these services.
Service Endpoint - The URI where the service receives and responds to requests. Create a unique URI address for this service.
Service Enabled - Select to enable the service, or clear the option box to disable it.
Attributes
Use this section to define consent management entity-specific (dynamic) attributes.
You can configure security plug-ins.
See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.
You can add a plug-in to an Identity Domain or edit an existing plug-in configuration from the Plug-in Configuration Page.
Only some of the fields listed below will apply to the plug-in you are configuring.
Identity Domain - The name of the identity domain where the plug-in is located.
Name - The name of the plug-in.
Description - (Optional) A short description to help you or another administrator identify this plug-in in the future.
Implementation Class - Choose the class from the menu that implements the plug-in interface. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page. See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.
Interface Class - Lists the interface class for this plug-in. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page.
Security Handler Class - Choose the Java class that defines the Security Handler Plug-in. Applies to the Mobile Adaptive Access Plug-in Configuration page and the Mobile Custom Token Attributes Plug-in Configuration page.
Mobile Security Manager Plug-in Class - Choose the Java class that defines the Mobile Security Manager Plug-in. Applies to the Mobile Security Manager Plug-in Configuration page only.
MSM Device Inventory Attributes Precedence - When enabled, if both the Mobile Security Manager (MSM) component and the Mobile OAuth server supply a value for the same device attribute, the value supplied by the Mobile Security Manager is used. If the attribute value from the MSM component is not available, the value from the Mobile OAuth server is used instead.
MSM Attributes - Lists the attributes that the Mobile Security Manager plug-in harvests from mobile devices. The first column lists the mobile device attributes that the Mobile Security Manager component collects. The second column lists the mobile device attributes that the Mobile OAuth server collects during mobile app requests. If the same device attribute is available from both the MSM component and the server, both are listed in the same row. (For example, the MSM attribute "imei" appears in column one, and the matching server attribute "oracle:idm:claims:client:imei" appears in column two of the same row.) For a list of the device attributes that the Mobile OAuth server collects during app requests, open the OAuth Mobile Client Configuration page and locate the Device Claim Attributes list in the Configuration Settings section. To add additional attributes, click Add to add a row at the bottom of the table, and enter the attribute name. (Enter attributes sourced from Mobile Security Manager in the first column, and attributes from the Mobile OAuth server in the second column. Enter attributes one per row unless the attributes are equivalent and should be mapped to one another.)
Attributes - Use this section to define custom plug-in attributes.
You can configure general server settings for the identity domain named using the Server Settings Configuration page.
Use the Server Settings Configuration page to configure general server settings for the identity domain named.
Note:
See Deployment Constraints for Mobile and Social for information about deploying Mobile and Social with a WebGate.
Identity Domain - The name of the identity domain to which the settings on this configuration page apply. (Read-only)
HTTP Proxy Settings
Configure the following settings if a proxy server is in place between the OAuth Token Service (the Push Service) and the Apple Push Notification Service (APNS) or Google Cloud Messaging (GCM) service.
Proxy URL - Choose the protocol to use to connect to the proxy server (HTTP or HTTPS), then type the proxy server host name and port number.
Proxy Authentication - Type the user name and password required to authenticate with the proxy server.
Apple Push Notification
Configure the default values that should be used for this identity domain. Use the OAuth Mobile Client Configuration page to customize these settings on an app by app basis.
Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool.
Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool.
Keep Alive - The Apple Push Notification keep alive value in seconds.
Token Life Cycle Management
Maximum Search Results - Specify the maximum number of token entry search results that should be returned on the Token Life Cycle Management page.
Attributes
Attributes - Use this section to define custom attributes.
Table 53-5 OAuth Server Settings Attributes
Name | Value | Notes |
---|---|---|
| | | This attribute usage is optional. If an OAM Webgate is front ending/proxying requests to an OAuth server, set this attribute. The OAM Webgate sets the |
You can configure the Jailbreak Detection Policy using the user interface.
See Jailbreak Detection Policy - OAuth Services for introductory information about the jailbreak detection policy. The following section describes how to use the user interface to configure the policy.
Jailbreak Detection - Select Enabled to turn the Jailbreak Detection Policy on, or clear this option to turn it off for all client application instances. If you enable the Jailbreak Detection Policy here, you can disable it on an application by application basis. If you disable the Policy here, you cannot enable or disable the feature on an application by application basis.
Policy Statements
Use the buttons in the menu to add, delete, and re-order policy statements.
Order - The sequential row number assigned to each row in the table.
Enabled - Select this option to activate the policy statement condition.
Minimum OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS.
Maximum OS Version - The maximum iOS version to which the policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set you cannot remove the value and leave this field empty.
Minimum Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0.
Maximum Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.3.0.
Details - Additional details about the Jailbreak Detection Policy policy statement. Hover the mouse over the info icon to view the details in a pop-up.
Policy Statement Conditions
Click to select a row in the table to view or edit its values in this section. See the previous section (Policy Statements) for field descriptions.
Policy Statement Detection Logic
Policy Expiration Duration - Type the length of time in seconds that the SDK on the mobile client device should wait before expiring the local copy of the policy and retrieving a newer version.
Auto Check Period - Type the interval of time in minutes that the client device should wait before executing the Jailbreaking Detection Policy statements again.
Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows:
File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search.
Action - Select Exists which instructs the Detection Policy to evaluate whether it can access a file path.
Success - Select if the Policy should flag the device as jailbroken if the specified files or directories are found on the device. Use this option if the policy is checking for unauthorized files or directories. Clear this option if the Policy should flag the device as jailbroken if the specified files or directories are not found. (Use this option if checking for required files or directories.)
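The policy statement fields (Enabled, the OS and Client SDK version ranges) and the Detection Location fields (File Path, the Exists action, Success) combine as described above: statements whose ranges match the device are evaluated and any location hit flags the device (logical OR). The following is an added example, not the Mobile and Social SDK's code: it evaluates a constructed policy against a constructed device snapshot; the file paths are placeholders, and the version-padding rule and the "order:path" hit format are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """"11.1.2.3.0" -> (11, 1, 2, 3, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(text: str, width: int) -> Tuple[int, ...]:
    parts = parse_version(text)
    return parts + (0,) * (width - len(parts))


def version_in_range(version: str, minimum: str, maximum: Optional[str]) -> bool:
    """Inclusive bounds; components are zero-padded so "9.3" equals "9.3.0".
    An empty Maximum means no upper bound is checked (Maximum OS Version)."""
    bounds = [minimum] + ([maximum] if maximum else [])
    width = max(len(parse_version(s)) for s in [version, *bounds])
    if _padded(version, width) < _padded(minimum, width):
        return False
    return not maximum or _padded(version, width) <= _padded(maximum, width)


@dataclass(frozen=True)
class DetectionLocation:
    """File Path plus the Success flag; the only Action modelled is Exists."""
    file_path: str
    success: bool   # True: flag when found (unauthorized); False: flag when missing (required)


@dataclass(frozen=True)
class PolicyStatement:
    order: int
    enabled: bool
    min_os_version: str
    max_os_version: Optional[str]     # None or "" means no upper bound is checked
    min_sdk_version: str
    max_sdk_version: str
    locations: Tuple[DetectionLocation, ...]


@dataclass(frozen=True)
class DeviceSnapshot:
    """What the client SDK observes locally (constructed for this example)."""
    os_version: str
    sdk_version: str
    accessible_paths: frozenset   # paths the Exists action can access


# Constructed policy with placeholder paths (not a real indicator list).
SAMPLE_POLICY: Tuple[PolicyStatement, ...] = (
    PolicyStatement(1, True, "1.0", None, "11.1.2.0.0", "11.1.2.3.0", (
        DetectionLocation("/private/var/example-unauthorized-tool", True),
        DetectionLocation("/System/Library/example-required-binary", False),
    )),
    PolicyStatement(2, False, "1.0", None, "11.1.2.0.0", "11.1.2.3.0", (
        DetectionLocation("/private/var/example-disabled-check", True),
    )),
    PolicyStatement(3, True, "1.0", "8.0", "11.1.2.0.0", "11.1.2.3.0", (
        DetectionLocation("/private/var/example-legacy-tool", True),
    )),
)


def statement_applies(stmt: PolicyStatement, device: DeviceSnapshot) -> bool:
    """Enabled, and the device OS and SDK versions fall inside the statement's ranges."""
    return (stmt.enabled
            and version_in_range(device.os_version, stmt.min_os_version, stmt.max_os_version)
            and version_in_range(device.sdk_version, stmt.min_sdk_version, stmt.max_sdk_version))


def location_hit(loc: DetectionLocation, device: DeviceSnapshot) -> bool:
    """Exists action: the location fires when found matches the Success flag."""
    found = loc.file_path in device.accessible_paths
    return found == loc.success


def evaluate_policy(policy: Tuple[PolicyStatement, ...],
                    device: DeviceSnapshot) -> Tuple[bool, List[str]]:
    """Logical OR: any hit in any applicable statement flags the device.
    Returns the verdict and the "order:path" entries that caused it."""
    hits: List[str] = []
    for stmt in sorted(policy, key=lambda s: s.order):
        if not statement_applies(stmt, device):
            continue
        hits.extend(f"{stmt.order}:{loc.file_path}" for loc in stmt.locations
                    if location_hit(loc, device))
    return bool(hits), hits


def snapshot(os_version: str, sdk_version: str, *paths: str) -> DeviceSnapshot:
    """Convenience constructor for a device snapshot."""
    return DeviceSnapshot(os_version, sdk_version, frozenset(paths))
```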
You can use the Token Life Cycle Management page to search for and revoke tokens that have been issued.
You can search for tokens using criteria such as user ID, client ID/name, client IP address, service profile, assertion token category, and token creation/expiration time. Enter your criteria and click Search. The maximum number of token entry search results returned is determined by the Maximum Search Results setting on the OAuth Server Settings page.
Search Criteria
Identity Domain - The name of the identity domain in which you are searching for tokens. (Read only)
User - Specify an LDAP UID (john.smith) or an LDAP Fully Qualified DN (cn=jane.smith,dc=example,dc=com) to search by.
Client - Specify a client ID to search for tokens by.
Client IP Address - Specify a client IP address (for example, 192.168.100.1) to search for tokens by.
Service Profile - Choose a profile from the menu, or leave this selection empty.
Assertion Token Category - Choose a category from the menu, or leave this selection empty.
Token Issued - Search for tokens by the date and time that they were issued.
Token Expiring at - Search for tokens by the date and time that they expire.
Mobile Device Claim Attributes
IMEI - Specify the unique 15-digit IMEI (International Mobile Equipment Identity) code to search by. The IMEI can be displayed on most mobile handsets by dialing *#06#.
MAC Address - Specify the unique MAC (Media Access Control) address to search by.
Phone Number - Specify a phone number to search by.