52.1 About Oracle Access Management OAuth Services

OAuth is an open standard authorization protocol that provides authentication and access control between a Client (including mobile apps and Web services) and a Resource Owner (or Service Provider) on the Web.

Oracle Access Management OAuth Services is based on this standard and designed:

  • To address enterprise-level extranet use cases.

  • To provide secure mobile access to APIs.

  • To leverage built-in Oracle Access Management features (including authentication schemes, strong authentication, fraud detection, session management and federated authentication).

  • To secure confidential clients with a high level of security.

Oracle Access Management OAuth Services are available for Web clients or for mobile clients. OAuth Services for Web clients implement the standard OAuth 2.0 use cases. In this case, the clients rely on a Client ID/Client Password (or secret) to secure themselves. For an example, see http://tools.ietf.org/html/rfc6749#page-4.

Mobile OAuth Services is an extension on top of the standard OAuth specification in which the identity of the mobile client is secured through application registration, and a credential specific to the mobile client is included with a request for access. As mobile clients store passwords on mobile devices, they cannot be confidential like Web clients, so the identity of the mobile client is established through device/app registration before accessing REST or Web services using the OAuth Services Access Token. Thus, the key difference between the standard Web and mobile OAuth Services use cases is that the mobile client is secured before it can request an Access Token (through device/app registration), whereas a standard OAuth Web client uses a credential like a password or an assertion to self-identify. See Configuring OAuth Services in 12c for details on configuring OAuth Services.
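The distinction above, a confidential Web client that authenticates with a Client ID and secret versus a mobile client that cannot hold a secret, is what a token endpoint's client-authentication step enforces. The following is an added illustration of that step as RFC 6749 section 2.3.1 describes it (HTTP Basic with the Client ID as the user name); it is not Oracle Access Management code, and the client registry, client names and secret values are constructed for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote, unquote


@dataclass
class RegisteredClient:
    """One entry in a constructed client registry (hypothetical, not Oracle's)."""
    client_id: str
    confidential: bool              # True for Web clients that hold a secret
    secret_digest: Optional[bytes]  # None for public (mobile) clients


def _digest(secret: str) -> bytes:
    # Store only a digest so the endpoint never keeps plaintext client secrets.
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Constructed sample registry: one confidential Web client, one public mobile client.
CLIENTS = {
    "web-portal": RegisteredClient("web-portal", True, _digest("s3cr3t-example")),
    "mobile-app": RegisteredClient("mobile-app", False, None),
}


def make_basic_header(client_id: str, secret: str) -> str:
    """Build the Authorization header a confidential client sends (RFC 6749 2.3.1:
    values are form-urlencoded, joined with ':', then base64-encoded)."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic ...' into (client_id, secret); None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return unquote(client_id), unquote(secret)


def authenticate_client(header: Optional[str]) -> Tuple[bool, str]:
    """Token-endpoint client authentication. Returns (accepted, reason)."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False, "invalid_request: missing or malformed client credentials"
    client_id, secret = creds
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client: unknown client_id"
    if not client.confidential:
        # A mobile/public client cannot keep a secret, so a password must not
        # be accepted as proof of its identity; it needs device/app registration.
        return False, "invalid_client: public client cannot authenticate with a secret"
    # Constant-time digest comparison avoids leaking the secret via timing.
    if not hmac.compare_digest(_digest(secret), client.secret_digest):
        return False, "invalid_client: bad client secret"
    return True, "ok"


if __name__ == "__main__":
    print(authenticate_client(make_basic_header("web-portal", "s3cr3t-example")))
    print(authenticate_client(make_basic_header("mobile-app", "anything")))
```

The public-client branch is the point of the example: a client registered as non-confidential is refused even when it presents a plausible secret, because nothing stored on a device can be treated as one. The digest store and `hmac.compare_digest` are the two checks a practitioner would expect on any endpoint that verifies client secrets.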

See Also,