This chapter describes the Oracle Access Management OAuth Services API. This chapter includes the following topics:
Administering the OAuth Services User Profile Service with REST
Administering OAuth Services Consent Management Services with REST
This chapter uses cURL to demonstrate the REST calls that the OAuth client sends to the Mobile and Social OAuth Services. cURL is free software that you can download from the cURL website at http://curl.haxx.se/
Using cURL to send REST calls to the server can help you better understand how the client interacts with the server. It can also be a helpful troubleshooting tool. Consider the following when using this chapter.
cURL commands that contain single quotes ( ' ) will fail on Windows. When possible, use double quotes ( " ) in place of single quotes.
If a command requires both single quotes and double quotes, escape the double quotes with a backslash (for example: \" ) and replace the single quotes with double quotes.
Note:
In this guide, line breaks in cURL commands and server responses are for display purposes only.
In addition to this Oracle Fusion Middleware Developer's Guide for Oracle Access Management, the Oracle Fusion Middleware Java API Reference for Oracle Access Management OAuth Services is available.
This section documents the REST calls for the 3-legged OAuth Services flows. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
The following sample request has two parts:
Part One: The Front-Channel Request - takes place between the resource owner (or end user) and the OAuth Services server.
Part Two: The Back-Channel Request - takes place between the OAuth Services server and the client application.
The client application redirects the user (the owner of the resource being requested) to the OAuth Services server's authorization endpoint using a browser. The user needs to authenticate with OAuth Services and, optionally, authorize access to the requested resources by providing consent. Once the user interaction completes successfully, OAuth Services issues an authorization code which the client application then uses to request an Access Token as documented in Part Two: The Back-Channel Request.
Sample Authorization Code Request
curl -i --request GET "https://host:port/ms_oauth/oauth2/endpoints/oauthservice/authorize?response_type=code&client_id=54321id&redirect_uri=http://client.example.com/return&scope=user_read&state=xyz"
Name | Description | Required
---|---|---
response_type | Value must be code. | Required
client_id | A client identifier given by the authorization server. The authorization server validates the | Required
redirect_uri | The client app's redirect URI authorization code. If not sent, then the configuration/client registry is checked to see if a | Optional
scope | Defines scope values in the configuration/scope registry. If no scope is sent, or if an invalid scope is specified, an error response is sent to the client app's | Required
state | An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used to prevent cross-site request forgery. | Recommended
Sample Authorization Code Response
If the resource owner grants access, the OAuth Services server issues an authorization code and delivers it to the client by adding the applicable parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format. The parameters are documented in Table 15-2.
https://client.example.com/return?code=eyJhbG...rWWk8hbs_o6uY&state=xyz
Table 15-2 Response Parameters
Name | Description
---|---
code | Includes the following:
state | Same value specified in the authorization request. Only included if it was specified in the authorization request.
If validation errors are found, a JSON response containing error codes and descriptions is sent.
{"error_code":"invalid_client", "error_description":"client identifier invalid"}
The following list documents some error codes and their descriptions.
server_error - runtime processing error
invalid_scope - requested scope is invalid, unknown, or malformed
invalid_redirect_uri - redirect URI does not match with client app
access_denied - end-user denied authorization
invalid_client - client identifier invalid
This flow is between OAuth Services (the authorization server) and the client application. The sample shows how to exchange the authorization code for an Access Token.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://hostname:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' redirect_uri=http%3A%2F%2Fclient.example.com:17001%2Freturn &grant_type=authorization_code &code=eyJhbG...rWWk8hbs_o6uY '
The grant_type parameter value must be authorization_code, and the code parameter value must be the authorization code generated by the authorization endpoint. You must send the redirect_uri parameter if the redirect_uri parameter was included in the authorization request, and its value must be the same.
{ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
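The two parts of the flow above, carried through in code. This is an added example, not code from the guide or from Oracle: it builds the Part One redirect with a fresh, unguessable state value, validates the state on the callback before trusting the code (the cross-site request forgery check the state parameter exists for), and then assembles the Part Two back-channel request with the client ID and secret in an HTTP Basic header. The host, client ID, secret and redirect URI are the placeholder values the guide's own samples use (the guide's Basic header decodes to 54321id:welcome1); no request is actually sent.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values in the style of the guide's samples, not real credentials.
AUTHZ_ENDPOINT = "https://host:port/ms_oauth/oauth2/endpoints/oauthservice/authorize"
TOKEN_ENDPOINT = "https://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens"
CLIENT_ID = "54321id"
CLIENT_SECRET = "welcome1"          # sample secret, as in the guide's Basic header
REDIRECT_URI = "http://client.example.com/return"


def new_state() -> str:
    """Fresh, unguessable state value; store it in the user's session server-side."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "user_read") -> str:
    """Part One: the front-channel URL the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from OAuth Services and return the authorization code.

    Rejects the callback when the state does not match the one issued for this
    session (CSRF or replayed callback) or when the server returned an error.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError("authorization failed: %s" % query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential for the token endpoint: base64(clientId:secret)."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code: str) -> dict:
    """Part Two: the back-channel POST the client makes directly to the token endpoint."""
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,   # must equal the value sent in Part One
        }),
    }


def parse_token_response(body: str) -> dict:
    """Check that the token response carries the fields a client needs before using it."""
    resp = json.loads(body)
    if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
        raise ValueError("unexpected token response")
    return resp


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Constructed callback, shaped like the guide's sample redirect.
    callback = REDIRECT_URI + "?code=eyJhbG...rWWk8hbs_o6uY&state=" + state
    req = build_token_request(parse_callback(callback, state))
    print(req["headers"]["Authorization"])
    print(req["body"])
```

The state comparison is constant-time and the callback is rejected before the code is read, so a forged or replayed redirect never reaches the token endpoint; the redirect_uri in Part Two is the same constant used in Part One, which is what the server checks.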
This section documents the REST calls for the 2-legged OAuth Services flows. It provides sample REST requests that show how to get a resource access token. When no resource is sent in the request, the resulting token can be used as an Identity Token. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Using User ID/Password Credentials and ClientID+Secret in an HTTP Basic Header
Using User ID/Password Credentials and a JWT Client Assertion
Using User ID/Password Credentials and a SAML Client Assertion
Using a SAML User Assertion Credential and ClientID+Secret in an HTTP Basic Header
Using a SAML User Assertion Credential and a SAML Client Assertion
Using a SAML User Assertion Credential and a JWT Client Assertion
Using a JWT User Assertion Credential and ClientID+Secret in an HTTP Basic Header
Using a JWT User Assertion Credential and a SAML Client Assertion
Using a JWT User Assertion Credential and a JWT Client Assertion
The following response is typical for the requests documented in this section.
Note:
The refresh_token element is included in the server response if a requested scope is designated as an offline scope. The refresh_token element is not sent if none of the scopes is offline.
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Wed, 04 Dec 2013 21:52:03 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 09edd9b26949554d:-1f8be51:142bf50a0dc:-8000-0000000000001b27
X-Powered-By: Servlet/2.5 JSP/2.1

{ "expires_in":3600, "token_type":"Bearer", "access_token":"<access token value>", "refresh_token":"<refresh token value>" }
The following sample shows how to use client credentials to get an access token.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://hostname:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=client_credentials &scope=scope1%20scope2 '
The following sample shows a resource owner request that includes user ID and password credentials, as well as a client ID and secret in an HTTP Basic header.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://hostname:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=userxyz &password=pwd123xyz &scope=scope1%20scope2'
The following sample shows using a refresh token with clientid:clientsecret in the basic authorization header.
curl -i -H 'Authorization: Basic dGVzdDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://hostname:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=refresh_token &refresh_token=<refresh-token-value>'
This next example shows using the client assertion as a client credential.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=refresh_token &refresh_token=<refresh-token-value> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=<client-assertion-value>'
The following sample shows a client credentials request that uses a SAML client assertion generated by a third party.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'client_id=54321id &grant_type=client_credentials &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &scope=scope1%20scope2'
The following sample shows an authorization code request that uses a JWT client assertion generated by the IDM OAuth Server or a third party.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'client_id=54321id &grant_type=client_credentials &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &scope=scope1%20scope2'
The following sample shows a resource owner request that uses user ID and password credentials, plus a ClientID and secret in the HTTP Basic header.
curl -i -H 'Authorization: Basic <base64encoded(clientID:Secret)>' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=password &username=user123 &password=password123 '
The following sample shows a resource owner request that uses user ID and password credentials, and a JWT client assertion generated by a third party.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=userxyz &password=pwd123xyz &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &scope=scope1%20scope2'
The following sample shows an authorization code request that uses user ID and password credentials, and a SAML client assertion generated by a third party.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=userAbc123 &password=passwordAbc123 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &scope=scope1%20scope2'
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &assertion=<SAML user assertion value> &scope=scope1%20scope2'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &assertion=<SAML user assertion value> &scope=scope1%20scope2'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &assertion=<SAML user assertion value> &scope=scope1%20scope2'
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=<JWT user assertion value> &scope=scope1%20scope2'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &assertion=<JWT user assertion value> &scope=scope1%20scope2'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &assertion=<JWT user assertion value> &scope=scope1%20scope2'
This section demonstrates how to get an access token (that is, an identity token for client and user) from OAuth Services. It includes the following sections.
This section shows multiple ways to get a client identity token.
This sample includes the ClientID+Secret in the HTTP Basic Auth header.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials'
{ "oracle_client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "expires_in": 604800, "token_type": "Bearer", "oracle_tk_context": "client_assertion", "access_token": "<access token value>" }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' client_id=54321id &grant_type=client_credentials &client_assertion_type= urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> '
Refer to the sample response in the first example.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' client_id=54321id &grant_type=client_credentials &client_assertion_type= urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> '
Refer to the sample response in the first example.
The samples in this section demonstrate how to get a user identity token, also referred to as an access token or user assertion. All of the requests receive a response similar to the following:
{ "expires_in": 28800, "token_type": "Bearer", "oracle_tk_context": "user_assertion", "oracle_grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token": "<access token value>" }
The following sections contain the samples.
Getting a User Identity Token With a User ID and Password and Varying Client Credentials
Getting a User Identity Token With a SAML User Assertion Credential and Varying Client Credentials
Getting a User Identity Token With a JWT User Assertion Credential and Varying Client Credentials
This category has three samples.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=password &username=sampleuser &password=samplepassword '
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=password &username=sampleuser &password=samplepassword &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> '
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=password &username=sampleuser &password=samplepassword &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value>'
This category has three samples.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &assertion=<SAML user assertion value>'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &assertion=<SAML user assertion value>'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &assertion=<SAML user assertion value>'
This category has three samples.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=<JWT user assertion value>'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &client_assertion=<SAML client assertion value> &assertion=<JWT user assertion value>'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d ' grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<JWT client assertion value> &assertion=<JWT user assertion value>'
This section provides sample REST requests that show how to validate a resource access token. It includes the following examples:
The following sample shows an access token validation request that includes the client ID and secret in an HTTP Basic header. Note that the assertion value is not a plain string but a JWT (JSON Web Token): the value of assertion is the access token.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=validate &scope=UserProfile.users &assertion= eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Im51T0JSSjhOVDRNTEZYRVkwZEVZb3d2MjhrWS IsImtpZCI6Im9yYWtleSJ9.eyJzdWIiOiJ3ZWJsb2dpYyIsIm9yYWNsZS5vYXV0aC51c2VyX29yaWdpbl9 pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWQiOiJ3ZWJsb2dpYyIsI mlzcyI6Im9yYWtleSIsIm9yYWNsZS5vYXV0aC5zdmNfcF9uIjoiT0F1dGhTZXJ2aWNlUHJvZmlsZSIsIml hdCI6MTQyMjAzODEyNTAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjb GUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyMjA0MTcyNTAwMCw icHJuIjoid2VibG9naWMiLCJqdGkiOiIxMDA0MTMyZC03MTBkLTRlMGEtOGI1OS01NzI0ZTFlMmI0Y2UiL CJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6ImM4MDcwMGNlYTJkNDQ1ZjFiOGQ2OWVkZDEyMDY 1ODY1Iiwib3JhY2xlLm9hdXRoLnNjb3BlIjoiVXNlclByb2ZpbGUubWUiLCJ1c2VyLnRlbmFudC5uYW1lI joiRGVmYXVsdERvbWFpbiIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTE yMzQtMTIzNDU2Nzg5MDEyIn0.PymkviRiSGjkGtY9eT1BzRLXc_ kbaPMSq-SK5FY5CF6RHH5O7DLqYY0uYLd0EF8fI2zpX5AqD9B5p-12IqNox-hfR7BoPs11lgi2U-j1gZfT XqHu7SsI3sMgwiTRrllfMD1MjoGRFYbi446C-rBiVXzUgRRaEMf9oic14O26xm4
{"successful":true}
The following sample shows an access token validation request that uses a JWT client assertion, obtained earlier with the client credentials grant type, as the client credential.
curl -i --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=validate &scope=ConsentManagement.grant &assertion=<access token value> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=<JWT client assertion value>'
{"successful":true}
This section provides sample REST requests that show how to query OAM OAuth Services to determine meta-information about an OAuth token. This process, called OAuth introspection, is the same as access token validation, except that claims data from the access token is also returned in the response.
To request that the server return additional token claims data in its response, include the oracle_token_attrs_retrieval parameter. This parameter takes the following space-separated claims names:
iss aud exp prn jti exp iat oracle.oauth.scope oracle.oauth.client_origin_id oracle.oauth.user_origin_id oracle.oauth.user_origin_id_type oracle.oauth.tk_context oracle.oauth.id_d_id oracle.oauth.svc_p_n
This section includes the following examples:
The following token introspection sample shows the first access token validation request shown previously in the Validating an Access Token section, but with the addition of the oracle_token_attrs_retrieval parameter.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=validate &scope=UserProfile.users &oracle_token_attrs_retrieval=iss%20aud%20exp%20prn%20jti%20exp%20iat %20oracle.oauth.scope%20oracle.oauth.client_origin_id %20oracle.oauth.user_origin_id%20oracle.oauth.user_origin_id_type %20oracle.oauth.tk_context%20oracle.oauth.id_d_id%20oracle.oauth.svc_p_n &assertion=<access token value>'
{"successful":true, "oracle_token_attrs_retrieval": {"oracle.oauth.tk_context":"resource_access_tk", "exp":1386276668000, "iss":"www.oracle.example.com", "prn":"54321id", "oracle.oauth.client_origin_id":"54321id", "oracle.oauth.scope":"ConsentManagement.grant", "jti":"0fb4eef6-44ce-46ac-9230-7a335c05bf0f", "oracle.oauth.svc_p_n":"OAuthServiceProfile", "iat":1386273068000, "oracle.oauth.id_d_id":"12345678-1234-1234-1234-123456789012" } }
The following token introspection sample shows the second access token validation request shown previously in the Validating an Access Token section, but with the addition of the oracle_token_attrs_retrieval parameter.
curl -i --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=validate &scope=ConsentManagement.grant &oracle_token_attrs_retrieval=iss%20aud%20exp%20prn%20jti%20exp%20iat %20oracle.oauth.scope%20oracle.oauth.client_origin_id %20oracle.oauth.user_origin_id%20oracle.oauth.user_origin_id_type %20oracle.oauth.tk_context%20oracle.oauth.id_d_id%20oracle.oauth.svc_p_n &assertion=<access token value> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=<JWT client assertion value>'
{"successful":true, "oracle_token_attrs_retrieval": {"oracle.oauth.tk_context":"resource_access_tk", "exp":1386276668000, "iss":"www.oracle.example.com", "prn":"54321id", "oracle.oauth.client_origin_id":"54321id", "oracle.oauth.scope":"ConsentManagement.grant", "jti":"0fb4eef6-44ce-46ac-9230-7a335c05bf0f", "oracle.oauth.svc_p_n":"OAuthServiceProfile", "iat":1386273068000, "oracle.oauth.id_d_id":"12345678-1234-1234-1234-123456789012" } }
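How a resource server would use the validation and introspection calls above, as an added example that is not code from the guide or from Oracle. It builds the validate request body with the claim names the guide lists for oracle_token_attrs_retrieval, reads the claims of a JWT locally without verifying it (only for logging or choosing which scope to ask about; the server's validate action remains the authoritative check), and then makes the accept/reject decision from the introspection response: the token must be reported successful, be a resource access token, be unexpired, and carry the scope the protected resource requires. The sample response is the one printed in this section; the sample JWT is constructed inside the block with a dummy signature, and the endpoint URL is the guide's placeholder.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens"
VALIDATE_GRANT = "oracle-idm:/oauth/grant-type/resource-access-token/jwt"

# Claim names the guide lists for oracle_token_attrs_retrieval (exp listed once).
CLAIMS = [
    "iss", "aud", "exp", "prn", "jti", "iat",
    "oracle.oauth.scope", "oracle.oauth.client_origin_id",
    "oracle.oauth.user_origin_id", "oracle.oauth.user_origin_id_type",
    "oracle.oauth.tk_context", "oracle.oauth.id_d_id", "oracle.oauth.svc_p_n",
]

# The introspection response shown in this section of the guide.
SAMPLE_INTROSPECTION = (
    '{"successful":true, "oracle_token_attrs_retrieval": '
    '{"oracle.oauth.tk_context":"resource_access_tk", "exp":1386276668000, '
    '"iss":"www.oracle.example.com", "prn":"54321id", '
    '"oracle.oauth.client_origin_id":"54321id", '
    '"oracle.oauth.scope":"ConsentManagement.grant", '
    '"jti":"0fb4eef6-44ce-46ac-9230-7a335c05bf0f", '
    '"oracle.oauth.svc_p_n":"OAuthServiceProfile", "iat":1386273068000, '
    '"oracle.oauth.id_d_id":"12345678-1234-1234-1234-123456789012" } }'
)


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)    # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def peek_jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.

    Fine for logging or for picking the scope to validate; never authorize a
    request from this alone, since nothing here checks that the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def build_validation_body(token: str, scope: str, with_attrs: bool = True) -> str:
    """Form body for the validate action; with_attrs turns it into introspection."""
    params = {
        "grant_type": VALIDATE_GRANT,
        "oracle_token_action": "validate",
        "scope": scope,
        "assertion": token,
    }
    if with_attrs:
        params["oracle_token_attrs_retrieval"] = " ".join(CLAIMS)
    return urlencode(params)      # percent-encodes ':' and '/' as in the guide


def authorize_from_introspection(body: str, required_scope: str, now_ms: int) -> str:
    """Decide whether a resource server should accept the token.

    now_ms is epoch milliseconds, the unit used by exp/iat in the sample
    response.  Returns the principal (prn) when every check passes.
    """
    resp = json.loads(body)
    if resp.get("successful") is not True:
        raise PermissionError("token rejected by OAuth Services")
    attrs = resp.get("oracle_token_attrs_retrieval", {})
    if attrs.get("oracle.oauth.tk_context") != "resource_access_tk":
        raise PermissionError("not a resource access token")
    if int(attrs.get("exp", 0)) <= now_ms:
        raise PermissionError("token expired")
    granted = attrs.get("oracle.oauth.scope", "").split()
    if required_scope not in granted:
        raise PermissionError("scope %s not granted" % required_scope)
    return attrs["prn"]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed JWT-shaped string for the demo; the signature is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS512", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    token = make_unsigned_jwt({"prn": "weblogic", "oracle.oauth.scope": "UserProfile.users"})
    claims = peek_jwt_claims(token)
    print(build_validation_body(token, claims["oracle.oauth.scope"]))
    print(authorize_from_introspection(SAMPLE_INTROSPECTION, "ConsentManagement.grant",
                                       1386273068000 + 60_000))
```

Passing now_ms explicitly keeps the decision testable against the guide's fixed timestamps; in production pass int(time.time() * 1000).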
This section provides sample REST requests that show how to revoke a resource access token. It includes the following examples:
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=delete &assertion=<access token value>'
{"successful":true}
curl -i --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt &oracle_token_action=delete &assertion=<access token value> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=<JWT client assertion value>'
{"successful":true}
The following sections document the API for administering the secret key.
To create a secret key use the following REST API.
curl -i --request POST $SERVER_URL/ms_oauth/resources/userprofile/secretkey -H "Authorization: Bearer $access_token"
To retrieve a secret key use the following REST API.
curl -i --request GET $SERVER_URL/ms_oauth/resources/userprofile/secretkey -H "Authorization: Bearer $access_token"
A typical response would be:
{ "uri": "\/ms_oauth\/resources\/userprofile\/secretkey\/weblogic", "secret_key": "7OWZSV2OYFZSJZWT" }
The following User Profile Service REST commands are documented in this section.
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.me.read.
curl -i --request GET "http://host:port/ms_oauth/resources/userprofile/me" -H 'Authorization:<OAUTH ACCESS TOKEN>'
{ "uid": "weblogic", "description": "This user is the default administrator.", "lastname": "Doe", "commonname": "John", "uri": "\/ms_oauth\/resources\/userprofile\/me\/weblogic" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.me.write.
curl -H "Content-Type: application/json" --request PUT "http://host:port/ms_oauth/resources/userprofile/me" -H 'Authorization:<OAUTH ACCESS TOKEN>' -d '{ "description": "user2description" }'
{ "uid": "weblogic", "description": "user2description", "lastname": "Doe", "commonname": "John", "uri": "\/ms_oauth\/resources\/userprofile\/me\/weblogic" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.users.write.
curl -H "Content-Type: application/json" --request POST http://host:port/ms_oauth/resources/userprofile/users -H 'Authorization:<OAUTH ACCESS TOKEN>' -d '{ "uid": "John", "description": "test user", "lastname": "Anderson", "commonname": "John Anderson", "firstname": "John" }'
{ "uid": "John", "guid": "FE1D7BD0590111E1BFDCF77FB8E715D5", "description": "test user", "name": "John", "lastname": "Anderson", "commonname": "John Anderson", "loginid": "John", "firstname": "John", "uniquename": "FE1D7BD0590111E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/people\/John" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.users.read.
curl -i --request GET -H 'Authorization:<OAUTH ACCESS TOKEN>' http://host:port/ms_oauth/resources/userprofile/users/John
{ "uid": "John", "guid": "FE1D7BD0590111E1BFDCF77FB8E715D5", "description": "test user", "name": "John", "lastname": "Anderson", "commonname": "John Anderson", "loginid": "John", "firstname": "John", "uniquename": "FE1D7BD0590111E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/people\/John" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.users.write.
curl -H "Content-Type: application/json" --request PUT http://host:port/ms_oauth/resources/userprofile/users/John -H 'Authorization:<OAUTH ACCESS TOKEN>' -d '{ "description":"test user1" }'
{ "uid": "John", "guid": "FE1D7BD0590111E1BFDCF77FB8E715D5", "description": "test user1", "name": "John", "lastname": "Anderson", "commonname": "John Anderson", "loginid": "John", "firstname": "John", "uniquename": "FE1D7BD0590111E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/people\/John" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.users.write.
curl -i --request DELETE -H 'Authorization:<OAUTH ACCESS TOKEN>' http://host:port/ms_oauth/resources/userprofile/users/John
No Response.
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.users.write.
curl -H "Content-Type: application/json" --request POST http://host:port/ms_oauth/resources/userprofile/groups -H 'Authorization:<OAUTH ACCESS TOKEN>' -d '{ "description":"group1 testing", "commonname":"group1" }'
{ "guid": "2259C6C0592011E1BFDCF77FB8E715D5", "description": "group1 testing", "name": "group1", "commonname": "group1", "uniquename": "2259C6C0592011E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/groups\/group1" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.groups.read.
curl -i --request GET "http://host:port/ms_oauth/resources/userprofile/groups/group1" -H 'Authorization:<OAUTH ACCESS TOKEN>'
{ "guid": "2259C6C0592011E1BFDCF77FB8E715D5", "description": "group1 testing", "name": "group1", "commonname": "group1", "uniquename": "2259C6C0592011E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/groups\/group1" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.groups.write.
curl -H "Content-Type: application/json" --request PUT http://host:port/ms_oauth/resources/userprofile/groups/group1 -H 'Authorization:<OAUTH ACCESS TOKEN>' -d '{ "description":"group11 testing" }'
{ "guid": "2259C6C0592011E1BFDCF77FB8E715D5", "description": "group11 testing", "name": "group1", "commonname": "group1", "uniquename": "2259C6C0592011E1BFDCF77FB8E715D5", "uri": "\/ms_oauth\/resources\/userprofile\/groups\/group1" }
This resource server URI is protected by an OAuth Access Token. To complete this action using the default configuration, the OAuth Access Token requires a scope of userProfile.groups.write.
curl -i --request DELETE "http://host:port/ms_oauth/resources/userprofile/groups/group1" -H 'Authorization:<OAUTH ACCESS TOKEN>'
Use this interface to customize the consent experience by rendering a custom user interface and driving the user consent process. This interface retrieves the client's consent status for all users and scopes with the POST /consentmanagement/retrieve request. Using this interface you can enable the client to show a user all of the scopes they have previously granted.
For details on enabling user consent, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. Configure the permissions in the Scopes section as needed. The following topics are covered in this section:
Granting the Client Permission to Access a UserProfile Resource
Accessing a User's UserProfile Resource with the Access Token
The following sample shows how to get an access token using the client_credentials grant type.
Set the Authorization header to "Basic" followed by the base64 encoding of clientId:secret.
Add grant_type=client_credentials and scope=ConsentManagement.retrieve+ConsentManagement.grant+ConsentManagement.revoke to the form-encoded request body.
POST the request to the http://<host>:<port>/ms_oauth/oauth2/endpoints/oauthservice/tokens endpoint.
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials&scope=ConsentManagement.retrieve+ConsentManagement.grant+ConsentManagement.revoke'
The expected response is HTTP 200 OK with a valid token:
{ "expires_in": 3600, "token_type": "Bearer", "access_token": "eyJhbGciOiJSyfecz3p...nYlReMjATbLs" }
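The token request above and the consent calls that follow (grant, retrieve, revoke) can be assembled and checked offline before any request is sent. The following Python is an added example, not code from the Oracle documentation or the OAuth Services SDK. It uses the page's sample client id 54321id with secret welcome1 (the pair the page's Basic header decodes to); the JWT it decodes is a constructed stand-in for the truncated tokens shown on the page and carries a placeholder signature.

```python
"""Client-credentials token request, consent request bodies and token-response
checks for the OAuth Services endpoints (added example, not Oracle code)."""
import base64
import json
from urllib.parse import urlencode

TOKEN_PATH = "/ms_oauth/oauth2/endpoints/oauthservice/tokens"
CONSENT_PATH = "/ms_oauth/resources/consentmanagement"


def basic_auth_header(client_id: str, secret: str) -> str:
    """Build the Authorization value: 'Basic' + base64(clientId:secret)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def client_credentials_request(client_id: str, secret: str, scopes):
    """Headers and form body for grant_type=client_credentials.

    urlencode() uses quote_plus, so the space-separated scope list becomes
    the '+'-joined form the page shows (scope=A+B+C).
    """
    headers = {
        "Authorization": basic_auth_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def consent_request(action: str, access_token: str, user_id: str, client_id: str,
                    scopes=(), lang: str = "en"):
    """Headers, path and body for the consent grant/retrieve/revoke calls.

    retrieve takes no scope parameter on the page; grant and revoke do.
    """
    if action not in ("grant", "retrieve", "revoke"):
        raise ValueError(f"unknown consent action: {action!r}")
    params = {"oracle_user_id": user_id, "client_id": client_id, "lang": lang}
    if action != "retrieve":
        params["scope"] = " ".join(scopes)
    headers = {
        # The consent endpoints expect a Bearer credential, not a bare token.
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    return headers, f"{CONSENT_PATH}/{action}", urlencode(params)


def parse_token_response(body: str, now: float):
    """Return (access_token, expires_at) from the token endpoint JSON.

    Refuses any token_type other than Bearer so a caller never wires an
    unexpected token kind into an Authorization header.
    """
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"], now + int(data["expires_in"])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims_unverified(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Use this only to inspect expiry and scope on the client side. An
    authorization decision needs the resource server to validate the
    signature against the OAuth Services signing key, which this does not do.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned JWT rejected")
    return json.loads(_b64url_decode(payload_b64))


# Constructed sample: the page's tokens are truncated, so this builds a
# three-part stand-in with the same layout. The signature is a placeholder,
# which is exactly why jwt_claims_unverified() must never be used for trust.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS512", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "54321id", "scope": "ConsentManagement.retrieve",
                        "exp": 1700003600}).encode()),
    _b64url(b"placeholder-signature"),
])
```

A practical check: decode the page's Basic header value and the one this code produces for 54321id:welcome1 and compare; if your header differs, the secret (not the base64 step) is the usual culprit.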
This cURL command illustrates how to use an access token (from Getting an Access Token with Client Credentials and Scope) to grant consent.
Set the Authorization header to "Bearer" followed by the previously obtained access token AT_1.
Add oracle_user_id=[a user id] (in the example, weblogic).
Add client_id=[a client id] (in the example, 54321id).
Add scope=[a space-separated list of scopes] (in the example, "samplePhotoServer.photo.read samplePhotoServer.photo.write").
POST the request to the http://<host>:<port>/ms_oauth/resources/consentmanagement/grant endpoint.
curl -i -H 'Authorization: Bearer AT_1' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST http://host:port/ms_oauth/resources/consentmanagement/grant -d 'oracle_user_id=weblogic&scope=samplePhotoServer.photo.write+samplePhotoServer.photo.read&lang=en&client_id=54321id'
The expected output is an enhanced token for samplePhotoServer.photo with the client_credentials grant type and a scope of samplePhotoServer.photo.write+samplePhotoServer.photo.read.
This cURL command illustrates how to use the token to retrieve the consent.
Set the Authorization header to "Bearer" followed by the previously obtained access token AT_1 (from Getting an Access Token with Client Credentials and Scope).
Add oracle_user_id=[a user id] (in the example, weblogic).
Add client_id=[a client id] (in the example, 54321id).
POST the request to the http://<host>:<port>/ms_oauth/resources/consentmanagement/retrieve endpoint.
curl -i -H 'Authorization: Bearer AT_1' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST http://host:port/ms_oauth/resources/consentmanagement/retrieve -d 'oracle_user_id=weblogic&lang=en&client_id=54321id'
This cURL command illustrates how to use the token to revoke consent.
Set the Authorization header to "Bearer" followed by the previously obtained access token AT_1 (from Getting an Access Token with Client Credentials and Scope).
Add oracle_user_id=[a user id] (in the example, weblogic).
Add client_id=[a client id] (in the example, 54321id).
Add scope=[a space-separated list of scopes] (in the example, "samplePhotoServer.photo.read samplePhotoServer.photo.write").
POST the request to the http://<host>:<port>/ms_oauth/resources/consentmanagement/revoke endpoint.
curl -i -H 'Authorization: Bearer AT_1' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST http://host:port/ms_oauth/resources/consentmanagement/revoke -d 'oracle_user_id=weblogic&scope=samplePhotoServer.photo.write+samplePhotoServer.photo.read&lang=en&client_id=54321id'
The following request records user weblogic's consent for client 54321id to use the UserProfile.me.read scope:
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/resources/consentmanagement/grant -d 'scope=UserProfile.me.read&client_id=54321id&oracle_user_id=weblogic&lang=en' -H 'Authorization: eyJhbGciOiJSUzUxM...3OxH7jIRqGL-6w'
HTTP/1.1 200 OK
The following request obtains an access token for user weblogic with the password grant type and the UserProfile.me.read scope:
curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password&username=weblogic&password=password123&scope=UserProfile.me.read'
{ "expires_in": 3600, "token_type": "Bearer", "refresh_token": "eyJhbGciOiJSUzUxM...t7ihyNjqbb6Q9bCwE", "access_token": "eyJhbGciOiJSUzUxM...MIXI0ztb6NfOBMb4A" }
The following sample demonstrates an unauthorized request and the response.
curl -i --request GET "http://host:port/ms_oauth/resources/userprofile/me" -H 'Authorization: eyJhbGciOiJSUzUxM...MIXI0ztb6NfOBMb4A'
HTTP/1.1 401 Unauthorized
Date: Fri, 16 Aug 2013 18:47:44 GMT
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 316690b8df2db0a3:-794ed83e:140885d3651:-8000-000000000000005e
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "message": "oracle.security.idaas.oauth.resourceserver.jaxrs.userprofile.Me.getMyProfile: resource uri is not protected",
  "oicErrorCode": "IDAAS-20027 : oracle.security.idaas.rest.jaxrs.OICExceptionMapper : [ No error code is available from the underlying exception ]"
}
This section documents the REST calls for 3-legged mobile client flows. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Note:
All attribute names and values are case-sensitive.
The following topics are covered in this section:
Creating a Client Assertion and JWT User Assertion Using Social Authentication
Requesting a Verification Code for Mobile Client Registration
Requesting an Authorization Code for Mobile Device Registration
Beginning with this 11.1.2.3.0 release, the OAM Server returns the allowed grant types in response to a Get Application Profile request. The response is returned whether server-side SSO is enabled or not, so that the client learns how the server is configured and can make the correct calls. Following are some example responses.
curl -i --request GET 'http://host:port/ms_oauth/oauth2/endpoints/oauthservice/appprofiles/MobileApp1?device_os=iPhone%20OS&os_ver=7.000000'
Response Without Jail-Breaking Detection Policies
{
  "allowedGrantTypes": [
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "oracle-idm:/oauth/grant-type/mobile-client-registration-key",
    "password"
  ],
  "client_id": "MobileApp1",
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:geolocation", "oracle:idm:claims:client:imei",
      "oracle:idm:claims:client:jailbroken", "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:networktype", "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:osversion", "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:phonenumber", "oracle:idm:claims:client:sdkversion",
      "oracle:idm:claims:client:udid", "oracle:idm:claims:client:vpnenabled",
      "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:iosidforvendor",
      "oracle:idm:claims:client:iosidforad"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleMobileSecurityLevel": "LOW",
  "userConsentService": ["/ms_oauth/resources/consentmanagement"],
  "userProfileService": ["/ms_oauth/resources/userprofile"],
  "oracleConsentServiceProtection": "OAM"
}
Response With Jail-Breaking Detection Policies
{
  "allowedGrantTypes": [
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "oracle-idm:/oauth/grant-type/mobile-client-registration-key",
    "password"
  ],
  "client_id": "ACMEStock",
  "jailBreakingDetectionPolicy": {
    "autoCheckPeriodInMin": 60,
    "detectionLocation": [
      {"action": "exists", "filePath": "/bin/bash", "success": true},
      {"action": "exists", "filePath": "/Applications/Cydia.app", "success": true},
      {"action": "exists", "filePath": "/Applications/limera1n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/greenpois0n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/blackra1n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/blacksn0w.app", "success": true},
      {"action": "exists", "filePath": "/Applications/redsn0w.app", "success": true},
      {"action": "exists", "filePath": "/Applications/sn0wbreeze.app", "success": true}
    ],
    "device_os": "iPhone OS",
    "os_ver": "7.000000",
    "policyExpirationInSec": 3600
  },
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:geolocation", "oracle:idm:claims:client:imei",
      "oracle:idm:claims:client:jailbroken", "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:networktype", "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:osversion", "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:phonenumber", "oracle:idm:claims:client:sdkversion",
      "oracle:idm:claims:client:udid", "oracle:idm:claims:client:vpnenabled",
      "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:iosidforvendor",
      "oracle:idm:claims:client:iosidforad"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleMobileSecurityLevel": "LOW",
  "userConsentService": ["/ms_oauth/resources/consentmanagement"],
  "userProfileService": ["/ms_oauth/resources/userprofile"],
  "oracleConsentServiceProtection": "OAM"
}
This section shows the REST request for a mobile client verification code for device registration.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials&oracle_device_profile=<Base 64 Encoding Device Profile>&client_id=<MobileApp1>&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client'
{ "expires_in":300, "token_type":"Bearer", "oracle_tk_context":"pre_azc", "access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImt...5_LsQwlg7y-D8TW_0Q" }
To request an authorization code for device registration, the user-agent uses the URL shown below. In return, the authorization service sends an authorization code to the client using the redirection URI.
http://host:port/ms_oauth/oauth2/endpoints/oauthservice/authorize?client_id=MobileApp1&redirect_uri=<Mobile App URL Scheme>&response_type=code&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&oracle_pre_authz_code=<Mobile Device Client Verification Code>
<Mobile App URL Scheme>?code=eyJhbGciOiJSUzUxMiIsIns93I6...A0qenJQX5rrtRpdZJl50bS0
This request creates a mobile client assertion and a JWT user assertion. The JWT user assertion is stored in the server-side device store.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=authorization_code&code=<Authorization Code for Device Registration>&client_id=<MobileApp1>&redirect_uri=<Mobile App URL Scheme>&oracle_device_profile=<Base 64 Encoding Device Profile>'
{ "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "refresh_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6...7iEID1pLavdMsIg" }
This request creates a mobile client assertion and a JWT user assertion. The Social Identity Provider sends an Access Token in the response. The JWT user assertion is stored in the server-side device store.
curl -i -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -H 'Cache-Control: no-cache, no-store, must-revalidate' --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=authorization_code&code=<Authorization Code for Device Registration>&client_id=<MobileAppName>&redirect_uri=<Mobile App URL Scheme>&oracle_device_profile=<Base 64 Encoding of Device Profile>'
{
  "oracle_client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "social_payload": "{
    "UserProfile": {
      "mail": "exampleuser@yahoo.com",
      "lastname": "",
      "commonname": "Scott",
      "firstname": "Scott",
      "loginid": "exampleuser@yahoo.com",
      "password": "",
      "displayname": "Scott"
    },
    "IdentityProvider": "Facebook",
    "Protocol": "OAuth",
    "oauth_access_token": "{
      "access_token": "CAAUh80zH...wwHKZCAu",
      "expiry": 5183984,
      "consumer": "OAuthMobileApplication",
      "provider": "Facebook"
    }"
  }",
  "expires_in": 604800,
  "token_type": "Bearer",
  "oracle_tk_context": "client_assertion",
  "refresh_token": "eyJh.....",
  "access_token": "eyJhbGciOiJSUzUxMiIs......."
}
This section shows the REST request for a mobile client verification code (if required) for device registration.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials&oracle_device_profile=<Base 64 Encoding Device Profile>&client_id=<MobileApp1>&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-access'
{ "expires_in":300, "token_type":"Bearer", "oracle_tk_context":"pre_azc", "access_token":"eyJhbGciOiJSUzUxMiI4sInR5h4cCI6IkpXVCIsIm...NQXXd5_LsQy-D8TW_0Q" }
To request an authorization code for device registration, the user-agent uses the URL shown below. In return, the authorization service sends an authorization code to the client using the redirection URI.
http://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/authorize?client_id=MobileApp1&redirect_uri=<Mobile App URL Scheme>&response_type=code&scope=<Resource Scope>&oracle_pre_authz_code=<optional Mobile Device Client Verification Code>
<Mobile App URL Scheme>?code=eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVC...m_7FMwRXyEJI8J4JmPDf8RFdM7MP4_x3IBmK9amUAPRFJRNg
The following request creates an OAuth Access Token if the JWT User Assertion is valid in the server-side device store.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=authorization_code&code=<Authorization Code for Access Token>&client_id=<MobileApp1>&redirect_uri=<Mobile App URL Scheme>&oracle_device_profile=<optional base 64 encoding device profile>&client_assertion=<Mobile Client Assertion>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
{ "expires_in":3600, "token_type":"Bearer", "refresh_token":"eyJhbGiiIsInR5cCI6IkpXVCmtaWRfdHlwZSI6IBfVUDM5Qi00Q0U3LUxyJ6ndU" }
The following request creates an OAuth Access Token if the JWT User Assertion is valid in the server-side device store. The Social Identity Provider also sends an Access Token in the response.
curl -i -H 'Accept: */*' --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=authorization_code&code=<Authorization Code for Access Token>&client_id=<MobileAppName>&redirect_uri=<Mobile App URL Scheme>&oracle_device_profile=<Optional Base 64 Encoding of Device Profile>&client_assertion=<Mobile Client Assertion>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "ey...3JhY2xlLm9hdXRoLn",
  "social_payload": "{
    "UserProfile": {
      "mail": "exampleuser@yahoo.com",
      "lastname": "",
      "commonname": "Scott",
      "firstname": "Scott",
      "loginid": "exampleuser@yahoo.com",
      "password": "",
      "displayname": "Scott"
    },
    "IdentityProvider": "Facebook",
    "Protocol": "OAuth",
    "oauth_access_token": "{
      "access_token": "CAAUh80zHfPQBA....lP4kmNRyg",
      "expiry": 5113635,
      "consumer": "OAuthMobileApplication",
      "provider": "Facebook"
    }"
  }"
}
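The device-registration flow and the access-token flow above share the same three steps: request a verification code, send the user-agent to the authorize endpoint, and exchange the code the app's URL scheme receives. The following Python is an added example that walks a client through those steps offline; it is not Oracle Mobile SDK code. The JSON layout used for the device profile is this example's assumption (the page only states that the profile is base64-encoded), the placeholders such as <Mobile App URL Scheme> are replaced by constructed values, and the two oracle_requested_assertions URNs are the ones the page shows for registration and for access.

```python
"""Assemble the verification-code, authorize and token-exchange steps of the
mobile client flows and validate the redirect back to the app's URL scheme
(added example, not Oracle code)."""
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_PATH = "/ms_oauth/oauth2/endpoints/oauthservice/tokens"
AUTHORIZE_PATH = "/ms_oauth/oauth2/endpoints/oauthservice/authorize"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Requested-assertion URNs from the page: one for device registration, one for access.
PRE_AUTHZ_ASSERTION = {
    "registration": "oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client",
    "access": "oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-access",
}


def encode_device_profile(claims: dict) -> str:
    """Base64 of a JSON device profile. The JSON layout is an assumption of
    this example; the page only says the profile is base64-encoded."""
    return base64.b64encode(json.dumps(claims, sort_keys=True).encode("utf-8")).decode("ascii")


def decode_device_profile(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded))


def pre_authz_request_body(client_id: str, device_profile_b64: str, purpose: str) -> str:
    """Step 1: ask the token endpoint for a mobile client verification code."""
    return urlencode({
        "grant_type": "client_credentials",
        "oracle_device_profile": device_profile_b64,
        "client_id": client_id,
        "oracle_requested_assertions": PRE_AUTHZ_ASSERTION[purpose],
    })


def pre_authz_code_from_reply(body: str) -> str:
    """Accept only a token issued in the pre_azc context; any other token
    kind in this reply means the wrong request was made."""
    data = json.loads(body)
    if data.get("oracle_tk_context") != "pre_azc":
        raise ValueError("expected a pre_azc token, got %r" % data.get("oracle_tk_context"))
    return data["access_token"]


def authorize_url(base: str, client_id: str, redirect_uri: str, purpose: str,
                  pre_authz_code: str = None, scope: str = None) -> str:
    """Step 2: the URL the user-agent opens. Registration asks for the client
    assertion and requires the verification code; the access flow carries the
    resource scope and the code is optional."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code"}
    if purpose == "registration":
        if not pre_authz_code:
            raise ValueError("device registration requires the verification code")
        params["oracle_requested_assertions"] = CLIENT_ASSERTION_TYPE
    elif purpose == "access":
        if not scope:
            raise ValueError("the access flow requires a resource scope")
        params["scope"] = scope
    else:
        raise ValueError(f"unknown purpose {purpose!r}")
    if pre_authz_code:
        params["oracle_pre_authz_code"] = pre_authz_code
    return f"{base}{AUTHORIZE_PATH}?{urlencode(params)}"


def code_from_redirect(redirect: str, expected_scheme: str) -> str:
    """Extract the authorization code delivered to the app's URL scheme.

    A URL that arrives on any other scheme is rejected: on a mobile OS another
    app can register the same custom scheme, so the handler must at least
    confirm the URL it was handed really targets its own scheme.
    """
    parts = urlsplit(redirect)
    if parts.scheme != expected_scheme:
        raise ValueError(f"redirect on unexpected scheme {parts.scheme!r}")
    codes = parse_qs(parts.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect must carry exactly one code")
    return codes[0]


def token_request_body(code: str, client_id: str, redirect_uri: str,
                       device_profile_b64: str, client_assertion: str = None) -> str:
    """Step 3: the authorization_code exchange. Registration has no client
    assertion yet; the access-token exchange adds client_assertion and
    client_assertion_type once the assertion exists."""
    params = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
              "redirect_uri": redirect_uri, "oracle_device_profile": device_profile_b64}
    if client_assertion:
        params["client_assertion"] = client_assertion
        params["client_assertion_type"] = CLIENT_ASSERTION_TYPE
    return urlencode(params)
```

The scheme check in code_from_redirect is the minimum a custom-scheme handler should do; the page's flow carries no state parameter, so the app cannot additionally tie the returned code to a request it started.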
This request provides mobile single sign-out as follows:
Removes the JWT user assertion from the server-side device key chain
Terminates and removes OAM user tokens and OAM user session data from the server-side device keystore
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/oammsui/oauthservice/logout -d 'client_id=MobileApp1 &redirect_uri=mobileapp:// &oracle_device_profile=<Base 64 Encoding Device Profile> &client_assertion=<Mobile Client Assertion> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
HTTP/1.1 200 OK
Date: Mon, 02 Dec 2013 22:55:37 GMT
Content-Length: 0
Set-Cookie: JSESSIONID=z17tSdPLd7TG11dw7wNtTlJnzGXty3y3B8TqwW1GNvHjmzv6FqGv!535445357; path=/; HttpOnly
X-ORACLE-DMS-ECID: 09edd9b26949554d:f4833c6:142b4da1082:-8000-000000000000277f
X-Powered-By: Servlet/2.5 JSP/2.1
This section documents the REST calls for 2-legged mobile client flows. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Note:
All attribute names and values are case-sensitive.
The following topics are covered in this section:
Answer the Knowledge-Based Authentication (KBA) Challenge Request
Creating OAM Access and Master Tokens with Valid OAM User Token
Creating an OAuth Services Access Token Using an OAM Credential Grant Type
Creating an OAuth Services Access Token Using a Standard JWT User Assertion Grant
Beginning with this 11.1.2.3.0 release, the OAM Server returns the allowed grant types in response to a Get Application Profile request. The response is returned whether server-side SSO is enabled or not, so that the client learns how the server is configured and can make the correct calls. Following is the request and sample responses.
curl -i --request GET 'http://host:port/ms_oauth/oauth2/endpoints/oauthservice/appprofiles/MobileApp1?device_os=iPhone%20OS&os_ver=7.000000'
{
  "allowedGrantTypes": [
    "oracle-idm:/oauth/grant-type/oam_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "refresh_token",
    "code",
    "client_credentials",
    "authorization_code",
    "password",
    "oracle-idm:/oauth/grant-type/challenge-answer"
  ],
  "client_id": "mobileClient",
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:sdkversion", "oracle:idm:claims:client:networktype",
      "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:phonenumber",
      "oracle:idm:claims:client:iosidforad", "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:imei", "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:iosidforvendor", "oracle:idm:claims:client:jailbroken",
      "oracle:idm:claims:client:udid", "oracle:idm:claims:client:geolocation",
      "oracle:idm:claims:client:vpnenabled", "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:osversion"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleConsentServiceProtection": "OAM",
  "oracleMobileSecurityLevel": "LOW",
  "server_side_sso": true,
  "sharedKeyAttributeName": "secret_key",
  "userConsentService": ["/ms_oauth/resources/consentmanagement"],
  "userProfileService": ["/ms_oauth/resources/userprofile"]
}
HTTP Response Without Jail-Breaking Detection Policies
{
  "allowedGrantTypes": [
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "oracle-idm:/oauth/grant-type/mobile-client-registration-key",
    "password"
  ],
  "client_id": "MobileApp1",
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:geolocation", "oracle:idm:claims:client:imei",
      "oracle:idm:claims:client:jailbroken", "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:networktype", "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:osversion", "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:phonenumber", "oracle:idm:claims:client:sdkversion",
      "oracle:idm:claims:client:udid", "oracle:idm:claims:client:vpnenabled",
      "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:iosidforvendor",
      "oracle:idm:claims:client:iosidforad"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleMobileSecurityLevel": "LOW",
  "userConsentService": ["/ms_oauth/resources/consentmanagement"],
  "userProfileService": ["/ms_oauth/resources/userprofile"],
  "oracleConsentServiceProtection": "OAM"
}
HTTP Response With Jail-Breaking Detection Policies
{
  "allowedGrantTypes": [
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "oracle-idm:/oauth/grant-type/mobile-client-registration-key",
    "password"
  ],
  "client_id": "ACMEStock",
  "jailBreakingDetectionPolicy": {
    "autoCheckPeriodInMin": 60,
    "detectionLocation": [
      {"action": "exists", "filePath": "/bin/bash", "success": true},
      {"action": "exists", "filePath": "/Applications/Cydia.app", "success": true},
      {"action": "exists", "filePath": "/Applications/limera1n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/greenpois0n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/blackra1n.app", "success": true},
      {"action": "exists", "filePath": "/Applications/blacksn0w.app", "success": true},
      {"action": "exists", "filePath": "/Applications/redsn0w.app", "success": true},
      {"action": "exists", "filePath": "/Applications/sn0wbreeze.app", "success": true}
    ],
    "device_os": "iPhone OS",
    "os_ver": "7.000000",
    "policyExpirationInSec": 3600
  },
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:geolocation", "oracle:idm:claims:client:imei",
      "oracle:idm:claims:client:jailbroken", "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:networktype", "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:osversion", "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:phonenumber", "oracle:idm:claims:client:sdkversion",
      "oracle:idm:claims:client:udid", "oracle:idm:claims:client:vpnenabled",
      "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:iosidforvendor",
      "oracle:idm:claims:client:iosidforad"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleMobileSecurityLevel": "LOW",
  "userConsentService": ["/ms_oauth/resources/consentmanagement"],
  "userProfileService": ["/ms_oauth/resources/userprofile"],
  "oracleConsentServiceProtection": "OAM"
}
This section shows the REST request for a mobile client verification code for device registration.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials&oracle_device_profile=<Base 64 Encoding Device Profile>&client_id=<MobileApp1>&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client'
{ "expires_in":300, "token_type":"Bearer", "oracle_tk_context":"pre_azc", "access_token":"eyJhbGciOiJg0LzJL...6LnHpAhcZA-EfJU9jQYH4GPINQXXd5_LsQy-D8TW_0Q" }
This request creates a mobile client assertion and a JWT user assertion. The JWT user assertion is stored in the server-side device store. In addition, if Oracle Adaptive Access Manager and the adaptive-access security plug-in are active, an OAAM device handle and OAAM session handle are created and also stored in the server-side device store.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password&username=userAbc123&password=passwordAbc123&client_id=<MobileApp1>&oracle_pre_authz_code=<Mobile Device Verification Code>&oracle_device_profile=<Base 64 Encoding Device Profile>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
This is the response if Oracle Adaptive Access Manager and the adaptive-access security plug-in are not active.
{ "expires_in":3600, "token_type":"Bearer", "access_token":"eyJhbcOiJSzUxMIsInR5cCI6IkpX...OQN5mrZrl5pGyEJOMm4BSLQVVZhLsS5g" }
Response if OAAM and the Adaptive-Access Security Plug-in are Enabled
{ "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "oracle_aux_tokens": { "user_assertion": { "oracle_token_in_server_device_store":true, "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":"eyJhbGciOiJSUzUxM...6Ik5BRVNyanZha0dUlBVGlGQSJ9" } }, "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "access_token":"eyJhbGciOiJSUzUxM...6Ik5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
Response if the Security Plug-in Responds With "Denied"
This response only occurs if Oracle Adaptive Access Manager and the adaptive-access security plug-in are active. If the security plug-in responds with "denied," nothing is created or stored in the server-side device store.
HTTP/1.1 401 Unauthorized
{ "error":"DENIED", "error_description":"Denied Action is triggered" }
Response if the Challenge Action is Triggered
This response only occurs if Oracle Adaptive Access Manager and the adaptive-access security plug-in are active. If the security plug-in responds with "challenge," a challenge question is returned. User information associated with mobile.multi_step_authn_session_handle is stored in memory with a time-out value. The user must answer the challenge question before the time-out value expires. To send the user's response, see "Answer the Knowledge-Based Authentication (KBA) Challenge Request."
HTTP/1.1 401 Unauthorized
{
  "error": "REQUIRE_MULTI_STEP_AUTHN",
  "error_description": "The Challenge Action is triggered",
  "multi-step-challenge-question": {
    "challengeType": "KBA",
    "locale": "en-us",
    "questionRefId": "80",
    "questionStr": "What model was your first car?",
    "mobile.multiStepAuthnSessionHandle": "eyJvcmlnU2VjdXJpdHlFdmVudHMiOlsiUkVHX1….."
  }
}
Applies if Oracle Adaptive Access Manager and the adaptive-access security plug-in are active, and if the plug-in responds with "challenge."
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm:/mobile/grant-type/mobile-client-challenge-answer&oracle_device_profile=<Base 64 Encoded Device Profile>&challenge_response=<Base 64 Encoded Response>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
In the challenge_response request parameter, supply the base64-encoded version of the following JSON:
{
  "challenge": "KBA",
  "locale": "en-us",
  "question_ref_id": "80",
  "mobile.multi_step_authn_session_handle": "eyJvcmlnU2VjdXJpdHlFdmVudHMiOlsiUkVHX1….."
}
If the security plug-in verifies the answer and responds with "allowed," the OAAM device handle and OAAM session handle will be created and saved to the server-side keystore.
{ "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "oracle_aux_tokens": { "user_assertion": { "oracle_token_in_server_device_store":true, "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" } }, "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
If the security plug-in responds with denied, nothing is created or stored in the server-side keystore.
HTTP/1.1 401 Unauthorized
{ "error":"DENIED", "error_description":"Denied Action is triggered" }
If the user does not answer the challenge question before the time-out value expires, the security plug-in does not verify the answer and nothing is created or stored in the server-side keystore.
HTTP/1.1 401 Unauthorized
{ "error":"TIMEOUT", "error_description":"Timeout Action is triggered" }
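The registration request above can end in four ways: the client assertion is issued, a challenge is returned, the plug-in denies, or the challenge times out. The following Python is an added example, not Oracle Mobile SDK code, that classifies the token-endpoint reply, builds the base64 challenge_response in exactly the layout the page specifies, and encodes the answer request. The reply bodies it works on are constructed from the page's samples. The challenge_response JSON shown on the page carries no field for the answer text itself, and this example adds none.

```python
"""Drive the OAAM challenge step: classify the reply, build challenge_response,
encode the answer request (added example, not Oracle code)."""
import base64
import json
from urllib.parse import urlencode

CHALLENGE_GRANT = "oracle-idm:/mobile/grant-type/mobile-client-challenge-answer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed replies in the shape of the page's samples: (status, body).
CHALLENGE_REPLY = (401, json.dumps({
    "error": "REQUIRE_MULTI_STEP_AUTHN",
    "error_description": "The Challenge Action is triggered",
    "multi-step-challenge-question": {
        "challengeType": "KBA",
        "locale": "en-us",
        "questionRefId": "80",
        "questionStr": "What model was your first car?",
        "mobile.multiStepAuthnSessionHandle": "eyJvcmlnU2VjdXJpdHlFdmVudHMiOlsiUkVHX1",
    },
}))
DENIED_REPLY = (401, json.dumps({"error": "DENIED", "error_description": "Denied Action is triggered"}))
TIMEOUT_REPLY = (401, json.dumps({"error": "TIMEOUT", "error_description": "Timeout Action is triggered"}))
ALLOWED_REPLY = (200, json.dumps({
    "oracle_client_assertion_type": CLIENT_ASSERTION_TYPE,
    "expires_in": 604800, "token_type": "Bearer",
    "oracle_tk_context": "client_assertion", "access_token": "eyJhbGciOiJSUzUxM...",
}))


def classify(status: int, body: str) -> str:
    """Map a token-endpoint reply to allowed / challenge / denied / timeout.

    Anything else is an error to surface, not a state to guess at: a 200
    without a client_assertion context is not a successful registration.
    """
    data = json.loads(body)
    if status == 200 and data.get("oracle_tk_context") == "client_assertion":
        return "allowed"
    if status == 401:
        err = data.get("error")
        if err == "REQUIRE_MULTI_STEP_AUTHN" and "multi-step-challenge-question" in data:
            return "challenge"
        if err in ("DENIED", "TIMEOUT"):
            return err.lower()
    raise ValueError(f"unrecognised reply: status={status} body={body[:80]!r}")


def challenge_from_reply(body: str) -> dict:
    """Return the challenge object, accepting only the KBA type the page documents."""
    question = json.loads(body)["multi-step-challenge-question"]
    if question.get("challengeType") != "KBA":
        raise ValueError(f"unsupported challenge type {question.get('challengeType')!r}")
    return question


def challenge_response(question: dict) -> str:
    """Base64 of the JSON the page specifies for the challenge_response parameter.

    The camelCase names of the 401 reply map onto the snake_case names of the
    answer JSON; the session handle is copied through unchanged.
    """
    payload = {
        "challenge": question["challengeType"],
        "locale": question["locale"],
        "question_ref_id": question["questionRefId"],
        "mobile.multi_step_authn_session_handle": question["mobile.multiStepAuthnSessionHandle"],
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def decode_challenge_response(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded))


def answer_request_body(device_profile_b64: str, encoded_response: str) -> str:
    """Form body for the challenge-answer grant, as the page's cURL sends it."""
    return urlencode({
        "grant_type": CHALLENGE_GRANT,
        "oracle_device_profile": device_profile_b64,
        "challenge_response": encoded_response,
        "oracle_requested_assertions": CLIENT_ASSERTION_TYPE,
    })
```

Because the server keeps the session handle only until its time-out, a client should send the answer request as soon as the user responds and treat a TIMEOUT reply as "start registration again", not as a retryable answer.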
This request cleans the JWT user assertion from the server-side device key chain.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/oammsui/oauthservice/logout -d 'client_id=MobileApp1 &redirect_uri=mobileapp:// &oracle_device_profile=<Base 64 Encoding Device Profile> &client_assertion=<Mobile Client Assertion> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
HTTP/1.1 200 OK
Date: Mon, 02 Dec 2013 22:55:37 GMT
Content-Length: 0
Set-Cookie: JSESSIONID=z17tSdPLd7TG11dw7wNtTlJnzGXty3y3B8TqwW1GNvHjmzv6FqGv!535445357; path=/; HttpOnly
X-ORACLE-DMS-ECID: 09edd9b26949554d:f4833c6:142b4da1082:-8000-000000000000277f
X-Powered-By: Servlet/2.5 JSP/2.1
This request creates a JWT user assertion in the server-side key chain.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password&username=user123&password=pwd456xyz&client_assertion=<MOBILE CLIENT ASSERTION>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&oracle_device_profile=<BASE 64 ENCODING DEVICE PROFILE>&oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt&oracle_use_server_device_store=true'
{"oracle_token_in_server_device_store":true, "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":""}
This request creates an OAM user token and an OAM master token if the JWT user assertion is valid in the server-side device store.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials&user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer&client_assertion=<MOBILE CLIENT ASSERTION>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&oracle_device_profile=<BASE 64 ENCODING DEVICE PROFILE>&oracle_use_server_device_store=true'
{"oracle_token_in_server_device_store":true, "oracle_aux_tokens": {"oam_mt": {"oracle_tk_context":"oam_mt", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token", "access_token":"VERSION_4%7EDj10z62v9CQbnuX...Stid6XMhamU%2B" } }, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"" }
This request creates an OAM access token and an OAM master token if the OAM user token is valid in the server-side device store. In the following request, oracle_oam_application_resource is a WebGate-protected resource and oracle_oam_application_context is a WebGate-generated value.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials&oracle_use_server_device_store=true&user_assertion_type=oracle-idm:/oauth/assertion-type/user-identity/oam&client_assertion=<MOBILE CLIENT ASSERTION>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&oracle_device_profile=<BASE 64 ENCODING DEVICE PROFILE>&scope=oracle.security.oauth.oam.resource_access&oracle_oam_application_context=<WebGate generated value>&oracle_oam_application_resource=http%3A%2F%2Fhost.example.com%3A12884%2Findex.html'
{ "oracle_aux_tokens": {"oam_ut": {"oracle_token_in_server_device_store":true, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"" } }, "oracle_tk_context":"oam_at", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/resource-access-token\/oam", "access_token":"3F62m7EDq%2FRMIwA16gUjg40DT43xDEik...xAViyc7XmzGIFBoBsNbbuN6SO1" }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &username=alice &password=welcome &client_assertion=<MOBILE CLIENT ASSERTION> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<BASE 64 ENCODING DEVICE PROFILE> &oracle_use_server_device_store=true &scope=UserProfile.users'
{ "expires_in":3600, "token_type":"Bearer", "access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCciO...iJSfkhhXLHhonktvigMCeI" }
The following request creates an OAuth Services Access Token if the JWT User Assertion is valid in the server-side device store.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer &client_id=App2 &oracle_pre_authz_code=<Mobile Device Verification Code> &oracle_device_profile=<Base 64 Encoding Device Profile> &oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &oracle_use_server_device_store=true'
HTTP/1.1 200 OK { "oracle_client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "expires_in": 604800, "token_type": "Bearer", "oracle_tk_context": "client_assertion", "refresh_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6Ikp...mbmU5cDl2WjhtdUlBVGlGQSJ9.", "access_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6Ikp...mbmU5cDl2WjhtdUlBVGlGQSJ9." }
Response if the Server-Side JWT User Token is Expired or Invalid
HTTP/1.1 401 Unauthorized { "error":"invalid_grant", "error_description":"Invalid Grant: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"}
The advantage of using server-side SSO is that the server will maintain the session and associated artifacts and the client can focus on the business aspects of the application rather than maintaining sessions. Only when the client needs to control SSO, should server-side SSO be disabled. If server-side SSO is turned off, two-legged mobile OAuth Services scenarios will return tokens to the application instead of storing tokens in the server-side device store.
Note:
For more information, see Understanding Mobile OAuth Services Server-Side Single Sign-on in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
An administrator can disable the server-side SSO option at the OAuth Services Service Profile level by setting the serverside.sso.enabled configuration parameter to false. The following sections contain details on mobile requests and responses when server-side SSO is disabled.
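The practical consequence of the server-side SSO setting is visible in the token responses above: with server-side SSO on, a stored token comes back with an empty access_token and the oracle_token_in_server_device_store flag, while with it off the token value itself is returned. The following helper, added here as an example and not part of the Oracle documentation or product, flattens such a response and tells the client which tokens it must persist itself and which (if any) were neither returned nor stored. The sample responses are constructed from the shapes shown on this page with placeholder token strings.

```python
import json

# Constructed samples modelled on the oam_credentials responses shown on this page.
# Token strings are placeholders, not real tokens.
SSO_ON_RESPONSE = r'''{"oracle_token_in_server_device_store":true,
 "oracle_aux_tokens": {"oam_mt": {"oracle_tk_context":"oam_mt",
   "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token",
   "access_token":"VERSION_4%7E...placeholder"}},
 "oracle_tk_context":"oam_ut",
 "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",
 "access_token":""}'''

SSO_OFF_RESPONSE = r'''{"oracle_aux_tokens": {"oam_mt": {"oracle_tk_context":"oam_mt",
   "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token",
   "access_token":"VERSION_4%7E...placeholder"}},
 "oracle_tk_context":"oam_ut",
 "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",
 "access_token":"fEmB0nPd...placeholder"}'''


def summarize_tokens(body):
    """Flatten a token response into {tk_context: info}.

    The top-level object is one token; each entry of oracle_aux_tokens is another.
    A token is "returned_to_client" when access_token is non-empty and
    "in_server_device_store" when the object carries that flag, which is how the
    server signals that it kept the token under server-side SSO.
    """
    data = json.loads(body)
    tokens = [data] + list(data.get("oracle_aux_tokens", {}).values())
    summary = {}
    for tok in tokens:
        # Plain JWT access-token replies carry no oracle_tk_context at all.
        ctx = tok.get("oracle_tk_context", "access_token")
        summary[ctx] = {
            "grant_type": tok.get("oracle_grant_type"),
            "returned_to_client": bool(tok.get("access_token")),
            "in_server_device_store": bool(tok.get("oracle_token_in_server_device_store", False)),
            "expires_in": tok.get("expires_in"),
        }
    return summary


def find_anomalies(summary):
    """Contexts whose token was neither returned nor stored server-side: the client
    holds nothing usable for them, so the reply should be treated as a failure."""
    return [ctx for ctx, info in summary.items()
            if not info["returned_to_client"] and not info["in_server_device_store"]]


def client_must_store(summary):
    """Contexts the client has to persist itself because the token value came back."""
    return [ctx for ctx, info in summary.items() if info["returned_to_client"]]


if __name__ == "__main__":
    for name, body in (("sso on", SSO_ON_RESPONSE), ("sso off", SSO_OFF_RESPONSE)):
        s = summarize_tokens(body)
        print(name, "store locally:", client_must_store(s), "anomalies:", find_anomalies(s))
```

Note that the oracle_token_in_server_device_store flag is read per token object, because the page's own samples place it at the top level in one reply and inside the oam_ut entry of oracle_aux_tokens in another.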
Answer the Knowledge-Based Authentication (KBA) Challenge Request
Create an OAM User Token and OAM Master Token using a JWT User Assertion (Token Exchange)
Create the client and user assertion.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=userAbc123 &password=passwordAbc123 &client_id=App1 &oracle_pre_authz_code=<Mobile Device Verification Code> &oracle_device_profile=<Base 64 Encoding Device Profile> &oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
{ "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "oracle_aux_tokens": { "user_assertion": { "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":"eyJhbGciOiJSUzUxM...6Ik5BRVNyanZha0dUlBVGlGQSJ9" } }, "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "refresh_token":"eyJhbGciOiJSUzUxM...6Ik5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9", "access_token":"eyJhbGciOiJSUzUxM...6Ik5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
Create the client assertion.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer &client_id=App2 &oracle_pre_authz_code=<Mobile Device Verification Code> &oracle_device_profile=<Base 64 Encoding Device Profile> &oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &assertion=<JWT User Assertion>'
HTTP/1.1 200 OK { "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "refresh_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
HTTP/1.1 401 Unauthorized {"error":"invalid_grant", "error_description":"Invalid Grant: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" }
Response if the Challenge Action is Triggered
Only applies if the adaptive-access security plug-in for Oracle Adaptive Access Manager is active and if knowledge-based authentication (KBA) is enabled.
HTTP/1.1 401 Unauthorized {"error":"require_multi_step_authn", "oracle_challenge_questions": {"questionList": [ {"challengeType":"KBA", "questionStr":"What color was your first dog?", "questionRefId":"98" } ], "mobile.multiStepAuthnSessionHandle":"eyJ……MkE", "locale":"en" }, "error_description":"The Challenge Action is triggered " }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &assertion=<JWT User Assertion> &client_id=App1 &client_assertion=<Mobile Client Assertion> &scope=UserProfile.users'
In this request, send the <JWT User Assertion> and <Mobile Client Assertion> response values that were returned during the sample request Register Mobile App1 Using a User Name and Password.
{ "expires_in":3600, "token_type":"Bearer", "refresh_token":"eyJhbGciOiJSUzUx...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9", "access_token":"eyJhbGciOiJSUzUxMi...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
HTTP/1.1 401 Unauthorized { "error":"invalid_grant", "error_description":"Invalid Grant: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" }
If the JWT User Assertion value is expired, then the mobile application can create a JWT User Assertion using the Login (Create JWT User Assertion) step.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm:/oauth/grant-type/challenge-answer &client_id=App1 &oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &oracle_device_profile=<Base 64 Encoded Device Profile> &oracle_challenge_response=<Base 64 Encoded Response>'
In the oracle_challenge_response request parameter, supply the base-64 encoded version of the following JSON:
{ "mobile.multi_step_authn_session_handle":"eyJ......MkE", "locale":"en", "answer_list": [ { "question_ref_id":"98", "challenge_type":"KBA", "question_ans":"dog" } ] }
HTTP/1.1 200 OK { "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "oracle_aux_tokens":{ "user_assertion":{ "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" } }, "expires_in":604800, "token_type":"Bearer", "oracle_tk_context":"client_assertion", "refresh_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
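The challenge round trip above involves two different JSON shapes: the 401 reply names its fields in camelCase (questionRefId, challengeType, mobile.multiStepAuthnSessionHandle) while the oracle_challenge_response payload uses snake_case (question_ref_id, challenge_type, mobile.multi_step_authn_session_handle). The following client-side helper, added here as an example and not code from the Oracle documentation or product, classifies a non-200 token reply and, for the KBA case, builds the base-64 oracle_challenge_response value from the server's challenge block. The 401 body is constructed from the sample on this page and its session handle is a placeholder.

```python
import base64
import json

# Constructed from the require_multi_step_authn sample on this page; the
# session handle "eyJ...MkE" is a placeholder, not a real value.
CHALLENGE_401_BODY = r'''{"error":"require_multi_step_authn",
 "oracle_challenge_questions": {"questionList": [
   {"challengeType":"KBA", "questionStr":"What color was your first dog?", "questionRefId":"98"}],
  "mobile.multiStepAuthnSessionHandle":"eyJ...MkE", "locale":"en"},
 "error_description":"The Challenge Action is triggered "}'''


def parse_token_error(status, body):
    """Classify a failed token-endpoint reply.

    Returns ("challenge", challenge_block) when the server asks for a KBA step,
    ("invalid_grant", None) when the assertion is expired or invalid (the app must
    fall back to a fresh login), and ("other", None) for anything else.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "other", None
    err = data.get("error")
    if status == 401 and err == "require_multi_step_authn":
        return "challenge", data.get("oracle_challenge_questions", {})
    if status == 401 and err == "invalid_grant":
        return "invalid_grant", None
    return "other", None


def build_challenge_response(challenge, answers):
    """Build the base-64 oracle_challenge_response value.

    `answers` maps questionRefId -> the user's answer. Every question in the
    challenge must be answered; the session handle and locale are echoed back
    under their snake_case names.
    """
    answer_list = []
    for question in challenge["questionList"]:
        ref = question["questionRefId"]
        if ref not in answers:
            raise ValueError("no answer supplied for question %s" % ref)
        answer_list.append({
            "question_ref_id": ref,
            "challenge_type": question["challengeType"],
            "question_ans": answers[ref],
        })
    payload = {
        "mobile.multi_step_authn_session_handle": challenge["mobile.multiStepAuthnSessionHandle"],
        "locale": challenge.get("locale", "en"),
        "answer_list": answer_list,
    }
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_challenge_response(value):
    """Round-trip check: recover the JSON behind an oracle_challenge_response value."""
    return json.loads(base64.b64decode(value))


if __name__ == "__main__":
    kind, challenge = parse_token_error(401, CHALLENGE_401_BODY)
    if kind == "challenge":
        for q in challenge["questionList"]:
            print(q["questionRefId"], q["questionStr"])
        print(build_challenge_response(challenge, {"98": "dog"}))
```

The answer value is the only piece of user input in the payload; everything else is copied from the server's challenge, which is why the helper refuses to send a partial answer list rather than silently dropping an unanswered question.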
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=refresh_token &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_id=App1 &client_assertion=<Mobile Client Assertion> &scope=UserProfile.users &refresh_token=<Refresh Token>'
{ "expires_in":3600, "token_type":"Bearer", "refresh_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'client_id=App1 &grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fuser-token%2Fjwt &assertion=<JWT User Assertion> &oracle_token_action=delete &oracle_device_profile=<Base 64 Device Profile> &client_assertion=<Mobile Client Assertion> &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
In this request, send the <JWT User Assertion> and <Mobile Client Assertion> response values that were returned during the sample request Register Mobile App1 Using a User Name and Password.
{"successful":true}
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=weblogic &password=welcome1 &client_assertion=<MOBILE CLIENT ASSERTION> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<Base 64 Device Profile> &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'
{ "expires_in":28800, "token_type":"Bearer", "oracle_tk_context":"user_assertion", "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "access_token":"eyJhbGciOiJSUzUxM...k5BRVNyanZha0RmbmU5cDl2WjhtdUlBVGlGQSJ9" }
Negative HTTP Response if the User Name and Password are Invalid
HTTP/1.1 401 Unauthorized { "error":"invalid_grant", "error_description":"Invalid resource owner user name or password " }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &user_assertion=<JWT User Assertion> &client_assertion=<MOBILE CLIENT ASSERTION> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<Base 64 Device Profile>'
{ "oracle_aux_tokens": { "oam_mt": { "oracle_tk_context":"oam_mt", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token", "access_token":"VERSION_4%...." } }, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"fEmB0nPdgGfyNjshws8z….. " }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &user_assertion=<JWT User Assertion> &client_assertion=<MOBILE CLIENT ASSERTION> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<Base 64 Device Profile> &oracle_user_credentials=<Base 64 encoding of user credential>'
In the oracle_user_credentials request parameter, supply the base-64 encoded version of the user credential payload JSON. For example, if this is the PIN:
{"pin":"123"}
The Base 64 encoded value is this:
eyJwaW4iOiIxMjMifQ==
{ "oracle_aux_tokens": { "oam_mt": { "oracle_tk_context":"oam_mt", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token", "access_token":"VERSION_4%...." } }, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"fEmB0nPdgGfyNjshws8z….. " }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=oracle-idm:/oauth/assertion-type/user-identity/oam &client_assertion=<MOBILE CLIENT ASSERTION> &user_assertion=<JWT User Assertion> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<Base 64 Device Profile> &scope=oracle.security.oauth.oam.resource_access &oracle_oam_application_context=dfsdfsdfsdfsdf &oracle_oam_application_resource=http%3A%2F%2Fhost.example.com%3A12884%2Findex.html'
{ "oracle_tk_context":"oam_at", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/resource-access-token\/oam", "access_token":"3F62m7EDq%....." }
This section documents the REST calls for procuring tokens from OAuth Services.
Note:
All attribute names and values are case-sensitive.
The following topics are covered in this section:
Using a Client Credential + User Name and Password Combination
Using a Client Credential + oracle_user_credentials Combination
This section documents how to use a client credential together with a user name and password to get the following token types: a JWT user token, a JWT access token, an OAM user token and master token, or an OAM access token.
The following topics are covered in this section:
Requests in this section use the following basic template.
curl -i -H 'Authorization: Basic <sample client ID and password>' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &username=<username> &password=<password> &oracle_requested_assertions=<Oracle_Requested_Assertion_Type> &oam_authen_resource=<oam_authen_resource>'
Note the following:
The sample client ID and password take the following form:
userID123:password123
--> base 64 encoding -->
NTQzMjFpZDp3ZWxjb21lMQ==
The actual client ID will be a machine generated GUID.
You can specify the following assertion types:
oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Foam
oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt
Use the oam_authen_resource optional parameter to specify the authentication resource name configured on the OAM server side.
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &username=user123 &password=passwordAbc12323 &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &username=user123 &password=passwordAbc123 &scope=ConsentManagement.retrieve ConsentManagement.grant ConsentManagement.revoke'
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &username=user123 &password=passwordAbc123'
This section documents how to use a client credential together with the oracle_user_credentials value to get the following token types: a JWT user token, a JWT access token, an OAM user token and master token, or an OAM access token.
The following topics are covered in this section:
Requests in this section use the following basic template.
curl -i -H 'Authorization: Basic <sample client ID and password>' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<ORACLE_USER_CREDENTIALS> &oracle_requested_assertions=<Oracle_Requested_Assertion_Type> &oam_authen_resource=<oam_authen_resource>'
Note the following:
The oracle_user_credentials take the following form:
{"userid":"user123","password":"password123"}
>> Base64 encoded value of JSON data >>
eyJ1c2VyaWQiOiJ3ZWJsb2dpYyIsInBhc3N3b3JkIjoid2VsY29tZTEifQ==
The actual client ID will be a machine generated GUID.
You can specify the following assertion types:
oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Foam
oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt
Use the oam_authen_resource optional parameter to specify the authentication resource name configured on the OAM server side.
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=eyJ1c2VyaWQiOiJ3ZWJsb2dpYyIsInBhc3N3b3JkIjoid2VsY29tZTEifQ== &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=eyJ1c2VyaWQiOiJ3ZWJsb2dpYyIsInBhc3N3b3JkIjoid2VsY29tZTEifQ== &scope=ConsentManagement.retrieve ConsentManagement.grant ConsentManagement.revoke'
$ curl -i -H 'Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_credential> &client_assertion=<client_jwt_assertion or client_saml2_assertion> &client_assertion_type=<client_assertion_type> &oracle_requested_assertions=<Oracle_Requested_Assertion_Type>'
This section documents how to use a JWT assertion to get the following token types: a JWT user token, a JWT access token, an OAM user token and master token, or an OAM access token.
The following topics are covered in this section:
Requests in this section use the following basic template.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host:port/ms_oauth/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_credentials> &client_assertion=eyJhbGciOiJSUzUxMiIsjiRZ1_3edKknPTCEtQS79h_44H_8VbGvnA6Dr3M0 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion=<JWT User assertion Value> &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzUxMiIsInR5cCI6Ik...j5mZJrfrwxgXxzwVcNbjRgi7uM8 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion=<JWT User assertion Value> &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzUxMiIsInR5cCI6Ik...j5mZJrfrwxgXxzwVcNbjRgi7uM8 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=eyJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6c2Rrd...1zOmNvc3ZlcnNpb24iOiI0LjAifQ== &oracle_use_server_device_store=true'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_use_server_device_store=true &user_assertion_type=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Foam &client_assertion=eyJhbGciOiJSR5cCI6IkpXVCIsIm...UBaJkagXsLbqb_fNJHqNfwe3QCr7Uk &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=eyJvcmFjbtczpjbGllbnQ6c2Rrdm...pc3ZlcnNpb24iOiI0LjAifQ== &scope=oracle.security.oauth.oam.resource_access &oracle_oam_application_context=dfsdfsdfsdfsdf &oracle_oam_application_resource=http%3A%2F%2Fhost123.example.com%3A12884%2Findex.html'
This section documents how to use a JWT user assertion and a PIN (or PIN-like user credential) to get an OAM user token and OAM master token. The client can specify the PIN or passcode value (as an additional credential) together with a JWT user assertion in the request.
The following topics are covered in this section:
Requests in this section use the following basic template:
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &user_assertion=<JWT User Assertion> &oracle_user_credentials=<Base64 encoded PIN Value> &client_assertion=<JWT Client Assertion> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=<BASE64 ENCODING DEVICE PROFILE>'
The oracle_user_credentials parameter is optional. It is a Base64-encoded value of JSON data that can contain any pair of name and value. For example:
{"pin":"pinvalue123"}
encodes to eyJwaW4iOiJwaW52YWx1ZTEyMyJ9
{ "oracle_aux_tokens":{ "oam_mt":{ "oracle_tk_context":"oam_mt", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token", "access_token":"" } }, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"" }
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.us.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &oracle_user_credentials=eyJwaW4iOiJwaW52YWx1ZTEyMyJ9 &client_assertion=eyJhbGciOiJSUzI1NiIs...jOGVj0GXMCA &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=ew0KICAgIm9yYWNsZTppZG0...fQ0K &user_assertion=eyJhbGciOiJSUzI1NiIsInR5...UyFT7Y9eeo5af4OA'
{ "oracle_aux_tokens": { "oam_mt": { "oracle_tk_context":"oam_mt", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token", "access_token":"VERSION_4%7ELw3jGjxe...F6wouV7ow" } }, "oracle_tk_context":"oam_ut", "oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam", "access_token":"E6Fyeco+F0GgucHJuLmlkX3R5c...DC0dsLVdJYyJ3Su2xpZWB3"}
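Several sections above (the client-credential sections that pass a base-64 client ID and password in an Authorization: Basic header, the oracle_user_credentials sections, and the JWT-assertion + PIN section just shown) all rely on the same two encodings: base-64 of a compact JSON credential document, and percent-encoding of the form body. The following helper, added here as an example and not code from the Oracle documentation or product, builds those values and assembles the PIN request body so the encoding is done by the library rather than by hand. The token endpoint URL is the one used in this page's mobile samples; the client assertion, user assertion and device profile passed to it are placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Endpoint as used in this page's mobile samples; the assertion and device-profile
# strings passed to build_pin_token_request below are placeholders, not real values.
TOKEN_ENDPOINT = "https://host.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens"
OAM_CREDENTIALS_GRANT = "oracle-idm:/oauth/grant-type/oam_credentials"
JWT_USER_ASSERTION_TYPE = "urn:ietf:params:oauth:user-assertion-type:jwt-bearer"
JWT_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def encode_user_credentials(fields):
    """oracle_user_credentials value: base-64 of compact JSON, e.g. {"pin":"123"}."""
    raw = json.dumps(fields, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_user_credentials(value):
    """Round-trip check: recover the JSON that a given sample value actually encodes."""
    return json.loads(base64.b64decode(value))


def basic_auth_header(client_id, client_secret):
    """Authorization header value for the client-credential (Basic) requests."""
    token = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_pin_token_request(client_assertion, user_assertion, device_profile_b64, credential_fields):
    """Headers and percent-encoded body for the JWT user assertion + PIN request.

    urlencode applies the same escaping the page's samples show by hand:
    ':' -> %3A, '/' -> %2F, and '=' or '+' inside base-64 values -> %3D / %2B.
    """
    params = {
        "grant_type": OAM_CREDENTIALS_GRANT,
        "user_assertion_type": JWT_USER_ASSERTION_TYPE,
        "user_assertion": user_assertion,
        "client_assertion_type": JWT_CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
        "oracle_device_profile": device_profile_b64,
        "oracle_user_credentials": encode_user_credentials(credential_fields),
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    return headers, urlencode(params)


def decode_form_body(body):
    """Parse a percent-encoded body back into {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    print(encode_user_credentials({"pin": "123"}))
    print(basic_auth_header("54321id", "welcome1"))
    headers, body = build_pin_token_request("<client assertion>", "<user assertion>", "<device profile>", {"pin": "123"})
    print("POST", TOKEN_ENDPOINT, headers, body)
```

decode_user_credentials is the check to run before pasting a sample value into a request: decoding the eyJ1c2VyaWQi... value printed in the client-credential section, for instance, yields the pair userid "weblogic" / password "welcome1" rather than the user123 pair shown beside it, and the NTQzMjFpZDp3ZWxjb21lMQ== Basic value decodes to 54321id:welcome1. The two PIN samples on this page (eyJwaW4iOiIxMjMifQ== and eyJwaW4iOiJwaW52YWx1ZTEyMyJ9) do match their JSON.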
This section documents how to use a SAML2 assertion to get the following token types: a JWT user token, a JWT access token, an OAM user token and master token, or an OAM access token.
The following topics are covered in this section:
Requests in this section use the following basic template.
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host123.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_value> &client_assertion=<client_jwt_assertion or client_saml2_assertion> &client_assertion_type=<client_assertion_type> &oracle_requested_assertions=<Oracle_Requested_Assertion_Type>'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_value> &client_assertion=PHNhbWw6QXNzZXJ0aW9uI...2ln%0AbmF0dXJltbDpBc3NlcnRpb24%2B%0A &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_value> &client_assertion=PHNhbWw6QXNzZXJ0aW9...uIHhtbG5zOnNhhbWwc3NlcnRpb24%2B%0A &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer &scope=ConsentManagement.retrieve'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &oracle_user_credentials=<base64_encoded_value> &client_assertion=PHNhbWw6QXNzZXJ0aW9uIHhtb9InVyb...2BPC9zYW1sOkF0dHJpYnV0ZT48 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer'
This section documents how to get an OAM user token and master token, or an OAM access token on mobile devices.
The following topics are covered in this section:
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=client_credentials &oracle_device_profile=eyJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6c2RrdmVyc2l...OmNsaWVudDpvc3ZlcnNpb24iOiI0LjAifQ== &client_id=<MobileAgent1> &oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fclient-identity%2Fmobile-client-pre-authz-code-client'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password &username=userAbc123 &password=passwordAbc123 &client_id=<MobileAgent1> &oracle_pre_authz_code=eyJhbGci...SsLRxbAt8Yl473vBACuH2Ms2fR_HwhQGVu_zgI3W3a_c &oracle_device_profile=eyJvcmFjbGU6aWRtOmNsYWl...G06Y2xhaW1zOmNsaWViI0LjAifQ== &oracle_requested_assertions=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer'
$ curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzUxMiIsInR5cCI...qwzcgoh5t7sfZInGkbprlA5UswMzqk &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=eyJvcmFjbGU6aWRtOmNsYWltczpjbG...udDnNpb24iOiI0LjAifQ== &oracle_use_server_device_store=true'
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://host.example.com:18001/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Foam_credentials &client_assertion=eyJhbGciOiJSUzUxMiIs...6NxPv0x_Ng2pEcjVJf42p-tiBFClavI56ycCg &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &oracle_device_profile=eyJvcmFjbGU64czpjbGllbnQ6c...ivc3ZlcnNpb24iOiI0LjAifQ== &user_assertion_type=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Foam &scope=oracle.security.oauth.oam.resource_access &oracle_oam_application_context=fdsfsdfsdfsdf &oracle_oam_application_resource=http%3A%2F%2Fhost123.example.com%3A12884%2Findex.html &oracle_use_server_device_store=true'