Oracle® Fusion Middleware

Oracle API Gateway OAuth User Guide

11g Release 2 (11.1.2.3.0)

Copyright © 1999, 2014, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. This documentation is in prerelease status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

The information contained in this document is for informational sharing purposes only and should be considered in your capacity as a customer advisory board member or pursuant to your beta trial agreement only. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.

This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your Oracle Software License and Service Agreement, which has been executed and with which you agree to comply. This document and information contained herein may not be disclosed, copied, reproduced, or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

27 May 2014


Contents

1. API Gateway as an OAuth server
Introduction to API Gateway OAuth 2.0 server
Overview
OAuth 2.0 concepts
OAuth 2.0 example workflow
API Gateway OAuth features
API Gateway OAuth scopes
OAuth 2.0 authentication flows
Further information
Set up API Gateway OAuth 2.0
Overview
Enable OAuth 2.0 management
Import client applications
Migrate client applications
Upgrade API Gateway configuration
Manage OAuth 2.0 client applications
Overview
Manage registered client applications
Run the sample client applications
Manage access tokens and authorization codes
Manage OAuth scopes
Relational database-backed Client Application Registry
Generate a certificate and private key for a client application
API Gateway OAuth 2.0 authentication flows
Overview
Authorization code (or web server) flow
Implicit grant (or user agent) flow
Resource owner password credentials flow
Client credentials grant flow
JWT flow
Revoke token
Token information service
2. OAuth server filters
Get access token information
Overview
Token settings
Monitoring settings
Advanced settings
Get access token using authorization code
Overview
Application validation settings
Access token settings
Monitoring settings
Get access token using client credentials
Overview
Application validation settings
Access token settings
Monitoring settings
Get access token using JWT
Overview
Application validation settings
Access token settings
Monitoring settings
Get access token using SAML assertion
Overview
SAML assertion validation settings
Access token settings
Monitoring settings
Consume authorization requests
Overview
Validation settings
Authorization code settings
Access token settings
Monitoring settings
Authorize transaction
Overview
Template settings
Authorization code settings
Access token settings
Monitoring settings
Refresh access token
Overview
Application validation settings
Access token settings
Monitoring settings
Get access token using resource owner credentials
Overview
Application validation settings
Access token settings
Monitoring settings
Revoke token
Overview
Revoke token settings
Monitoring settings
Validate access token
Overview
General settings
Response codes
OAuth 2.0 server message attributes
Overview
accesstoken methods
accesstoken.authn methods
authzcode methods
oauth.client.details methods
Example of querying a message attribute
OAuth scope attributes
OAuth SAML Bearer
3. API Gateway as an OAuth client
Introduction to API Gateway OAuth 2.0 client
Overview
API Gateway OAuth client features
OAuth 2.0 example client workflow
Set up API Gateway OAuth 2.0 client
Overview
Configure OAuth 2.0 client applications
Overview
Add application
Add OAuth 2.0 provider
Creating a callback URL listener
4. OAuth client filters
Retrieve OAuth client access token from token storage
Overview
General settings
Authorize client with server
Overview
General settings
SSL settings
Additional settings
Refresh an OAuth client access token
Overview
General settings
SSL settings
Additional settings
OAuth 2.0 client message attributes
Overview
oauth.client.accesstoken methods
oauth.client.application methods