You can use the OAuth 2.0 protocol in the Siebel REST API to authenticate the users behind incoming requests.

Note: REST outbound support for OAuth or any other security mechanism is supported by way of Filter Services. For more information, see Overview of the REST Outbound Filter Service.

In general, the Siebel REST API layer contacts the OAuth server over a secure channel (for example, HTTPS) to validate the access token it received or to obtain additional information about the token. The Siebel Server requires only a USERID to establish a Siebel Server session, because authentication takes place outside the Siebel Server (in either SSO or OAuth); no password is required.
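As an added illustration of the introspection flow described above (example code, not Siebel's own), a minimal client that validates a bearer token against an RFC 7662 token introspection endpoint over HTTPS and derives the USERID for the Siebel session from the response. The endpoint URL, the client credentials, the sample responses and the mapping of the `username` claim to USERID are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request
from base64 import b64encode

# Constructed RFC 7662 introspection responses standing in for what an OAuth
# server would return for three different bearer tokens (offline sample data).
SAMPLE_RESPONSES = {
    "token-valid": {"active": True, "username": "JDOE", "exp": 4102444800,
                    "scope": "siebel.rest"},
    "token-revoked": {"active": False},
    "token-no-user": {"active": True, "exp": 4102444800},
}


def introspect_token(token, introspection_url, client_id, client_secret):
    """POST the bearer token to the OAuth server's introspection endpoint
    (RFC 7662) over HTTPS with client credentials; return the decoded JSON."""
    if urllib.parse.urlsplit(introspection_url).scheme != "https":
        raise ValueError("introspection endpoint must be reached over HTTPS")
    creds = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token,
                                   "token_type_hint": "access_token"}).encode()
    req = urllib.request.Request(introspection_url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def userid_from_introspection(resp, now=None):
    """Decide whether an introspection response authorizes a session and, if
    so, return the USERID to establish it with. Returns None on rejection."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:      # revoked, unknown or expired token
        return None
    exp = resp.get("exp")
    if exp is not None and exp <= now:      # belt-and-braces expiry check
        return None
    # Assumed mapping: the 'username' (or 'sub') claim is the Siebel USERID.
    userid = resp.get("username") or resp.get("sub")
    return userid if userid else None


if __name__ == "__main__":
    for token, resp in SAMPLE_RESPONSES.items():
        print(token, "->", userid_from_introspection(resp, now=1700000000))
```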

Siebel supports only the introspection method for validating incoming tokens; validating incoming tokens with the signature method is not supported. However, if you are using JWT tokens and the signature method is required for validation, then you must do the following:
  • Configure Siebel REST API for SSO. For more information about configuring SSO, see Siebel Security Guide.

  • Configure the OAuth token validation using an API Gateway. This must be done before the request reaches the Siebel application. For more information on Oracle API Gateway, see your supporting documentation.