Successful Authorization

During an authorization request, if the validations pass successfully, then the authorization server sends a response with an access token.

When the authorization server handles the request from the client, the following checks occur:
  • Validation of the client assertion, also ensuring that the client is authorized to make the request. This is done by using the client certificate that was imported when the client was registered with the authorization server.

  • Validation of the user, also ensuring that the user is authorized to make the request. Either the user’s credentials or the user assertion is validated.

  • Validation of the audience claim in the client profile in the OAuth service (information stored when the client is registered) against the scope in the incoming access token request.

Access Token in the Response

If the validations pass successfully, the authorization server sends a response with an access token.

In the body of the response, a JSON (or XML or other) object is included, representing the response, as shown in the following example:
{"expires_in":3600,
"token_type":"Bearer",
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6I
k9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdH
lwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGV
uYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyNzc1
NjAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY
2Vzc190ayIsImV4cCI6MTQyNTQzMTM1NjAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2
VyIiwianRpIjoiZWM3ZWRhOWUtMTMyMS00MWI0LTg1MTYtMDQzNDRhMDY4MjE4Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiI
zMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29t
IiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1N
jYifQ.maEhtSbOWqKZPj_Wb6vezEcusm8SHLLBrdqKRjh3aKyga4_vY8cYiug59gF7t9xeVY_wps2mOI6uaAm8J0Fw0jZo2_NZpS5nXq-PiUN
CTHWiUQkb8GFv8Gd6qGc2M7Y3cBLG5w-VVRCtRVBUtpTkaTg_VWzS_iygsSIBJjp6KsIqKRtE_DjGtp_E3AaBnfmB19r754NJl3_R8BQ1Wpbj
EL-8zFZzBa-4bTC0DQ58w4ssOOLT3aZWv9UhJ0Ok_pT-ZDcFxFLUGoMnTD-pms9h4m58mGDtrRi5WBPC8n3RuOrmZBJjzOWAjCC0Tb-ZdR65q
7ewaxX_V6PccCHeIoFPmg"
}

The fields that are a part of the response are:

  • expires_in: An optional and recommended parameter that specifies the lifetime of the access token in seconds. In the prior example, the access token is valid for 1 hour (or 3600 seconds).

  • token_type: A mandatory parameter that specifies the type of token that’s returned in the response. In the prior example, the token_type is Bearer.

  • access_token: A mandatory parameter that has the actual access token as its value. This is the access token, in JSON web token (JWT) format, that the client application may store and use later. The token can be decoded to see the various claims in the access token response.

An example of a decoded JWT:

{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "tenantAdminUser",
 oracle.oauth.user_origin_id_type: "LDAP_UID",
 oracle.oauth.user_origin_id: "tenantAdminUser",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425424318000,
 oracle.oauth.prn.id_type: "LDAP_UID",
 oracle.oauth.tk_context: "resource_access_tk",
 exp: 1425427918000,
 aud: [
  "http://www.example.com"
 ],
 prn: "tenantAdminUser",
 jti: "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]
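The checks a client or resource server should run on the response above, as an added example (not Oracle's code). The token is constructed inline from the documented header and claims with a placeholder signature, so only the structural and claim checks run here; the RS256 signature must additionally be verified with the key named by kid before any claim is trusted. Note that the documented iat and exp samples are epoch milliseconds, which is why exp - iat equals expires_in * 1000.

```python
import base64
import json

# Constructed sample: header and claims mirror the documentation's decoded JWT,
# but the signature segment is a placeholder, so this token cannot be verified.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

HEADER = {"alg": "RS256", "typ": "JWT", "x5t": "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
          "kid": "OAuthTestTenant125.cert"}
CLAIMS = {"sub": "tenantAdminUser", "prn": "tenantAdminUser", "iss": "OAuthTestTenant125",
          "iat": 1425424318000, "exp": 1425427918000, "aud": ["http://www.example.com"],
          "jti": "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
          "oracle.oauth.tk_context": "resource_access_tk"}
SAMPLE_RESPONSE = json.dumps({"expires_in": 3600, "token_type": "Bearer",
    "access_token": ".".join([_b64url(json.dumps(HEADER).encode()),
                              _b64url(json.dumps(CLAIMS).encode()), "placeholder-sig"])})

def decode_segment(seg: str) -> dict:
    """base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def split_token(token: str):
    """Split a compact JWT into (header dict, claims dict, raw signature segment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must be header.payload.signature")
    return decode_segment(parts[0]), decode_segment(parts[1]), parts[2]

def check_response(body: str, expected_iss: str, expected_aud: str, now_ms: int) -> list:
    """Return the list of failed checks (empty means the token is acceptable).
    Claim checks only: the RS256 signature must also be verified with the
    key identified by 'kid' before any of these claims is trusted."""
    resp = json.loads(body)
    header, claims, _sig = split_token(resp["access_token"])
    problems = []
    if resp.get("token_type") != "Bearer":
        problems.append("token_type is not Bearer")
    if header.get("alg") != "RS256" or not header.get("kid"):
        problems.append("unexpected alg or missing kid")  # never accept alg=none
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    # This server's iat/exp are epoch milliseconds (13 digits), not RFC 7519 seconds.
    if not (claims.get("iat", 0) <= now_ms < claims.get("exp", 0)):
        problems.append("token not yet valid or expired")
    if (claims["exp"] - claims["iat"]) // 1000 != resp.get("expires_in"):
        problems.append("expires_in disagrees with exp - iat")
    return problems
```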

Claims in the Access Token

An access token consists of a header, standard claims, and custom claims. The following lists give each claim's name, type, description, and a sample value.

Header parameters

  • alg: The algorithm used to sign the token. Sample: RS256

  • typ: The classification type of the token. The default value is JWT, which indicates that this is a JSON web token (JWT). Sample: JWT

  • x5t: The X.509 certificate thumbprint (x5t) header parameter provides a base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate that can be used to match a certificate. Sample: _hVX9pXq7pUxkk5ry-8vK8qb8L8

  • kid: The key ID (kid) header parameter is a hint indicating which specific key owned by the signer should be used to validate the signature. This allows signers to explicitly signal a change of key to recipients. Omitting this parameter is equivalent to setting it to an empty string. The interpretation of the contents of the kid parameter is unspecified. Sample: oauth_psrtenantx3.cert

Standard claims

  • sub: The subject (sub) claim identifies the principal that is the subject of the JWT. Sample: MyAdmin@oracle1.com

  • prn: The principal (prn) claim identifies the principal that is the subject of the JWT. Sample: MyAdmin@oracle1.com

  • iss: The issuer (iss) claim identifies the principal that issued the JWT. Sample: oauth_psrtenantx3

  • iat: The issued at (iat) claim identifies the time at which the JWT was issued. Sample: 1429128747000

  • exp: The expiration time (exp) claim identifies the expiration time on or after which the JWT must not be accepted for processing. Sample: 1429128747000

  • aud: The audience (aud) claim identifies the recipients for which the JWT is intended. Sample: (a list of audiences)

  • jti: The JWT ID (jti) claim provides a unique identifier for the JWT. Sample: 0565e04e-3823-404f-b950-e970ea17f41f

Custom claims

  • oracle.oauth.svc_p_n: IDM OAuth service profile name. Sample: oauth_psrtenantx3ServiceProfile

  • oracle.oauth.prn.id_type: Principal ID type. For user assertion, the value is always LDAP_UID. Sample: LDAP_UID

  • oracle.oauth.sub.id_type: Subject ID type. For user assertion, the value is always LDAP_UID. Sample: LDAP_UID

  • oracle.oauth.id_d_id: IDM OAuth server domain ID. Sample: 20625897169639935

  • oracle.oauth.client_origin_id: Subject ID for the client used when the user assertion is generated. Sample: 4457b326-fe88-4851-baad-b9488895e808

  • user.tenant.name: User tenancy for the OAuth token generated by the IDM OAuth server. Sample: oauth_psrtenantx3