Using OAuth2 for Securing the Oracle Health Insurance Application’s RESTful services

Oracle Health Insurance application’s RESTful services support OAuth2 tokens. In that case the application validates and/or introspects OAuth2 access tokens that are sent as Bearer tokens in the HTTP Authorization header. Oracle Health Insurance applications do not support sending an access token as a request parameter.

If the token is valid and a user can be identified from it, the request is allowed; otherwise an HTTP 404 Unauthorized response is returned. Processing the request remains subject to authorization verification.

The following ways of OAuth2 access token validation are currently supported:

  • JWKSET: OAuth2 access tokens are validated by the resource server. Assuming the token is a JWT, the resource server validates it against a JSON Web Key (JWK) Set as defined by RFC 7517. The source of the JWK Set is an endpoint exposed by an OAuth2 authorization server.

  • OAUTH2_ENDPOINT: validates the token using an OAuth2 authorization server’s token introspection endpoint as defined by RFC 7662.

By default, Oracle Health Insurance applications validate OAuth2 access tokens against a JWK Set.

Configuring for JWK Set Based Token Validation

In case the OAuth2 Authorization Server exposes a JWK Set endpoint, configure that URL as the value for system property ohi.oauth.jwk.set.url. Note that the endpoint must serve a JWK Set as defined by RFC 7517.

The value for property ohi.oauth.jwt.userid.claim specifies the claim in the JWT that can be used to identify the user for which the OAuth2 access token was created. Default value: sub.

Configuring for RFC 7662 Endpoint Based Token Validation

To validate an OAuth2 access token using an Authorization Server’s RFC 7662 token introspection endpoint, set property ohi.oauth.token.validation.method to the value "OAUTH2_ENDPOINT". Set the URL of the token validation or introspection endpoint as the value for system property ohi.oauth.token.introspection.endpoint.url.

It is assumed that the endpoint supports Basic Authentication. The Basic Authentication credentials used by the Oracle Health Insurance application are identified by the Client ID that is configured as property ohi.oauth.token.introspection.endpoint.client_id. The password belonging to that Client ID must be configured using the Credential Management resource.
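As an added example (not Oracle Health Insurance code), here is a stand-alone Python sketch of the two validation paths described above, driven by the property names from this page: JWK Set validation with the user taken from ohi.oauth.jwt.userid.claim, and RFC 7662 introspection with Basic authentication built from the configured Client ID and its Credential Management password. To run offline with the standard library only, the JWK Set uses a symmetric "oct" key (a key type RFC 7517 defines), whereas a real authorization server publishes RSA/EC public keys; the JWK Set document, the client secret, the HTTP transport and the use of the introspection response's `sub` field are all assumptions passed in directly.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWK Set (RFC 7517 shape) with a symmetric "oct" key so the example runs offline; a real
# authorization server publishes RSA/EC public keys at the URL configured in ohi.oauth.jwk.set.url.
JWK_SET = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                     "k": b64url_encode(b"constructed-demo-secret-not-for-production")}]}

def make_jwt(claims, kid="k1"):
    """Mint a constructed HS256 token for testing (in reality the authorization server issues it)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(JWK_SET["keys"][0]["k"]), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_with_jwkset(token, jwk_set, userid_claim="sub", now=None):
    """JWKSET method: select the key by 'kid', verify the signature, check 'exp', return the user claim."""
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
    except ValueError:                                   # malformed base64url or JSON, or not three parts
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    kid = header.get("kid")
    key = next((k for k in jwk_set["keys"] if kid and k.get("kid") == kid), None)
    if key is None or header.get("alg") != "HS256" or key.get("kty") != "oct":
        return None                                      # unknown key or algorithm (e.g. "none"): reject outright
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None                                      # bad signature, expired, or no 'exp' claim at all
    return claims.get(userid_claim)                      # None means no user identifiable -> Unauthorized

def validate_with_introspection(token, endpoint_url, client_id, client_secret, post):
    """OAUTH2_ENDPOINT method: RFC 7662 introspection over Basic auth; post(url, headers, form) is injected."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    resp = post(endpoint_url, {"Authorization": f"Basic {basic}"}, {"token": token})
    return resp.get("sub") if resp.get("active") is True else None   # inactive or unknown token -> reject

def authenticate(token, config, post=None, now=None):
    """Dispatch on ohi.oauth.token.validation.method (default JWKSET); returns the user id or None."""
    if config.get("ohi.oauth.token.validation.method", "JWKSET") == "OAUTH2_ENDPOINT":
        return validate_with_introspection(token, config["ohi.oauth.token.introspection.endpoint.url"],
                                           config["ohi.oauth.token.introspection.endpoint.client_id"],
                                           config["client_secret"], post)   # secret: from Credential Management
    return validate_with_jwkset(token, config["jwk_set"],                   # jwk_set: the fetched JWK Set document
                                config.get("ohi.oauth.jwt.userid.claim", "sub"), now)
```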