Using OAuth2 for Securing the Oracle Health Insurance Application’s RESTful services

The Oracle Health Insurance application’s RESTful services accept OAuth2 access tokens. The application validates and/or introspects access tokens that are sent as Bearer tokens in the HTTP Authorization header. Oracle Health Insurance applications do not support sending an access token as a request parameter.

If the token is valid and a user can be identified from it, the request is allowed; otherwise the application returns an HTTP 404 Unauthorized response. Processing of an accepted request remains subject to the application’s authorization checks.

Oracle Health Insurance supports the following ways of OAuth2 access token validation:

JWK Set (JSON Web Key Set)

Assuming that the token is a JSON Web Token (JWT), the resource server validates the token against a JSON Web Key (JWK) Set. The source of the JWK Set is an endpoint exposed by an OAuth2 authorization server.

OAuth2 Endpoint

The resource server validates the OAuth2 access token using an OAuth2 authorization server’s token introspection endpoint.

By default, Oracle Health Insurance applications validate OAuth2 access tokens against a JWK Set.

Configuring for JWK Set Based Token Validation

If the OAuth2 Authorization Server exposes a JWK Set endpoint, configure that URL as the value of the system property ohi.oauth.jwk.set.url. Note that the endpoint must serve a JWK Set as defined by RFC 7517.

The property ohi.oauth.jwt.userid.claim names the claim in the JWT that identifies the user for whom the OAuth2 access token was issued. The default value is sub.
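As an added example (not code from the Oracle Health Insurance product), the JWK Set validation path described above in stand-alone Python: the resource server takes the Bearer token from the Authorization header, looks up the signing key by kid in a JWK Set of the kind ohi.oauth.jwk.set.url would point to, verifies the signature and expiry, and returns the user from the claim named by ohi.oauth.jwt.userid.claim. The symmetric "oct" JWK, the kid value and the mint_token helper are assumptions made so the block runs with the standard library only; production authorization servers normally publish RSA or EC public keys.

```python
import base64, hashlib, hmac, json, time

# Constructed JWK Set (RFC 7517) of the kind an authorization server would serve at
# ohi.oauth.jwk.set.url. A symmetric "oct" key is assumed so the block runs with the
# standard library only; production servers normally publish RSA or EC public keys.
SECRET = b"constructed-shared-secret-for-the-example"
JWK_SET = {"keys": [{"kty": "oct", "kid": "key-1", "alg": "HS256",
                     "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}
USERID_CLAIM = "sub"  # value of ohi.oauth.jwt.userid.claim (default: sub)
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _key_for(kid):  # signing key for this kid from the JWK Set, None if absent
    for k in JWK_SET["keys"]:
        if k.get("kid") == kid and k.get("kty") == "oct":
            return _b64url_decode(k["k"])
    return None

def validate_bearer(headers):
    """Resource-server check: user id from the configured claim if the Authorization
    header carries a valid JWT, else None. Query parameters are never consulted."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    try:
        h, p, s = token.split(".")
        header, payload = dict(json.loads(_b64url_decode(h))), dict(json.loads(_b64url_decode(p)))
        sig = _b64url_decode(s)
    except (ValueError, TypeError):  # malformed base64/JSON, non-object, or wrong segment count
        return None
    # Only accept the expected algorithm; never let the token choose "none" or another alg.
    key = _key_for(header.get("kid")) if header.get("alg") == "HS256" else None
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= int(time.time()):
        return None
    return payload.get(USERID_CLAIM)

def mint_token(claims, ttl=60, kid="key-1"):
    """Constructed stand-in for the authorization server issuing an HS256 JWT."""
    body = dict(claims, exp=int(time.time()) + ttl)
    h = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p = _b64url_encode(json.dumps(body).encode())
    sig = hmac.new(_key_for(kid), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```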

Configuring for RFC 7662 Endpoint Based Token Validation

To validate an OAuth2 access token using an Authorization Server’s RFC 7662 token introspection endpoint, set the property ohi.oauth.token.validation.method to the value OAUTH2_ENDPOINT.

Set the URL of the token validation (introspection) endpoint as the value of the system property ohi.oauth.token.introspection.endpoint.url.

Oracle Health Insurance assumes that the token introspection endpoint is protected by Basic Authentication. It authenticates to the endpoint with the Basic Authentication credentials of the Client ID configured in the property ohi.oauth.token.introspection.endpoint.client_id. Configure the password for that Client ID using the Credential Management resource.