Using OAuth2 for securing OHI Application’s RESTful services

Oracle Health Insurance applications' RESTful services can be protected with OAuth2. In that case the application validates and/or introspects OAuth2 access tokens that are sent as Bearer tokens in the HTTP Authorization header. Oracle Health Insurance applications do not support sending an access token as a request parameter.

If the token is valid and a user can be identified from it, the request is allowed; otherwise an HTTP 404 Unauthorized response is returned. Processing of an allowed request is still subject to authorization checks.

The following ways of OAuth2 access token validation are currently supported:

  • JWKSET: the resource server validates the OAuth2 access token itself. Assuming the token is a JWT, it verifies the token against a JSON Web Key (JWK) Set as defined by RFC 7517. The JWK Set can come from an endpoint exposed by an OAuth2 authorization server, or from a set of public key certificates that are managed in a local key store.

  • OAUTH2_ENDPOINT: the token is validated using an OAuth2 authorization server's token introspection endpoint as defined by RFC 7662.

By default Oracle Health Insurance applications validate OAuth2 access tokens against a JWK Set.

Configuring for JWK Set based token validation

If the OAuth2 Authorization Server exposes a JWK Set endpoint, configure its URL as the value of system property "ohi.oauth.jwk.set.url". The endpoint must serve a JWK Set as defined by RFC 7517.

Alternatively, it is possible to configure a Key Store containing public key aliases from which the system constructs a JWK Set. Follow these steps:

  • Set the name of the domain-specific Key Store that holds the public key certificates used as the source for the JWK Set. The default name for the Key Store is "jsonwebkeys". The Key Store does not exist yet; it has to be created via the Key Store management resource before it can be used.

  • Use the Key Store management resource to import public key certificates into the Key Store.

  • A number of properties control how the JWK Set is filtered to find a matching public key certificate for verification of the JWT signature, for example:

For either JWK Set source, property "ohi.oauth.jwt.userid.claim" specifies the JWT claim that identifies the user for whom the OAuth2 access token was created. Default value: sub.
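The resource-server side of JWKSET validation, as an added Go example that is not Oracle Health Insurance code and not part of the original page: it takes the key list that a JWK Set endpoint (or the "jsonwebkeys" Key Store) would supply, selects the key by the token's kid, verifies an RS256 signature, rejects expired tokens and returns the user-id claim named by the equivalent of "ohi.oauth.jwt.userid.claim". The issuer-side helpers (NewIssuer, MintRS256), the kid value "ohi-key-1" and the user names are constructed test fixtures; RS256 is assumed as the signing algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of an RFC 7517 RSA public-key entry that signature verification needs.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url for every segment

// decodeSegment base64url-decodes one JWS segment and parses it as JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// ValidateJWT checks an access token against the JWK Set and returns the value of the
// configured user-id claim (the page's ohi.oauth.jwt.userid.claim, default "sub").
func ValidateJWT(token string, keys []JWK, userIDClaim string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a compact-serialized JWS")
	}
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &header); err != nil {
		return "", err
	}
	if header.Alg != "RS256" { // pin the algorithm: the token must not pick "none" or an HMAC alg
		return "", fmt.Errorf("unsupported alg %q", header.Alg)
	}
	var pub *rsa.PublicKey // the JWK Set is filtered on kty and kid to find the verification key
	for _, k := range keys {
		if k.Kty == "RSA" && k.Kid == header.Kid {
			n, _ := b64.DecodeString(k.N) // a malformed key yields a key that verifies nothing
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("no RSA key with kid %q in JWK Set", header.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a malformed signature simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims map[string]any // only now is the payload trustworthy
	if err := decodeSegment(parts[1], &claims); err != nil {
		return "", err
	}
	exp, _ := claims["exp"].(float64) // a missing exp reads as 0 and is therefore rejected
	user, _ := claims[userIDClaim].(string)
	if now.Unix() >= int64(exp) || user == "" {
		return "", fmt.Errorf("token expired or user id claim %q missing", userIDClaim)
	}
	return user, nil
}

// NewIssuer is a constructed stand-in for the authorization server: a fresh RSA key plus
// the JWK it would publish for that key under kid (not OHI code).
func NewIssuer(kid string) (*rsa.PrivateKey, JWK) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

// MintRS256 issues a signed JWT carrying claims, labelled with kid (constructed fixture).
func MintRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, jwk := NewIssuer("ohi-key-1") // constructed sample kid
	tok := MintRS256(priv, "ohi-key-1", map[string]any{"sub": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(ValidateJWT(tok, []JWK{jwk}, "sub", time.Now()))
}
```

The key slice stands in for what the application fetches from "ohi.oauth.jwk.set.url" or constructs from the Key Store. The order of operations is deliberate: the algorithm is pinned and the signature verified before any claim is read, so a token that names a different algorithm, an unknown kid or a key the server does not hold is rejected without its payload ever being trusted.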

Configuring for RFC 7662 endpoint based token validation

To validate an OAuth2 access token using an Authorization Server's RFC 7662 token introspection endpoint, set property "ohi.oauth.token.validation.method" to the value "OAUTH2_ENDPOINT", and set the URL of the token validation or introspection endpoint as the value of system property "ohi.oauth.token.introspection.endpoint.url".

The endpoint is assumed to support HTTP Basic Authentication. The Basic Authentication credentials used by the Oracle Health Insurance application are identified by the Client ID configured as property "ohi.oauth.token.introspection.endpoint.client_id"; the password for that Client ID must be configured using the Credential Management resource.
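The introspection exchange described in this section, as an added Go example that is not Oracle Health Insurance code and not part of the original page: the resource server posts the Bearer token to the RFC 7662 endpoint with the configured Client ID and its stored password as HTTP Basic credentials, and only an "active": true answer with a subject lets the request through. The authorization-server side (StartFakeAuthServer, the path /oauth2/introspect, the client ID "ohi-app", its secret and the token values) is a constructed stand-in so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// IntrospectionResponse carries the RFC 7662 fields the resource server acts on.
type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	Sub      string `json:"sub,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

// Introspect is the resource-server side of OAUTH2_ENDPOINT validation: POST the token to
// the introspection endpoint, authenticating with the client's HTTP Basic credentials.
func Introspect(endpoint, clientID, clientSecret, token string) (IntrospectionResponse, error) {
	var out IntrospectionResponse
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return out, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // the configured client_id plus its stored password
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return out, fmt.Errorf("introspection endpoint answered HTTP %d", resp.StatusCode)
	}
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// UserFromIntrospection applies the page's rule: an active token with an identifiable user
// lets the request through; anything else is rejected before any authorization check runs.
func UserFromIntrospection(authorization, endpoint, clientID, clientSecret string) (string, error) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return "", fmt.Errorf("no Bearer token in Authorization header")
	}
	r, err := Introspect(endpoint, clientID, clientSecret, strings.TrimPrefix(authorization, "Bearer "))
	if err != nil {
		return "", err
	}
	if !r.Active || r.Sub == "" {
		return "", fmt.Errorf("token not active or has no subject")
	}
	return r.Sub, nil
}

// StartFakeAuthServer is a constructed stand-in for an authorization server's introspection
// endpoint (not an Oracle component): it requires the Basic credentials and answers from a
// token table, returning {"active": false} for anything it does not know, as RFC 7662 requires.
func StartFakeAuthServer(clientID, clientSecret string, tokens map[string]string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/introspect", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.Header().Set("WWW-Authenticate", `Basic realm="introspection"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		sub, known := tokens[r.PostForm.Get("token")]
		if !known {
			json.NewEncoder(w).Encode(IntrospectionResponse{Active: false})
			return
		}
		json.NewEncoder(w).Encode(IntrospectionResponse{Active: true, Sub: sub, ClientID: clientID, Exp: time.Now().Add(time.Hour).Unix()})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := StartFakeAuthServer("ohi-app", "ohi-app-secret", map[string]string{"opaque-token-1": "alice"})
	defer srv.Close()
	fmt.Println(UserFromIntrospection("Bearer opaque-token-1", srv.URL+"/oauth2/introspect", "ohi-app", "ohi-app-secret"))
}
```

Two failure modes are worth noticing: a wrong client password produces an HTTP 401 from the introspection endpoint, which the resource server treats as a validation failure rather than retrying without credentials, and an unknown or revoked token produces a 200 with "active": false, so the check on the active field (not merely on a successful HTTP status) is what actually gates the request.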