Using OAuth2 for Securing the Oracle Health Insurance Application’s RESTful services
Oracle Health Insurance application RESTful services support OAuth2 access tokens. When a caller uses one, the application validates and/or introspects the OAuth2 access token, which must be sent as a Bearer token in the HTTP Authorization header. Oracle Health Insurance applications do not support sending an access token as a request parameter.
If the token is valid and a user can be identified from it, the request is allowed; otherwise an HTTP 404 Unauthorized response is returned. Processing of an allowed request remains subject to authorization verification.
The following ways of OAuth2 access token validation are currently supported:
- JWKSET: OAuth2 access tokens are validated by the resource server itself. Assuming the token is a JWT, the resource server validates it against a JSON Web Key (JWK) Set as defined by RFC 7517. The source of the JWK Set is an endpoint exposed by an OAuth2 authorization server.
- OAUTH2_ENDPOINT: the token is validated using an OAuth2 authorization server's token introspection endpoint as defined by RFC 7662.
By default, Oracle Health Insurance applications validate OAuth2 access tokens against a JWK Set.
Configuring for JWK Set Based Token Validation
In case the OAuth2 Authorization Server exposes a JWK Set endpoint, configure that URL as the value for system property ohi.oauth.jwk.set.url. Note that the endpoint must implement the JWK Set as defined by RFC 7517.
The value for property ohi.oauth.jwt.userid.claim specifies the claim in the JWT that is used to identify the user for which the OAuth2 access token was created. Default value: sub.
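The following is an added example, not Oracle Health Insurance code, showing what the resource server does with the two settings above: take the Bearer token from the Authorization header only, validate the JWT against a JWK Set, and read the user id from the configured claim. It uses a symmetric "oct" JWK (allowed by RFC 7517) so it runs offline with the standard library; the JWK Set and property values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Assumed value of the OHI property (constructed for this example)
CONFIG = {"ohi.oauth.jwt.userid.claim": "sub"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def bearer_token(headers: dict):
    """Return the access token from the Authorization header, or None.
    A token passed as a request parameter is never consulted."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def user_from_jwt(token: str, jwk_set: dict, now=None):
    """Validate a compact JWS JWT against a JWK Set and return the user id
    claim; None means the caller must answer with an Unauthorized response."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # malformed token or base64/JSON
        return None
    if header.get("alg") != "HS256":  # the only algorithm this example supports
        return None
    key = next((k for k in jwk_set["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return None
    mac = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # expired or no expiry claim at all
    return claims.get(CONFIG["ohi.oauth.jwt.userid.claim"])

def mint_token(claims: dict, jwk: dict) -> str:
    """Constructed helper: issue a token with the same key, as a test IdP would."""
    h = b64url_encode(json.dumps({"alg": "HS256", "kid": jwk["kid"]}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed JWK Set, standing in for the document fetched from ohi.oauth.jwk.set.url
JWK_SET = {"keys": [{"kty": "oct", "kid": "k1",
                     "k": b64url_encode(b"example-secret-32-bytes-long!!!!")}]}
```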
Configuring for RFC 7662 Endpoint Based Token Validation
To validate an OAuth2 access token using an Authorization Server's RFC 7662 token introspection endpoint, set property ohi.oauth.token.validation.method to the value "OAUTH2_ENDPOINT". Set the URL of the token validation or introspection endpoint as the value for system property ohi.oauth.token.introspection.endpoint.url.
It is assumed that the endpoint supports Basic Authentication. The Basic Authentication credentials used by the Oracle Health Insurance application are identified by the Client ID that is configured as property ohi.oauth.token.introspection.endpoint.client_id. The password credential for that Client ID needs to be configured using the Credential Management resource.