3 Securing RESTful Web Services Using OWSM OAuth 2.0 with IDCS OAuth 2.0

You can refer to the use case description, solution summary, components involved, and the linked documentation resources to secure RESTful web services using OWSM OAuth 2.0 with IDCS OAuth 2.0 Server.

This chapter contains the following sections:

  • 3.1 Use Case: Secure RESTful Web Services Using OWSM OAuth 2.0 with IDCS OAuth2 Server

  • 3.2 Implementing Web Services for IDCS - Prerequisites

  • 3.3 Configuring IDCS Security provider with WLS

  • 3.4 IDCS OAuth2 Configuration

  • 3.5 Secure JAX-RS REST Services using OWSM OAuth2 security policies

  • 3.6 Secure JAX-RS REST Client using OWSM OAuth 2.0 Security Policies

3.1 Use Case: Secure RESTful Web Services Using OWSM OAuth 2.0 with IDCS OAuth2 Server

You can develop RESTful web services and secure them, together with the resource and client applications registered on IDCS, using OWSM policies.

Use Case

Secure RESTful Web Services Using OWSM OAuth 2.0 with IDCS OAuth2 Server.

Implementation Summary

Develop RESTful web services and secure them, together with the resource and client applications registered on IDCS, using OWSM policies.

Components
  • Oracle WebLogic Server

  • Oracle Fusion Middleware

  • Oracle Web Services Manager (OWSM)

  • IDCS
Required Documentation

To complete this use case, see the following documentation resources:

This use case includes the following steps:

  • Configuring IDCS Security provider with WLS

  • IDCS OAuth2 Configuration

  • Secure JAX-RS REST Service using OWSM OAuth2 security policy

  • Secure JAX-RS REST Client using OWSM OAuth2 security policies

3.2 Implementing Web Services for IDCS - Prerequisites

Before implementing web services for IDCS, download and install IDCS, configure a WebLogic domain, start the Administration Server, and get access to Oracle Enterprise Manager Fusion Middleware Control and the Oracle WebLogic Server Administration Console.

Before you begin, ensure the following:

3.3 Configuring IDCS Security provider with WLS

A single security provider named OracleIdentityCloudIntegrator combines identity assertion and authentication. This security provider is associated with an OAuth Client for WLS to authenticate users with IDCS.

Install the IDCS Security Provider

Note:

The WebLogic boot user is not present in IDCS by default, so an authentication provider which contains the boot user is required. If the boot user is stored in embedded LDAP, the DefaultAuthenticator will be required for boot.

Follow the steps below to install and configure OracleIdentityCloudIntegrator in WLS:

The OracleIdentityCloudIntegrator security provider is included with WLS.

Obtain an OAuth Client from IDCS

The IDCS security provider is associated with an OAuth Client to enable WLS to authenticate users with IDCS. This OAuth client is registered with the IDCS instance and allows the security provider to access IDCS. An OAuth Client provides at least the three properties listed below, which the IDCS security provider requires:

Property Name | Type   | Comment
------------- | ------ | -------
ClientTenant  | String | Tenant name where the OAuth Client was provisioned
ClientId      | String | OAuth Client Id used to access the IDCS user store
ClientSecret  | String | OAuth Client Secret (i.e. password) used to generate access tokens

Note:

The OAuth Client can only be used within the IDCS tenant in which it was provisioned. If the client must also access other IDCS tenants, grant it the Cross Tenant IDCS AppRole.

  1. Setup the OAuth Client with Identity Domain Administrator IDCS AppRole

    1. Login to the IDCS Admin console as Tenant Administrator

    2. Access the Applications tab and select Add

    3. Select the Trusted Application option and follow steps listed below in the setup wizard:
      • Type a client name and description and select Next

      • Select Configure this application as a client now

      • Select Client Credentials option for Allowed Grant Types only

      • Select the box Grant the client access to Identity Cloud Service Admin APIs

      • Click on the white drop down box and select Identity Domain Administrator

      • Select Next keeping other options blank

      • Select Finish.

    4. Record the Client Id, Client Secret and Tenant Name for the login

    5. Activate the new application and ensure your OAuth Client is activated by following the steps below:
      • Access Applications tab

      • Select the newly created application

      • Click Activate in the menu bar.

  2. Setup the OAuth Client for access to additional IDCS tenants, if required. Access to additional IDCS tenants can be granted by any of the following options:

    Option 1: Grant using CTAppRoleGranter JSON

    CTAppRoleGranter.json
    {
        "schemas": [
            "urn:ietf:params:scim:schemas:oracle:idcs:CrossTenantAppRoleGranter"
        ]
    }

    Option 2: Grant the Cross Tenant IDCS AppRole via PUT operation

    % curl -X PUT -H "Content-type: application/json" \
           -H "Authorization: Bearer <access-token>" \
           --data @CTAppRoleGranter.json http://tenant1.identity.c9dev0.oc9qadev.com/admin/v1/CrossTenantAppRoleGranter/a28132cdfdf5367a9f7810a3f47bbdf6

Configure the IDCS Security Provider

You can configure the installed IDCS security provider using WLST online, WLST offline, or WLS Admin Console.

To configure using WLST online and WLST offline, see Configuring the Oracle Identity Cloud Integrator Provider: Main Steps and Examples.

To configure using the Admin Console, see Manage Security Providers.

Configure SSL for the IDCS Security Provider

You have to configure SSL in the IDCS security provider and make sure that outbound HTTPS connections from WLS to the IDCS instance work properly.

See Configuring TLS/SSL for the Oracle Identity Cloud Integrator Provider.

3.4 IDCS OAuth2 Configuration

OAuth2 Client and OAuth2 Service are registered on IDCS.

See the following sections:

3.4.1 Registering OAuth2 Service on IDCS

New resource applications are configured on IDCS, and the URLs of the resources are added to the resource application.

Configuring New Resource Application on IDCS

Follow the steps below to configure new resource application on IDCS:

  1. Log in to the IDCS Admin Console

  2. Select the Applications tab

  3. Add New Application

  4. In the application wizard, select Web Application and provide details

  5. In the wizard select Skip Client Configuration and go to the next page

  6. On the Resources page, provide the scope, primary audience and secondary audiences

  7. Finish the wizard

  8. Save the application

  9. Click Activate to activate the application.

Note:

The "RSApp" application is created for testing. You can add more resource URLs as secondary audience(s) to integrate with test resources.

Add URL of Resources to Resource Application on IDCS

Follow the steps below to add URL of Resources to Resource Application on IDCS:

  1. Log in to the IDCS Admin Console

  2. Go to the Applications tab

  3. Select the "RSApp" application

  4. Go to the Configuration tab

  5. Expand the Resources section

  6. Type the URL against Secondary Audience

  7. Click Add (against Secondary Audience) to add the secondary audience

  8. Click Save to save the changes to the application.

3.4.2 Configuring OAuth2 Client on IDCS

OAuth2 Client is configured on IDCS.

You can configure OAuth2 client on IDCS by following the steps below:

  1. Log in to the IDCS Admin Console

  2. Go to the Applications tab

  3. Add New Application

    Note:

    The client application is different from the resource application.
  4. In Application wizard, select Web Application and provide details

  5. In Client Configuration, register the client and provide the following information:
    • Grant Types

    • Client Type

    • Import Client Certificate

    • Add Allowed Scope

      Note:

      Scope is selected from resource applications that are already added.
    • Grant the Client Access to Identity Cloud Service Admin APIs: select Identity Domain Administrator.

  6. Finish the wizard

  7. Save the application

  8. Click Activate to activate the application.

Note:

The "ClientApp" application is created for testing. Note its client ID and secret.

3.5 Secure JAX-RS REST Services using OWSM OAuth2 security policies

Secure the REST service using the following service-side OWSM policy.

Policy | Description
------ | -----------
oracle/multi_token_over_ssl_rest_service_policy | Enforces one of the authentication policies (SAML, HTTP, SPNEGO, JWT, etc.) based on the token sent by the client.

Attach OWSM Policy Globally

wls:/service_domain/serverConfig> beginWSMSession()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. 
For more help, use help('domainRuntime')
Session started for modification.
wls:/service_domain/serverConfig> createWSMPolicySet('oauth-ps', 'rest-resource', 'Domain("*")', 'Policy set for All Rest Resources', 'true')

The policy set was created successfully in the session.

true
wls:/service_domain/serverConfig> attachWSMPolicy('oracle/multi_token_over_ssl_rest_service_policy')
Policy reference "oracle/multi_token_over_ssl_rest_service_policy" added.
wls:/service_domain/serverConfig> commitWSMSession()

Import IDCS Signing Certificate

  1. Use the following client ID/secret and the scope urn:opc:idm:__myscopes__ to get an access token. The access token obtained is then used to get the IDCS signing certificate.

    Note:

    Encode (ClientID:ClientSecret) into base64 through https://www.base64encode.org/

    Curl to get Access Token

    $ curl -i -H 'Content-Type:application/x-www-form-urlencoded; charset=utf-8' \
      -H 'Authorization:Basic MzhlZjQyZmRiOTJlNDY3YjkzNWIxMzhmNmIwMmQyMTE6MDQwN2ViYjMtZWM3NS00Y2FlLTkxMzItODI0M2FiM2Q4NTNj' \
      --request POST 'https://owsm.identity.c9dev0.oc9qadev.com:443/oauth2/v1/token' \
      -d 'grant_type=client_credentials&scope=urn:opc:idm:__myscopes__'
    #response
    HTTP/1.1 200 OK
    Server: Oracle-Traffic-Director/11.1.1.9
    Date: Mon, 11 Jul 2016 11:50:27 GMT
    X-xss-protection: 1; mode=block
    X-content-type-options: nosniff
    Cache-control: no-store
    Pragma: no-cache
    Content-type: application/json;charset=UTF-8
    Content-length: 1915
    Via: 1.1 net-idcs-config
    Proxy-agent: Oracle-Traffic-Director/11.1.1.9
    
    {"access_token":"eyJ4NXQjUzI1NiI6Ijg1a3E1MFVBVmNSRDJOUTR6WVZMVDZXbndUZmVidjBhNGV2YUJGMjFqbU0iLCJ4NXQiOiJNMm1hRm0zVllsTUJPbjNHZXRWV0dYa3JLcmsiLCJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIzOGVmNDJmZGI5MmU0NjdiOTM1YjEzOGY2YjAyZDIxMSIsInVzZXIudGVuYW50Lm5hbWUiOiJvd3NtIiwic3ViX21hcHBpbmdhdHRyIjoidXNlck5hbWUiLCJpc3MiOiJodHRwczpcL1wvaWRlbnRpdHkub3JhY2xlY2xvdWQuY29tXC8iLCJ0b2tfdHlwZSI6IkFUIiwiY2xpZW50X2lkIjoiMzhlZjQyZmRiOTJlNDY3YjkzNWIxMzhmNmIwMmQyMTEiLCJ1c2VyX2lzQWRtaW4iOnRydWUsImF1ZCI6WyJodHRwczpcL1wvb3dzbS5pZGVudGl0eS5jOWRldjAub2M5cWFkZXYuY29tOjQ0MyIsInVybjpvcGM6bGJhYXM6bG9naWNhbGd1aWQ9b3dzbSJdLCJjbGllbnRBcHBSb2xlcyI6WyJBdXRoZW50aWNhdGVkIENsaWVudCJdLCJzY29wZSI6InVybjpvcGM6aWRtOnQuc2VjdXJpdHkuY2xpZW50IiwiY2xpZW50X3RlbmFudG5hbWUiOiJvd3NtIiwiZXhwIjoxNDg5MDc1NzAwLCJpYXQiOjE0ODkwNzIxMDAsImNsaWVudF9uYW1lIjoiMTJfMl8xXzIgaWRjcyB0ZXN0IG5vbi1zc2wgY2xpZW50IiwidGVuYW50Ijoib3dzbSIsImp0aSI6IjY3ZWEzZDk5LWNiNGEtNDlkYS1iNWE5LWYyZjM4OTA0ODQ2OCJ9.dzKdnUS5hPMduP3jJ-G-v56qmagLNMjKNPsilQuAbxf8uj2z2ZB5I-RjOocihhahbqlsBZUOOMuzhTZHzFy5AGBKv-mMeraFl87c3Xhjmw3r2phC9T-YfGgRUSEwxrRsKF0FkIi4TX9Kwi0hdrKiMCMFV1gav5v1dGmklwCfNjQ","token_type":"Bearer","expires_in":3600}
    
  2. Use Access Token obtained above to get the signing certificates.

    Curl to get Signing Certificates
    $ curl -X GET -H 'Content-Type:application/scim+json' -H 'Authorization:Bearer eyJ4NXQjUzI1NiI6Ijg1a3E1MFVBVmNSRDJOUTR6WVZMVDZXbndUZmVidjBhNGV2YUJGMjFqbU0iLCJ4NXQiOiJNMm1hRm0zVllsTUJPbjNHZXRWV0dYa3JLcmsiLCJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIzOGVmNDJmZGI5MmU0NjdiOTM1YjEzOGY2YjAyZDIxMSIsInVzZXIudGVuYW50Lm5hbWUiOiJvd3NtIiwic3ViX21hcHBpbmdhdHRyIjoidXNlck5hbWUiLCJpc3MiOiJodHRwczpcL1wvaWRlbnRpdHkub3JhY2xlY2xvdWQuY29tXC8iLCJ0b2tfdHlwZSI6IkFUIiwiY2xpZW50X2lkIjoiMzhlZjQyZmRiOTJlNDY3YjkzNWIxMzhmNmIwMmQyMTEiLCJ1c2VyX2lzQWRtaW4iOnRydWUsImF1ZCI6WyJodHRwczpcL1wvb3dzbS5pZGVudGl0eS5jOWRldjAub2M5cWFkZXYuY29tOjQ0MyIsInVybjpvcGM6bGJhYXM6bG9naWNhbGd1aWQ9b3dzbSJdLCJjbGllbnRBcHBSb2xlcyI6WyJBdXRoZW50aWNhdGVkIENsaWVudCJdLCJzY29wZSI6InVybjpvcGM6aWRtOnQuc2VjdXJpdHkuY2xpZW50IiwiY2xpZW50X3RlbmFudG5hbWUiOiJvd3NtIiwiZXhwIjoxNDg5MDc1NzAwLCJpYXQiOjE0ODkwNzIxMDAsImNsaWVudF9uYW1lIjoiMTJfMl8xXzIgaWRjcyB0ZXN0IG5vbi1zc2wgY2xpZW50IiwidGVuYW50Ijoib3dzbSIsImp0aSI6IjY3ZWEzZDk5LWNiNGEtNDlkYS1iNWE5LWYyZjM4OTA0ODQ2OCJ9.dzKdnUS5hPMduP3jJ-G-v56qmagLNMjKNPsilQuAbxf8uj2z2ZB5I-RjOocihhahbqlsBZUOOMuzhTZHzFy5AGBKv-mMeraFl87c3Xhjmw3r2phC9T-YfGgRUSEwxrRsKF0FkIi4TX9Kwi0hdrKiMCMFV1gav5v1dGmklwCfNjQ' https://owsm.identity.c9dev0.oc9qadev.com:443/admin/v1/SigningCert/jwk
    #GET response
    {"keys":[{"kty":"RSA","e":"AQAB","x5t":"M2maFm3VYlMBOn3GetVWGXkrKrk","kid":"SIGNING_KEY","x5c":["<base64 DER certificate omitted>","<base64 DER certificate omitted>"],"alg":"RS256","n":"i1b8rnvqha2scDOS8WjS7dkB98B5_59PspNo5j-5qWJM9cayrhJNntkgoIMyvDE_YyeVVGjZRdDMISGfP52sQOSzwsxhFX2f-NRj7RjQAxcrKahh5HbDb_jNnggZnuzA6fS956AbbdqXqhqsUrtAx8rdcIDa-qehF6k0-AGy3ck"}]}
    
  3. Create a certificate file for each entry of the x5c array in the above response by placing the value between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

  4. Save first certificate as idcs.cert and second as idcs-ca.cert

  5. Import certificate to KSS keystore of OWSM.

    Importing Certificate to KSS
    wls:/jrfServer_domain/serverConfig/> svc = getOpssService(name='KeyStoreService')
    wls:/jrfServer_domain/serverConfig/> svc.importKeyStoreCertificate(appStripe='owsm', name='keystore', password='', alias='idcs', keypassword='', type='TrustedCertificate', filepath='/scratch/ankianja/idcs.cert')
    Already in Domain Runtime Tree
    Certificate imported.
    wls:/jrfServer_domain/serverConfig/> svc.importKeyStoreCertificate(appStripe='owsm', name='keystore', password='', alias='idcs-ca.cert', keypassword='', type='TrustedCertificate', filepath='/scratch/ankianja/idcs-ca.cert')
    Already in Domain Runtime Tree
    Certificate imported.
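The five steps above, automated, as an added example that is not Oracle's code: it builds the Basic header locally, performs the two requests from the curl commands, checks the JWK's x5t against the leaf certificate (RFC 7517 defines x5t as the SHA-1 of the DER certificate), and produces idcs.cert and idcs-ca.cert in PEM form. IDCS_HOST, the client ID and the secret are the sample values from the curl commands above; the offline sample at the bottom uses constructed bytes, not a real certificate.

```python
import base64
import hashlib
import json
import urllib.request

# Sample values copied from this guide's own curl commands; replace with yours.
IDCS_HOST = "https://owsm.identity.c9dev0.oc9qadev.com:443"
SCOPE = "urn:opc:idm:__myscopes__"


def basic_auth_header(client_id, client_secret):
    """Authorization value for the token request: 'Basic ' + base64(id:secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def x5t_thumbprint(der):
    """RFC 7517 'x5t': base64url(SHA-1(DER certificate)) with padding stripped."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def x5c_to_pem(x5c_entry):
    """Wrap one x5c value (base64 DER) in a PEM block with 64-character lines."""
    b64 = base64.b64encode(base64.b64decode(x5c_entry)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def jwk_to_pems(jwk_doc, kid="SIGNING_KEY"):
    """Return [(filename, pem), ...] for key `kid`: x5c[0] is the signing certificate
    (idcs.cert), the following entries are its chain (idcs-ca.cert, idcs-ca2.cert, ...).
    Raises ValueError if the advertised x5t does not match the leaf certificate."""
    keys = [k for k in json.loads(jwk_doc)["keys"] if k.get("kid") == kid]
    if not keys:
        raise ValueError(f"no key with kid={kid!r} in JWK document")
    key = keys[0]
    if x5t_thumbprint(base64.b64decode(key["x5c"][0])) != key["x5t"]:
        raise ValueError("x5t in JWK does not match SHA-1 of the leaf certificate")
    names = ["idcs.cert"] + ["idcs-ca.cert" if i == 1 else f"idcs-ca{i}.cert"
                             for i in range(1, len(key["x5c"]))]
    return list(zip(names, (x5c_to_pem(c) for c in key["x5c"])))


def fetch_signing_jwk(client_id, client_secret):
    """The guide's two curl calls: client-credentials token, then SigningCert/jwk."""
    body = f"grant_type=client_credentials&scope={SCOPE}".encode("ascii")
    req = urllib.request.Request(IDCS_HOST + "/oauth2/v1/token", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(IDCS_HOST + "/admin/v1/SigningCert/jwk")
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


# Constructed offline sample (patterned bytes, NOT a real certificate) so that the
# PEM and x5t logic can be exercised without an IDCS tenant.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_X5C = [base64.b64encode(SAMPLE_DER).decode("ascii"),
              base64.b64encode(SAMPLE_DER[:100]).decode("ascii")]
SAMPLE_JWK_DOC = json.dumps({"keys": [{"kty": "RSA", "kid": "SIGNING_KEY", "alg": "RS256",
                                        "x5t": x5t_thumbprint(SAMPLE_DER), "x5c": SAMPLE_X5C}]})

if __name__ == "__main__":
    jwk = fetch_signing_jwk("38ef42fdb92e467b935b138f6b02d211",
                            "0407ebb3-ec75-4cae-9132-8243ab3d853c")
    for filename, pem in jwk_to_pems(jwk):
        with open(filename, "w") as fh:
            fh.write(pem)
        print("wrote", filename)
```

The files it writes are the ones step 5 imports with importKeyStoreCertificate.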
    

Configuring Trusted Issuers in Service Domain Trust

Trusted issuers are configured in service domain and trust entries are added in agent trust documents for trusted issuer by following the steps below:

  1. Print the cert
    keytool -printcert -file idcs.cert
    Entry type: trustedCertEntry
    Owner: CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com
    Issuer: CN=Cloud9CA, DC=cloud, DC=oracle, DC=com
    Serial number: 2df19c5c
    Valid from: Fri Nov 20 01:32:48 PST 2015 until: Mon Nov 17 01:32:48 PST 2025
    Certificate fingerprints:
             MD5:  08:82:9E:3B:E1:2B:D3:0B:A1:9A:EC:32:1A:03:EC:05
             SHA1: 33:69:9A:16:6D:D5:62:53:01:3A:7D:C6:7A:D5:56:19:79:2B:2A:B9
             Signature algorithm name: SHA1withRSA
             Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: DA BB 68 80 72 82 D3 FC   2C D9 D4 B7 66 AE EC F7  ..h.r...,...f...
    0010: 0C 0C A1 F9                                        ....
    ]
    ]
    

    Note:

    • Use the owner of the certificate printed above to configure the trusted issuers in OWSM. For example, the owner here is 'CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com'.

    • The trusted issuer for IDCS is "https://identity.oraclecloud.com".

    • If a trust document with the same name already exists in the domain, createWSMTokenIssuerTrustDocument('trust-doc',None) reports an error; ignore it and proceed with the next command.

  2. Configuring trust document in OWSM using WLST
    wls:/jrfServer_domain/serverConfig/> beginWSMSession()
    Session started for modification.
    true
    wls:/jrfServer_domain/serverConfig/> createWSMTokenIssuerTrustDocument('trust-doc',None)
    New Token Issuer Trust document named "trust-doc" created.
    To use the new document in the domain configuration,you must run the setWSMConfiguration command where category = "TokenIssuerTrust", property name = "name" and value = "trust-doc".
    true
    wls:/jrfServer_domain/serverConfig/> setWSMConfiguration(None, 'TokenIssuerTrust', 'name', None, ['trust-doc'])  
    A new property "name" within category "TokenIssuerTrust" has been added.
    The values "[trust-doc]" have been added to property "name" within category "TokenIssuerTrust".
    Configuration properties associated with the context "/WLS/jrfServer_domain" has been created.
    true
    wls:/jrfServer_domain/serverConfig/> selectWSMTokenIssuerTrustDocument('trust-doc')
    Token Issuer Trust document named "trust-doc" selected in the session.
    true
    wls:/jrfServer_domain/serverConfig/> setWSMTokenIssuerTrust('dns.jwt','https://identity.oraclecloud.com/',['CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com'])
    New issuer - "https://identity.oraclecloud.com/" added to the document.
    Issuer set with the given trusted keys.
    The issuer and trusted DN values have been updated successfully.
    true
    wls:/jrfServer_domain/serverConfig/> setWSMTokenIssuerTrustAttributeFilter('CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com', 'user.tenant.name',['owsm'])
    New TokenAttributeRule added for DN: CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com.
    true
    wls:/jrfServer_domain/serverConfig/> commitWSMSession()
    The tokenissuertrust trust-doc is valid.
    Updating tokenissuertrust trust-doc in repository.
     
    Session committed successfully.
    true
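What the trust document configured above makes OWSM check, as an added example that is not Oracle's code: the issuer from setWSMTokenIssuerTrust, the certificate bound to that issuer's DN (matched through the token header's x5t), the user.tenant.name attribute filter from setWSMTokenIssuerTrustAttributeFilter, and expiry. It assumes the DER bytes of idcs.cert are available (a constructed placeholder stands in here) and shows only the claim-level rules; the RS256 signature check against that certificate is OWSM's job and is not shown.

```python
import base64
import hashlib
import json
import time

# Trust configuration mirroring the WLST commands above (values from this guide).
TRUSTED_DN = "CN=orclMT123232_idm, DC=cloud, DC=oracle, DC=com"
PLACEHOLDER_DER = bytes(range(256)) * 3  # constructed; NOT the real idcs.cert
TRUST_DOC = {
    # setWSMTokenIssuerTrust('dns.jwt', issuer, [trusted DNs])
    "issuers": {"https://identity.oraclecloud.com/": [TRUSTED_DN]},
    # setWSMTokenIssuerTrustAttributeFilter(DN, 'user.tenant.name', ['owsm'])
    "attribute_filters": {TRUSTED_DN: {"user.tenant.name": ["owsm"]}},
}


def x5t_thumbprint(der):
    """RFC 7515 'x5t' of a DER certificate: base64url(SHA-1), no padding."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_trust(token, trust_doc, dn_thumbprints, now=None):
    """Apply the trust-document rules to a JWT; return "ok" or the rejection reason.
    dn_thumbprints maps each trusted DN to the x5t of the certificate imported
    under that DN. The signature must be verified separately before trusting "ok"."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return "malformed token"
    if header.get("alg") != "RS256":  # never accept 'none' or HMAC algs here
        return f"unexpected alg {header.get('alg')!r}"
    dns = trust_doc["issuers"].get(claims.get("iss"))
    if dns is None:
        return f"untrusted issuer {claims.get('iss')!r}"
    # The header's x5t must name a certificate imported for one of the issuer's DNs
    matching = [dn for dn in dns if dn_thumbprints.get(dn) == header.get("x5t")]
    if not matching:
        return "signing certificate not trusted for this issuer"
    for attr, allowed in trust_doc["attribute_filters"].get(matching[0], {}).items():
        if claims.get(attr) not in allowed:
            return f"attribute filter rejected {attr}={claims.get(attr)!r}"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return "ok"


def make_unsigned_token(header, claims):
    """Constructed test token: real header/payload encoding, dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"
```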
    

3.6 Secure JAX-RS REST Client using OWSM OAuth 2.0 Security Policies

Secure the REST client using the following client-side OWSM policies.

Setup Keystore at Client Domain

keystore.sig.csf.key identifies the key used to sign the JWT that the client presents to the OAuth server when requesting an access token. The default value is orakey.

Creating KSS in client domain

wls:/offline> connect('weblogic','gumby1234','10.229.140.110:11926')
Connecting to t3://10.229.140.110:11926 with userid weblogic ...
wls:/jrfServer_domain/serverConfig/> svc = getOpssService(name='KeyStoreService')
wls:/jrfServer_domain/serverConfig/> svc.createKeyStore(appStripe='owsm', name='keystore', password='', permission=true)
Location changed to domainRuntime tree. This is a read-only tree 
with DomainMBean as the root MBean. 
For more help, use help('domainRuntime')
Keystore created

The key pair is generated directly in the KSS store using the generateKeyPair keystore operation.

Generating KeyPair using generateKeyPair

wls:/jrfServer_domain/serverConfig/> svc = getOpssService(name='KeyStoreService') 
wls:/jrfServer_domain/serverConfig/> svc.generateKeyPair(appStripe='owsm', name='keystore', password='', dn='CN=weblogic,OU=MT Orakey Test Encryption Purposes Only,O=Oracle,C=US', keysize='2048', alias='orakey12212ssl', keypassword='')
Already in Domain Runtime Tree 
Key pair generated

Import Sign Certificate from Client Domain to OAuth Client in OAuth Server

  1. Export the signing certificate from KSS keystore. Use the alias with which the keypair is generated.

    Export the Certificate

    wls:/jrfServer_domain/serverConfig/> svc = getOpssService(name='KeyStoreService') 
    wls:/jrfServer_domain/serverConfig/> svc.exportKeyStoreCertificate(appStripe='owsm', name='keystore', password='', alias='orakey12212ssl', keypassword='', type='TrustedCertificate',filepath='/scratch/ankianja/orakey12212nonssl.pem')
    Already in Domain Runtime Tree 
    Certificate exported.
    
  2. Go to OAuth Configuration and modify the client. Click on "Trusted" and upload the certificate file created above by clicking "Import" button.

Create OAuth Client csf key at Client Domain Credential Store

oauth2.client.csf.key is used for authentication with OAuth Server while requesting access token. The default value is "basic.client.credentials".

Note:

The username and password used to create the password credential are the client ID and secret obtained in "Configuring OAuth2 Client on IDCS".

Create OAuth Client Credential

wls:/jrfServer_domain/serverConfig/> createCred(map="oracle.wsm.security",key="idcs.oauth2.client.credentials",user="38ef42fdb92e467b935b138f6b02d211",password="0407ebb3-ec75-4cae-9132-8243ab3d853c",desc="OAuth Client user for MT")
Credential created successfully.

Securing REST Client using OAuth Client OWSM WS Policies

The OAuth Client OWSM WS Policies for securing REST Client are as follows:

Policy | Description
------ | -----------
oracle/http_oauth2_token_over_ssl_idcs_client_policy | Includes an OAuth2 access token, obtained from the IDCS OAuth server, in the HTTP header. This policy can be attached to any HTTP-based SOAP or REST client invoking a service over SSL.
oracle/oauth2_config_client_policy | Provides OAuth2 server information on the client side. This policy is enforced only when an OAuth2 token client policy is also attached; otherwise it is ignored. It is usually attached globally.

Attach oauth2_config_client_policy as GPA

Connect to WLST and run following commands to create GPA for oauth2 config policy.

Note:

Provide the OAuth2 server token endpoint as the value of "token.uri". In the example below, "token.uri" is set to https://owsm.identity.c9dev0.oc9qadev.com:443/oauth2/v1/token

wls:/jrfServer_domain/serverConfig/> beginWSMSession()
Session started for modification.
true
wls:/jrfServer_domain/serverConfig/> createWSMPolicySet('oauth-ps', 'rest-client', 'Domain("*")', 'Policy set forAll Rest Clients', 'true')
The policy set was created successfully in the session.
true
wls:/jrfServer_domain/serverConfig/> attachWSMPolicy('oracle/oauth2_config_client_policy')
Policy reference "oracle/oauth2_config_client_policy" added.
true 
wls:/jrfServer_domain/serverConfig/> setWSMPolicyOverride('oracle/oauth2_config_client_policy','token.uri','https://owsm.identity.c9dev0.oc9qadev.com:443/oauth2/v1/token')
The configuration override property "token.uri" having value "https://owsm.identity.c9dev0.oc9qadev.com:443/oauth2/v1/token" has been added to the reference to policy with URI "oracle/oauth2_config_client_policy".
wls:/jrfServer_domain/serverConfig/> setWSMPolicyOverride('oracle/oauth2_config_client_policy', 'oauth2.client.csf.key', 'idcs.oauth2.client.credentials')
wls:/jrfServer_domain/serverConfig/> commitWSMSession()
INFO: Attachment of an oauth2 config policy without any oauth2 client policy is invalid. Ensure you attach a valid oauth2 policy either via Direct Policy Attachment or via Global Policy Attachment along with an oauth2 config policy.
The policy set oauth-ps is valid.
Creating policy set oauth-ps in repository. 
Session committed successfully.
true

Give WSM Identity Permission to Client App

grantPermission(appStripe=None,codeBaseURL='file:${common.components.home}/modules/oracle.wsm.common/wsm-agent-core.jar',principalClass=None,principalName=None,permClass='oracle.wsm.security.WSIdentityPermission',permTarget='resource=idcsclientapp', permActions='assert')

Note:

Create a user with the client ID/client secret in the WebLogic security realm in the case of the Client Only flow.

Update your servlet client code with http_oauth2_token_over_ssl_idcs_client_policy

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import org.glassfish.jersey.client.ClientConfig;
// OWSM client-side policy feature classes
import oracle.wsm.metadata.feature.AbstractPolicyFeature;
import oracle.wsm.metadata.feature.PolicyReferenceFeature;
import oracle.wsm.metadata.feature.PolicySetFeature;
import oracle.wsm.metadata.feature.PropertyFeature;
import oracle.wsm.security.util.SecurityConstants;

// The servlet response is passed in so the reply can be written; config is unused here.
public void testJaxRsHttpOAuth2ClientCredsJwtMT(Map<String, String> config,
                                                HttpServletResponse response) throws IOException {
    String BASE_URI = "https://den01zxb.us.oracle.com:7002/idcsserviceapp/test/helloworld";
    // Scope requested from IDCS; must be one of the client application's allowed scopes
    PropertyFeature scope = new PropertyFeature(
        SecurityConstants.ConfigOverride.CO_SCOPE, "http://owsm/idcs_test");
    // Alias of the key pair generated in the client KSS (overrides keystore.sig.csf.key)
    PropertyFeature signCsfKey = new PropertyFeature(
        SecurityConstants.ConfigOverride.CO_SIG_CSF_KEY, "orakey12212ssl");

    // Attach the OWSM OAuth2 client policy, with both overrides, to this JAX-RS client
    PolicyReferenceFeature[] clientPRF = new PolicyReferenceFeature[] {
        new PolicyReferenceFeature("oracle/http_oauth2_token_over_ssl_idcs_client_policy", scope, signCsfKey) };
    ClientConfig cc = new ClientConfig();
    cc.property(AbstractPolicyFeature.ABSTRACT_POLICY_FEATURE, new PolicySetFeature(clientPRF));
    Client client = ClientBuilder.newClient(cc);
    WebTarget webTarget = client.target(BASE_URI);
    // The header carries the tenant GUID of the resource being invoked
    String res = webTarget.request("text/plain")
        .header("X-RESOURCE-IDENTITY-SERVICE-GUID", "owsm")
        .get(String.class);

    PrintWriter out = response.getWriter();
    out.println("<html>");
    out.println("<head><title>IDCSClientServlet</title></head>");
    out.println("<body>");
    out.println("<p>The servlet has received a GET. This is the reply.</p>");
    out.println("<p>" + res + "</p>");
    out.println("</body></html>");
    out.close();
}