4.2.3.2 Configuring Oracle Access Management OAuth
OAA, OARM, and OUA need access to an Oracle Access Management (OAM) deployment with OAuth enabled.
The User Interface (UI) components of OAA, OARM, and OUA (the
Administration Console and Self-Service Portal) are protected by Oracle Access
Management (OAM) OAuth. The required OAuth components (Identity Domain, Resource,
Client) can be configured during the OAA, OARM, and OUA installation. However, the
following prerequisite steps must be performed before the installation can
configure the required OAuth components in OAM:
Note:
You can skip the OAuth configuration in this section if the UI components are not required or need to be disabled during the installation. If you skip the OAuth configuration you must set oauth.enabled=false, along with the associated properties, in installOAA.properties. For more details, see OAM OAuth Configuration.
Enable OAuth
To enable OAuth:
- Log in to the OAM Administration Console at https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
- From the Welcome page, click Configuration and then click Available Services.
- Click Enable Service beside OAuth and OpenIDConnect Service (or confirm that the green status check mark displays).
Configure Oracle HTTP Server
Configure the Oracle HTTP Server for OAuth as follows:
- Open the mod_wl_ohs.conf file located at <OHS_DOMAIN_HOME>/config/fmwconfig/components/OHS/<ohs_instance_name> and add the following:

    #OAM OAuth entries
    <Location /oauth2>
        SetHandler weblogic-handler
        WebLogicHost <OAM_Managed_Server_Host>
        WebLogicPort <OAM_Managed_Server_Port>
    </Location>
    <Location /oam>
        SetHandler weblogic-handler
        WebLogicHost <OAM_Managed_Server_Host>
        WebLogicPort <OAM_Managed_Server_Port>
    </Location>
    <Location /.well-known/openid-configuration>
        SetHandler weblogic-handler
        WebLogicHost <OAM_Managed_Server_Host>
        WebLogicPort <OAM_Managed_Server_Port>
        PathTrim /.well-known
        PathPrepend /oauth2/rest
    </Location>
    <Location /.well-known/oidc-configuration>
        SetHandler weblogic-handler
        WebLogicHost <OAM_Managed_Server_Host>
        WebLogicPort <OAM_Managed_Server_Port>
        PathTrim /.well-known
        PathPrepend /oauth2/rest
    </Location>
    <Location /CustomConsent>
        SetHandler weblogic-handler
        WebLogicHost <OAM_Managed_Server_Host>
        WebLogicPort <OAM_Managed_Server_Port>
    </Location>

Note:
<OAM_Managed_Server_Host> and <OAM_Managed_Server_Port> are the host name and port of the OAM managed server.
- Open the httpd.conf file (or ssl.conf if accessing via SSL) located at <OHS_DOMAIN_HOME>/config/fmwconfig/components/OHS/<ohs_instance_name> and add the following:
Note:
Specify a value for your OAuth Identity Domain in <DomainName>. The same <DomainName> must be used later for the parameter oauth.domainname in installOAA.properties.

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule ^/oauth2/rest/authorize? /oauth2/rest/authorize?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/token? /oauth2/rest/token?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/token/info? /oauth2/rest/token/info?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/authz? /oauth2/rest/authz?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/userinfo? /oauth2/rest/userinfo?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/security? /oauth2/rest/security?domain=<DomainName> [PT,QSA,L]
        RewriteRule ^/oauth2/rest/userlogout? /oauth2/rest/userlogout?domain=<DomainName> [PT,QSA,L]
    </IfModule>
    <IfModule mod_headers.c>
        #Add Identity domain header always for OpenID requests
        RequestHeader set X-OAUTH-IDENTITY-DOMAIN-NAME "<DomainName>"
    </IfModule>
- Restart Oracle HTTP Server.
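The two fragments above are easy to get subtly wrong: a <Location> block left out, the discovery blocks missing their PathTrim/PathPrepend pair, or the <DomainName> typed differently in one RewriteRule, in the request header, and in oauth.domainname. The following script is an added example (not Oracle's code) that lints those fragments offline before you restart OHS. The sample fragments it carries are constructed, and oam.example.com:14100 and the OAADomain identity domain are assumed values; point check_mod_wl_ohs and check_httpd at the real file contents and pass the oauth.domainname value from installOAA.properties as expected_domain.

```python
"""Offline lint of the two OHS fragments the page asks you to add for OAM OAuth.
Added example, not Oracle's code. Sample fragments below are constructed;
oam.example.com:14100 and the OAADomain identity domain are assumed values."""
import re

# <Location> blocks mod_wl_ohs.conf must route to the OAM managed server.
REQUIRED_LOCATIONS = ["/oauth2", "/oam", "/.well-known/openid-configuration",
                      "/.well-known/oidc-configuration", "/CustomConsent"]
DISCOVERY_LOCATIONS = REQUIRED_LOCATIONS[2:4]       # also need PathTrim/PathPrepend
# OAuth REST endpoints whose RewriteRule must append ?domain=<DomainName>.
REWRITTEN_ENDPOINTS = ["authorize", "token", "token/info", "authz",
                       "userinfo", "security", "userlogout"]

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+\^/oauth2/rest/(\S+?)\?\s+"
                        r"/oauth2/rest/\S+?\?domain=(\S+)\s+\[([^\]]*)\]", re.M)
HEADER_RE = re.compile(r'RequestHeader\s+set\s+X-OAUTH-IDENTITY-DOMAIN-NAME\s+"([^"]+)"')


def parse_locations(conf):
    """Map each <Location path> block to a dict of its directives."""
    locations = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        locations[path] = directives
    return locations


def check_mod_wl_ohs(conf):
    """Problems in the mod_wl_ohs.conf fragment ([] when it matches the page)."""
    problems, locations = [], parse_locations(conf)
    for path in REQUIRED_LOCATIONS:
        if path not in locations:
            problems.append(f"missing <Location {path}> block")
    backends = {(d.get("WebLogicHost"), d.get("WebLogicPort"))
                for path, d in locations.items() if path in REQUIRED_LOCATIONS}
    if len(backends) > 1:
        problems.append(f"OAuth locations proxy to different backends: {sorted(backends, key=str)}")
    for path in DISCOVERY_LOCATIONS:
        d = locations.get(path, {})
        if d.get("PathTrim") != "/.well-known" or d.get("PathPrepend") != "/oauth2/rest":
            problems.append(f"{path} needs PathTrim /.well-known and PathPrepend /oauth2/rest")
    return problems


def check_httpd(conf, expected_domain=None):
    """Problems in the httpd.conf/ssl.conf fragment. expected_domain is the
    oauth.domainname value from installOAA.properties, which must match."""
    problems = []
    if not re.search(r"^\s*RewriteEngine\s+on\b", conf, re.M | re.I):
        problems.append("RewriteEngine on is not set")
    rules = {ep: (domain, flags) for ep, domain, flags in REWRITE_RE.findall(conf)}
    for ep in REWRITTEN_ENDPOINTS:
        if ep not in rules:
            problems.append(f"no RewriteRule adding domain= to /oauth2/rest/{ep}")
    for ep, (_, flags) in rules.items():
        if {f.strip() for f in flags.split(",")} != {"PT", "QSA", "L"}:
            problems.append(f"/oauth2/rest/{ep} rule has flags [{flags}], expected [PT,QSA,L]")
    domains = {domain for domain, _ in rules.values()}
    header = HEADER_RE.search(conf)
    if header:
        domains.add(header.group(1))
    else:
        problems.append("X-OAUTH-IDENTITY-DOMAIN-NAME request header is not set")
    if len(domains) > 1:
        problems.append(f"identity domain differs between rules and header: {sorted(domains)}")
    if expected_domain and domains != {expected_domain}:
        problems.append(f"identity domain {sorted(domains)} != oauth.domainname {expected_domain}")
    return problems


def domain_from_properties(text):
    """oauth.domainname from installOAA.properties text, or None if unset."""
    match = re.search(r"^\s*oauth\.domainname\s*=\s*(\S+)", text, re.M)
    return match.group(1) if match else None


def _location(path, extra=""):
    return (f"<Location {path}>\n SetHandler weblogic-handler\n WebLogicHost oam.example.com\n"
            f" WebLogicPort 14100\n{extra}</Location>\n")

# Constructed samples matching the page's fragments, with assumed host/port/domain.
SAMPLE_MOD_WL_OHS = "#OAM OAuth entries\n" + "".join(
    _location(p, " PathTrim /.well-known\n PathPrepend /oauth2/rest\n" if p in DISCOVERY_LOCATIONS else "")
    for p in REQUIRED_LOCATIONS)
SAMPLE_HTTPD = "<IfModule mod_rewrite.c>\nRewriteEngine on\n" + "".join(
    f"RewriteRule ^/oauth2/rest/{ep}? /oauth2/rest/{ep}?domain=OAADomain [PT,QSA,L]\n"
    for ep in REWRITTEN_ENDPOINTS) + ('</IfModule>\n<IfModule mod_headers.c>\n'
    'RequestHeader set X-OAUTH-IDENTITY-DOMAIN-NAME "OAADomain"\n</IfModule>\n')
# A broken copy: userlogout rule dropped and the header naming a different domain.
BROKEN_HTTPD = re.sub(r"^RewriteRule \^/oauth2/rest/userlogout.*\n", "", SAMPLE_HTTPD,
                      flags=re.M).replace('"OAADomain"', '"OAADomain2"')

if __name__ == "__main__":
    for name, problems in [("mod_wl_ohs.conf", check_mod_wl_ohs(SAMPLE_MOD_WL_OHS)),
                           ("httpd.conf", check_httpd(SAMPLE_HTTPD, "OAADomain")),
                           ("broken httpd.conf", check_httpd(BROKEN_HTTPD, "OAADomain"))]:
        print(name, "->", problems or "OK")
```

The checks are deliberately strict about the identity domain: OAM resolves the OAuth Identity Domain from the domain query parameter the rewrite rules add and from the X-OAUTH-IDENTITY-DOMAIN-NAME header, and the installer creates its Identity Domain under oauth.domainname, so any of the three disagreeing leaves the UI components unable to authenticate.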
Define OAuth Policies in OAM
Define the OAuth policies in OAM as follows:
- Log in to the OAM Administration Console at https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
- In the Application Security Launchpad, under Access Manager, click Application Domains.
- In the Application Domain tab, click Search.
- Click the application domain created for the WebGate you defined earlier in General OAM Requirements.
- On the Resources tab, click Create Resource and create each of the following resources with the Protection Level set to Excluded. Excluded resources are passed through by the WebGate without an OAM session check, which is what allows the OAA, OARM, and OUA components behind them to rely on OAuth instead:
- /oauth2/rest/**
- /oam/**
- /.well-known/openid-configuration
- /iam/access/binding/api/v10/oap/**
- /oam/services/rest/**
- /iam/admin/config/api/v1/config/**
- /oaa-admin/**
- /admin-ui/**
- /oaa/**
- /policy/**
- /oaa-policy/**
- /oaa-email-factor/**
- /oaa-sms-factor/**
- /oaa-totp-factor/**
- /oaa-yotp-factor/**
- /fido/**
- /oaa-kba/**
- /oaa-push-factor/**
- /risk-analyzer/**
- /risk-cc/**
- /consolehelp/**
- /otpfp/**
- Create each of the following resources, set the Protection Level to Protected, and set both the Authentication Policy and the Authorization Policy to Protected Resource Policy:
- /oauth2/rest/approval (for the POST operation)
- /oam/pages/consent.jsp (for the GET operation)
Configure OHS as a Reverse Proxy in OAM
To configure OHS as a reverse proxy in OAM:
- In the OAM Administration Console, from the Welcome page click Configuration, and in the Settings tile click View > Access Manager.
- Under Load Balancing, specify the OHS Host and OHS Port. OAM uses these values when it builds the URLs it hands to clients, such as redirects and the OAuth endpoint URLs it publishes, so they must be the externally reachable OHS host and port, not the OAM managed server's.
Validate OAuth
Run the following command to confirm that OAuth is available and that Oracle HTTP Server is forwarding requests to the OAuth server:
curl -s -k --location --request GET https://ohs.example.com:443/oauth2/rest/token
You should see the Method Not Allowed message (HTTP 405). This means the request reached the OAuth server, which rejected it because the token endpoint does not accept GET. If you are instead redirected to a login page or receive a 404, the request never reached the OAuth server: revisit the steps above (in particular the /oauth2 Location block and the Excluded resources) and check for mistakes. Note that -k disables certificate verification; it is acceptable for this connectivity check only and says nothing about whether clients will trust the OHS certificate.
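The curl check above proves only that one path reaches OAM. The following script is an added example (not Oracle's code) that repeats that probe with TLS verification instead of -k, interprets the status codes you are likely to see, and additionally fetches the discovery document through OHS to confirm the endpoint URLs it advertises sit under the OHS front end. That second check assumes, which the page does not state, that OAM derives those URLs from the Load Balancing host and port; OHS_BASE, the oam-ms1.internal host and both sample discovery documents are assumed or constructed values.

```python
"""Probe the OHS front end for OAM OAuth. Added example, not Oracle's code.
OHS_BASE, the oam-ms1.internal host, and the sample discovery documents are
assumed or constructed values."""
import json
import ssl
import sys
import urllib.error
import urllib.request

OHS_BASE = "https://ohs.example.com:443"          # assumed OHS front-end URL
DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                  "userinfo_endpoint", "jwks_uri")


def token_probe_ok(status):
    """The page's curl check: a GET on /oauth2/rest/token must be answered by OAM
    with 405 Method Not Allowed. A 302 usually means the WebGate redirected to
    login (the /oauth2/rest/** resource is not Excluded); a 404 means no
    <Location /oauth2> routes the path to the managed server."""
    return status == 405


def check_discovery(doc, public_base):
    """Check the document served via /.well-known/openid-configuration. Assumes
    (not stated on the page) that OAM builds these URLs from the Load Balancing
    host and port, so each endpoint must sit under the OHS front-end URL; a
    managed-server host here means that setting was skipped."""
    problems = []
    for key in DISCOVERY_KEYS:
        value = doc.get(key)
        if value is None:
            problems.append(f"{key} missing from discovery document")
        elif not value.startswith(public_base):
            problems.append(f"{key} is {value}, not under {public_base}")
    return problems


def fetch(url, cafile=None):
    """GET url and return (status, body). HTTP errors are returned, not raised;
    a transport failure returns (None, message). TLS is verified (pass cafile
    for a private CA) instead of being skipped as curl -k does."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError as err:
        return None, str(err.reason).encode()


# Constructed documents for offline use: GOOD_DISCOVERY is what a correctly
# fronted deployment should publish; LEAKY_DISCOVERY leaks the managed server.
GOOD_DISCOVERY = {
    "issuer": f"{OHS_BASE}/oauth2",
    "authorization_endpoint": f"{OHS_BASE}/oauth2/rest/authorize",
    "token_endpoint": f"{OHS_BASE}/oauth2/rest/token",
    "userinfo_endpoint": f"{OHS_BASE}/oauth2/rest/userinfo",
    "jwks_uri": f"{OHS_BASE}/oauth2/rest/security",
}
LEAKY_DISCOVERY = dict(GOOD_DISCOVERY,
                       token_endpoint="https://oam-ms1.internal:14100/oauth2/rest/token")


def validate(base=OHS_BASE, cafile=None):
    """Run both probes against a live OHS; True only if everything checks out."""
    status, _ = fetch(f"{base}/oauth2/rest/token", cafile)
    token_ok = token_probe_ok(status)
    print(f"GET {base}/oauth2/rest/token -> {status}",
          "" if token_ok else "(expected 405 Method Not Allowed)")
    status, body = fetch(f"{base}/.well-known/openid-configuration", cafile)
    problems = (check_discovery(json.loads(body), base) if status == 200
                else [f"discovery document returned HTTP {status}"])
    for problem in problems:
        print("discovery:", problem)
    return token_ok and not problems


if __name__ == "__main__":
    # usage: python validate_oauth.py [https://ohs-host:port] [ca-bundle.pem]
    sys.exit(0 if validate(*sys.argv[1:3]) else 1)
```

Run it with the OHS URL and, if OHS uses a private CA, the CA bundle; a non-zero exit means either the token probe did not return 405 or the discovery document is missing, unreachable, or advertises an endpoint outside the OHS front end.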