4.2.3.2 Configuring Oracle Access Management OAuth

OAA, OARM, and OUA need access to an Oracle Access Management (OAM) deployment with OAuth enabled.

The User Interface (UI) components of OAA, OARM, and OUA (the Administration Console and Self-Service Portal) are protected by Oracle Access Management (OAM) OAuth. The required OAuth components (Identity Domain, Resource, Client) can be configured during the OAA, OARM, and OUA installation. However, the following prerequisite steps must be performed before the installation can configure the required OAuth components in OAM:

Note:

You can skip the OAuth configuration in this section if the UI components are not required or need to be disabled during the installation. If you skip the OAuth configuration, you must set oauth.enabled=false along with the associated properties in installOAA.properties. For more details, see OAM OAuth Configuration.

Enable OAuth

To enable OAuth:

  1. Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
  2. From the Welcome page, click Configuration and then click Available Services.
  3. Click Enable Service beside OAuth and OpenIDConnect Service (or confirm that the green status check mark displays).

Configure Oracle HTTP Server

Configure the Oracle HTTP Server for OAuth as follows:

  1. Open the mod_wl_ohs.conf file located at <OHS_DOMAIN_HOME>/config/fmwconfig/components/OHS/<ohs_instance_name> and add the following:

    #OAM OAuth entries
    <Location /oauth2>
    SetHandler weblogic-handler
    WebLogicHost <OAM_Managed_Server_Host>
    WebLogicPort <OAM_Managed_Server_Port>
    </Location>

    <Location /oam>
    SetHandler weblogic-handler
    WebLogicHost <OAM_Managed_Server_Host>
    WebLogicPort <OAM_Managed_Server_Port>
    </Location>

    # The two .well-known paths are rewritten to the OAuth REST discovery
    # resources: /.well-known is trimmed and /oauth2/rest is prepended.
    <Location /.well-known/openid-configuration>
    SetHandler weblogic-handler
    WebLogicHost <OAM_Managed_Server_Host>
    WebLogicPort <OAM_Managed_Server_Port>
    PathTrim /.well-known
    PathPrepend /oauth2/rest
    </Location>

    <Location /.well-known/oidc-configuration>
    SetHandler weblogic-handler
    WebLogicHost <OAM_Managed_Server_Host>
    WebLogicPort <OAM_Managed_Server_Port>
    PathTrim /.well-known
    PathPrepend /oauth2/rest
    </Location>

    <Location /CustomConsent>
    SetHandler weblogic-handler
    WebLogicHost <OAM_Managed_Server_Host>
    WebLogicPort <OAM_Managed_Server_Port>
    </Location>

    Note:

    <OAM_Managed_Server_Host> and <OAM_Managed_Server_Port> are the host name and port of the OAM managed server.
  2. Open the httpd.conf file (or ssl.conf if accessing via SSL) located at <OHS_DOMAIN_HOME>/config/fmwconfig/components/OHS/<ohs_instance_name> and add the following:

    Note:

    Specify a value for your OAuth Identity Domain in <DomainName>. The <DomainName> will be used later in the parameter oauth.domainname in the installOAA.properties.

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Rules are evaluated top to bottom and evaluation stops at the first
    # match ([L]). The patterns are anchored only at the start of the path,
    # so the more specific /oauth2/rest/token/info rule must come before
    # /oauth2/rest/token. [QSA] keeps the client's own query string after
    # the domain= parameter.
    RewriteRule ^/oauth2/rest/authorize /oauth2/rest/authorize?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/token/info /oauth2/rest/token/info?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/token /oauth2/rest/token?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/authz /oauth2/rest/authz?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/userinfo /oauth2/rest/userinfo?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/security /oauth2/rest/security?domain=<DomainName> [PT,QSA,L]
    RewriteRule ^/oauth2/rest/userlogout /oauth2/rest/userlogout?domain=<DomainName> [PT,QSA,L]
    </IfModule>

    <IfModule mod_headers.c>
    # Always add the identity domain header for OpenID requests
    RequestHeader set X-OAUTH-IDENTITY-DOMAIN-NAME "<DomainName>"
    </IfModule>
  3. Restart Oracle HTTP Server.
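Because every rule above carries [L], mod_rewrite stops at the first rule whose pattern matches, and because the patterns are anchored only at the start of the path, a pattern for /oauth2/rest/token also matches /oauth2/rest/token/info. The following is an added example, not part of the Oracle documentation: it simulates that first-match evaluation and the [QSA] query merge offline, so a rule set can be linted before OHS is restarted. It compares an ordering that lists /token before /token/info (and keeps a stray regex "?" on each pattern) with one that puts the more specific rule first. The domain value is a placeholder.

```python
"""Offline lint of the OAuth mod_rewrite rule set (added example, not Oracle's code).

Simulates Apache's first-match-wins evaluation ([L]) and the [QSA] query-string
merge, then checks that every OAuth endpoint path still maps to itself with only
the domain= parameter added.
"""
import re

DOMAIN = "<DomainName>"  # placeholder: the value later used for oauth.domainname

# Ordering with /token listed before /token/info; the trailing "?" in each
# pattern is a regex quantifier (it makes the last letter optional), not a
# literal query-string marker, because RewriteRule matches the path only.
LOOSE_RULES = [
    ("^/oauth2/rest/authorize?", "/oauth2/rest/authorize"),
    ("^/oauth2/rest/token?", "/oauth2/rest/token"),
    ("^/oauth2/rest/token/info?", "/oauth2/rest/token/info"),
    ("^/oauth2/rest/authz?", "/oauth2/rest/authz"),
    ("^/oauth2/rest/userinfo?", "/oauth2/rest/userinfo"),
    ("^/oauth2/rest/security?", "/oauth2/rest/security"),
    ("^/oauth2/rest/userlogout?", "/oauth2/rest/userlogout"),
]

# Same intent with the more specific /token/info rule first and the stray
# "?" removed, so only the literal endpoint prefix matches.
ORDERED_RULES = [
    ("^/oauth2/rest/authorize", "/oauth2/rest/authorize"),
    ("^/oauth2/rest/token/info", "/oauth2/rest/token/info"),
    ("^/oauth2/rest/token", "/oauth2/rest/token"),
    ("^/oauth2/rest/authz", "/oauth2/rest/authz"),
    ("^/oauth2/rest/userinfo", "/oauth2/rest/userinfo"),
    ("^/oauth2/rest/security", "/oauth2/rest/security"),
    ("^/oauth2/rest/userlogout", "/oauth2/rest/userlogout"),
]

# The endpoints the rule set is meant to pin to the identity domain.
ENDPOINTS = [target for _, target in ORDERED_RULES]


def rewrite(path, query, rules, domain=DOMAIN):
    """Apply the first matching rule ([L] stops evaluation) and append the
    client's original query string as [QSA] does. Returns the rewritten URI,
    or the request URI unchanged when no rule matches."""
    for pattern, target in rules:
        if re.search(pattern, path):
            new_uri = f"{target}?domain={domain}"
            return new_uri + (f"&{query}" if query else "")
    return path + (f"?{query}" if query else "")


def lint(rules, endpoints=ENDPOINTS, domain=DOMAIN):
    """Return (endpoint, rewritten_uri) pairs for endpoints whose rewritten
    form no longer points at the original resource."""
    problems = []
    for endpoint in endpoints:
        out = rewrite(endpoint, "", rules, domain)
        if out != f"{endpoint}?domain={domain}":
            problems.append((endpoint, out))
    return problems


if __name__ == "__main__":
    print("loose ordering problems:  ", lint(LOOSE_RULES))
    print("ordered ruleset problems: ", lint(ORDERED_RULES))
    print(rewrite("/oauth2/rest/token", "grant_type=client_credentials", ORDERED_RULES))
```

With the loose ordering, a token-introspection request to /oauth2/rest/token/info is rewritten to /oauth2/rest/token and never reaches the introspection resource; with the specific rule first, every endpoint maps to itself and the client's query string is preserved after domain=.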

Define OAuth Policies in OAM

Define the OAuth policies in OAM as follows:

  1. Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
  2. In the Application Security Launchpad, under Access Manager, click Application Domains.
  3. In the Application Domain tab, click Search.
  4. Click the WebGate you defined earlier in General OAM Requirements.
  5. In the Create Resource tab, create each of the following resources and set the Protection Level to Excluded.
    • /oauth2/rest/**
    • /oam/**
    • /.well-known/openid-configuration
    • /iam/access/binding/api/v10/oap/**
    • /oam/services/rest/**
    • /iam/admin/config/api/v1/config/**
    • /oaa-admin/**
    • /admin-ui/**
    • /oaa/**
    • /policy/**
    • /oaa-policy/**
    • /oaa-email-factor/**
    • /oaa-sms-factor/**
    • /oaa-totp-factor/**
    • /oaa-yotp-factor/**
    • /fido/**
    • /oaa-kba/**
    • /oaa-push-factor/**
    • /risk-analyzer/**
    • /risk-cc/**
    • /consolehelp/**
    • /otpfp/**
  6. Create each of the following resources, set the Protection Level to Protected, and set both the Authentication Policy and the Authorization Policy to Protected Resource Policy.
    • /oauth2/rest/approval (this is for POST operation)
    • /oam/pages/consent.jsp (this is for GET operation)

Configure OHS as a Reverse Proxy in OAM

To configure OHS as a reverse proxy in OAM:

  1. In the OAM Administration Console, from the Welcome page, click Configuration, and in the Settings tile click View > Access Manager.
  2. Under Load Balancing, specify the OHS Host and OHS Port.

Validate OAuth

Run the following command to ensure OAuth is available and that Oracle HTTP Server is directing requests to the OAuth Server:

    curl -s -k --location --request GET https://ohs.example.com:443/oauth2/rest/token

You should see the Method Not Allowed message (HTTP status 405). This means that you have successfully sent a request to the OAuth Server and it has rejected the request method. If you do not see this message, revisit the steps above and check for mistakes.
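The following added example (not part of the Oracle documentation) performs the same check as the curl command above and, in addition, fetches the OpenID discovery document that the /.well-known/openid-configuration Location proxies, verifying that the standard OIDC keys are present and that the advertised endpoints are served through the OHS front end rather than pointing clients straight at a backend host. The verdict logic is kept in pure functions so it can be exercised without a live server; the host name is the one used on the page and the 404/503 diagnoses are assumptions about the most common misconfigurations.

```python
"""Post-configuration probe of OAuth through OHS (added example, not Oracle's code)."""
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

OHS_BASE = "https://ohs.example.com:443"  # host from the page; adjust for your deployment

# Standard OpenID Connect discovery keys every discovery document must carry.
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def interpret_token_probe(status):
    """Map the status of a GET on /oauth2/rest/token to a verdict. 405 is the
    expected result: OHS forwarded the request and the OAuth server refused the
    method. Other statuses mean the request did not reach an enabled OAuth
    service (the 404 and 502/503 hints are assumptions about typical causes)."""
    if status == 405:
        return "ok: request reached the OAuth server (Method Not Allowed)"
    if status == 404:
        return "fail: /oauth2 not routed; check the <Location /oauth2> entry in mod_wl_ohs.conf"
    if status in (502, 503):
        return "fail: OHS could not reach the OAM managed server; check WebLogicHost/WebLogicPort"
    return f"fail: unexpected status {status}; revisit the OAuth enablement and OHS steps"


def _origin(url):
    """(scheme, host, effective port) of a URL, defaulting the port by scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def check_discovery(body, ohs_base=OHS_BASE):
    """Return a list of problems found in a discovery document: missing
    required keys, and authorize/token endpoints whose origin is not OHS."""
    doc = json.loads(body)
    problems = [f"missing key: {key}" for key in REQUIRED_DISCOVERY_KEYS if key not in doc]
    for key in ("authorization_endpoint", "token_endpoint"):
        url = doc.get(key, "")
        if url and _origin(url) != _origin(ohs_base):
            problems.append(f"{key} bypasses OHS: {url}")
    return problems


def fetch(url, context):
    """GET a URL and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, context=context) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(ohs_base=OHS_BASE):
    # Verify the OHS certificate; the page's curl -k skips that check.
    ctx = ssl.create_default_context()
    status, _ = fetch(f"{ohs_base}/oauth2/rest/token", ctx)
    print(interpret_token_probe(status))
    status, body = fetch(f"{ohs_base}/.well-known/openid-configuration", ctx)
    if status == 200:
        print("discovery problems:", check_discovery(body, ohs_base) or "none")
    else:
        print(f"fail: discovery document returned {status}")


if __name__ == "__main__":
    probe()
```

Run it from a host that trusts the OHS certificate; a discovery document whose endpoints name the managed server directly indicates that clients would skip the rewrite rules and identity-domain header added on OHS.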