11.13 Configuring OAuth JWT for REST APIs
OAA is configured to use API Key Security for REST API's by default. Administrators can enable OAuth JSON Web Tokens (JWT) to access REST APIs, which provides improved security using short-lived access tokens.
Note:
Administrators should use API Key Security only mode during initial installation. Once the installation is complete and all the use-cases are verified, if you require OAuth JWT security, you should upgrade to API Key Security and OAuth combined mode, and verify the use-cases again. If all the use-cases are successful then, if required, you can upgrade to use OAuth only.- Internal communication between OAA pods and services.
- Performing tasks in the OAA Administration Console.
- External applications that use REST API's to communicate with OAA. The REST API's available are:
- API Key Security only
- API Key Security and OAuth combined
- OAuth only
Note:
If you are using OAA with Oracle Universal Authenticator (OUA) and you want to use OAuth JWT, you must use API Key Security and OAuth combined mode.API Key Security Only
API Key Security mode is the default configuration and should be used during initial installation. When API Key Security mode is configured, internal communication, OAA Administration console tasks, and external REST API access is performed using API Key Security.
To configure API Key Security only mode, see Configuring API Key Security Only.
curl -i -X GET -H Authorization:Basic <Base64Encoded(<username>:<password>)> -H <request-header>:<value> <PolicyUrl>/<resource-path>
API Key Security and OAuth combined
- Internal communication and OAA Administration console tasks uses API Key Security.
- External REST API access is available using either API Key Security or OAuth JWT.
To configure API Key Security and OAuth combined mode, see Configuring API Key Security and OAuth combined.
When accessing a REST API using an external application, you
can pass an access token for OAuth using
Authorization:Bearer <Token>
, or for
API Key Security pass the username and password using
Authorization:Basic
<Base64Encoded(<username>:<password>)>
.
OAuth Only
When OAuth only mode is used, internal OAA communication, OAA Administration console tasks, and external REST API access is performed using OAuth JWT tokens only.
To configure OAuth only mode, see Configuring OAuth Only.
Authorization:Bearer
<Token>
. The example below shows using the
OAA Admin
API to perform a GET
request:curl -i -X GET -H Authorization:Bearer <Token> -H <request-header>:<value> <PolicyUrl>/<resource-path>
11.13.1 Configuring API Key Security Only
Note:
This is the default installation method configured in theinstallOAA.properties
.
- Set the following parameters under ##3. OAUTH
configuration## in the
installOAA.properties
file:install.global.service.security.basic.enabled=true install.global.service.security.oauth.enabled=false
For more information on the installOAA.properties
file,
see Preparing the Properties file for Installation.
11.13.2 Configuring API Key Security and OAuth combined
The following sections show how to configure API Key Security and OAuth combined mode.
Preparing the installOAA.properties File
- Set the following parameters under ##3. OAUTH
configuration## in the
installOAA.properties
file:install.global.service.security.basic.enabled=true install.global.service.security.oauth.enabled=true
For more information on the installOAA.properties
file,
see Preparing the Properties file for Installation.
Updating OAA Using OAA.sh
After updating the installOAA.properties
file you must
run OAA.sh
to update OAA with the configuration:
- Connect to the OAA management pod, for
example:
This will take you into a bash shell inside the OAA management pod:kubectl exec -n oaans -ti oaamgmt-oaa-mgmt-6f4c9cd56f-std6l -- /bin/bash
[oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l /]$
- Inside the OAA management pod run the following to update OAA with
the
configuration:
[oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l /]$ cd ~ [oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l ~]$ ./OAA.sh -f installOAA.properties
Note:
This will use the<NFS_CONFIG_PATH>/installOAA.properties
file.
11.13.3 Configuring OAuth Only
The following sections show how to configure OAuth only mode.
Preparing the installOAA.properties File
- Set the following parameters under ##3. OAUTH
configuration## in the
installOAA.properties
file:
where:install.global.service.security.basic.enabled=false install.global.service.security.oauth.enabled=true oauth.tokenexpiry=3600 api.oauth.tokenexpiry=3600 oauth.adminname=<adminuser> oauth.adminpassword=<adminuserpwd> oauth.appusername=<appuser> oauth.appuserpassword=<appuserpwd>
oauth.tokenexpiry
is the expiry time for the UI token in seconds. The UI token is used when tasks are performed using the OAA Administration Console. The default value is 3600 seconds (1 hour).-
api.oauth.tokenexpiry
is the expiry time for the API OAuth token in seconds. The API OAuth token is used for internal communications. The default value is 3600 seconds (1 hour). oauth.adminname
should be set to an Administration user that is a member of theOAA-Admin-Role
group. For more information, see Creating Users and Groups in the LDAP Store.oauth.adminpassword
is the base64 encoded password for the user defined inoauth.adminname
.-
oauth.appusername
should be set any user that is a member of theOAA-App-User
group. For more information, see Creating Users and Groups in the LDAP Store.Note:
This user can be the same user asoauth.adminname
as long as that user exists in both theOAA-Admin-Role
andOAA-App-User
groups. oauth.appuserpassword
is the base64 encoded password for the user defined inoauth.appusername
.
install.global.service.security.basic.enabled=false install.global.service.security.oauth.enabled=true oauth.tokenexpiry=3600 api.oauth.tokenexpiry=3600 oauth.adminname=oaaadmin oauth.adminpassword=bXlvYWFhZG1pbnB3ZA== oauth.appusername=testuser oauth.appuserpassword=bXl0ZXN0dXNlcnB3ZA==
For more information on the installOAA.properties
file,
see Preparing the Properties file for Installation.
Updating OAA Using OAA.sh
After updating the installOAA.properties
file you must run
OAA.sh
to update OAA with the configuration:
- Connect to the OAA management pod, for
example:
This will take you into a bash shell inside the OAA management pod:kubectl exec -n oaans -ti oaamgmt-oaa-mgmt-6f4c9cd56f-std6l -- /bin/bash
[oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l /]$
- Inside the OAA management pod run the following to update OAA with
the OAuth JWT
configuration:
[oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l /]$ cd ~ [oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l ~]$ ./OAA.sh -f installOAA.properties
Note:
This will use the<NFS_CONFIG_PATH>/installOAA.properties
file.
Configuring the Token Refresh Cronjob
- Inside the OAA management pod run the following script to
create a cronjob to renew the tokens
automatically:
where "[oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l /]$ cd ~/scripts [oracle@oaamgmt-oaa-mgmt-6f4c9cd56f-std6l ~]$ ./tokenRefresh.sh -f {CONFIG_DIR}/installOAA.properties -c "<Your_Cronjob_Schedule>"
<Your_Cronjob_Schedule>
is in the format defined at CronJob.For example, the cronjob schedule below will renew tokens every 45 minutes:./tokenRefresh.sh -f /u01/oracle/scripts/settings/installOAA.properties -c "*/45 * * * *"
Note:
You should set your token renewal interval such that tokens are renewed well in advance ofapi.oauth.tokenexpiry
to ensure no downtime.
kubectl get cronjob -n oaans
The output will
look similar to the
following:NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
oaamgmt-oaa-mgmt-r */45 * * * * False 0 3m48s 1h
Note:
Tokens that need to be retired should be revoked by invoking the appropriate OAM API. For more details, see Revoke Tokens REST Endpoints.Troubleshooting the Token Refresh Cronjob
- The cronjob will fail under the following product
conditions:
- OAuth is not enabled in OAA, for example
install.global.service.security.oauth.enabled=false
- The job is not able get the token from the OAM Server
The above conditions will result in cronjob pods moving to Error status. If the cronjob pod errors, the job is retried a configurable number of times with increasing back-off intervals. The retry attempts are stopped once
backoffLimit
is reached. When the jobs have stopped due to errors, deleting the failed jobs will restart the cronjob. See Pod backoff failure policy . - OAuth is not enabled in OAA, for example
- To view the status of the cronjob jobs and pods run the following
commands:
- Inside the management container get the name of the
cronjob:
The output will look similar to the following:kubectl get cronjob -n oaans
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE oaamgmt-oaa-mgmt-r */45 * * * * False 0 3m48s 1h
- Run the following command to get the list of jobs associated with
the cronjob :
The output will look similar to the following:kubectl get jobs -l cronjob=oaamgmt-oaa-mgmt-r
NAME COMPLETIONS DURATION AGE oaamgmt-oaa-mgmt-r-28646612 1/1 5s 3m9s
- Run the following command to get the name of the pods associated
with the
job:
The output will look similar to the following if the job pod(s) completed successfully:kubectl get pods -l cronjob=oaamgmt-oaa-mgmt-r
If there are problems with the job pod(s) you will see anNAME READY STATUS RESTARTS AGE oaamgmt-oaa-mgmt-r-28646620-brnk5 0/1 Completed 0 2m42s
Error
status, for example:NAME READY STATUS RESTARTS AGE oaamgmt-oaa-mgmt-r-28646620-brnk5 0/1 Error 0 2m42s oaamgmt-oaa-mgmt-r-28646620-5495n 0/1 Error 0 15s oaamgmt-oaa-mgmt-r-28646620-ftndp 0/1 Error 0 3s
- If the pod(s) status is
Error
you can diagnose the problem by viewing the logs of the most recent pod that ran. For example:kubectl logs oaamgmt-oaa-mgmt-r-28646620-ftndp
- Inside the management container get the name of the
cronjob:
Accessing REST API's Using OAuth JWT from OAM
Note:
Internal communications and tasks performed in the OAA Administration console use the tokens configured in OAA and are refreshed by the cronjob.- In order to use REST API's with OAuth JWT, you need to get an access token from OAM using either a 2-legged or 3-legged flow. See Runtime REST APIs for OAuth 12c.
- This access token should be passed using
Authorization:Bearer <Token>
. The example below shows using the OAA Admin API to perform a GET request:curl -i -X GET -H Authorization:Bearer <Token> -H <request-header>:<value> <PolicyUrl>/<resource-path>