Secure Web Services Using Identity Cloud Service
Use Oracle Identity Cloud Service and Oracle Web Services Manager to protect web service applications and clients that you deploy to Oracle WebLogic Server for OCI domains.
This configuration is applicable only for domains that you created with Oracle WebLogic Server for OCI, and that meet all of these requirements:
- Is JRF-enabled
- Includes a load balancer that is configured for HTTPS. For domains that were created before June 2020, see Configure SSL for a Domain.
- Uses Oracle Identity Cloud Service for authentication. See Access the Sample Application Using Identity Cloud Service.
All JRF-enabled domains include Oracle Web Services Manager (OWSM), which provides a policy framework to manage and secure web services consistently across your organization. Both Oracle Web Services Manager and Oracle Identity Cloud Service support the OAuth protocol. The web service client requests an access token by authenticating with the authorization server (Oracle Identity Cloud Service) and presenting the authorization grant. The Oracle Web Services Manager server-side agent validates the access token and then accepts the client request if valid.
See Using OAuth2 with Oracle Web Services Manager in Securing Web Services and Managing Policies with Oracle Web Services Manager.
When you secure web service communication, the following terms are used:
- Provider - The Oracle WebLogic Server for OCI stack (WebLogic Server domain, load balancer, and so on) that hosts your web service application.
- Client - The Oracle WebLogic Server for OCI stack that hosts your web service client application.
The following diagram (architecture_idcs_owsm_diagram.png) illustrates this security configuration.
Topics:
- Deploy a Sample Web Service Client Application
- Get Information About Identity Cloud Service
- Configure OAuth for the Web Services Provider
- Update the Confidential Application for the Web Services Provider
- Configure OAuth for the Web Services Client
- Update the Confidential Application for the Web Services Client
- Test the Sample Web Service Client
Deploy a Sample Web Service Client Application
To quickly verify the OAuth integration between Oracle Web Services Manager and Oracle Identity Cloud Service, you can build and deploy a sample client application.
This sample web application consists of a single page with an HTML form, and a single Servlet that invokes the specified web service URL. The client uses the OAuth policy oracle/http_oauth2_token_over_ssl_idcs_client_policy.
Alternatively, you can deploy and test your own web service client application.
Get Information About Identity Cloud Service
Record configuration details about your Oracle Identity Cloud Service instance, and also download its certificates.
Before you begin, identify the confidential application in Oracle Identity Cloud Service that was created for your web services client domain. See Identity Resources for Oracle Identity Cloud Service.
Configure OAuth for the Web Services Provider
Establish trust between Oracle Web Services Manager in your provider domain and Oracle Identity Cloud Service by importing certificates and creating global policy attachments.
The global policy affects all web services deployed to this domain. Alternatively, you can create policies for individual web services.
Update the Confidential Application for the Web Services Provider
Update the resources that are protected by OAuth in the domain's confidential application found in Oracle Identity Cloud Service.
Configure OAuth for the Web Services Client
Establish trust between Oracle Web Services Manager in your client domain and Oracle Identity Cloud Service by importing certificates and creating global policy attachments.
The global policy affects all web service clients deployed to this domain. Alternatively, you can create policies for individual applications.