Integration security has always been an important consideration for any project implementation. Oracle Fusion Middleware components provide various types of security features, commonly SSL certificates, OSB service accounts, and OWSM security policies such as Username Token, SAML Token and HTTP Token. There are a few more security features available out of the box for a more secure integration design, namely OAuth and JWT security.
Before implementing OAuth and JWT, we will first look at what they are and how they contribute to integration security.
What are the OAuth and JWT security features?
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. Generally, OAuth provides clients a "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
A JSON Web Token (JWT) is a compact token built from JSON objects and is a safe way to represent a set of claims between two parties. The token is composed of a header, a payload, and a signature.
The JWT is built as a string of three base64url-encoded parts in the format "header.payload.signature".
Since a JWT is built from JSON objects, the JWT header is JSON data with keys for the token type and the signing algorithm, in the format below:
{
"typ": "JWT",
"alg": "HS256"
}
In a similar way, the JWT payload is also JSON data, as below:
{
"userId":
"b08f86af-35da-48f2-8fab-cef3904660bd"
}
The JWT signature is computed as follows (the "HS256" in the header above means HMAC with SHA-256, so Hash here is an HMAC keyed with the shared secret, not a plain digest):
data = base64urlEncode(header) + "." + base64urlEncode(payload)
signature = Hash(data, secret)
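The header, payload and signature computation described above, carried through in working form, as an added example that is not part of the original post and not Oracle's code. It builds an HS256 token with the post's own header and payload, then verifies it the way a resource server should: fixed algorithm, constant-time signature comparison, and rejection of tampered payloads. The secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    # base64url as used by JWT: URL-safe alphabet with '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding that b64url_encode removed
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(payload: dict, secret: bytes) -> str:
    # header exactly as shown in the post; compact JSON (no spaces) is conventional
    header = {"typ": "JWT", "alg": "HS256"}
    data = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    # HS256: HMAC-SHA256 over "header.payload", keyed with the shared secret
    signature = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes):
    """Return the payload dict if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's own 'alg' (e.g. "none") pick the check
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    data = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    # constant-time comparison so a timing side channel cannot leak signature bytes
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # placeholder only, not a real key
    tok = build_jwt({"userId": "b08f86af-35da-48f2-8fab-cef3904660bd"}, demo_secret)
    print(tok)
    print(verify_jwt(tok, demo_secret))
```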
Implementing OAuth and JWT with Oracle SOA
OAuth uses digital signatures instead of sending the full credentials with each request. Digital signatures help the recipient verify that the content of the request has not changed in transit.
OAuth is an out-of-the-box security functionality which can be embedded with Oracle SOA REST services. In Oracle Service Bus 12.2.1, we can secure services with REST endpoints by attaching OAuth OWSM policies, for which we must configure OWSM and the OAuth server to secure REST endpoints with OAuth policies in Service Bus.
Note: The server configuration steps for OAuth are described in "Configure OAuth Server".
As OAuth is an authorization feature only, it uses JWT to secure the services. The OAuth and JWT configuration with OWSM policies is described here.
After configuring the OAuth server with OWSM, we can attach the OWSM security policies to the OSB proxy and business services as below.
The oracle/http_jwt_token_service_policy or oracle/http_jwt_token_over_ssl_service_policy policies can be attached to proxy services, and the oracle/http_oauth2_token_client_policy or oracle/http_oauth2_token_over_ssl_client_policy policies can be attached to business services.
References:
https://docs.oracle.com/middleware/1221/osb/develop/toc.htm
https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
https://en.wikipedia.org/wiki/OAuth