Friday, July 21, 2017

Integration Security using OAuth and JWT

Integration security is an important consideration in any project implementation. Oracle Fusion Middleware components provide various types of security features, commonly SSL certificates, OSB service accounts, and OWSM security policies such as Username Token, SAML Token and HTTP Token. There are a few more security features that can be used out of the box for a more secure integration design, namely OAuth and JWT security.
Before implementing OAuth and JWT, we will first understand what they are and how they contribute to integration security.

What are the OAuth and JWT security features?

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. Generally, OAuth provides clients with "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
A JSON Web Token (JWT) is a compact token built from JSON objects that provides a safe way to represent a set of claims between two parties. The token is composed of a header, a payload, and a signature.
The JWT token is built as a base64url-encoded string in the format "header.payload.signature".
As a JWT is made of JSON objects, the JWT header is JSON data with keys for the token type and the signing algorithm, in the format below:
{
    "typ": "JWT",
    "alg": "HS256"
}
In a similar way, the JWT payload is JSON data carrying the claims, as below:
{
    "userId": "b08f86af-35da-48f2-8fab-cef3904660bd"
}
The JWT signature is computed with the algorithm below. For the HS256 header shown above, Hash is HMAC-SHA256 keyed with a shared secret that only the token issuer and the verifying service know:
data = base64urlEncode(header) + "." + base64urlEncode(payload)
signature = HMAC_SHA256(data, secret)
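The following is an added example (not code from the original post) that builds and verifies an HS256 JWT exactly as described above, using the post's header and payload and a constructed shared secret. The verifier pins the algorithm and uses a constant-time signature comparison, which is what the service side of the integration (the OSB proxy in this post) must do before trusting any claim in the payload.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for this example only; in a real deployment it
# comes from the OAuth/OWSM configuration, never from source code.
SECRET = b"example-shared-secret"

def b64url_encode(data: bytes) -> str:
    # base64url without padding, as the JWT format requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_jwt(payload: dict, secret: bytes) -> str:
    # Header from the post; 'Hash' in the post is HMAC-SHA256 for HS256
    header = {"typ": "JWT", "alg": "HS256"}
    data = b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + \
           b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(signature)

def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    # Returns the payload claims on success, None on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier decides it, never the token (e.g. "none")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    data = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature through timing
    if not hmac.compare_digest(expected, sig):
        return None
    return payload
```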

Implementing OAuth and JWT with Oracle SOA

OAuth uses digital signatures instead of sending the full credentials with each request. Digital signatures help the recipient verify that the content of the request has not changed in transit.
OAuth is an out-of-the-box security feature that can be used with Oracle SOA REST services. In Oracle Service Bus 12.2.1, services with REST endpoints can be secured by attaching OAuth OWSM policies; to do so, OWSM and the OAuth server must first be configured to secure REST endpoints with OAuth policies in Service Bus.
Note: The OAuth server configuration steps are described in the "Configure OAuth Server" section of the Oracle Service Bus documentation (see References).
Since OAuth is an authorization feature only, it relies on JWT to secure the services themselves. The OAuth and JWT configuration with OWSM policies is described in the Oracle documentation listed under References.
After configuring the OAuth server with OWSM, the OWSM security policies can be attached to the OSB proxy and business services as follows.
The oracle/http_jwt_token_service_policy or oracle/http_jwt_token_over_ssl_service_policy policies can be attached to proxy services, and the oracle/http_oauth2_token_client_policy or oracle/http_oauth2_token_over_ssl_client_policy policies can be attached to business services.

References:
https://docs.oracle.com/middleware/1221/osb/develop/toc.htm
https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
https://en.wikipedia.org/wiki/OAuth

8 comments:

  1. Thanks for all the information, it was very helpful I really like that you are providing information.

    Oracle Fusion Financial

  3. Hi Ankit,

    Could you please explain the steps for configuration of the OAuth Server with OWSM in WebLogic server in detail? As I am doing an integration where I will be given a JSON JWT token in
    the HTTP header and my service will validate this token at the OSB server and do the further processing.

  4. Very interesting article. I feel very enthusiastic while reading, and the information provided in this article is so useful for me. Content in this article guides in clarifying some of my doubts. For additional information please visit our website.

    Oracle Fusion SCM Online Training

  5. This is very useful information. Thanks for sharing this Oracle article with us.


  6. Nice blog Content. It is very informative and helpful. Please share more content. Thanks.
    Oracle Financials Training in Ameerpet

  7. This article creates a new hope and inspiration within me. Thanks for sharing articles like this. The way you have stated everything above is quite awesome. Keep blogging like this. Thanks. Please contact us for Oracle R12 Financials training details in our Erptree Training Institute

  8. Wow, this blog is very nice. I really like your blog and I am impressed; thank you very much for posting this blog. Please contact us for Oracle R12 Financials Training in Bangalore details in our Erptree Training Institute
