A Quick Reference
The steps and commands below provide a quick reference on how to obtain the information required to create a trusted OAuth client and work with it. The same information can also be found through Google searches.
Generate a Key Pair Using OpenSSL
Use the command below to generate a private key and a matching self-signed public certificate ready for use:
#note: we can also provide a validity period e.g -days 365
openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -out myPublicCertificate.crt
Generate a Key Pair Using Java Keytool
- Generate the key store.
#note: we can also provide a validity period in days, e.g. -validity 365
keytool -genkey -alias keyalias -keyalg RSA -keystore mykeystore.jks -storepass password -keysize 2048
# you can optionally provide the keystore type (JKS or PKCS12 format), for example -storetype pkcs12
- Extract the public certificate and private key from the key store. (For all operations, provide the Import password when prompted.)
  - Extract the public key certificate from the JKS.
keytool -export -alias keyalias -keystore mykeystore.jks -rfc -file public.cert
  - To export the private key from a JKS, first convert the JKS to PKCS12 format.
keytool -v -importkeystore -srckeystore mykeystore.jks -srcalias keyalias -destkeystore myp12file.p12 -deststoretype PKCS12
  - Extract the private key from the PKCS12 keystore.
openssl pkcs12 -in myp12file.p12 -nodes -nocerts -out private_key.pem
  - Extract the public certificate from the PKCS12 keystore.
openssl pkcs12 -in myp12file.p12 -nokeys -out myCertificate.crt
Obtain an x5t thumbprint of a public certificate
x5t is a base64 encoded SHA-1 thumbprint of a public certificate; it is used to identify a specific certificate. It can be obtained from a certificate file (.crt) with openssl. The pipeline below strips the "Fingerprint=" label with cut rather than a fixed "SHA1" pattern, so it works whether openssl prints the digest name in upper or lower case:
openssl x509 -in mycertificate.crt -sha1 -fingerprint -noout | cut -d= -f2 | tr -d ':' | xxd -r -p | base64
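As an added example (not part of the original page or of Oracle's documentation), the following Python computes the same SHA-1 thumbprint from a PEM certificate without shelling out to openssl, and shows the defender-side use of x5t: looking up which trusted certificate a JWT assertion claims to be signed with. It produces both the padded standard-base64 form that the openssl pipeline above prints and the unpadded base64url form that RFC 7515 specifies for the JOSE `x5t` header, since the two differ only in alphabet and padding. The certificate bytes, the token and the helper names (`x5t_from_pem`, `assertion_cert_is_trusted`, and so on) are constructed for the example; the DER stand-in is deliberately the well-known SHA-1 test input "abc" so the result can be checked by hand.

```python
import base64
import hashlib
import json
import re

# Constructed stand-in for a certificate's DER bytes (NOT a real certificate).
# "abc" is used so the thumbprint matches the well-known SHA-1("abc") test vector.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE (RFC 7515) uses for x5t."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the JOSE form omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def x5t(der: bytes) -> str:
    """JOSE x5t: base64url(SHA-1(DER)), as placed in a JWT header."""
    return b64url(hashlib.sha1(der).digest())


def x5t_s256(der: bytes) -> str:
    """JOSE x5t#S256: the SHA-256 variant, preferred where the server accepts it."""
    return b64url(hashlib.sha256(der).digest())


def x5t_openssl_style(der: bytes) -> str:
    """What `openssl x509 -fingerprint ... | xxd -r -p | base64` prints: padded standard base64."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def x5t_from_pem(pem: str) -> str:
    return x5t(pem_to_der(pem))


def normalize_thumbprint(thumb: str) -> str:
    """Accept either the JOSE base64url form or the padded standard-base64 form and
    return the JOSE form, so the two can be compared."""
    std = thumb.replace("-", "+").replace("_", "/")
    return b64url(base64.b64decode(std + "=" * (-len(std) % 4)))


def assertion_cert_is_trusted(jws_compact: str, trusted_pems) -> bool:
    """Key-selection step for a JWT assertion: does the header's x5t name one of our
    trusted certificates?  A match only tells you WHICH certificate to verify the
    RS256 signature with; the signature itself must still be verified separately."""
    try:
        header = json.loads(b64url_decode(jws_compact.split(".")[0]))
        if not isinstance(header, dict) or not isinstance(header.get("x5t"), str):
            return False
        claimed = normalize_thumbprint(header["x5t"])
    except (ValueError, UnicodeDecodeError):  # bad base64, bad JSON, bad UTF-8
        return False
    trusted = {x5t_from_pem(pem) for pem in trusted_pems}
    return claimed in trusted


def make_sample_assertion_header(thumb: str) -> str:
    """Constructed JOSE header segment of the kind a client sends with a JWT assertion."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": thumb}
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


# Constructed compact JWS: genuine header, placeholder payload and placeholder signature.
SAMPLE_ASSERTION = (
    make_sample_assertion_header(x5t(SAMPLE_DER))
    + "." + b64url(b'{"iss":"placeholder-client-id"}')
    + "." + "placeholder-signature"
)

if __name__ == "__main__":
    print("x5t (JOSE)      :", x5t_from_pem(SAMPLE_PEM))
    print("x5t (openssl)   :", x5t_openssl_style(SAMPLE_DER))
    print("x5t#S256        :", x5t_s256(SAMPLE_DER))
    print("assertion trusted:", assertion_cert_is_trusted(SAMPLE_ASSERTION, [SAMPLE_PEM]))
```

Run it against a real certificate by replacing SAMPLE_PEM with the contents of myCertificate.crt; the JOSE value is the one a client puts in its JWT header, and the openssl-style value is what the command above prints for the same file. When the thumbprint is used to pick a verification key, treat it only as a lookup hint, as the function's docstring says: an attacker can put any x5t in a header, so the lookup must be followed by an actual signature check against the selected certificate.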
Configure a Trusted OAuth Client in Oracle Identity Cloud Service
Below is a summary of the steps to define a trusted OAuth client in Oracle Identity Cloud Service. For full details, see the Oracle Identity Cloud Service documentation.
- Sign in to Oracle Identity Cloud Service using administrator credentials.
- Click Add.
- Select Confidential Application.
- Enter an application name and click Next.
- Select the option Configure this application as a client now.
- Enable JWT Assertion and other required grant types.
- Select the Trusted Client checkbox and import the public certificate (refer to the earlier sections for how to generate and extract a public certificate).
- Click Add Scope and add the necessary scopes to your OAuth client.
- Click Next. Click Next again and click Finish.
- Activate the application.