6 Offline Mediation Controller REST Services Manager Security

Learn how to implement the security capabilities supported by the Oracle Communications Offline Mediation Controller REST Services Manager. Offline Mediation Controller REST Services Manager supports stringent authorization and authentication requirements.

About Authentication and Authorization

Offline Mediation Controller REST Services Manager uses the OAuth 2.0 protocol to authenticate a client application's identity and to authorize the client application to access its REST API. It does this by validating the OAuth access token that the client passes as a Bearer token in the Authorization header of its HTTP/HTTPS request to the Offline Mediation Controller REST Services Manager. See REST API Reference for Offline Mediation Controller for more information.

Your client must pass this OAuth access token in the Authorization header of every HTTP/HTTPS request sent to Offline Mediation Controller REST Services Manager, and the token must carry the scope (Designer, Operator, or Viewer) that the requested endpoint requires. To set up authentication and authorization for your client, you can use either Oracle Identity Cloud Service or Oracle Access Management.

Setting Up OAuth Using Oracle Identity Cloud Service

You can set up your client application to use OAuth authentication at either the user or the application level to access the Offline Mediation Controller REST Services Manager API. For a typical Offline Mediation Controller setup, you create several integrated applications in Oracle Identity Cloud Service (IDCS).

To set up OAuth authentication using IDCS, perform the following steps:

  1. Creating a Confidential OAuth Application

  2. Creating Groups

  3. Creating a Resource Server

  4. Creating a Confidential Client Application

  5. Creating the Public Client

  6. Generating Two-Legged Access Tokens

  7. Configuring IDCS in REST Services Manager

Creating a Confidential OAuth Application

You first create a confidential OAuth application that holds the Application Administrator role. The remaining procedures in this section use this application's credentials to obtain an administrative access token and call the IDCS Admin REST API, which creates the other Oracle Identity Cloud Service applications that Offline Mediation Controller uses.

To create this administration application in IDCS:

  1. Open your Oracle Identity Cloud Service domain.

    The Overview in the Domain window appears.

  2. From the Identity domain navigation pane, click Integrated applications and then Add application.

  3. Select Confidential Application and then click Launch workflow.

    The Add Confidential Application window appears.

  4. Click Next or Configure OAuth.

  5. Specify the name of the application, such as OCOMC Admin App, and add an optional description.

  6. In the Client configuration card, select Configure this application as a client now.

    The Client configuration area expands.

  7. Under Allowed grant types, select the Client Credentials option.

  8. Under Token issuance policy, select Add app roles.

    The App roles area appears.

  9. Click Add roles.

    The Add app roles dialog box appears.

  10. Select the Application Administrator role and click Add.

  11. Click Next or Configure policy.

  12. Under Web tier policy, select Skip and do later and click Finish.

    The application is created.

  13. Click Activate and then, in the confirmation pop-up, click Activate application.

    The application is activated.

Write down the clientId and clientSecret; the following procedures need them. Because this application holds the Application Administrator role, treat the secret as a privileged credential: keep it in a secrets store rather than in scripts or shell history, and rotate it once the setup is complete if it is no longer needed.

Creating Groups

You manage user access to the Offline Mediation Controller functionality using groups. The Offline Mediation Controller resource server contains scopes for Designer, Operator, and Viewer users.

To create groups on the IDCS Cloud Console:

  1. Open your Oracle Identity Cloud Service domain.

    The Overview in the Domain window appears.

  2. From the Identity domain navigation pane, click Groups.

    The Groups in the Domain window appears.

  3. Click Create Group.

    The Create Group dialog box appears.

  4. Create the Designer group by doing the following:
    1. In the Name field, enter Designer.

    2. Select the users to assign to the group.

    3. Click Create.

    Note:

    You can edit the group and assign users at a later stage as well.

  5. Repeat step 4 to create the Operator and Viewer groups.

Creating a Resource Server

To create a Resource Server on IDCS:

  1. Generate an access token for the administration application using this cURL command:
    curl --location 'https://idcs_hostname/oauth2/v1/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Authorization: Basic encoded_client' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=urn:opc:idm:__myscopes__'

    where:

    • idcs_hostname is the hostname of your Identity Cloud Service instance.

    • encoded_client is the base64-encoded string of the clientId:clientSecret that you created.

    For more information, see "Generate Access Token and Other OAuth Runtime Tokens to Access the Resource" in REST API for Oracle Identity Cloud Service.

  2. Create an Offline Mediation Controller Resource Server application. This example creates a confidential application named OCOMC-ResourceServer with the following values:

    • The allowed grants are client_credentials and refresh_token

    • The audience is ocomc

    • The application scopes are Designer, Operator, and Viewer

    curl --location 'https://idcs_hostname/admin/v1/Apps' \
    --header 'Authorization: Bearer access_token' \
    --header 'Content-Type: application/json' \
    --data '{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:App"],
    "basedOnTemplate":{"value":"CustomWebAppTemplateId"},
    "displayName":"OCOMC-ResourceServer","description":"Resource Server for protecting the mediation backend API","name":"OCOMC-ResourceServer",
    "clientType":"confidential","isAliasApp":false,"isOPCService":false,"active":true,
    "isOAuthClient":true,"isUnmanagedApp":true,"isWebTierPolicy":false,
    "isOAuthResource":true,"allowedGrants":["client_credentials","refresh_token"],
    "allowOffline":true,"allUrlSchemesAllowed":true,"trustScope":"Account",
    "accessTokenExpiry":1800,"refreshTokenExpiry":3600,"audience":"ocomc",
    "scopes":[
      {"description":"Scope for Operator role in OCOMC","requiresConsent":false,"value":"Operator"},
      {"description":"Scope for Designer role in OCOMC","requiresConsent":false,"value":"Designer"},
      {"description":"Scope for Viewer role in OCOMC","requiresConsent":false,"value":"Viewer"}]}'

    where:

    • idcs_hostname is the hostname of your Identity Cloud Service instance.

    • access_token is the access token returned in step 1.

      For more information, see "Create an App" in REST API for Oracle Identity Cloud Service.

Creating a Confidential Client Application

To create a confidential client application, use cURL to send an HTTP/HTTPS request to the Oracle IDCS URL. REST Services Manager uses this client to introspect the access tokens that callers present, so the client must be confidential (it holds a secret) and must be allowed the introspect operation. The following command creates a confidential client application named OCOMC-RestClient with the following values:
  • The allowed grants are client_credentials and refresh_token.

  • The allowed operation is introspect.

  • The application scopes are Designer, Operator, and Viewer.

  • The allowed scopes are identified by their fully qualified scope (fqs) value, which is the resource server audience immediately followed by the scope name: ocomcDesigner, ocomcOperator, and ocomcViewer. If you changed the default audience (ocomc) when creating the resource server, update these values to match.

curl --location 'https://idcs_hostname/admin/v1/Apps' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:App"],
"basedOnTemplate":{"value":"CustomWebAppTemplateId"},
"displayName":"OCOMC-RestClient","name":"OCOMC-RestClient","clientType":"confidential",
"isAliasApp":false,"isOPCService":false,"active":true,"isOAuthClient":true,"isUnmanagedApp":false,
"isWebTierPolicy":false,"isOAuthResource":false,"allowedGrants":["client_credentials","refresh_token"],
"allowOffline":true,"allUrlSchemesAllowed":true,"trustScope":"Explicit",
"redirectUris":["https://omdUI_hostname/webApps/mediation"],
"postLogoutRedirectUris":["https://omdUI_hostname/webApps/mediation"],
"allowedOperations":["introspect"],
"allowedScopes":[
  {"fqs":"ocomcOperator","value":"Operator","description":"RSM Operator scope","requiresConsent":false},
  {"fqs":"ocomcDesigner","value":"Designer","description":"RSM Designer scope","requiresConsent":false},
  {"fqs":"ocomcViewer","value":"Viewer","description":"RSM Viewer scope","requiresConsent":false}]}'
where:
  • idcs_hostname is the hostname of your Identity Cloud Service instance.

  • access_token is the access token generated with the administration application.

  • omdUI_hostname is the hostname of the server where the Offline Mediation Controller UI is deployed. IDCS only redirects to the URIs registered here, so if this is specified incorrectly you will get errors from IDCS after logging in.

Write down the clientId, which is returned in the name attribute of the response when you create your Confidential Client Application, together with its clientSecret. The following procedures refer to this client ID as clientId_conf_app; the same ID and secret are the values for idcsClientId and idcsClientSecret in "Configuring IDCS in REST Services Manager".

For information, see "Create an App" in REST API for Oracle Identity Cloud Service.

Assigning the Authenticator App Role to the Confidential Client Application

You need to assign the Authenticator Client app role to the Confidential Client Application once it has been created; this role is what allows the client to introspect tokens. To assign the Authenticator Client role:
  1. Generate an access token with the administration application.

  2. Look up the ID of the built-in Authenticator Client role. The role already exists in IDCS, so this is a filtered search rather than a create:
    curl --location 'https://idcs_hostname/admin/v1/AppRoles?filter=displayName%20eq%20%22Authenticator%20Client%22' \
    --header 'Authorization: Bearer access_token' \
    --header 'Content-Type: application/json'
    If successful, you will see a response similar to this:
    {
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:ListResponse"
        ],
        "totalResults": 1,
        "Resources": [
            {
                "id": "1234567890abcdef1234567890abcdef",
                "meta": {
                    "resourceType": "AppRole",
                    "location": "https://www.example.com/admin/v1/AppRoles/1234567890abcdef1234567890abcdef"
                },
                "adminRole": true,
                "availableToUsers": false,
                "uniqueName": "IDCSAppId_Authenticator Client",
                "app": {
                    "value": "IDCSAppId",
                    "name": "IDCSApp",
                    "display": "IDCS Application",
                    "$ref": "https://www.example.com/admin/v1/Apps/IDCSAppId"
                },
                "availableToGroups": false,
                "displayName": "Authenticator Client",
                "public": false,
                "availableToClients": true,
                "ocid": "ocid1.domainapprole.oc1.phx.xxxx",
                "idcsLastModifiedBy": {
                    "value": "UnAuthenticated"
                },
                "idcsCreatedBy": {
                    "value": "UnAuthenticated"
                },
                "schemas": [
                    "urn:ietf:params:scim:schemas:oracle:idcs:AppRole"
                ]
            }
        ],
        "startIndex": 1,
        "itemsPerPage": 50
    }

    Write down the id value of the returned resource (1234567890abcdef1234567890abcdef in this sample). This is the ID of the Authenticator Client role. Also note the app.value of the same resource (IDCSAppId in the sample), which identifies the IDCS application that owns the role. For information, see the AppRoles endpoints in REST API for Oracle Identity Cloud Service.

  3. Assign the Authenticator Client role to the Confidential Client application using this command:
    curl --location 'https://idcs_hostname/admin/v1/Grants' \
    --header 'Authorization: Bearer access_token' \
    --header 'Content-Type: application/json' \
    --data '{"app":{"value":"IDCSAppId"},
    "entitlement":{"attributeName":"appRoles","attributeValue":"auth_client_roleID"},
    "grantMechanism":"ADMINISTRATOR_TO_APP","grantee":{"value":"clientId_conf_app","type":"App"},
    "schemas":["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]}'
    where:
    • IDCSAppId is the app.value from the response in step 2 (the application that owns the Authenticator Client role).

    • auth_client_roleID is the id of the Authenticator Client role from step 2.

    • clientId_conf_app is the client ID of the Confidential Client Application that you received in the response when creating it.

    For information, see "Add a Grantee to an AppRole" in REST API for Oracle Identity Cloud Service.

Note:

REST Services Manager caches the roles of the Confidential Application at startup. If you add or remove the Authenticator Client role after REST Services Manager has been started, restart the REST Services Manager to ensure that the new role is picked up correctly.

Creating the Public Client

The Offline Mediation Controller UI uses the Public Client to run the user login flow (the authorization_code grant) when the UI is deployed with client-side authentication enabled. Because a public client runs in the browser and cannot keep a secret, it is used only for this login flow; token introspection stays with the Confidential Client Application.

To create the Public Client:

  1. Generate an access token.

  2. Create a Public Client using cURL.

    This example command creates a public client named OCOMC-Public-Client with the following values:

    • The allowed grants are refresh_token and authorization_code

    • The application scopes are Designer, Operator, and Viewer

    curl --location 'https://idcs_hostname/admin/v1/Apps' \
    --header 'Authorization: Bearer access_token' \
    --header 'Content-Type: application/json' \
    --data '{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:App"],
    "basedOnTemplate":{"value":"CustomWebAppTemplateId"},
    "displayName":"OCOMC-Public-Client","description":"Public client used by OCOMC Web UI","name":"OCOMC-Public-Client",
    "clientType":"public","isAliasApp":false,"isOPCService":false,"active":true,"isOAuthClient":true,
    "isUnmanagedApp":false,"isWebTierPolicy":false,"isOAuthResource":false,
    "allowedGrants":["authorization_code","refresh_token"],"allowOffline":true,"allUrlSchemesAllowed":true,
    "trustScope":"Explicit","redirectUris":["https://omdUI_hostname/webApps/mediation"],
    "postLogoutRedirectUris":["https://omdUI_hostname/webApps/mediation/"],
    "allowedScopes":[{"fqs":"ocomcOperator"},{"fqs":"ocomcDesigner"},{"fqs":"ocomcViewer"}]}'

    where idcs_hostname, access_token and omdUI_hostname have the same meaning as in the previous procedures. The redirect URIs must match the UI's callback URL exactly, since IDCS compares them literally before returning an authorization code.

Once the applications have been created, ensure that the appropriate users have been assigned to their respective groups.

Generating Two-Legged Access Tokens

To generate a two-legged (client credentials) access token, use cURL to send an HTTP/HTTPS request to the Oracle IDCS token endpoint:
curl --location 'https://domain_url/oauth2/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic encoded_client' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=scope'
where:
  • domain_url is the hostname of your Identity Cloud Service instance.

  • encoded_client is the base64-encoded string of the clientId:clientSecret of the client application requesting the token; for REST Services Manager access this is normally the Confidential Client Application (OCOMC-RestClient), which is allowed the ocomc scopes.

  • scope is the fully qualified scope: the primary audience that you set when creating the Resource Server (for example ocomc) immediately followed by the scope name, such as Designer, giving ocomcDesigner.

If successful, IDCS returns an access token issued to the client application itself (a two-legged token carries no user identity) with the requested scope, valid for the accessTokenExpiry set on the resource server (1800 seconds in the example above). For information, see "Generate Access Token and Other OAuth Runtime Tokens to Access the Resource" in REST API for Oracle Identity Cloud Service.
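The following Python is an added example, not code from Offline Mediation Controller or IDCS. It assembles the client-credentials request shown above (returned as a dict rather than sent, so it runs offline) and then inspects the claims of a returned token to confirm it carries the ocomc audience and the fully qualified scope the caller needs before using it against REST Services Manager. The hostname, client credentials and the sample token are constructed placeholders; decoding the payload here does not verify the signature, which is the resource server's job via introspection.

```python
import base64
import json

# Added example: build the two-legged (client_credentials) request and inspect
# the returned token's claims. idcs_hostname, the client ID/secret and the
# sample token below are placeholders constructed for this example.


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header for the IDCS token endpoint: Base64 of clientId:clientSecret."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def client_credentials_request(idcs_hostname: str, client_id: str,
                               client_secret: str, audience: str, scope: str) -> dict:
    """Describe the POST to /oauth2/v1/token. The scope parameter is the fully
    qualified scope: audience immediately followed by the scope name (ocomcDesigner)."""
    return {
        "method": "POST",
        "url": f"https://{idcs_hostname}/oauth2/v1/token",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        "data": {"grant_type": "client_credentials", "scope": f"{audience}{scope}"},
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a JWS compact token WITHOUT verifying its signature.
    Use this only to inspect a token you just received from IDCS; RSM still
    validates the token with IDCS (introspection) before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, audience: str, required_scope: str, now: int) -> list:
    """Return a list of problems; an empty list means the token is usable for required_scope."""
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        problems.append(f"audience {audience!r} not in aud {aud!r}")
    granted = set(str(claims.get("scope", "")).split())  # space-separated scope string
    if required_scope not in granted:
        problems.append(f"scope {required_scope!r} not granted (have {sorted(granted)})")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample token with an empty signature, for offline demonstration only.
    Real IDCS access tokens are RS256-signed JWTs."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```

A practical use is a pre-flight check in automation that fetches tokens for rsm-automation jobs: if check_token reports a missing scope, the client was granted the wrong fqs in its allowedScopes, and the fix belongs in IDCS rather than in retry logic.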

Configuring IDCS in REST Services Manager

To configure Oracle IDCS in your REST Services Manager cloud native environment:
  1. Open your override-values.yaml file for oc-cn-ocomc-helm-chart.

  2. Set the rsm.security.provider key to IDCS.

    Note:

    Do not leave the key empty, or RSM will run without authentication.

  3. Set the rsmOAuthToken key to the RSM OAuth 2.0 token.

  4. Add your security information under the security.configuration.idcs section:
    • idcsUri: Set this to the IDCS domain URL.

    • idcsClientId: Set this to the client ID for your IDCS client application.

    • idcsClientSecret: Set this to the client secret in Base64-encoded format.

    • idcsIntrospectEndpointUri: Set this to the IDCS introspect URL for token validation.

  5. To enable rsm-automation jobs, add the valid RSM OAuth token to the jobs.requestAutomation.config.rsmAuthToken key.
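The fragment below is an added example of the resulting override-values.yaml, not taken from the chart itself. The nesting of the keys is assumed from the dotted key paths given in the steps above (rsm.security.provider, security.configuration.idcs, jobs.requestAutomation.config.rsmAuthToken) and from the OAM fragment later in this chapter; hostnames, IDs and tokens are placeholders. The introspection endpoint of an IDCS domain is /oauth2/v1/introspect.

```yaml
# override-values.yaml for oc-cn-ocomc-helm-chart, IDCS provider (added example;
# key nesting assumed from the dotted paths in the steps above).
rsm:
  security:
    provider: "IDCS"        # must not be empty: an empty value runs RSM without authentication
    configuration:
      idcs:
        idcsUri: https://idcs_hostname
        idcsClientId: clientId_conf_app          # the OCOMC-RestClient confidential client
        idcsClientSecret: base64_encoded_client_secret
        idcsIntrospectEndpointUri: https://idcs_hostname/oauth2/v1/introspect
rsmOAuthToken: rsm_oauth_token
jobs:
  requestAutomation:
    config:
      rsmAuthToken: rsm_oauth_token
```

Base64 encoding of idcsClientSecret is a transport format, not protection: anyone who can read the values file can recover the secret, so keep the file out of version control and restrict access to the namespace where the chart is installed.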

Setting Up OAuth Using Oracle Access Management

Preparing the Environment

Ensure that both Oracle Access Management and Oracle Unified Directory are installed and configured before integrating with Offline Mediation Controller.

When installing Oracle Access Management, ensure that:
  • OAuth 2.0 and REST Endpoints are public.
    • You must configure all /oauth2/rest/** endpoints as public resources.

    • You use these endpoints for token introspection, which allows Oracle Access Management to validate and process OAuth tokens.

  • OpenID Configuration Endpoint is public.
    • The /.well-known/openid-configuration endpoint must be public.

    • This endpoint provides metadata about the OpenID Provider, which is essential for the Offline Mediation Designer UI.

When installing Oracle Unified Directory, ensure that you enable the HTTP service and expose port 8080. For more information, see "Getting Started with Oracle Access Management 12c Series – Overview" in the Oracle Access Management documentation.

Configuring Oracle Unified Directory as the Identity Store

To configure Oracle Unified Directory as the identity store in Oracle Access Management:
  1. Launch a browser and log in to the Oracle Access Management Console: http://oam_hostname:7001/oamconsole.

  2. Click the Configuration tab on the top right and then click User Identity Stores.

    The OCOMCStore tab appears.

  3. Set the following values in the OCOMCStore tab:
    1. Store Name: Set this to OUDStore

    2. Store Type: Set this to OUD: Oracle Unified Directory

    3. Location: Set this to hostName:hostLDAPPort

    4. Bind DN: Set this to cn=Directory Manager (the OUD root DN, as used throughout this chapter; for production, a dedicated bind account with read access to the user and group subtrees limits the impact of a leaked password)

    5. Password: Set this to the Oracle Unified Directory password

    6. Login ID Attribute: Set this to uid

    7. User Password Attribute: Set this to userPassword

    8. User Search Base: Set this to ou=People,dc=ocomcexample.com

    9. Group Name Attribute: Set this to cn

    10. Group Search Base: Set this to ou=Groups,dc=ocomcexample.com

  4. Click Test Connection on the top right side of the tab.

    If the connection works, click OK in the Connection Status window. If not, correct the values and test again.

  5. Click Apply on the top right to save the definition.

  6. Click the User Identity Store tab.

  7. From the Default Store list, select OUDStore and then click Apply.

  8. Under the Plug-ins tile, click Application Security and then Authentication Modules.

  9. Click Search.

    The LDAP module appears.

  10. Click the LDAP module and set User Identity Store to OUDStore.

  11. Click the Launch Pad tab and, in the Access Manager tile, click the Authentication Schemes link.

  12. On the Search Authentication Schemes page, click Search.

    The search results appear.

  13. Select the LDAPScheme row in the search results and click Edit.

  14. In LDAPScheme, click Duplicate.

    This creates a new scheme with the name 'Copy of LDAP Scheme'.

  15. Set the following values in the scheme:
    1. Name: Set this to LDAPOUDScheme

    2. Description: Set this to LDAP Scheme Over OUD

    3. Authentication Module: Set this to LDAP

  16. Click Apply.

  17. Click the Set As Default option and then click OK in the confirmation pop-up box.

Note:

Oracle Unified Directory must be running over either HTTP or HTTPS. This is a required configuration for the Offline Mediation Controller service to establish successful communication with Oracle Unified Directory endpoints.

Creating a User Using Oracle Unified Directory

To create a user using Oracle Unified Directory:
  1. Create an add_user.ldif file:
    dn: uid=ocomcuser,ou=People,dc=ocomcexample.com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: ocomcuser
    cn: ocomcuser
    sn: ocomcuser
    userPassword: password
  2. To create the user in the OUD store, run the following commands:
    cd oud_home/instance_name/OUD/bin
    ./ldapmodify -a -h OUD_hostname -p OUD_port -D "cn=Directory Manager" -w password -f path/add_user.ldif
  3. Create an add_group.ldif file to create a group. The group uses the groupOfNames object class, whose membership attribute is member (the attribute that the membership search in "Fetching User Details from Oracle Unified Directory" filters on). The value of the ou RDN is the Offline Mediation Controller scope name, optionally prefixed with PSA:
    dn: ou=Designer,ou=Groups,dc=ocomcexample.com
    objectClass: top
    objectClass: groupOfNames
    ou: Designer
    cn: Designer
    description: example description.
    If your directory schema makes member mandatory for groupOfNames, add the member line from step 5 to this entry instead of adding it separately.
  4. To add the group in the OUD store, run the following commands:
    cd oud_home/instance_name/OUD/bin
    ./ldapmodify -a -h OUD_hostname -p OUD_port -D "cn=Directory Manager" -w password -f path/add_group.ldif
  5. Create an add_user_to_group.ldif file:
    dn: ou=Designer,ou=Groups,dc=ocomcexample.com
    changetype: modify
    add: member
    member: uid=ocomcuser,ou=People,dc=ocomcexample.com
    If you created the group with the PSA prefix, use the matching DN instead, for example dn: ou=PSA Designer,ou=Groups,dc=ocomcexample.com.
  6. To add the user to the group in the OUD store, run the following commands:
    cd oud_home/instance_name/OUD/bin
    ./ldapmodify -h OUD_hostname -p OUD_port -D "cn=Directory Manager" -w password -f path/add_user_to_group.ldif

Passing -w password on the command line exposes the Directory Manager password to other users of the host through the process list and shell history; the OUD ldapmodify tool also accepts -j bindPasswordFile, which reads the password from a file with restricted permissions.

Fetching User Details from Oracle Unified Directory

To fetch the groups that a user belongs to from Oracle Unified Directory, use cURL to send an HTTP/HTTPS request to the Oracle Unified Directory REST endpoint (the HTTP service enabled in "Preparing the Environment"):

curl -X POST \
  http://OUD_hostname:OUD_port/rest/v1/directory \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic encoded_password" \
  -d '{
        "msgType": "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchRequest",
        "base": "ou=Groups,dc=ocomcexample.com",
        "scope": "sub",
        "filter": "(&(objectclass=*)(member=uid=<UID>,ou=People,dc=ocomcexample.com))"
      }'

where:

  • OUD_hostname and OUD_port are the hostname and port where Oracle Unified Directory is running.

  • encoded_password is the Base64-encoded string BindDN:password, for example cn=Directory Manager:password.

You will receive a response similar to this sample:

{
  "msgType": "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchResponse",
  "totalResults": 1,
  "searchResultEntries": [
    {
      "dn": "ou=PSA Operators,ou=Groups,dc=ocomcexample.com",
      "attributes": {
        "cn": "All Operator Users",
        "ou": [
          "PSA Users",
          "PSA Operators"
        ],
        "member": "uid=ocomcuser,ou=People,dc=ocomcexample.com",
        "objectClass": [
          "top",
          "groupofNames"
        ]
      }
    }
  ]
}

Or, if the group was created without the PSA prefix, you may receive a response similar to this sample:

{
  "msgType": "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchResponse",
  "totalResults": 1,
  "searchResultEntries": [{
      "dn": "ou=Operator,ou=Groups,dc=ocomcexample.com",
      "attributes": {
        "cn": "All Operator Users",
        "ou": [
          "PSA Users",
          "PSA Operators"
        ],"member": "uid=ocomcuser,ou=People,dc=ocomcexample.com",
        "objectClass": [
          "top",
          "groupofNames"
        ]
      }
    }
  ]
}

For more information, see "Add, Delete, Search, Modify or Compare an OUD entry" in REST API for Oracle Unified Directory Data Management.

Note:

You can create the group entry with any additional attributes, but the first RDN of its DN must have one of these forms, where Scope is Designer, Operator, or Viewer:

  • "dn" : "ou=PSA Scope,...."

  • "dn" : "ou=Scope,..."

For example:

ou = PSA Operators
ou = PSA Designer
ou = PSA Viewers
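The following Python is an added example, not part of Offline Mediation Controller, showing the group-naming rule above as code: it derives the scope from a group DN (ou=Scope or ou=PSA Scope, tolerating the plural forms the examples use), builds the membership search body used in the cURL request, and extracts the scopes a user holds from an OUD SearchResponse. The JSON response below is constructed for the example, and the tolerance for a trailing "s" and the handling of unrelated groups are this example's assumptions, not documented product behaviour.

```python
import json

# Added example (not product code): map Oracle Unified Directory group DNs to
# Offline Mediation Controller scopes using the naming rule from the note above
# (ou=Scope or ou=PSA Scope), and pull those scopes out of an OUD REST
# SearchResponse. The response JSON below is constructed for this example.

SCOPES = ("Designer", "Operator", "Viewer")


def scope_from_group_dn(dn: str):
    """Return Designer/Operator/Viewer for a group DN that follows the naming rule, else None.
    The first RDN must be ou=<Scope> or ou=PSA <Scope>; a trailing 's' (PSA Operators) is
    tolerated because the chapter's examples use it (an assumption of this example).
    Escaped commas inside RDN values are not handled; the DNs in this chapter have none."""
    first_rdn = dn.split(",", 1)[0].strip()
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().lower() != "ou":
        return None
    value = value.strip()
    if value.lower().startswith("psa "):
        value = value[4:].strip()
    for scope in SCOPES:
        if value.lower() in (scope.lower(), scope.lower() + "s"):
            return scope
    return None


def membership_search_request(groups_base: str, user_dn: str) -> dict:
    """Body of the OUD REST search listing the groups a user is a member of (same shape as the cURL above)."""
    return {
        "msgType": "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchRequest",
        "base": groups_base,
        "scope": "sub",
        "filter": f"(&(objectclass=*)(member={user_dn}))",
    }


def scopes_from_search_response(body: str) -> set:
    """Collect the scopes granted by the groups in an OUD SearchResponse; groups that do not
    follow the naming rule grant nothing."""
    doc = json.loads(body)
    if doc.get("msgType") != "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchResponse":
        raise ValueError("unexpected msgType")
    scopes = set()
    for entry in doc.get("searchResultEntries", []):
        scope = scope_from_group_dn(entry.get("dn", ""))
        if scope:
            scopes.add(scope)
    return scopes


# Constructed response: one PSA-prefixed group, one plain group, one group that grants no scope.
SAMPLE_RESPONSE = json.dumps({
    "msgType": "urn:ietf:params:rest:schemas:oracle:oud:1.0:SearchResponse",
    "totalResults": 3,
    "searchResultEntries": [
        {"dn": "ou=PSA Operators,ou=Groups,dc=ocomcexample.com",
         "attributes": {"cn": "All Operator Users", "member": "uid=ocomcuser,ou=People,dc=ocomcexample.com"}},
        {"dn": "ou=Designer,ou=Groups,dc=ocomcexample.com",
         "attributes": {"cn": "Designer", "member": "uid=ocomcuser,ou=People,dc=ocomcexample.com"}},
        {"dn": "ou=Billing Admins,ou=Groups,dc=ocomcexample.com",
         "attributes": {"cn": "Billing Admins", "member": "uid=ocomcuser,ou=People,dc=ocomcexample.com"}},
    ],
})
```

Running scopes_from_search_response over the real response for a user is a quick way to confirm, before touching Oracle Access Management, that the group DNs you created actually resolve to the scope you expect; a group named with cn= instead of ou= in its first RDN resolves to nothing.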

Testing Oracle Unified Directory as the Identity Store in Oracle Access Management

To test whether Oracle Unified Directory has been successfully integrated with Oracle Access Management, go to http://OAM_hostname:OAM_port/. This action redirects you to the login page. If you can log in using any user from Oracle Unified Directory, the integration is successful.

Generating the Access Token

To generate an access token, you must create an OAuth identity domain, an OAuth resource server, and an OAuth client.

To enable OAuth service in Oracle Access Management:
  1. Go to the Available Services option in the Configuration tab in the OAM Console.

  2. Click Enable Service for OAuth and OpenIDConnect Service.

Creating an OAuth Identity Domain

An identity domain corresponds to the notion of a tenant. All clients and resource servers are created under an identity domain.

To create an identity domain, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:
curl --location 'http://OAM_hostname:OAM_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic encoded_password' \
--data '{
    "name": "domain_name",
    "identityProvider": "oud_storename",
    "description": "domain_name",
    "tokenSettings": [
        {
            "tokenType": "SSO_LINK_TOKEN",
            "tokenExpiry": 3600,
            "lifeCycleEnabled": false,
            "refreshTokenEnabled": false,
            "refreshTokenExpiry": 3600,
            "refreshTokenLifeCycleEnabled": false
        },
        {
            "tokenType": "ACCESS_TOKEN",
            "tokenExpiry": 3600,
            "lifeCycleEnabled": false,
            "refreshTokenEnabled": true,
            "refreshTokenExpiry": 3600,
            "refreshTokenLifeCycleEnabled": false
        },
        {
            "tokenType": "AUTHZ_CODE",
            "tokenExpiry": 3600,
            "lifeCycleEnabled": false,
            "refreshTokenEnabled": true,
            "refreshTokenExpiry": 3600,
            "refreshTokenLifeCycleEnabled": false
        }
    ],
    "errorPageURL": "/oam/pages/servererror.jsp",
    "consentPageURL": "/oam/pages/consent.jsp"
}'
where:
  • encoded_password is the Base64-encoded format of username:password.

  • domain_name is the name of the Oracle Access Management identity domain that you want to create.

  • oud_storename is the name of Oracle Unified Directory store added in Oracle Access Management server.

For more information, see "Add a new OAuth Identity Domain" in REST API for OAuth in Oracle Access Manager.

Creating a Resource Server

A resource server hosts protected resources. The resource server can accept and respond to protected resource requests using access tokens.

To create a resource server, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:
curl --location 'http://OAM_hostname:OAM_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic encoded_password' \
--data '{
    "name": "resource_server",
    "description": "OIDC Resource Server for OCOMC",
    "scopes": [
        {
            "scopeName": "Operator",
            "description": "Scope for Operator role in OCOMC"
        },
        {
            "scopeName": "Designer",
            "description": "Scope for Designer role in OCOMC"
        },
        {
            "scopeName": "Viewer",
            "description": "Scope for Viewer role in OCOMC"
        }
    ],
    "resourceServerNameSpacePrefix": "ResourceServer",
    "tokenAttributes": [
        {
            "attrName":"sessionId",
            "attrValue":"$session.id",
            "attrType":"DYNAMIC"
        },
        {
            "attrName":"resSrvAttr",
            "attrValue":"RESOURCECONST",
            "attrType":"STATIC"
        }
    ],
    "idDomain": "domain_name",
    "audienceClaim": {
        "subjects": [
            "ab0",
            "ResourceServer"
        ]
    }
}'
where:
  • encoded_password is the Base64-encoded password in the format username:password.

  • resource_server is the name of the resource server that you want to create.

For more information, see "Add a new Resource Server" in REST API for OAuth in Oracle Access Management.

Creating an OAuth Client

A client is an application that makes protected resource requests on behalf of the resource owner and with the resource owner's authorization.

To create an OAuth client, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:
curl --location 'http://OAM_hostname:OAM_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic encoded_password' \
--data '{
    "id": "client_id",
    "secret": "client_secret",
    "scopes": [
        "ResourceServer.Operator",
        "ResourceServer.Designer",
        "ResourceServer.Viewer"
    ],
    "defaultScope": "ResourceServer.Operator",
    "clientType": "client_type",
    "idDomain": "id_domain",
    "description": "Client entry for OAUTH OIDC Domain",
    "name": "client_name",
    "grantTypes": [
        "PASSWORD",
        "CLIENT_CREDENTIALS",
        "JWT_BEARER",
        "REFRESH_TOKEN",
        "AUTHORIZATION_CODE"
    ],
    "redirectURIs": [
        {
            "url": "redirect_url",
            "isHttps": true
        }
    ]
}'
where:
  • encoded_password is the Base64-encoded string username:password of the Oracle Access Management administrator.

  • client_id and client_secret are the client ID and client secret.

  • client_type is one of these client types:
    • CONFIDENTIAL_CLIENT is a client that requires a secret for authentication.

    • PUBLIC_CLIENT is a client that does not require a secret. This is used by UI applications to exchange an authorization code for a token.

  • id_domain is the name of the identity domain under which the client is created.

  • client_name is the name of the client.

  • redirect_url is the redirect URI of your client application. Oracle Access Management only returns authorization codes to URIs registered here, so register the exact callback URL of the deployed UI (scheme, host, port and path).

For more information, see "Add a new OAuth Client" in REST API for OAuth in Oracle Access Management.

Generating Access Tokens with Two-Legged Flows

To generate an access token with the two-legged flow, using client credentials, use cURL to send an HTTP/HTTPS request to the Oracle Access Management token endpoint:
curl --location 'http://OAM_hostname:OAM_port/oauth2/rest/token' \
--header 'X-OAUTH-IDENTITY-DOMAIN-NAME: domain_name' \
--header 'Authorization: Basic encoded_client' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=resource_server.Scope_name'
where:
  • domain_name is the name of the identity domain under which the client was created.

  • encoded_client is the Base64-encoded string client_id:client_secret of a CONFIDENTIAL_CLIENT created in "Creating an OAuth Client".

  • resource_server.Scope_name is the scope prefixed with the resource server name, for example ResourceServer.Designer, and must be one of the scopes registered on the client.

For more information, see "Create Access Token Flow" in REST API for OAuth in Oracle Access Management.

Generating Access Tokens with Three-Legged Flow

To generate an access token with the three-legged (authorization code) flow:

  1. Open the following URL in a browser:
    http://OAM_hostname:OAM_port/oauth2/rest/authorize?response_type=code&domain=domain_name&client_id=client_id&scope=resource_server.Scope_name&state=state&redirect_uri=redirect_url&code_challenge=code_challenge&code_challenge_method=S256
    where client_id is the ID of the OAuth client, state is a random value that your client generates for each login and compares with the value echoed back on redirect_url (this protects the callback against cross-site request forgery), and code_challenge is the Base64url-encoded SHA-256 hash of a random code_verifier that the client keeps until step 5 (PKCE).
  2. Enter your user credentials in the Oracle Access Manager login screen.

  3. Click Allow.

  4. Copy the authorization code (and check the echoed state value) from the browser URL.

  5. Generate the OAuth access token by submitting a cURL request to the Create Access Token Flow endpoint in the Oracle Access Manager OAuth REST API. For example:
    curl --location 'http://OAM_hostname:OAM_port/oauth2/rest/token' \
    --header 'X-OAUTH-IDENTITY-DOMAIN-NAME: domain_name' \
    --data-urlencode 'client_id=client_id' \
    --data-urlencode 'grant_type=AUTHORIZATION_CODE' \
    --data-urlencode 'code=authorization_code' \
    --data-urlencode 'code_verifier=code_verifier' \
    --data-urlencode 'redirect_uri=redirect_url'
    where authorization_code is the code copied in step 4, code_verifier is the value whose hash was sent as code_challenge in step 1, and redirect_url must be identical to the redirect_uri used in step 1. No client secret is sent because the UI uses a PUBLIC_CLIENT; the code_verifier is what binds the token request to the browser session that obtained the code.

For more information, see REST API for OAuth in Oracle Access Manager.
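The following Python is an added example, not code from Offline Mediation Controller or Oracle Access Management. It generates the PKCE code_verifier and S256 code_challenge used in the three-legged flow above, builds the authorize URL and the token-request form with those values, and shows the two checks the client must make: that the state echoed on the callback matches, and (as the authorization server does) that a code_verifier hashes to the registered challenge. The OAM base URL, domain name, client ID and redirect URI are placeholders; only the verifier and challenge computation is fixed by RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example: the PKCE and state handling of the three-legged flow above.
# OAM endpoints, domain_name, client_id and redirect URI are placeholders.


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier of 43 to 128 unreserved characters (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_state() -> str:
    """Unguessable state value; the client checks it on the callback to reject forged redirects."""
    return secrets.token_urlsafe(24)


def build_authorize_url(oam_base: str, domain_name: str, client_id: str, scope: str,
                        redirect_uri: str, state: str, code_challenge: str) -> str:
    """Step 1 of the flow, with the PKCE challenge bound to this login attempt."""
    params = {
        "response_type": "code",
        "domain": domain_name,
        "client_id": client_id,
        "scope": scope,
        "state": state,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{oam_base}/oauth2/rest/authorize?{urlencode(params)}"


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Step 4: only use the code if a state is present and equals the one we sent."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    return "code" in qs and hmac.compare_digest(state, expected_state)


def token_request_form(client_id: str, code: str, verifier: str, redirect_uri: str) -> dict:
    """Step 5: form fields for /oauth2/rest/token; redirect_uri must match step 1 exactly."""
    return {
        "client_id": client_id,
        "grant_type": "AUTHORIZATION_CODE",
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    }


def challenge_matches(code_challenge: str, code_verifier: str) -> bool:
    """The authorization server's check at the token endpoint (constant-time comparison)."""
    return hmac.compare_digest(code_challenge, code_challenge_s256(code_verifier))
```

Without PKCE, an authorization code leaked from the browser (through a log, a referrer or a malicious app registered for the same redirect scheme) can be redeemed by anyone, because a public client has no secret; with it, the code is useless without the verifier that never left the legitimate client.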

Configuring Offline Mediation Controller Cloud Native for Oracle Access Management

To configure the Offline Mediation Controller cloud native environment to connect with Oracle Access Management, add the following keys to your override-values.yaml file for oc-cn-ocomc-helm-chart:
provider: "OAM"
configuration:
  oam:
    clientId: client_id
    clientSecret: client_secret
    tokenEndpointUri: http://OAM_hostname:14100/oauth2/rest/token
    authorizationEndpointUri: http://OAM_hostname:7777/oauth2/rest/authorize
    introspectEndpointUri: http://OAM_hostname:7777/oauth2/rest/token/introspect
    oauthIdentityDomainName: IDStore
    oudHostName: oud_hostname
    oudAdminUserName: oud_adminuser
    oudAdminUserPassword: oud_password
    oudHttpPort: oud_httpport
    oudHttpsPort: oud_httpsport
    oudUsersBaseDn: user_basedn
    oudGroupsBaseDn: group_basedn
where:
  • client_id is the client ID to be used for connecting with the OAM server.

  • client_secret is the client secret to be used for connecting with the Oracle Access Management server. This must be encoded in Base64 format.

  • OAM_hostname is the host name of the server where Oracle Access Management is running.

  • oud_hostname is the host name of the Oracle Unified Directory server.

  • oud_adminuser is the admin username for the Oracle Unified Directory server.

  • oud_password is the admin password encoded in Base64 format.

  • oud_httpport is the HTTP port for the Oracle Unified Directory server.

  • oud_httpsport is the HTTPS port for the Oracle Unified Directory server.

  • user_basedn is the Oracle Unified Directory server Base-DN to be used by Offline Mediation Controller REST Services Manager.

  • group_basedn is the Oracle Unified Directory server groups-DN to be used by Offline Mediation Controller REST Services Manager.

Note:

Oracle Unified Directory must be running over either HTTP or HTTPS. This is a required configuration for the Offline Mediation Controller service to establish successful communication with Oracle Unified Directory endpoints.

Accessing an Offline Mediation Controller REST Services Manager Endpoint

After your system is configured, you can access an Offline Mediation Controller REST Services Manager endpoint using the access token with the required scope.

You can pass the generated access token as part of the request header. For example:

curl --location 'http://ocomc_host:port/v1/nodeManagers' \
     --header 'Authorization: Bearer access_token'

where:

  • ocomc_host and port are the host name and port for the Offline Mediation Controller REST server.

  • access_token is the OAuth access token for your Offline Mediation Controller API client.

For more information, see REST API Reference for Offline Mediation Controller.

SSL-Enabled Actions for IDCS and Oracle Access Management

If Oracle Access Management or IDCS is running with SSL enabled, REST Services Manager must trust the certificate chain those services present. The following commands download the chain that a server presents and import it into a Java TrustStore:
echo | openssl s_client -showcerts -servername serverName -connect serviceName:servicePort 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > certs.pem
# example
echo | openssl s_client -showcerts -servername idcs-12345678.identity.oraclecloud.com -connect idcs-12345678.identity.oraclecloud.com:443 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > idcs_certs.pem
# command to import a certificate into the TrustStore
keytool -importcert -trustcacerts -keystore trustStoreName -storepass password -alias aliasName -file fileName
# example
keytool -importcert -trustcacerts -keystore idcs_trustStore.jks -storepass storePass -alias idcs-certs -file idcs_certs.pem
# if the .pem file contains several certificates, split them and import each one under its own alias
# example (writes xx00, xx01, ... with one certificate per file)
csplit -z idcs_certs.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
Because openssl s_client saves whatever chain the endpoint presents, compare the fingerprint of each certificate (openssl x509 -in xx00 -noout -fingerprint -sha256) with the value published by the certificate owner before importing it; importing an unverified chain would let an interposed server pass the TLS checks of REST Services Manager. Prefer importing the issuing CA certificate rather than the leaf certificate, so the TrustStore keeps working when the service rotates its leaf certificate.
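The following Python is an added example, not part of Offline Mediation Controller, that does in code what the csplit step does by hand: it splits a PEM bundle written by the openssl command into individual certificates and computes each one's SHA-256 fingerprint in the format openssl prints, so the value can be compared with the one published by the certificate owner before keytool is run. The "certificates" embedded below are constructed byte strings, not real X.509 data; keytool would reject them, but the splitting and fingerprinting logic is the same for real ones.

```python
import base64
import hashlib
import re

# Added example: split a PEM bundle into certificates and fingerprint each one.
# The sample "certificates" are constructed bytes, not real X.509 certificates.

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text: str) -> list:
    """Return each certificate in the bundle as its own normalized PEM block (like csplit's xx00, xx01, ...)."""
    blocks = []
    for body in _PEM_CERT.findall(text):
        b64 = "".join(body.split())  # drop the line breaks inside the base64 body
        blocks.append("-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n")
    return blocks


def der_bytes(pem: str) -> bytes:
    """DER encoding of one PEM certificate: the bytes a certificate fingerprint is computed over."""
    m = _PEM_CERT.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as printed by openssl x509 -fingerprint -sha256."""
    digest = hashlib.sha256(der_bytes(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-column lines (used here only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for a leaf and an intermediate certificate (not real certificates).
SAMPLE_LEAF = b"constructed leaf certificate bytes " * 3
SAMPLE_INTERMEDIATE = b"constructed intermediate certificate bytes " * 3
SAMPLE_BUNDLE = pem_from_der(SAMPLE_LEAF) + pem_from_der(SAMPLE_INTERMEDIATE)
```

In practice you would read idcs_certs.pem into split_pem_bundle, print the fingerprint of each block next to its position in the chain, and import only the blocks whose fingerprints you have verified, each under a distinct keytool alias.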
Ensure that the required certificates are imported into the TrustStore. The following fields must be updated in the REST Services Manager charts under the rsmTrustStore section:
rsmTrustStore:
  enabled: enabledValue
  trustStoreName: trustStoreName
  extRsmTruststoreSecret: extRsmTruststoreSecret
  trustStorePassPhrase: trustStorePassPhrase
where:
  • enabledValue is the action to enable or disable the TrustStore configuration.

  • trustStoreName is the name of the TrustStore file containing the trusted certificates. This file should include CA (Certificate Authority) certificates necessary for establishing secure SSL/TLS connections with external services. Ensure the file is present at oc-cn-ocomc-rsm/ocomc-rsm-keystore.

  • extRsmTruststoreSecret is the secret name containing the external RSM TrustStore file.

  • trustStorePassPhrase is the Base64-encoded passphrase for accessing the TrustStore.