OAM 12C OpenID Connect (OIDC) Setup & Configuration

This doc covers the steps for configuring the Oracle Access Manager 12c Webgate as an OIDC client to OAM. With this configuration the Webgate redirects the browser to OAM for authentication and also calls OAM directly (server to server) to complete the authentication using the OIDC protocol.

Prerequisites.

  1. OAM 12.2.1.3 with the April 2018 Bundle Patch or later.
  2. OAM 12.2.1.3 Webgate for OHS with the April 2018 Bundle Patch or later.
  3. OHS1 with a Webgate configured, front-ending OAM.
  4. OHS2 with a Webgate (OIDC) that will act as the Client (in SAML terms the Service Provider, which consumes the OAuth token). In a real-world scenario this is the web server hosting the application that is being integrated with OAM using the OIDC protocol.

Configure OAM for OIDC.

  1. Login to OAM Console > Configuration > Available Services.
  2. Click the Enable Service button for OAuth and OpenIDConnect Services.
  3. This will prompt with an enable-service pop-up; click Enable.
  4. Now it's time to create an Identity Domain. OAM 12c no longer has a GUI for creating domains for OAuth/OpenID Connect/Mobile Authenticator; in OAM 12c we have to use the command line (curl) or the Postman tool, both of which call the OAM REST APIs to create domains.
  5. Run the commands below to create the Identity Domain for the OAuth partners.
  • Create Identity Domain: the commands below create an OAuth Identity Domain, a Resource Server and a Client.

OAuth DomainName: OIDCWebGateDomain

Consent page: /oam/pages/consent.jsp (OOTB; this can be customized, which will be explained in the next blog)

curl -k -u username:Password -H 'Content-Type: application/json' \
  'http://oam.example.com:7001/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain' \
  -d '{"name":"OIDCWebGateDomain","identityProvider":"UserStoreName","description":"OIDC WebGate Domain",
       "tokenSettings":[{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false},
                        {"tokenType":"AUTHZ_CODE","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false},
                        {"tokenType":"SSO_LINK_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}],
       "errorPageURL":"/oam/pages/servererror.jsp","consentPageURL":"/oam/pages/consent.jsp",
       "customAttrs":"Attribute of user in IDStore to store the encrypted secretkey for TOTP"}'

  • Configure Resource Server (the idDomain must be the identity domain created above)

ResourceServerName: OIDCWebGateRS

curl -k -u username:Password -H 'Content-Type: application/json' \
  'http://oam.example.com:7001/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application' \
  -d '{"name":"OIDCWebGateRS","description":"OIDC WebGate Resource Server",
       "scopes":[{"scopeName":"printenv","description":"/cgi-bin directory"}],
       "tokenAttributes":[{"attrName":"sessionId","attrValue":"$session.id","attrType":"DYNAMIC"},
                          {"attrName":"StaticAttr","attrValue":"StaticAttrValue","attrType":"STATIC"}],
       "idDomain":"OIDCWebGateDomain","audienceClaim":{"subjects":["ab0"]}}'

  • Configure Client (the redirect URI registered here must match the callbackPrefix later placed in cloud.config)

curl -k -u username:Password -H 'Content-Type: application/json' \
  'http://oam.example.com:7001/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client' \
  -d '{"attributes":[{"attrName":"customAttr1","attrValue":"CustomValue","attrType":"static"}],
       "secret":"WGPassword","id":"OIDCWebGateClient","scopes":["OIDCWebGateRS.printenv"],
       "clientType":"CONFIDENTIAL_CLIENT","idDomain":"OIDCWebGateDomain",
       "description":"Client entry for OIDC WebGate","name":"OIDCWebGateClient",
       "grantTypes":["PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE"],
       "defaultScope":"OIDCWebGateRS.printenv",
       "redirectURIs":[{"url":"https://ohs2.example.com:443/oauth/callback","isHttps":true}]}'

Configure OAM Policies

  1. Login to oamconsole and navigate to Application Security > Application Domain > IAMSuite > Authentication Policies > OAuth Authentication Policy.
  2. Validate that the Authentication Scheme = LDAPScheme.
  3. Navigate to Authentication Schemes and validate that LDAPScheme uses the LDAP Authentication module.
  4. Navigate to Authentication Modules and validate that the LDAP module uses the same user store (UserStoreName) as the identityProvider parameter used in the 1st curl command.
  5. Navigate to Authentication Modules and validate that LDAPNoPasswordAuthModule uses the same user store (UserStoreName).

Configure OHS1 to reverse proxy OAM for the OAuth modules.

  1. OHS1 must be shut down.
  2. Navigate to the moduleconf directory of the OHS1 instance (eg. /u01/Oracle/Middleware/Oracle_Home/user_projects/domains/webtier_domain/config/fmwconfig/components/OHS/ohs1/moduleconf) and create a file named oamproxy.conf with the contents below. Each Location block forwards one of the OAM paths used in this guide (/oauth2, /oam and the discovery endpoint referenced from cloud.config) to the OAM managed server:
    # OAuth/OIDC endpoints (authorize, approval, token)
    <Location /oauth2>
        SetHandler weblogic-handler
        WebLogicHost oam.example.com
        WebLogicPort 14100
    </Location>

    # OAM pages, including the consent page /oam/pages/consent.jsp
    <Location /oam>
        SetHandler weblogic-handler
        WebLogicHost oam.example.com
        WebLogicPort 14100
    </Location>

    # Discovery endpoint: /.well-known/oidc-configuration is rewritten to
    # /oauth2/rest/oidc-configuration before it is forwarded to OAM
    <Location /.well-known/oidc-configuration>
        SetHandler weblogic-handler
        WebLogicHost oam.example.com
        WebLogicPort 14100
        PathTrim /.well-known
        PathPrepend /oauth2/rest
    </Location>

  3. Deploy the Webgate (using the standard Webgate configuration steps, i.e. configuring the agent and copying the artifacts obaccessclient.xml & cwallet.sso etc.).
  4. Restart the whole OHS including the OHS WebLogic domain.

Configure OHS2 as the OIDC client

  1. Configure the Webgate the same way as a standard Webgate, but skip the steps that copy the artifacts (obaccessclient.xml & cwallet.sso etc.) from OAM to the OHS server.
  2. Navigate to $ORACLE_HOME/user_projects/domains/webtier_domain/config/fmwconfig/components/OHS/ohs2/webgate/config/
  3. Create the cloud.config & cloud.policy files as below.

    cloud.config contents:
    {
      "cloudgateConfig" :
      {
        "gateName" : "oam",
        "bootstrap" :
        {
          "callbackPrefix" : "https://ohs2.example.com/oauth/callback",
          "externalIdUrl" : "https://ohs1.example.com",
          "discovery_endpoint" : "/.well-known/oidc-configuration",
          "refresh_token" : true,
          "domain" : "OIDCWebGateDomain"
        },
        "rest" :
        {
          "httpsVerifyHost" : true,
          "httpsVerifyServer" : true,
          "httpsCertAuthFile" : "/refresh/home/cert/ca.pem",
          "httpsCrlFile" : ""
        }
      }
    }

    (Note: /oauth/callback does not need to be an existing application URL; the user is redirected there after authentication and the authorization code is sent back to it. It has to be the same URL that was used in the client configuration curl command.)

    cloud.policy contents:
    {
      "cloudgatePolicy": {
        "webtierPolicy" : [
          {
            "policyName" : "default",
            "resourceFilters" : [
              {
                "comment" : "Test Application Unsupported Filter",
                "type" : "text",
                "filter" : "/test/unsupported",
                "method" : "unsupported"
              },
              {
                "comment" : "Test Anonymous Filter",
                "type" : "regex",
                "filter" : "/img/*",
                "method" : "anonymous"
              },
              {
                "comment" : "Test Application OAuth+Logout Filter",
                "type" : "text",
                "filter" : "/test/logout",
                "method" : "oauth+logout",
                "oauthPostLogoutUrl" : "https://ohs2.example.com/oauth/landing.html"
              },
              {
                "comment" : "Test Application OAuth Filter",
                "type" : "regex",
                "filter" : "/cgi-bin/.*",
                "method" : "oauth",
                "authorize" : true,
                "scope" : "OIDCWebGateRS.printenv",
                "aud": "OIDCWebGateRS",
                "headers" : [
                  { "X_TEST" : "testvalue" },
                  { "UserName" : "$subject.user.name" },
                  { "PrimaryEmail" : "$subject.user.emails" },
                  { "PolicyName" : "$request.policy_name" },
                  { "PolicyResourceMatched" : "$request.policy_res" }
                ]
              }
            ]
          }
        ]
      }
    }

  4. Create a wallet file for the OIDC Webgate SSL communication.
    $ export JAVA_HOME=/u01/jdk1.8.0_144
    $ cd $ORACLE_HOME/oracle_common/bin
    $ ./orapki wallet create -wallet $ORACLE_HOME/user_projects/domains/webtier_domain/config/fmwconfig/components/OHS/ohs2/webgate/config/cwg_wallet -auto_login
    Oracle PKI Tool : Version 12.2.1.3.0
    Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
    Enter password: Welcome1
    Enter password again: Welcome1
    Operation is successfully completed.
  5. Add the client credentials to the wallet file. These are the id and secret used when creating the client with the curl command or Postman.
    $ ./mkstore -wrl $ORACLE_HOME/user_projects/domains/webtier_domain/config/fmwconfig/components/OHS/ohs2/webgate/config/cwg_wallet -createUserCredential CWG id_secret_key OIDCWebGateClient WGPassword
    Oracle Secret Store Tool : Version 12.2.1.3.0
    Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: Welcome1
  6. Generate an encryption key to be used by the Webgate.
    $ openssl enc -aes-128-gcm -k "My WebGate Passphrase" -P -md sha256
    (The -aes-128-gcm cipher might not work on the latest OS versions, so another existing cipher can be used instead.)
  7. Import the encryption key into the wallet file (the key is the output of the previous command).
    $ ./mkstore -wrl $ORACLE_HOME/user_projects/domains/webtier_domain/config/fmwconfig/components/OHS/ohs2/webgate/config/cwg_wallet -createUserCredential CWG enc_key enc 9D7F6A028C9E3F6CCFE4F6D6F2BDD335
    Oracle Secret Store Tool : Version 12.2.1.3.0
    Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: Welcome1
  8. Restart the OHS instance including the WebLogic domain of this OHS.
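Before restarting, it is worth checking that the client registration, cloud.config and cloud.policy agree with each other, because a mismatched domain, callback URL or scope only shows up as a failed redirect at runtime. The following Python script is an added example (not part of the original post or of the Webgate); the three structures are constructed inline from the values used on this page and would normally be loaded from the files with json.load().

```python
from urllib.parse import urlsplit

# Constructed inline from the values on this page: the JSON posted by the client
# curl command, cloud.config and the oauth filter of cloud.policy. In practice
# load the two files from .../OHS/ohs2/webgate/config/ with json.load().
CLIENT = {"id": "OIDCWebGateClient", "idDomain": "OIDCWebGateDomain",
          "scopes": ["OIDCWebGateRS.printenv"],
          "redirectURIs": [{"url": "https://ohs2.example.com:443/oauth/callback", "isHttps": True}]}
CLOUD_CONFIG = {"cloudgateConfig": {"gateName": "oam",
    "bootstrap": {"callbackPrefix": "https://ohs2.example.com/oauth/callback",
                  "externalIdUrl": "https://ohs1.example.com",
                  "discovery_endpoint": "/.well-known/oidc-configuration",
                  "refresh_token": True, "domain": "OIDCWebGateDomain"},
    "rest": {"httpsVerifyHost": True, "httpsVerifyServer": True,
             "httpsCertAuthFile": "/refresh/home/cert/ca.pem", "httpsCrlFile": ""}}}
CLOUD_POLICY = {"cloudgatePolicy": {"webtierPolicy": [{"policyName": "default",
    "resourceFilters": [{"type": "regex", "filter": "/cgi-bin/.*", "method": "oauth",
                         "authorize": True, "scope": "OIDCWebGateRS.printenv",
                         "aud": "OIDCWebGateRS"}]}]}}

def canonical(url):
    """Compare URLs by scheme/host/port/path, so ':443' and no port count as equal."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path)

def check(client, cloud_config, cloud_policy):
    """Return findings where the client registration, cloud.config and cloud.policy disagree."""
    findings = []
    boot = cloud_config["cloudgateConfig"]["bootstrap"]
    rest = cloud_config["cloudgateConfig"]["rest"]
    # OAM only sends the authorization code to a redirect URI registered on the client.
    if canonical(boot["callbackPrefix"]) not in {canonical(r["url"]) for r in client["redirectURIs"]}:
        findings.append("callbackPrefix is not a registered redirectURI")
    # The domain sent in the authorize request must be the identity domain the client lives in.
    if boot["domain"] != client["idDomain"]:
        findings.append(f"domain {boot['domain']!r} != client idDomain {client['idDomain']!r}")
    # Never disable certificate checks on the Webgate-to-OAM leg.
    if not (rest.get("httpsVerifyHost") and rest.get("httpsVerifyServer")):
        findings.append("TLS verification of the OAM server is disabled in the rest section")
    for pol in cloud_policy["cloudgatePolicy"]["webtierPolicy"]:
        for f in pol["resourceFilters"]:
            if not f["method"].startswith("oauth"):
                continue  # anonymous/unsupported filters request no token
            if f.get("scope") not in client["scopes"]:
                findings.append(f"{f['filter']}: scope {f.get('scope')!r} is not granted to the client")
            if f.get("aud") and not f.get("scope", "").startswith(f["aud"] + "."):
                findings.append(f"{f['filter']}: scope does not belong to resource server {f['aud']}")
    return findings
```

Run check() against the real files before restarting OHS2; an empty list means the Webgate will send OAM exactly what the client registration allows.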

What the request flow looks like. Here is the HTTP trace.

  1. Hit https://ohs2.example.com/cgi-bin/printenv. Following cloud.policy, the Webgate understands that the URI is protected by an oauth policy and, using cloud.config, starts communicating with the OAM server.
    GET https://ohs2.example.com/cgi-bin/printenv HTTP/1.1
    Host: ohs2.example.com:
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
  2. The Webgate redirects the browser to the OAM authorize endpoint, passing the query parameters client_id, response_type, redirect_uri, state & scope.
    HTTP/1.1 302 Found
    Date: Sun, 23 Sep 2018 16:07:35 GMT
    Server: Oracle-HTTP-Server
    Location: https://ohs1.example.com/oauth2/rest/authorize?client_id=OIDCWebGateID&response_type=code&redirect_uri=https://ohs2.example.com/oauth/callback&domain=OIDCWebGateDomain&&state=https%3A%2F%2Fohs2.example.com%2Fcgi-bin%2Fprintenv&scope=OIDCWebGateRS.printenv
    Content-Length: 504
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
  3. OAM requests the user's consent by redirecting to the consent page configured for the identity domain. consent.jsp is called with an opaque state value as well as the requested scopes and the client_id making the request.
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 23 Sep 2018 16:07:36 GMT
    Server: Oracle-HTTP-Server
    Location: https://ohs1.example.com:443/oam/pages/consent.jsp?state=ajJUU2ZTSC9PSWVGMExkSHYzS1R4UT09fmxnK3BORlA1ejFzVmhEY3dlcUd6K05jcUtYYkg5OHZwN2xSeFJSS0VseVg2UXpUN1FyTDhSNmVOV05FY2VoQnU1RDY3YjVEbnRLNjMvRmtXRjZmMm5vam4rQnMvOG53UFh2RWhBOWNsVEhyV3FaZk9UUTRRbWVWK2pXNWZCR1dhalYzTVdIQ0dDT2JGVHRjZnVXZTd3MnJNbnJCZXZQbWZQZ0VReWE2NW55b2swdUJaNlZma1dzUVp1ZmtPZk5ucmpFdGVmMHdqdjFVOGxrNGwvci9nWC93aURCaWhCTHBodzhZbCt6WWlsOVpzM3l6YWlOZllEK1RXZUhDd2k1enZaTVpDYXhZdHZaSjBmV2lFSGdWcDlRPT0=&scopes=OIDCWebGateRS.printenv&client_id=OIDCWebGateClient
    Content-Length: 0
    X-ORACLE-DMS-ECID: 005TckIBfdjFw00Fzzx0g00005dx0001oK
    X-ORACLE-DMS-RID: 0:4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
  4. As consent.jsp is protected by OAM, OAM presents the login page to the end user.
  5. After the user submits credentials and authentication/authorization succeeds, the user is asked to approve or reject the consent request.
  6. When the user clicks the Allow button on the consent page, the page POSTs to the /oauth2/rest/approval endpoint with the state and the access the user allowed.
    POST https://ohs1.example.com/oauth2/rest/approval HTTP/1.1
    Host: ohs1.example.com:443
    Connection: keep-alive
    Content-Length: 434
    Cache-Control: max-age=0
    Origin: https://dev.login.security.gov.on.ca:4443
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: https://ohs1.example.com/oam/pages/consent.jsp?state=ME<TRIMMED>T0=&scopes=OIDCWebGateRS.printenv&client_id=OIDCWebGateClient
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: OAM_REQ_COUNT=VERSION_4~2; OAM_ID=VERSION_5~u/fAOHhy8Y5; OAM_REQ_0=invalid; OAM_REQ_1=invalid; OAMAuthnCookie_ohs1.exmaple.com_443=6f<TRIMMED>%3D
    state=ME<TRIMMED>T0
  7. OAM responds by redirecting the user to the redirect_uri callback of the OIDC Webgate with the authorization code.
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 23 Sep 2018 16:45:11 GMT
    Server: Oracle-HTTP-Server
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://ohs2.example.com/oauth/callback?code=ZnpD<TRIMMED>WFI&state=https%3A%2F%2Fohs2.example.com%3A4444%2Fcgi-bin%2Fprintenv
    Content-Length: 0
    X-ORACLE-DMS-ECID: 005TcmOcRhuFw00Fzzx0g00005dx0000PT
    X-ORACLE-DMS-RID: 0:3
    Set-Cookie: JSESSIONID=HToHUhUDu3Y-iGUqg8LP3G1puHl8HzaK4auXw-VqatETSbZwMLYq!404543133; path=/; HttpOnly
    Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID=nLpxrc1L55MLEz7MR5dT; path=/; secure; HttpOnly
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
  8. The OIDC Webgate intercepts the callback request, extracts the authorization code and makes an HTTPS REST call to the token endpoint with that authorization code, grant type, scope, client id & secret. The same token request can be reproduced with the Postman tool using the authorization code above.
  9. OAM responds with a valid access token.
  10. Upon getting a valid access token, the Webgate redirects the user to the originally requested URL https://ohs2.example.com/cgi-bin/printenv.
