What PeopleSoft is doing with OAuth2 in 8.58

February 24, 2020 | 2 minute read
Greg Kelly
Product Strategy Director - Security
Responding to the changing needs of the community, PeopleSoft is creating a foundational release for OAuth support with PeopleTools 8.58. I say “foundational” because in this release we are supporting limited use cases for OAuth.
Note: Throughout this text, “OAuth” is used as a general reference; the supported version is OAuth 2.
The current use cases are:
  • OAuth for REST services with Oracle Digital Assistant (ODA) for Chatbots. We have a portfolio of Chatbots to be released with upcoming PUM Images from PeopleSoft Applications. This use case is based on Oracle IDCS (subscription required).
  • Our other use case is Office 365 MCF Mail from Microsoft, based on Azure AD.
OAuth support means becoming familiar with many new terms. PeopleTools 8.58 PeopleBooks provides some background, but PeopleBooks are not intended to provide a deep understanding of OAuth; some additional expertise is expected and required.
OAuth is sometimes referred to as an “Authentication” token, but OAuth is an authorization framework: an OAuth access token can only be issued for a user who has already been authenticated by the Authorization Server. It is not an SSO token. OAuth Clients use these tokens to access resources on Resource Servers on behalf of Resource Owners [see note (1)]. While most of the operations related to OAuth use are intended to be transparent to the customer, there are some terms with which you should be familiar: Access Token; Refresh Token; Access Grant Types; Bearer token.
Additional terms to be familiar with are defined under the section "Providing Runtime Authentication" on the following page:
Configuring these pages will be largely based on information from the subscription with IDCS or IDP.
The Oracle documentation for REST services includes extensive information on OAuth security and provides a good overview:
REST API for Oracle Identity Cloud Service
A secure OAuth integration requires:
  • Security controls implemented across all OAuth participants, which includes the Authorization Server (Identity Cloud Service), the Resource Owner (user), the Client, and the Resource Server applications
  • Confidentiality of key information: code, access_token, refresh_token, client credentials, and user credentials
  • Server authentication established between OAuth participants (to avoid impersonation attacks)
  • Proper information validation for any request (especially for JSON Web Token (JWT) access tokens)
  • Use of tokens with reduced scopes and short lifetimes (to reduce the exposure in case of disclosure and to support token revocation)
  • Use of typical information security principles such as least privilege
See the sections following on this page: Resources; Checklist.
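The checklist above is what a Resource Server has to enforce before it honours a bearer access token: signature, issuer, audience, lifetime and scope. The following Python example is added here to make those checks concrete; it is not PeopleSoft or Oracle Identity Cloud Service code. The issuer URL, audience name, scope names and the HS256 shared secret are constructed assumptions so the block runs offline; IDCS-issued access tokens are RS256-signed and would be verified against the identity domain's published JWKS public keys instead of a shared secret, but the claim checks are the same.

```python
# Added example (not PeopleSoft or Oracle IDCS code): the checks a Resource
# Server performs on a bearer JWT access token. ISSUER, AUDIENCE, the scope
# names and the HS256 SECRET are constructed for this demo; a real IDCS token
# is RS256-signed and verified with the tenant's JWKS public key instead.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"        # stands in for the verification key
ISSUER = "https://identity.example.com"    # assumed Authorization Server issuer
AUDIENCE = "peoplesoft-rest-demo"          # assumed Resource Server audience
CLOCK_SKEW = 60                            # seconds of tolerance for exp/nbf


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a signed JWT for the demo (the Authorization Server's job)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token: str, required_scope: str, now: Optional[float] = None) -> dict:
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # 1. Pin the algorithm; never let the token's own header choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. Verify the signature with a constant-time comparison.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 3. Issuer and audience bind the token to this Authorization Server and this Resource Server.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 4. Lifetime: exp is mandatory, nbf honoured when present, small skew allowed.
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    # 5. Least privilege: the request needs this specific scope, not just any valid token.
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        raise ValueError("insufficient scope")
    return claims


def demo() -> dict:
    """Mint one good token and several bad ones; record which check rejects each."""
    now = 1_700_000_000  # fixed 'current time' so the demo is deterministic
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "PS_USER",
            "scope": "mail.read", "iat": now, "exp": now + 300}
    cases = {
        "good": (mint_token(base), "mail.read"),
        "expired": (mint_token(dict(base, exp=now - 600)), "mail.read"),
        "wrong_aud": (mint_token(dict(base, aud="some-other-app")), "mail.read"),
        "tampered": (mint_token(base, key=b"attacker-key"), "mail.read"),
        "no_scope": (mint_token(base), "mail.send"),
    }
    # Unsigned token with alg=none, as an attacker would forge it.
    none_hdr = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    cases["alg_none"] = (none_hdr + "." + _b64url(json.dumps(base).encode()) + ".", "mail.read")
    results = {}
    for name, (token, scope) in cases.items():
        try:
            results[name] = validate_access_token(token, scope, now)["sub"]
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The order of the checks matters: algorithm and signature first, so that no claim from an unverified token is ever trusted, then issuer and audience, then lifetime, and finally the scope the specific request needs. A token that passes every check but the last is still a valid token; it is just not authorized for this call, which is the least-privilege point in the checklist.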
You will also find it useful to review the Quick Start section:
Configure and customize your identity domain, and create and manage Oracle Identity Cloud Service users, groups, and applications using the tasks described on the page.
As I said, we regard PeopleTools 8.58 as a foundational release for OAuth support. For future releases, we are investigating a broader use of OAuth and additional interoperable Identity Providers. Please consider the “Idea Space” if you have suggestions.
Note (1): Oracle Identity Cloud Service: Long-Lived OAuth Tokens

Greg Kelly

Product Strategy Director - Security

I joined PeopleSoft in 1998. In Oracle I am now with the PeopleTools Strategy team with responsibility for PeopleTools security, the security of PeopleSoft in the broader enterprise, Enterprise Manager plug-in for PeopleSoft, PeopleSoft Health Center, PeopleSoft Performance Monitor, PeopleSoft Data Archiving Manager and other bits and pieces!!
