Responding to the changing needs of the community, PeopleSoft is creating a foundational release for OAuth support with PeopleTools 8.58. I say “foundational” because in this release we are supporting limited use cases for OAuth.
Note: Throughout this text, “OAuth” is used as a general reference; the supported version is OAuth 2.
The current use cases are:
OAuth for REST services with Oracle Digital Assistant (ODA) for Chatbots. We have a portfolio of Chatbots to be released with upcoming PUM Images from PeopleSoft Applications. This is based on Oracle IDCS (subscription required).
Our other use case is for Office 365 MCF Mail from Microsoft, based on Azure AD.
OAuth support means becoming familiar with many new terms. PeopleTools 8.58 PeopleBooks provides some background, but PeopleBooks are not intended to provide a deep understanding of OAuth; some additional expertise is expected and required.
OAuth is sometimes referred to as an “Authentication” token, but an OAuth token can only be issued for an already authenticated user. It is not an SSO token. OAuth Clients use these tokens to access various resources on Resource Servers on behalf of Resource Owners. [see note (1)]. While most of the operations related to OAuth use are intended to be transparent to the customer, there are some terms with which you should be familiar: Access Token; Refresh Token; Access Grant Types; Bearer token.
Additional terms to be familiar with are under the section “Providing Runtime Authentication” on the following page: https://docs.oracle.com/cd/F25244_01/pt858pbr1/eng/pt/tsec/concept_UnderstandingOAuth2_0.html
Configuring these pages will be based largely on information from your IDCS subscription or your identity provider (IdP).
Security controls must be implemented across all OAuth participants, which include the Authorization Server (Identity Cloud Service), the Resource Owner (user), the Client, and the Resource Server applications:
Confidentiality of key information: code, access_token, refresh_token, client credentials, and user credentials
Server authentication established between OAuth participants (to avoid impersonation attacks)
Proper information validation for any request (especially for JSON Web Token (JWT) access tokens)
Use of tokens with reduced scopes and short timeouts (to reduce the exposure in case of disclosure and to support token revocation)
Use of typical information security principles such as least privilege
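The two checklist items on request validation and on reduced scopes and timeouts translate into concrete checks a Resource Server performs on every bearer token. The following is an added example, not PeopleTools or IDCS code: it assumes an HS256 shared-secret signature so it runs offline (an IDCS deployment would verify RS256 against the authorization server's published key), and the issuer, audience and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders; take the real issuer and audience from the IDCS
# subscription. Assumption: HS256 with a shared secret, only so this runs offline.
ISSUER = "https://idcs.example/oauth2"
AUDIENCE = "peoplesoft-rest"
SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Build a signed JWT as test input (constructed, not an IDCS-issued token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_access_token(token: str, required_scope: str, now=None):
    """Checklist checks a Resource Server applies before honouring a request:
    fixed algorithm, signature, issuer, audience, expiry, and required scope.
    Returns (ok, reason) so a caller can log why a token was rejected."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_unb64url(header))
    except ValueError:
        return False, "malformed token"
    if hdr.get("alg") != "HS256":          # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "bad signature"      # reject before trusting any claim
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"     # token minted for some other server
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"   # short-lived tokens limit exposure
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"       # reduced scope, least privilege
    return True, "ok"
```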
See the sections following on this page: Resources; Checklist.
As I said, we regard PeopleTools 8.58 as a foundational release for OAuth support. For future releases, we are investigating a broader use of OAuth and additional interoperable Identity Providers. Please consider the “Idea Space” if you have suggestions.