
An Oracle blog about PeopleSoft Technology

What PeopleSoft is doing with OAuth2 in 8.58

Greg Kelly
Product Strategy Manager - Security
Responding to the changing needs of the community, PeopleSoft is creating a foundational release for OAuth support with PeopleTools 8.58. I say “foundational” because in this release we are supporting limited use cases for OAuth.
 
Note: Throughout this text, “OAuth” is used as a general reference; the supported version is OAuth 2.
 
The current use cases are:
  • OAuth for REST services with Oracle Digital Assistant (ODA) for Chatbots. We have a portfolio of Chatbots to be released with upcoming PUM Images from PeopleSoft Applications. This use case is based on Oracle Identity Cloud Service (IDCS), for which a subscription is required.
  • Our other use case is Office 365 MCF (MultiChannel Framework) Mail from Microsoft, based on Azure AD.
OAuth support means becoming familiar with many new terms. The PeopleTools 8.58 PeopleBooks provide some background, but PeopleBooks are not intended to give a deep understanding of OAuth; some additional expertise is expected and required.
 
 
OAuth is sometimes described as an “authentication” token, but an OAuth access token is issued only for a user (or client) that has already been authenticated; it is an authorization credential, not an SSO token. OAuth Clients use these tokens to access resources on Resource Servers on behalf of Resource Owners [see note (1)]. While most of the operations related to OAuth use are intended to be transparent to the customer, there are some terms with which you should be familiar: Access Token; Refresh Token; Access Grant Types; Bearer token.
Additional terms to be familiar with are listed under the section “Providing Runtime Authentication” on the following page:
https://docs.oracle.com/cd/F25244_01/pt858pbr1/eng/pt/tsec/concept_UnderstandingOAuth2_0.html
Configuring the corresponding PeopleTools pages is largely a matter of entering values taken from your IDCS subscription or your other identity provider (IdP).
 
The Oracle Identity Cloud Service REST API documentation includes a security checklist for OAuth with REST services, which gives a good overview:
REST API for Oracle Identity Cloud Service
https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/SecurityChecklist.html
 
A secure OAuth integration requires:
  • Security controls implemented across all OAuth participants, which includes the Authorization Server (Identity Cloud Service), the Resource Owner (user), the Client, and the Resource Server applications
  • Confidentiality of key information: code, access_token, refresh_token, client credentials, and user credentials
  • Server authentication established between OAuth participants (to avoid impersonation attacks)
  • Proper information validation for any request (especially for JSON Web Token (JWT) access tokens)
  • Use of tokens with reduced scopes and time out (to reduce the exposure in case of disclosure and to support the token revocation)
  • Use of typical information security principles such as least privilege
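Most of the items in that checklist land on the Resource Server, which has to decide whether a presented bearer token is acceptable before it honours a REST request. The following is an added example of that decision, written for this post rather than taken from PeopleSoft or IDCS code. It checks the things the checklist calls out: the token's signature with the algorithm pinned (so a header of alg "none" or an unexpected algorithm is rejected rather than trusted), the expiry and not-before window with a small clock-skew allowance, the issuer, the audience, and that every scope the endpoint requires is present. IDCS issues RS256-signed tokens that you would verify against the tenant's JWKS; to stay offline and dependency-free this example signs with HS256 using a shared secret, and the issuer URL, audience, secret, subject and scope names are all constructed for the example.

```python
"""Resource-server validation of a JWT bearer access token (added example).

IDCS issues RS256-signed tokens verified against the tenant's JWKS. This
stand-alone illustration uses HS256 with a shared secret so it runs offline;
the claim checks are the same in both cases.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; not real IDCS or PeopleSoft data.
ISSUER = "https://identity.example.com/"
AUDIENCE = "https://peoplesoft.example.com/PSIGW/RESTListeningConnector"
SECRET = b"example-shared-secret-not-for-production"
PINNED_ALG = "HS256"   # never let the token header choose the algorithm
CLOCK_SKEW = 60        # seconds of tolerated clock drift between parties


class TokenError(Exception):
    """Raised with a short reason whenever a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWS. Used only to build inputs for the demo."""
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, required_scopes, now=None, secret: bytes = SECRET) -> dict:
    """Verify signature and claims; return the claims only if everything passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"undecodable token: {exc}")
    # Algorithm pinning: rejects alg "none" and algorithm-confusion attempts.
    if header.get("alg") != PINNED_ALG:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        raise TokenError("bad signature")
    # Lifetime: a missing exp is treated as expired, not as "never expires".
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise TokenError("token expired or missing exp")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # Scope is a space-separated string (RFC 6749); require a superset.
    granted = set(str(claims.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        raise TokenError(f"missing scope(s): {sorted(missing)}")
    return claims


def check_request(authorization_header, required_scopes, now=None):
    """What a REST handler calls: returns (True, claims) or (False, reason)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "no bearer token"
    try:
        return True, validate_token(authorization_header[len("Bearer "):], required_scopes, now)
    except TokenError as exc:
        return False, str(exc)


if __name__ == "__main__":
    now = int(time.time())
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "chatbot-client",
                       "scope": "psft.mail.read", "iat": now, "exp": now + 300})
    print(check_request("Bearer " + good, ["psft.mail.read"], now))
    print(check_request("Bearer " + good, ["psft.mail.write"], now))
```

A few design points worth noting: the verifier is a deny-by-default function that returns claims only after every check passes, the algorithm is fixed in code rather than read from the header, signature comparison is constant-time, and an absent `exp` is a rejection. In a real deployment against IDCS you would replace the HMAC step with RS256 verification against the tenant JWKS (caching keys by `kid`) and keep everything else.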
 
See also the Resources and Checklist sections that follow on that page.
 
You will also find it useful to review the Quick Start section:
https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/QuickStart.html
That page describes how to configure and customize your identity domain, and how to create and manage Oracle Identity Cloud Service users, groups, and applications.
 
As I said, we regard PeopleTools 8.58 as a foundational release for OAuth support. For future releases, we are investigating a broader use of OAuth and additional interoperable Identity Providers. Please consider the “Idea Space” if you have suggestions.
 
Note (1): Oracle Identity Cloud Service: Long-Lived OAuth Tokens
https://www.ateam-oracle.com/oracle-identity-cloud-service-long-lived-oauth-tokens
 