
Oracle Access Management Suite Plus 11g R2 PS3 Bootcamp

Lab 08

Oracle Access Management - Access Manager 11g R2 PS3
2 Legged Mobile OAuth

The following servers need to be running before you start this lab (start them if they are not running; refer to Lab 0 for details on starting and stopping servers):

- Admin Server (startAdmin.sh)
- OAM Server (startOAM.sh)

You may have to start, stop or restart additional servers as instructed in this lab.

All passwords used during this Lab are Oracle123 unless otherwise specified

Disclaimer : The Virtual Machine (or hosted) Image and other software are provided for use only
during the workshop. Please note that you are responsible for deleting them from your
computers before you leave. If you would like to try out any of the Oracle products, you may
download them from the Oracle Technology Network
(http://www.oracle.com/technology/index.html) or the Oracle E-Delivery Web Site
(http://edelivery.oracle.com)

Oracle Access Management Access Manager 11g R2 PS3


Lab xx - 1 | P a g e

Contents

Lab Introduction (page 3)
Pre Requisite for the Lab (page 3)
Exercise 1 – Configure OAuth Service (page 3)
Exercise 2 – Create Mobile Client Profiles (page 7)
Exercise 3 – Mobile Device Profile Sample (page 12)
Exercise 4 – Get Application Profile (page 13)
Exercise 5 – Create Mobile Device Verification Code for App1 (page 14)
Exercise 6 – Create Mobile Device Verification Code for App2 (page 15)
Exercise 7 – Register Mobile App1 using Username/Password (Create Client & User Assertion) (page 16)
Exercise 8 – Register Mobile App2 using JWT User Assertion Grant (page 19)
Exercise 9 – Create Access Token using JWT User Assertion and Mobile Client Assertion (page 20)
Exercise 10 – Create Access Token using Refresh Token (page 22)
Exercise 11 – Terminate JWT User Assertion (page 23)
Exercise 12 – Login (Create a JWT User Session) (page 23)
Exercise 13 – Create OAM UT and OAM MT using JWT User Token (Token Exchange) (page 25)
Exercise 14 – Create OAM MT and OAM UT using JWT User Token + PIN (Token Exchange) (page 26)
Exercise 15 – Create OAM MT using OAM Credential Grant (page 28)
Exercise 16 – Enable Server Side SSO (page 29)
Exercise 17 – Register Mobile App1 using UserName and Password (page 31)
Exercise 18 – Register App2 using Server Side JWT User Assertion (page 32)
Exercise 19 – Create Access Token using JWT Client Assertion and Server Side JWT User Assertion (page 33)
Exercise 20 – Create Access Token using Refresh Token (page 34)
Exercise 21 – Create OAM AT using OAM UT (page 36)
Exercise 22 – Logout (page 38)
Exercise 23 – Login (page 39)


Lab Introduction
In this lab we will examine the typical OAuth calls a mobile application makes in the 2-legged mobile client flow. We will examine these calls both with the Server Side SSO feature disabled and with it enabled.
Mobile apps you design will use the same flow and the same OAuth calls.

Pre Requisite for the Lab


You should have completed the following sections:

Lab 1 – Exercise 1 & Exercise 2

Lab 3 – Exercise 1 & the Enabling Mobile part of Exercise 2

Exercise 1 – Configure OAuth Service


Introduction – In this section we will configure the OAuth Service in OAM for this lab.

Steps

1. Log in to the OAM console as DCRANE/Oracle123


2. Click on Mobile Security -> Mobile OAuth Services


3. Click on DefaultDomain to open it


4. Click on Service Profiles -> Oauth Service Profile

5. Open the section Plug-Ins.

For Adaptive Access, remove the existing plug-in and leave the field blank.

6. Open the section Mobile Service Settings.

Under Supported Platform, select iOS.
Under iOS Security Level, select Standard.
Uncheck Enable Server Side Single Sign On.

7. Open Configuration Settings -> Token Settings.

Set the Client Verification Code lifetime to 120 minutes.
Set the Authorization Code lifetime to 120 minutes.

Note: These values are set high enough that the codes do not expire while you work through the lab.

8. For User Assertion, check the Refresh Token Enabled checkbox.


9. Click Apply to save the update.

10. Click on Resource Servers -> User Profile

11. Change the Identity Store Name to OUDStoreIDSProfile

Note: This might have already been done if you have completed earlier labs


12. Update the Offline Scope to UserProfile.users

13. Click on Apply to Save the change

Summary – In this section we have updated the OAuth Service configuration.

Exercise 2 – Create Mobile Client Profiles


Introduction – In this section we will create two mobile client profiles which will be used in the lab.
These two profiles represent two mobile apps which will interact with the OAM OAuth Service.

Steps

1. Make sure that you are in Default Domain ->Clients


2. Click on New under OAuth Mobile Clients


3. Define the new client as follows

Name : App1
Client Id : App1
Mobile Redirect URIs: app1://
Select “Allow Token Attributes Retrieval”
Allowed Scopes: UserProfile.* (Click Add to add this scope)
Grant Types : Resource Owner Credentials, Client Credentials, Refresh Token, JWT Bearer,
Client Verification Code, OAM Credentials

Click “Create” button to create the mobile profile.


4. Similarly define the second application as shown below

Name : App2
Client Id : App2
Mobile Redirect URIs: app2://
Select “Allow Token Attributes Retrieval”
Allowed Scopes: UserProfile.* (Click Add to add this scope)
Grant Types : Resource Owner Credentials, Client Credentials, Refresh Token, JWT
Bearer, Client Verification Code, OAM Credentials


Click “Create” button to create the mobile profile.

5. Now click on Default Domain -> Service Profiles -> OAuthService Profile.

Verify that both the apps (App1 & App2) are showing up as clients in this profile.


Summary – In this section we have defined two mobile app profiles.


Exercise 3 – Mobile Device Profile Sample


Introduction – We will use the device profile defined below for the mobile device. The exercises that follow pass this profile base64-encoded in the oracle_device_profile parameter.

JSON Payload

{
"oracle:idm:claims:client:ostype":"iPhone OS",
"oracle:idm:claims:client:phonecarriername":"AT&T",
"oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
"oracle:idm:claims:client:networktype":"WIFI",
"oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
"hardwareIds":{
"oracle:idm:claims:client:udid":"733C6B45-6624-4966-982A-D414A7B64AF6",
"oracle:idm:claims:client:iosidforvendor":"60B06F46-D27D-40AA-BDB9-71423F192253",
"oracle:idm:claims:client:macaddress":"00:23:32:91:A6:99",
"oracle:idm:claims:client:phonenumber":"1-408-571-9116",
"oracle:idm:claims:client:imei":"010113006310121",
"oracle:idm:claims:client:iosidforad":"2A86B03E-DD2F-4850-BA1D-61F15E453441"
},
"oracle:idm:claims:client:vpnenabled":false,
"oracle:idm:claims:client:locale":"en_US",
"oracle:idm:claims:client:osversion":"7.0.3",
"oracle:idm:claims:client:jailbroken":true
}

Base64 Encoded Device Profile (standard base64 of the JSON payload above; paste it wherever a later exercise says <base64 device profile>)

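As an added example that is not part of the lab, the following Python encodes the Exercise 3 device profile to base64, checks that it decodes back to the same claims, and shows the form-encoded body the Exercise 5 request carries it in. The cross-check against the claimAttributes list from the Exercise 4 application profile is my addition; TOKEN_ENDPOINT and the assertion URI are the ones used in the lab.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Device profile from Exercise 3 (same claims and values as the lab's JSON payload).
DEVICE_PROFILE = {
    "oracle:idm:claims:client:ostype": "iPhone OS",
    "oracle:idm:claims:client:phonecarriername": "AT&T",
    "oracle:idm:claims:client:geolocation": "+40.689060,-74.044636",
    "oracle:idm:claims:client:networktype": "WIFI",
    "oracle:idm:claims:client:sdkversion": "11.1.2.0.0",
    "hardwareIds": {
        "oracle:idm:claims:client:udid": "733C6B45-6624-4966-982A-D414A7B64AF6",
        "oracle:idm:claims:client:iosidforvendor": "60B06F46-D27D-40AA-BDB9-71423F192253",
        "oracle:idm:claims:client:macaddress": "00:23:32:91:A6:99",
        "oracle:idm:claims:client:phonenumber": "1-408-571-9116",
        "oracle:idm:claims:client:imei": "010113006310121",
        "oracle:idm:claims:client:iosidforad": "2A86B03E-DD2F-4850-BA1D-61F15E453441",
    },
    "oracle:idm:claims:client:vpnenabled": False,
    "oracle:idm:claims:client:locale": "en_US",
    "oracle:idm:claims:client:osversion": "7.0.3",
    "oracle:idm:claims:client:jailbroken": True,
}

# claimAttributes advertised for App1 in the Exercise 4 application profile.
APP1_CLAIM_ATTRIBUTES = [
    "oracle:idm:claims:client:sdkversion", "oracle:idm:claims:client:networktype",
    "oracle:idm:claims:client:fingerprint", "oracle:idm:claims:client:phonenumber",
    "oracle:idm:claims:client:iosidforad", "oracle:idm:claims:client:ostype",
    "oracle:idm:claims:client:imei", "oracle:idm:claims:client:phonecarriername",
    "oracle:idm:claims:client:iosidforvendor", "oracle:idm:claims:client:udid",
    "oracle:idm:claims:client:jailbroken", "oracle:idm:claims:client:geolocation",
    "oracle:idm:claims:client:vpnenabled", "oracle:idm:claims:client:deviceid",
    "oracle:idm:claims:client:locale", "oracle:idm:claims:client:osversion",
    "oracle:idm:claims:client:containerid",
]

TOKEN_ENDPOINT = "http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens"
PRE_AUTHZ_ASSERTION = "oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client"


def encode_device_profile(profile: dict) -> str:
    """Serialize to JSON and standard (RFC 4648) base64: the form the lab pastes
    into the oracle_device_profile parameter."""
    raw = json.dumps(profile, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_device_profile(blob: str) -> dict:
    """What the OAuth service sees after base64-decoding the parameter; validate=True
    rejects characters outside the base64 alphabet instead of silently dropping them."""
    return json.loads(base64.b64decode(blob, validate=True))


def pre_authz_request_body(client_id: str, profile: dict) -> str:
    """Form body of the Exercise 5/6 request (client_credentials grant that returns the
    pre-authorization code). urlencode percent-encodes the base64 characters '+', '/'
    and '='; pasted raw into curl -d, '+' is read by the form parser as a space and '='
    as a separator, and the profile then fails to decode."""
    return urlencode({
        "grant_type": "client_credentials",
        "oracle_device_profile": encode_device_profile(profile),
        "client_id": client_id,
        "oracle_requested_assertions": PRE_AUTHZ_ASSERTION,
    })


def profile_from_request_body(body: str) -> dict:
    """Server-side view: parse the form body back and decode the device profile."""
    fields = parse_qs(body, strict_parsing=True)
    return decode_device_profile(fields["oracle_device_profile"][0])


def flat_claims(profile: dict) -> dict:
    """Merge the nested hardwareIds object into a single claim map."""
    flat = {k: v for k, v in profile.items() if k != "hardwareIds"}
    flat.update(profile.get("hardwareIds", {}))
    return flat


def claim_gaps(profile: dict, expected: list) -> tuple:
    """Compare what the device sends with what the app profile lists:
    returns (listed but not sent, sent but not listed), both sorted."""
    sent = set(flat_claims(profile))
    return sorted(set(expected) - sent), sorted(sent - set(expected))


if __name__ == "__main__":
    print(encode_device_profile(DEVICE_PROFILE))
    print(claim_gaps(DEVICE_PROFILE, APP1_CLAIM_ATTRIBUTES))
```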


Exercise 4 – Get Application Profile


Introduction – Open a terminal and execute the following command.

Note: Paste the command into a plain-text editor first to avoid quote formatting issues. Check that the single quotes (') and the double dash (--) are plain ASCII characters and fix them there before issuing the command.

===================== HTTP Request ====================================

curl -i --request GET \
  'http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/appprofiles/App1?device_os=iPhone%20OS&os_ver=7.000000'

===================== HTTP Response ==================================


{
  "allowedGrantTypes": [
    "oracle-idm:/oauth/grant-type/oam_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "refresh_token",
    "client_credentials",
    "oracle-idm:/oauth/grant-type/mobile-client-registration-key",
    "password",
    "oracle-idm:/oauth/grant-type/challenge-answer"
  ],
  "client_id": "App1",
  "mobileAppConfig": {
    "claimAttributes": [
      "oracle:idm:claims:client:sdkversion",
      "oracle:idm:claims:client:networktype",
      "oracle:idm:claims:client:fingerprint",
      "oracle:idm:claims:client:phonenumber",
      "oracle:idm:claims:client:iosidforad",
      "oracle:idm:claims:client:ostype",
      "oracle:idm:claims:client:imei",
      "oracle:idm:claims:client:phonecarriername",
      "oracle:idm:claims:client:iosidforvendor",
      "oracle:idm:claims:client:udid",
      "oracle:idm:claims:client:jailbroken",
      "oracle:idm:claims:client:geolocation",
      "oracle:idm:claims:client:vpnenabled",
      "oracle:idm:claims:client:deviceid",
      "oracle:idm:claims:client:locale",
      "oracle:idm:claims:client:osversion",
      "oracle:idm:claims:client:containerid"
    ]
  },
  "oauthAuthZService": "/ms_oauth/oauth2/endpoints/oauthservice/authorize",
  "oauthNotificationService": "/ms_oauth/oauth2/endpoints/oauthservice/push",
  "oauthTokenService": "/ms_oauth/oauth2/endpoints/oauthservice/tokens",
  "oracleConsentServiceProtection": "OAM",
  "oracleMobileSecurityLevel": "LOW",
  "server_side_sso": false,
  "sharedKeyAttributeName": "secret_key",
  "userConsentService": [
    "/ms_oauth/resources/consentmanagement"
  ],
  "userProfileService": [
    "/ms_oauth/resources/userprofile"
  ]
}

Exercise 5 – Create Mobile Device Verification Code for App1

Introduction – We will create a mobile device verification code for App1 so that App1 can make calls to the OAuth server. The server returns it as a pre-authorization code (oracle_tk_context pre_azc), which later requests pass in the oracle_pre_authz_code parameter.


===================== HTTP Request ====================================

curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=client_credentials&oracle_device_profile=<base64 device profile>&client_id=App1&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client'

Note: Paste the base64 encoded device profile from Exercise 3 in place of <base64 device profile> before issuing the command.

===================== HTTP Response ====================================


{
  "expires_in":7200,
  "token_type":"Bearer",
  "oracle_tk_context":"pre_azc",
  "access_token":"<JWT (elided)>"
}

Exercise 6 – Create Mobile Device Verification Code for App2

Introduction – Now let's create the mobile device verification code for App2.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=client_credentials&oracle_device_profile=<base64 device profile>&client_id=App2&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client'

Note: Paste the base64 encoded device profile from Exercise 3 in place of <base64 device profile> before issuing the command.

===================== HTTP Response ====================================


{
  "expires_in":7200,
  "token_type":"Bearer",
  "oracle_tk_context":"pre_azc",
  "access_token":"<JWT (elided)>"
}

Exercise 7 – Register Mobile App1 using username/password (Create Client & User Assertion)

Introduction – Let's register App1 using a username and password.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=password&username=JDOE&password=Oracle123&client_id=App1&oracle_pre_authz_code=<pre-authorization code (access_token) from Exercise 5>&oracle_device_profile=<base64 device profile from Exercise 3>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

Note: We use the OUD user JDOE for this use case.
If the pre-authorization code has expired, get a new one by repeating Exercise 5.


===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 20:04:29 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-0000000000002b47
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "oracle_aux_tokens":{
    "user_assertion":{
      "expires_in":28800,
      "token_type":"Bearer",
      "oracle_tk_context":"user_assertion",
      "refresh_token":"<JWT (elided)>",
      "oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer",
      "access_token":"<JWT (elided)>"
    }
  },
  "expires_in":604800,
  "token_type":"Bearer",
  "oracle_tk_context":"client_assertion",
  "access_token":"<JWT (elided)>"
}
Note: The response carries three tokens. Under user_assertion there is a refresh_token and an access_token (the JWT user assertion); at the top level there is the client assertion (the access_token whose oracle_tk_context is client_assertion). Make a note of all three; we will use them in the following exercises.

Note: If you get the below error

==========================================================

HTTP/1.1 401 Unauthorized


Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 20:28:51 GMT
Pragma: no-cache

Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-0000000000002f7c
X-Powered-By: Servlet/2.5 JSP/2.1

{"error":"invalid_client","error_description":"'oracle_pre_authz_code' validation failed: This token has been revoked "}

Then get a fresh Pre Auth Code for App2 again and use that code (Repeat Exercise 5)


Exercise 8 – Register Mobile App2 using JWT User Assertion Grant

Introduction – We will now register the second app (App2) using the JWT user assertion we obtained in the last step. Since the user is already authenticated and holds a user assertion, we do not need to provide the user's credentials again; the JWT user assertion is presented instead.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=App2&oracle_pre_authz_code=<mobile device verification code (access_token) obtained in Exercise 6>&oracle_device_profile=<base64 device profile from Exercise 3>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&assertion=<JWT user assertion (user_assertion -> access_token) obtained in Exercise 7>'

Note: If the verification code has expired, get a new one by repeating Exercise 6.
If the user assertion has expired, get a new one by repeating Exercise 7.

===================== HTTP Response ====================================

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 19:46:47 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-0000000000002685
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "expires_in":604800,
  "token_type":"Bearer",
  "oracle_tk_context":"client_assertion",
  "access_token":"<JWT (elided)>"
}

Note: If you get the below error

==========================================================
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 20:28:51 GMT

Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-0000000000002f7c
X-Powered-By: Servlet/2.5 JSP/2.1

{"error":"invalid_client","error_description":"'oracle_pre_authz_code' validation failed: This token has been revoked "}

Then get a fresh Pre Auth Code for App2 again and use that code (Repeat Exercise 6)

Exercise 9 – Create Access Token using JWT User Assertion and Mobile Client Assertion

Introduction – Now that we have the mobile client assertion for the mobile app and the JWT user assertion for the authenticated user, let's create the access token.


===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&assertion=<JWT user assertion (user_assertion -> access_token) from Exercise 7>&client_id=App1&client_assertion=<mobile client assertion from Exercise 7 (client_assertion -> access_token)>&scope=UserProfile.users'

Note: If the user assertion or the client assertion has expired, get a new one by repeating Exercise 7.

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 20:46:58 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-00000000000034b4
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "expires_in":3600,
  "token_type":"Bearer",
  "refresh_token":"<JWT (elided)>",
  "access_token":"<JWT (elided)>"
}

Note that the response contains both a refresh_token and an access_token.

Exercise 10 – Create Access Token using Refresh Token

Introduction – Now we will see how to obtain a fresh access token from OAM using the refresh token. The idea is that the refresh token is long lived compared to the access token: if your access token has expired, you can get a new one using the long-lived refresh token.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST \
  http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens \
  -d 'grant_type=refresh_token&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_id=App1&client_assertion=<mobile client assertion from Exercise 7 (client_assertion -> access_token)>&scope=UserProfile.users&refresh_token=<refresh_token from Exercise 9>'

===================== HTTP Response ====================================

{
"expires_in":3600,
"token_type":"Bearer",
"refresh_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6I
m9yYWtleSJ9.eyJzdWIiOm51bGwsIm9yYWNsZS5vYXV0aC51c2VyX29yaWdpbl9pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1d
GgudXNlcl9vcmlnaW5faWQiOiJKRE9FIiwiaXNzIjoid3d3Lm9yYWNsZS5leGFtcGxlLmNvbSIsIm9yYWNsZS5vYXV0aC5ydC50dGMiOiJy
ZXNvdXJjZV9hY2Nlc3NfdGsiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoU2VydmljZVByb2ZpbGUiLCJpYXQiOjE0NTM0OTYwOTc
sIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVmcmVzaF90b2tlbiIsImV4cCI6MTQ1MzUxMDQ5NywicHJuIjpudWxsLCJqdGkiOiJh
MGZmM2NhNS0xYTM0LTQ0ZTQtYjNhYS1iZjRiZDJlODVmYWQiLCJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6IkFwcDEiLC
JvcmFjbGUub2F1dGguc2NvcGUiOiJVc2VyUHJvZmlsZS51c2VycyIsInVzZXIudGVuYW50Lm5hbWUiOiJEZWZhdWx0RG9tYWluIiwib3J
hY2xlLm9hdXRoLmlkX2RfaWQiOiIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwMTIifQ.JvCZcY1CTfPGody8cTcFoS
Yg0Lr7T7LfoL14HkYluJTzNSWKy1jr8jQicY5Bg3YiM5OJDnrkVmhXy23RqGI6tbA8VDCwQfftnT4c-
7JERC_9uwV0yOIYSlAs2QHbUUrltY6_EkfKHfim42Y7CWnITn_YqNwlHRvmBXbIutWtVnY",
"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJzdWIiOiJKRE9FIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkX3R5cGUiOiJMREFQX1VJRCIsIm9yYWNsZS5vYXV0aC5
1c2VyX29yaWdpbl9pZCI6IkpET0UiLCJpc3MiOiJ3d3cub3JhY2xlLmV4YW1wbGUuY29tIiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQ
XV0aFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDUzNDk2MDk3LCJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJMREFQX1VJRCIsImV4
cCI6MTQ1MzQ5OTY5Nywib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJyZXNvdXJjZV9hY2Nlc3NfdGsiLCJwcm4iOiJKRE9FIiwianRpIjoi
ZGMyYmNkZTItZWMwNy00MjRlLTkxNzItMjMzMWRiZDBjZTc1Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiJBcHAxIi
wib3JhY2xlLm9hdXRoLnNjb3BlIjoiVXNlclByb2ZpbGUudXNlcnMiLCJ1c2VyLnRlbmFudC5uYW1lIjoiRGVmYXVsdERvbWFpbiIsIm9yY

WNsZS5vYXV0aC5pZF9kX2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5MDEyIn0.usbawwdkhEL1noGSnSfzWVP
UiU8j4VVjp0LaRpdx7DdVPLogYeahSd_WluleHjy0rSoivkOnuTmqbwGAKOwSZI--
lTaebad_lhlO_VHyH5WH8mKwrAKxCvKBYXkF7FlENBMzblZWNcslcxLkztEDgJS-YBjYvT8RlX8D48Kjtbg"
}
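The decision the introduction to this exercise describes (has the access token expired, so that the refresh grant above should be run?) can be made on the client without a round trip by reading the exp claim of the token. The Python below is an added example, not part of the lab and not Oracle's mobile SDK. It decodes the JWT header and payload without verifying the RS512 signature, which is acceptable for scheduling a refresh but must never be used to trust the claims for an access decision, since only OAM holds the key. The sample token it builds is constructed here with the claim names the lab's tokens carry (prn, jti, oracle.oauth.tk_context, iat, exp) and the iat/exp/jti values of the access token shown above; its signature is a placeholder.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Claim names OAM puts in the tokens shown in this lab.
CLAIM_CONTEXT = "oracle.oauth.tk_context"   # client_assertion, user_assertion, resource_access_tk, refresh_token
CLAIM_PRINCIPAL = "prn"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    Only OAM can verify the RS512 signature; a client may read the claims to
    schedule a refresh but must not base authorization on them.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if not isinstance(payload, dict) or "exp" not in payload:
        raise ValueError("payload has no exp claim")
    return header, payload


def seconds_until_expiry(payload: dict, now: Optional[int] = None, skew: int = 60) -> int:
    """Seconds left before exp minus a clock-skew margin (negative once expired)."""
    now = int(time.time()) if now is None else now
    return int(payload["exp"]) - now - skew


def needs_refresh(token: str, now: Optional[int] = None, skew: int = 60) -> bool:
    """True when the token is expired or about to expire, i.e. run the refresh_token grant."""
    _, payload = decode_jwt_unverified(token)
    return seconds_until_expiry(payload, now, skew) <= 0


def summarize(token: str) -> dict:
    """The fields worth logging about a token (never log the token itself)."""
    header, payload = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "context": payload.get(CLAIM_CONTEXT),
        "principal": payload.get(CLAIM_PRINCIPAL),
        "jti": payload.get("jti"),
        "iat": payload.get("iat"),
        "exp": payload.get("exp"),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed sample with a placeholder signature (offline use only; OAM would reject it)."""
    header = {"alg": "RS512", "typ": "JWT", "kid": "orakey"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# iat/exp/jti are those of the access token shown above (expires_in 3600).
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "sub": "JDOE", CLAIM_PRINCIPAL: "JDOE", "jti": "dc2bcde2-ec07-424e-9172-2331dbd0ce75",
    CLAIM_CONTEXT: "resource_access_tk", "iat": 1453496097, "exp": 1453499697,
})

if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_TOKEN))
    print("refresh now?", needs_refresh(SAMPLE_ACCESS_TOKEN))
```

The 60 second skew keeps a request from being sent with a token that expires in flight; the same check applies to the client assertion, whose expiry the later exercises tell you to handle by re-running Exercise 7.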

Exercise 11 – Terminate JWT User Assertion

Introduction – Now we will terminate the JWT user assertion from the mobile app. This is the mobile
logout: the same tokens endpoint is called with oracle_token_action=delete.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'client_id=App1&grant_type=oracle-idm%3A%2Foauth%2Fgrant-type%2Fuser-token%2Fjwt&assertion=<JWT
User Assertion got in Exercise7 (user_assertion-
>access_token)>&oracle_token_action=delete&oracle_device_profile=<Base64 encoded Mobile Device Profile
from Exercise 3>&client_assertion=<Mobile Client Assertion got in Exercise 7 (client_assertion->
access_token)>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate

Date: Fri, 22 Jan 2016 21:04:26 GMT


Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json

X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-00000000000037b0
X-Powered-By: Servlet/2.5 JSP/2.1
{"successful":true}

Exercise 12 – Login (Create a JWT User Session)
Introduction – Now we will log in again with the password grant to obtain a fresh JWT user assertion.

===================== HTTP Request ====================================

curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'grant_type=password&username=JDOE&password=Oracle123&client_assertion=<Client Assertion Created in
Exercise 7 (client_assertion ->
access_token)>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-
bearer&oracle_device_profile=<Base64 Device Profile from Exercise 3>&oracle_requested_assertions=oracle-
idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'

Note: If the client assertion has expired get a new one by executing Exercise 7

===================== HTTP Response ====================================

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 21:52:21 GMT
Pragma: no-cache

Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-0000000000003fd0
X-Powered-By: Servlet/2.5 JSP/2.1

{
"expires_in":28800,
"token_type":"Bearer",
"oracle_tk_context":"user_assertion",

"refresh_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6I
m9yYWtleSJ9.eyJzdWIiOm51bGwsIm9yYWNsZS5vYXV0aC51c2VyX29yaWdpbl9pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1d
GgudXNlcl9vcmlnaW5faWQiOiJKRE9FIiwiaXNzIjoid3d3Lm9yYWNsZS5leGFtcGxlLmNvbSIsIm9yYWNsZS5vYXV0aC5ydC50dGMiOiJ1
c2VyX2Fzc2VydGlvbiIsIm9yYWNsZS5vYXV0aC5zdmNfcF9uIjoiT0F1dGhTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQ1MzQ5OTU0Miwib3
JhY2xlOmlkbTpjbGFpbXM6Y2xpZW50Omlvc2lkZm9ydmVuZG9yIjoiNjBCMDZGNDYtRDI3RC00MEFBLUJEQjktNzE0MjNGMTkyMjUz
Iiwib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJyZWZyZXNoX3Rva2VuIiwiZXhwIjoxNDUzNjE0NzQyLCJvcmFjbGU6aWRtOmNsYWltcz
pjbGllbnQ6bWFjYWRkcmVzcyI6IjAwOjIzOjMyOjkxOkE2Ojk5IiwicHJuIjpudWxsLCJqdGkiOiIwMTI3MTg4MS1jYmM1LTRhMGQtOTA
4ZS1jMGYyYTMzNTcxZjkiLCJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6IkFwcDEiLCJ1c2VyLnRlbmFudC5uYW1lIjoiRGVmY
XVsdERvbWFpbiIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5MDEyIn0.njnwZ
QL7UN-UjEJkE2gVo0XqTHzEm_Bq4EkvkjAE1YrPEEZYtmg54fS_fcSdtfBYY18B-
OVPbjmTln9nVLb3gOOO72RFyLvdeKuJ68JhsuN9JAYlSE6IF2F-CxzxAGx9IFb_ADF6CsZRwiBAGiKQF7gGYJvkfXjicuJdsx8hVBw",
"oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer",
"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJzdWIiOiJKRE9FIiwiaXNzIjoid3d3Lm9yYWNsZS5leGFtcGxlLmNvbSIsIm9yYWNsZS5vYXV0aC5zdmNfcF9uIjoiT0F1dGh
TZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQ1MzQ5OTU0Miwib3JhY2xlOmlkbTpjbGFpbXM6Y2xpZW50Omlvc2lkZm9ydmVuZG9yIjoiNjB
CMDZGNDYtRDI3RC00MEFBLUJEQjktNzE0MjNGMTkyMjUzIiwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJleHAiO
jE0NTM1MjgzNDIsIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoidXNlcl9hc3NlcnRpb24iLCJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ
6bWFjYWRkcmVzcyI6IjAwOjIzOjMyOjkxOkE2Ojk5IiwicHJuIjoiSkRPRSIsImp0aSI6IjQ0OTJhZWNhLTQyYmItNDM1Mi04MGYwLTg2Mz
IzYjI5NzAxOSIsIm9yYWNsZS5vYXV0aC5jbGllbnRfb3JpZ2luX2lkIjoiQXBwMSIsInVzZXIudGVuYW50Lm5hbWUiOiJEZWZhdWx0RG9tY
WluIiwib3JhY2xlLm9hdXRoLmlkX2RfaWQiOiIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwMTIifQ.ltot-

rhKn1DdnER-W8fupIMNNvjR9jYDbMrlSaiOvSORVRUD72Xm-
PI9qxtgqZ7GpB2Q50cKWghnFMtK_mvvwe_tAqFwR1XEWpod91ysxOmROr1VDUXnyWWJLLDm324CnEmergjdcnMgwgqDICxtrg8f
Gx1192SA9ETf6mnG-GU"
}

Exercise 13 – Create OAM UT and OAM MT using JWT User Token (Token Exchange)
Introduction – Now that the user is logged in and holds a JWT user assertion, we exchange it for an
OAM User Token (UT) and an OAM Master Token (MT).

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-
idm%3A%2Foauth%2Fgrant-
type%2Foam_credentials&user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-
type%3Ajwt-bearer&user_assertion=<JWT User Assertion created in Exercise 12 (user_assertion-
>access_token)>&client_assertion=<Client Assertion created in Exercise7 (client_assertion-
>access_token)>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-
bearer&oracle_device_profile=<Base64 encoded profile from Exercise 3>'

Note: If the user assertion OR client assertion has expired get a new one by executing Exercise 7

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 22 Jan 2016 22:08:41 GMT
Pragma: no-cache

Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-00000000000042c7
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_aux_tokens":
{"oam_mt":

{"oracle_tk_context":"oam_mt",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token",
"access_token":"VERSION_4%7E%2Bg%2FmXOvoyMTn66fJmgB%2Bpw%3D%3D%7Ea47FNf2NlpTtE6jKWaHG3Jo%2BTddBVzyW3
YJhUdgX3QljxROkMEKrNAuqMBKIj8YUqkBBq0wbaJshHFpnblAU6OeXUl6DXRX5g%2BJ6Z90EabrQLJgL41SdrlVQMnZxk5rIuQrNivC
d0W60Ud3sneWWnki%2FsiKQZL5HLR22VZoJOa5w19RHAsGC8qWYGPms0m4DVjwYn7deT%2BYfEhCih2rx9i5xpOZfbJ1f5XyL0Sgzs
VEDBm02cdOlx8VRlqJZD8bS0QmG6OgFdH541%2BvdjOrGnu3U%2FdF72cUfPNXdExzuhCo%3D"
}
},
"oracle_tk_context":"oam_ut",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",
"access_token":"o8rUxCH4Luz+2gHqZynMRvXpcQ9pVjkEl6Gy2E63o7qXbjmyXzhi6jGLyhpWq70612cn7T3o+GHqerBfljb+N3dadpq
g\/AtkEFyWbTouVnl5n7\/WfjdSzJwzhyFiMZwxEDTsmHoKR92z9ftw5edgs2eNv1eAppXPTEY4dxUujCbdeWD4w6LH6azxaP5+Wotm
gvr4W1XA8q6LsMJOdJVOHlj6Q5dzyABkxbXZznfj7i4F8spMKzHuiAkKey73MiEdclSgCgwYnZx3KwwB9EL8xVlr4wjI+bfH3RejgHQxtk6
rOFAaaazUYOStuWMqDsQwCq8gvO48JYpk656inWrZlAlADBaFveX29bR3TlYU0ppxNtl81yKhj49PJZTKaeflcalQJ+ZUNPdxv8O1IV6qH
VLvvW9eFklideiDbpJ1IagAwyZqfYg3nIhShaeFT5iDRSHP8x2WPlpc2+i06XzGIsDpf6WzVnoclKkMqEfdArI="
}

Note that the response carries both tokens: the OAM Master Token (oam_mt) inside oracle_aux_tokens and the OAM User Token (oam_ut) as the top-level access_token. Neither is a JWT; they are opaque OAM tokens.

Exercise 14 – Create OAM MT and OAM UT using JWT User Token + PIN (Token Exchange)
Introduction – In this sample we will use the JWT User Token and a PIN to get the OAM MT and
UT tokens.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-
idm%3A%2Foauth%2Fgrant-
type%2Foam_credentials&user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-
type%3Ajwt-bearer&user_assertion=<JWT User Assertion created in Exercise 12 (user_assertion-
>access_token)>&client_assertion=<Client Assertion created in Exercise7 (client_assertion-
>access_token)>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-
bearer&oracle_device_profile=<Base64 encoded profile from Exercise 3>&oracle_user_credentials=<Base 64
encoding of user credential>'

Note: The oracle_user_credentials is base 64 encoding of JSON user credential payload. If the user
assertion OR client assertion has expired get a new one by executing Exercise 7


For example: {"pin":"123"} has the Base64 encoding eyJwaW4iOiIxMjMifQ==. Base64 is only an encoding, not encryption: the PIN travels in clear in the form body, so outside this lab the tokens endpoint must only be reached over TLS.
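Building the oam_credentials request of Exercises 13 and 14 by hand means URL-encoding the grant and assertion-type URNs (the %3A and %2F in the lab's command lines) and Base64-encoding the credential JSON. The Python below is an added example, not lab or Oracle code: it produces that form body with the standard library so the escaping cannot be mistyped, shows the PIN envelope and its inverse (what the server actually receives), and refuses a non-TLS endpoint unless the caller explicitly allows it for the lab. The placeholder assertion and device-profile strings in the usage are assumptions standing in for the values obtained in Exercises 3, 7 and 12.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_ENDPOINT = "http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens"
OAM_CREDENTIALS_GRANT = "oracle-idm:/oauth/grant-type/oam_credentials"
USER_ASSERTION_JWT = "urn:ietf:params:oauth:user-assertion-type:jwt-bearer"
CLIENT_ASSERTION_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def encode_user_credentials(pin: str) -> str:
    """Base64 of the {"pin": ...} JSON that goes in oracle_user_credentials.

    Base64 is an encoding, not encryption: anyone who sees the request body
    can read the PIN, so the endpoint must be reached over TLS.
    """
    payload = json.dumps({"pin": pin}, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


def decode_user_credentials(value: str) -> dict:
    """Inverse of encode_user_credentials: what the server sees."""
    return json.loads(base64.b64decode(value))


def build_oam_credentials_body(user_assertion: str, client_assertion: str,
                               device_profile_b64: str, pin: str = None) -> str:
    """Form body for the Exercise 13 (no PIN) or Exercise 14 (PIN) token exchange.

    urlencode() applies the %3A / %2F escaping the lab writes by hand.
    """
    params = {
        "grant_type": OAM_CREDENTIALS_GRANT,
        "user_assertion_type": USER_ASSERTION_JWT,
        "user_assertion": user_assertion,
        "client_assertion_type": CLIENT_ASSERTION_JWT,
        "client_assertion": client_assertion,
        "oracle_device_profile": device_profile_b64,
    }
    if pin is not None:
        params["oracle_user_credentials"] = encode_user_credentials(pin)
    return urlencode(params)


def decode_body(body: str) -> dict:
    """Parse a form body back into single-valued fields (for checking what was built)."""
    return {key: values[0] for key, values in parse_qs(body).items()}


def check_endpoint(url: str, allow_plain_http: bool = False) -> str:
    """Refuse to send assertions and a PIN over cleartext unless explicitly allowed (lab only)."""
    if urlsplit(url).scheme != "https" and not allow_plain_http:
        raise ValueError("token endpoint must be https; a plain http URL leaks the PIN and assertions")
    return url


if __name__ == "__main__":
    # Placeholders (assumption): paste the real assertions and device profile here.
    body = build_oam_credentials_body("<user assertion>", "<client assertion>",
                                      "<base64 device profile>", pin="123")
    print(check_endpoint(TOKEN_ENDPOINT, allow_plain_http=True))
    print(body)
```

The body string is what goes after -d in the lab's curl command; post it with Content-Type application/x-www-form-urlencoded as in the exercises above.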

===================== HTTP Response ====================================


HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate


Date: Fri, 22 Jan 2016 22:16:11 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json

X-ORACLE-DMS-ECID: 024170c1c59452c4:6fa58a63:1526a57ea2b:-8000-00000000000043f9
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_aux_tokens":
{"oam_mt":
{
"oracle_tk_context":"oam_mt",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token",
"access_token":"VERSION_4%7ERPwm0wx17J6TsvDR7%2BX2kg%3D%3D%7EsITmOlSI7mtpmuEcOI59Utcm4q6AjQCvKxhyAAZ5C
H8jZS6todR%2FCoEhDPFvoVmbqQ4P0KZSBrZOR1w%2FInyqD%2F1B4X3rGhUdmZAN%2Fb14RTZhM9SvY4lnvgymHNmxUUeS2Z%
2BZ2IRouCRjUJnWJhO20MopjEmsPeZW90yaBJ3u0CAav%2BtcfJydkTi7v30vN3w3SNrfwQcQlHlWXUPxSnASYTyANHMrayfh15Wwb
blSIdYryDTsHS2oZY2wgIgPHxgHOyJUImwhi7yUdf77rCu4vPd65MDR%2FEAy%2BimRtjfVIVM%3D"
}
},
"oracle_tk_context":"oam_ut",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",

"access_token":"Zo5vuuU+zfTxFfbG1wy4ftLnaTX5Pu+PhJDQR6To3nT2QO+silGnWeGsaTA2HSqRUUlbBca5I3y6YhOZpJQNRxad5W
xphuOcQoAyPsjJdFOIyYnXYuBwoMCSsMwmIKdCBtClcsUB5AedN5Nqj5mNTVv\/27ccwDxlhikvoktxmpjnfghTAS7hqDDOZ1Sw7x1m
PFs3b1rswa9MB7RXhgM6tYEKTrcIpIbdGNiWZiixDm1DqpL+0K\/Zq7il3mAcxBQarWJhi3eBoNP+p9wX4tN2+Reu+DUDHdrCP1Dws7
od9dl0U10Goy\/vhqbzIGpwcjGwNPZKhTkGLHI5go3x8Alo+GCjpKXmrgX9dhvrlVlB8MKg9QlN1c\/JrZ7xYwazShk\/aLtWOiiX3kfhG9
NouK27OuJwVERD6r+b2YQyL6px69J1NeaTRKBhJPOCbdwG5qcnRy0lAqCdp5GIO3CqaWVMhuDnSwewD5tsIpD3ggcsBzw="
}

Exercise 15 – Create OAM MT using OAM Credential Grant
Introduction – In this exercise we create the OAM Master Token with the OAM credential grant. The request is
the same oam_credentials grant as in Exercise 13 but without oracle_device_profile; the response again carries
the OAM MT inside oracle_aux_tokens and the OAM UT as the top-level access_token.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-
idm%3A%2Foauth%2Fgrant-
type%2Foam_credentials&user_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Auser-assertion-
type%3Ajwt-bearer&user_assertion=<JWT User Assertion from Exercise 12 (user_assertion-
>access_token)>&client_assertion=<MOBILE CLIENT ASSERTION from Exercise 7 (client_assertion-
>access_token)>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-
bearer'

Note: If the user assertion OR client assertion has expired get a new one by executing Exercise 7

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Mon, 25 Jan 2016 23:58:32 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json

X-ORACLE-DMS-ECID: 024170c1c59452c4:1710295:1527b0ccc45:-8000-00000000000017e8
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_aux_tokens":
{
"oam_mt":
{
"oracle_tk_context":"oam_mt",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/oam\/master-token",
"access_token":"VERSION_4%7El2ytaVBiXb4Jl7f46R4WcA%3D%3D%7EthyPghzSp4copV3b0lmdKb2nsVadin7VYh%2FP%2Fb4cph
DbpxtipOhbmRI0IZsrNSpont%2BnJccCFyju57VLSeGZro8co0I3BWmWuapd%2F7ESxGL29nLCyU%2FTJdZeSg9Nl1BaJBRg1x7y07wh
aFiMoA0yma0j7BoM%2Fun4LCb%2Bcy0pVYBX%2FTRlIPWInTof1j2ulQ3u9oBsyiNC1eRmjx%2BHJqHPi97oxZeGLI4Nije0LndSTWOK
1uil36zAmyvfufYFM85hw7BJTFILAso%2FkuVH7nhvbcBLKJWJoc84NJdifl1oZCo%3D"
}
},
"oracle_tk_context":"oam_ut",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",
"access_token":"+O4haZdGqWHd0Y0YOuqCMMwbaCVNa242zLN0DEFgWbhqhp1fUtNXg4FA5\/6Rp7bQ57955ybHli
oLDerCNUD++CHlAwcIFTZhxHmwbk964ij7y+5DLXWHft+iH7h9iHrsJApyGFg9RC6O3RhXjMrNkg9u40z3Bb2il0jkudPsLNMBqwyYp8r
oTYEvpuxz0X8FN2a8wS1WKVJjuaLubK9sG+rD\/jW\/Y5bRLHarWUu3zFkDVgGsBrKeB4xUHQUxGxWKy\/Vr4IpoigYIGAzq8H2SdYe\/StvrefrBgFELs9rgqAhmTfxruZgI1qNxRN2ZrPOP7Dn58+RKM0019UtyMysJEsPxB4rIUNoskJVd2q08Z\/fI8EEOO9dDL\/uCbrYb\/DYR
JxLUm5NYkuAd0vfO6FXPyODIxXnxM4yMznM2swcguMOG3ZVbdHiYMMBfWweEKT2ZNwbY1J4CQkEycwWKWGV3\/CSb4kVdKpb
DwjrQ5IlbSEk="
}

Exercise 16 – Enable Server Side SSO

Introduction – Now we will enable the server-side SSO feature. When it is enabled the user token is
stored on the server side, and the OAuth calls no longer need to supply the user token as part of
the call.

Steps
1. Login to OAMConsole as DCRANE/Oracle123
2. Click on Mobile Security -> Mobile OAuth Services -> DefaultDomain -> Service Profiles ->
OAuthServiceProfile
3. Expand the Attributes section
4. Modify msAlwaysShowLogin to false from true

Note: when you set this parameter to false, the user does not have to enter credentials every
time a new app is registered with Server Side SSO enabled; the server registers the app against the
user token it already holds. This is a convenience/security trade-off: as Exercise 18 shows, an app on the
device then only needs the device profile and a valid verification code to be registered, with no user
interaction, so keep msAlwaysShowLogin at true where the user should approve each new app.
More details can be found in the documentation here
https://docs.oracle.com/cd/E52734_01/oam/AIAAG/oauthunderstanding.htm#AIAAG89982

5. Expand the Mobile Service Settings


6. Now check the box for Enable Server Side Single Sign-On

7. Click Apply to save the change.

8. Logout of OAM Console


9. Restart the OAM Server for change to take effect.


Exercise 17 – Register Mobile App1 using UserName and Password
Introduction – We will first register the app using the user's credentials. This creates the client
assertion and the user assertion; with server side SSO enabled the user assertion stays on the server.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'grant_type=password&username=JDOE&password=Oracle123&client_id=App1&oracle_pre_authz_code=<Mobile
Device Verification Code from Exercise 5>&oracle_device_profile=<Base64 Device Profile from Exercise
3>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

Note: Since the server has been restarted, you need to get a new Mobile Device Verification code by executing Exercise 5.

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Sat, 23 Jan 2016 00:01:57 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:61a521a3:1526bc13b75:-8000-00000000000001c4
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"oracle_aux_tokens":
{"user_assertion":
{
"oracle_token_in_server_device_store":true,
"expires_in":28800,
"token_type":"Bearer",
"oracle_tk_context":"user_assertion",
"refresh_token":"",
"oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer",
"access_token":""
}
},
"expires_in":604800,
"token_type":"Bearer",
"oracle_tk_context":"client_assertion",
"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJvcmFjbGUub2F1dGguY3QucmVnX3VzZXJfaWRfdHlwZSI6IkxEQVBfVUlEIiwic3ViIjoiQXBwMSIsImlzcyI6Ind3dy5vcmF
jbGUuZXhhbXBsZS5jb20iLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoU2VydmljZVByb2ZpbGUiLCJpYXQiOjE0NTM1MDczMTgsI

m9yYWNsZS5vYXV0aC5wcm4uaWRfdHlwZSI6IkNsaWVudElEIiwib3JhY2xlOmlkbTpjbGFpbXM6Y2xpZW50Omlvc2lkZm9ydmVuZG9
yIjoiNjBCMDZGNDYtRDI3RC00MEFBLUJEQjktNzE0MjNGMTkyMjUzIiwiZXhwIjoxNDU0MTEyMTE4LCJvcmFjbGUub2F1dGguY3Quc
mVnX3VzZXIiOiJKRE9FIiwib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJjbGllbnRfYXNzZXJ0aW9uIiwib3JhY2xlOmlkbTpjbGFpbXM6Y2x
pZW50Om1hY2FkZHJlc3MiOiIwMDoyMzozMjo5MTpBNjo5OSIsInBybiI6IkFwcDEiLCJqdGkiOiI0ZGVhNGIyOC1jMzE2LTRiNDAtOWE
5Yy1lMWY0YWUzOWI2OWUiLCJ1c2VyLnRlbmFudC5uYW1lIjoiRGVmYXVsdERvbWFpbiIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMT
IzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5MDEyIn0.IN_ODixDw6oBZqeFAgqOO3sqE0ZqiENHB82SVFgU01mCoTN6IU-
Vz_dhexVSuRlOUcNco5v155jW_ng20B9p5qpBmr2iARWtNWlh6LLYnsMMrE_xcMI6rlGtBkSJ6XresUemFpWdf-
u7l16A0BB95FRmjQzNReZSvx5fPkovbNE"
}

Notice the user_assertion entry inside oracle_aux_tokens: oracle_token_in_server_device_store is true and its
access_token and refresh_token are empty strings. Since the user token is stored on the server side, it is not
returned to the app; only the client assertion is.

Exercise 18 – Register App2 using Server Side JWT User Assertion
Introduction – As mentioned above, with server side SSO enabled the user token is stored on the
server side and we don't need to pass it in the request. The server uses the stored token to register
App2 (oracle_use_server_device_store=true), so no username or password is sent.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=App2&oracle_pre_authz_code=<Mobile
Device Verification Code for App2 from Exercise 6>&oracle_device_profile=<Base64 encoded profile from
Exercise 3>&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-
bearer&oracle_use_server_device_store=true'

Note: Since the server has been restarted, get a new Mobile Device Verification code for App2 by executing Exercise 6.

===================== HTTP Response ====================================
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Mon, 25 Jan 2016 22:58:12 GMT
Pragma: no-cache

Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:4b11e1b9:15279b38af7:-8000-000000000000828b
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"expires_in":604800,
"token_type":"Bearer",
"oracle_tk_context":"client_assertion",

"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJvcmFjbGUub2F1dGguY3QucmVnX3VzZXJfaWRfdHlwZSI6IkxEQVBfRlFETiIsInN1YiI6IkFwcDIiLCJpc3MiOiJ3d3cub3Jh
Y2xlLmV4YW1wbGUuY29tIiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDUzNzYyNjkzL
CJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJDbGllbnRJRCIsIm9yYWNsZTppZG06Y2xhaW1zOmNsaWVudDppb3NpZGZvcnZlbmR
vciI6IjYwQjA2RjQ2LUQyN0QtNDBBQS1CREI5LTcxNDIzRjE5MjI1MyIsImV4cCI6MTQ1NDM2NzQ5Mywib3JhY2xlLm9hdXRoLmN0LnJ
lZ191c2VyIjoiSkRPRSIsIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoiY2xpZW50X2Fzc2VydGlvbiIsIm9yYWNsZTppZG06Y2xhaW1zOm
NsaWVudDptYWNhZGRyZXNzIjoiMDA6MjM6MzI6OTE6QTY6OTkiLCJwcm4iOiJBcHAyIiwianRpIjoiZGNiMGU2MjgtNDk3My00NTVlL
TkzYTItYWI4ODZhZWE2ZjFiIiwidXNlci50ZW5hbnQubmFtZSI6IkRlZmF1bHREb21haW4iLCJvcmFjbGUub2F1dGguaWRfZF9pZCI6IjEy
MzQ1Njc4LTEyMzQtMTIzNC0xMjM0LTEyMzQ1Njc4OTAxMiJ9.M_8sLArN2pkzA1cWZGkakTracIpcEuPcnmr_OIeKWPaecPWDFfxn4
_mAj4CJXuMGU22-4MBCNm0OiVmOM2qkh8q7eUINyJD7LeC7JztboQei-
h_CorbsQmt_bUGvAOd8QvPwMTpIXd_5rOw0KpBMr3GF9jITU2YcbNpeSjed05I"
}

Exercise 19 – Create Access Token using JWT Client Assertion and Server Side JWT User Assertion
Introduction – Now we will create an Access Token using the Mobile Client Assertion and the JWT User
Assertion stored on the server side (oracle_use_server_device_store=true); the user assertion itself is not
sent in the request.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_assertion_type=urn:ietf:params:oauth:client-
assertion-type:jwt-bearer&client_id=App1&client_assertion=<Mobile Client Assertion obtained in Exercise 17
(client_assertion-
>access_token)>&scope=UserProfile.users&oracle_use_server_device_store=true&oracle_device_profile=<Base64
Device Profile from Exercise 3>'

Note: If the client assertion has expired get a new one by executing Exercise 17


===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Sat, 23 Jan 2016 00:29:12 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:61a521a3:1526bc13b75:-8000-0000000000000677
X-Powered-By: Servlet/2.5 JSP/2.1

{
"expires_in":3600,
"token_type":"Bearer",
"refresh_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6I
m9yYWtleSJ9.eyJzdWIiOm51bGwsIm9yYWNsZS5vYXV0aC51c2VyX29yaWdpbl9pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1d
GgudXNlcl9vcmlnaW5faWQiOiJKRE9FIiwiaXNzIjoid3d3Lm9yYWNsZS5leGFtcGxlLmNvbSIsIm9yYWNsZS5vYXV0aC5ydC50dGMiOiJy
ZXNvdXJjZV9hY2Nlc3NfdGsiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoU2VydmljZVByb2ZpbGUiLCJpYXQiOjE0NTM1MDg5NT
MsIm9yYWNsZTppZG06Y2xhaW1zOmNsaWVudDppb3NpZGZvcnZlbmRvciI6IjYwQjA2RjQ2LUQyN0QtNDBBQS1CREI5LTcxNDIzRjE5
MjI1MyIsIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVmcmVzaF90b2tlbiIsImV4cCI6MTQ1MzUyMzM1Mywib3JhY2xlOmlkbTpj
bGFpbXM6Y2xpZW50Om1hY2FkZHJlc3MiOiIwMDoyMzozMjo5MTpBNjo5OSIsInBybiI6bnVsbCwianRpIjoiOGJjOGEwN2UtYTE4Ny0
0YTU3LThjZWItNjI5ZjhhODU1MmYwIiwib3JhY2xlLm9hdXRoLnNjb3BlIjoiVXNlclByb2ZpbGUudXNlcnMiLCJvcmFjbGUub2F1dGguY2
xpZW50X29yaWdpbl9pZCI6IkFwcDEiLCJ1c2VyLnRlbmFudC5uYW1lIjoiRGVmYXVsdERvbWFpbiIsIm9yYWNsZS5vYXV0aC5pZF9kX2l
kIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5MDEyIn0.b4s40oHhMj_WgcLqRx21nTqyM1TGs72ePunjHTInWatBX
b_qh7EOm3S-IisdV-F-
09mcWocR05rhXhyAytLGhDrsWveutkXqFjhBD9YblyiumnqAP8jKQRfdVUSKfCWmsq6xMEoVqwIxAA_Y_5W2JNAqEopv9gBhvM7yp
B-80b8",
"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJzdWIiOiJKRE9FIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkX3R5cGUiOiJMREFQX1VJRCIsIm9yYWNsZS5vYXV0aC5
1c2VyX29yaWdpbl9pZCI6IkpET0UiLCJpc3MiOiJ3d3cub3JhY2xlLmV4YW1wbGUuY29tIiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQ
XV0aFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDUzNTA4OTUzLCJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJMREFQX1VJRCIsIm9yY
WNsZTppZG06Y2xhaW1zOmNsaWVudDppb3NpZGZvcnZlbmRvciI6IjYwQjA2RjQ2LUQyN0QtNDBBQS1CREI5LTcxNDIzRjE5MjI1MyIs
Im9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVzb3VyY2VfYWNjZXNzX3RrIiwiZXhwIjoxNDUzNTEyNTUzLCJvcmFjbGU6aWRtOmNs
YWltczpjbGllbnQ6bWFjYWRkcmVzcyI6IjAwOjIzOjMyOjkxOkE2Ojk5IiwicHJuIjoiSkRPRSIsImp0aSI6ImFmNzg5MWQ0LTdkMjUtNDky
Mi05MDdjLWRmNDFlYzI1OWE5YyIsIm9yYWNsZS5vYXV0aC5zY29wZSI6IlVzZXJQcm9maWxlLnVzZXJzIiwib3JhY2xlLm9hdXRoLmNs
aWVudF9vcmlnaW5faWQiOiJBcHAxIiwidXNlci50ZW5hbnQubmFtZSI6IkRlZmF1bHREb21haW4iLCJvcmFjbGUub2F1dGguaWRfZF9
pZCI6IjEyMzQ1Njc4LTEyMzQtMTIzNC0xMjM0LTEyMzQ1Njc4OTAxMiJ9.TdFTu76A0FIsIWPcEL3qkMMbP-E33TDHLC2-
rapama2NXxTzw1xn2ezDdgb52iVLI_VHbxLhs5xWaYn-kwBYG4AYpUiIstG9A8GS-sRby-
H7Se6UwBieJnaaJLyyDmfcMsYJOAPIoQRmdEERqiRe9ZOOSXz3NmiuxU0kaywU4gw"
}

Exercise 20 – Create Access Token using Refresh Token
Introduction – Now we will create an Access Token by using the Refresh token obtained in the
previous step.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d
'grant_type=refresh_token&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-
bearer&client_id=App1&client_assertion=<Mobile Client Assertion obtained in Exercise 17 (client_assertion ->
access_token)>&scope=UserProfile.users&refresh_token=<Refresh Token obtained in Exercise 19 (refresh_token)>'

Note: If the client assertion has expired get a new one by executing Exercise 17

===================== HTTP Response ====================================


HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate


Date: Sat, 23 Jan 2016 00:35:53 GMT
Pragma: no-cache
Transfer-Encoding: chunked

Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:61a521a3:1526bc13b75:-8000-000000000000078f
X-Powered-By: Servlet/2.5 JSP/2.1

{
"expires_in":3600,
"token_type":"Bearer",
"refresh_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJzdWIiOm51bGwsIm9yYWNsZS5vYXV0aC51c2VyX29yaWdpbl9pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dG
gudXNlcl9vcmlnaW5faWQiOiJKRE9FIiwiaXNzIjoid3d3Lm9yYWNsZS5leGFtcGxlLmNvbSIsIm9yYWNsZS5vYXV0aC5ydC50dGMiOiJyZ
XNvdXJjZV9hY2Nlc3NfdGsiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoU2VydmljZVByb2ZpbGUiLCJpYXQiOjE0NTM1MDkzNTU
sIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVmcmVzaF90b2tlbiIsImV4cCI6MTQ1MzUyMzc1NSwicHJuIjpudWxsLCJqdGkiOiI3N
GRhYzMxNS01MDk2LTQ4ZDYtYmYxNS0zN2ZhYjcxNjRmM2QiLCJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6IkFwcDEiLCJv
cmFjbGUub2F1dGguc2NvcGUiOiJVc2VyUHJvZmlsZS51c2VycyIsInVzZXIudGVuYW50Lm5hbWUiOiJEZWZhdWx0RG9tYWluIiwib3JhY
2xlLm9hdXRoLmlkX2RfaWQiOiIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwMTIifQ.s3A-
u4mdixxiTZW7nv123x4jVJrtVYGJYFS-
l8yn7nhhGSbWeILFnbfH1hvyBT79SyuCK5tMc9uKkILarDHgzX6lKQXD0aqG1_ndBxyHf0EWnvTWLBNZop4vSp75AjNFcIpwiEgxV3GT
V2VGq7qGoQV8bTgiOIEpexl9Ll9DCKI",
"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsIng1dCI6Ilh0em9yVUdfWmtOVDZRUUg2eElMYXl0UENnTSIsImtpZCI6Im
9yYWtleSJ9.eyJzdWIiOiJKRE9FIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkX3R5cGUiOiJMREFQX1VJRCIsIm9yYWNsZS5vYXV0aC5
1c2VyX29yaWdpbl9pZCI6IkpET0UiLCJpc3MiOiJ3d3cub3JhY2xlLmV4YW1wbGUuY29tIiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQ
XV0aFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDUzNTA5MzU1LCJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJMREFQX1VJRCIsImV4
cCI6MTQ1MzUxMjk1NSwib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJyZXNvdXJjZV9hY2Nlc3NfdGsiLCJwcm4iOiJKRE9FIiwianRpIjoiY

zIyMjZhOWUtMmM2ZS00YTEyLThhYWYtZjBhZGE5Zjg4YTU5Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiJBcHAxIiwi
b3JhY2xlLm9hdXRoLnNjb3BlIjoiVXNlclByb2ZpbGUudXNlcnMiLCJ1c2VyLnRlbmFudC5uYW1lIjoiRGVmYXVsdERvbWFpbiIsIm9yYWN
sZS5vYXV0aC5pZF9kX2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5MDEyIn0.W0ivYaZuz5n5sW_nUIJjNOhwq0w
Ibfvq-d33LJ7k_dwZ31b0pUo4fz_6BBsKbY7wgYVILfUM-yn-bs2NArzCuzhx5aZkwT3imKSu9v1K-
BBkQMpm6Z7wTNWChvsqoULfE3mD79gny_KMq-jgG0_aXOgK1xHmb3nyXTofyD1RpGA"
}

Exercise 21 – Create OAM AT using OAM UT
Introduction – In this use case we create an OAM Access Token for a WebGate-protected resource from the
OAM User Token stored on the server side (oracle_use_server_device_store=true), passing the application
context that WebGate issued for that resource.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST
http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=oracle-
idm%3A%2Foauth%2Fgrant-type%2Foam_credentials&client_assertion=<MOBILE CLIENT ASSERTION from
Exercise 17 (client_assertion-
>access_token)>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-
bearer&oracle_device_profile=<Base64 Device profile from
Exercise 3>&scope=oracle.security.oauth.oam.resource_access&oracle_oam_application_context=<Application
Context given by WebGate (see the notes below for how to get
it)>&oracle_oam_application_resource=http%3A%2F%2Fidentity.oracleads.com%3A7777%2Findex.html&
oracle_use_server_device_store=true'

Note: If the client assertion has expired get a new one by executing Exercise 17

Note: How to get the value for parameter oracle_oam_application_context

1. Login to oamconsole using DCRANE/Oracle123


2. Click on Agents. Search and open webgate_1
3. Under User Defined Parameters add the following
OAMAuthUserAgentPrefix=OIC
OAMAuthAuthenticationServiceLocation=http://identity.oracleads.com:14100/oic_rest/rest/oamauthentication

Note: the agent prefix can be any prefix of your choice; the service location points to the REST OAM
authentication endpoint.


4. Save the changes.


5. Make sure that the OAM Server and the OHS server (startOHS.sh) are both running.
6. Using a terminal issue the below command

curl -i -H 'User-Agent:OIC-Authentication' --request GET http://identity.oracleads.com:7777/index.html

Note: the User-Agent in the command starts with the OAMAuthUserAgentPrefix (OIC) configured above; WebGate answers such requests with the 401 OAM-Auth challenge shown below instead of a login redirect.

You should see the following response


HTTP/1.1 401 Authorization Required
Date: Wed, 27 Jan 2016 18:26:20 GMT
Server: Oracle-HTTP-Server-11g
Set-Cookie: OAMAuthnHintCookie=0@1453919180; httponly; path=/; domain=.oracleads.com
Set-Cookie: OAMRequestContext_identity.oracleads.com:7777_345963=4YcYtRyL5qdsX7P8v7L/2w==;max-age=300; httponly; path=/
WWW-Authenticate: OAM-Auth realm="webgate_1:2 http://identity.oracleads.com:14100/oic_rest/rest/oamauthentication", request-ctx="encquery%3DXcNqq5vWlKK0hLvIRXVekzmb7lA%2BJP4batYkjees2MyKYlO8hKDj8SiysWK8yZOo2mu6irf2gLQAK
RjOqCkMBI3AX1qEa26kd2V%2F5JkKkjeMsF9ZUq673oYKTJdm0%2BAC2pbX8Q8uSqFkWWdgHSPPh70bGlt9eXTcJfEJx
XI9cqpGd2YcE2gHQpN1OF%2Fvoz3C3mGT%2FoqtpLrW3Amuf647YKolxPS1fLAC4Tot4Fdd0iWO1awqQbdOZSaqEq0%
2BJPWmRlmkG%2FvxhkIJTyuHllEqmIMqCOrPVjzn4wpMwOZErtQ%3D%20agentid%3Dwebgate_1%20ver%3D1%20crmethod%3D2"
Content-Length: 294
Content-Type: text/html; charset=iso-8859-1

7. Notice the request-ctx value in the WWW-Authenticate header. This is the value to use for the parameter oracle_oam_application_context; use the value you get by executing the above command.
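The steps above are easy to get wrong by hand, so here is an added example (not part of the lab) that parses the OAM-Auth challenge WebGate returns for the OIC User-Agent prefix, decodes the request-ctx so you can see the agentid/ver/crmethod it carries, and builds the form body for the oam_credentials token request. The 401 sample is constructed (shortened encquery), and the plain-text grant_type string is inferred from the percent-encoded form the lab uses.

```python
import re
from urllib.parse import unquote, urlencode

# Constructed sample shaped like the 401 challenge in step 6; the encquery
# value is shortened and is not a real context taken from the lab.
SAMPLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: OAM-Auth realm="webgate_1:2 '
    'http://identity.oracleads.com:14100/oic_rest/rest/oamauthentication", '
    'request-ctx="encquery%3DXcNq%2Bq5v%2FW8Q%3D%20agentid%3Dwebgate_1%20ver%3D1%20crmethod%3D2"\r\n'
    "Content-Type: text/html; charset=iso-8859-1\r\n"
)

def parse_oam_auth_challenge(raw_headers):
    """Return realm, authentication service URL and request-ctx from WWW-Authenticate: OAM-Auth."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        value = value.strip()
        if not value.startswith("OAM-Auth "):
            continue
        # Quoted parameters: realm="..." and request-ctx="...".
        params = dict(re.findall(r'([\w-]+)="([^"]*)"', value))
        if "request-ctx" not in params:
            raise ValueError("OAM-Auth challenge without request-ctx")
        # realm is "<agent>:<version> <authentication service URL>".
        realm, _, service_url = params.get("realm", "").partition(" ")
        return {"realm": realm, "service_url": service_url,
                "request_ctx": params["request-ctx"]}
    raise ValueError("no OAM-Auth challenge in the response headers")

def decode_request_ctx(request_ctx):
    """Decode request-ctx once: percent-encoded, space-separated key=value pairs."""
    pairs = (item.partition("=") for item in unquote(request_ctx).split(" "))
    return {key: val for key, _, val in pairs if key}

def build_oam_credentials_body(client_assertion, device_profile, request_ctx):
    """Form body for the oam_credentials token request shown above. The request-ctx is
    appended exactly as WebGate returned it (already percent-encoded), as the lab instructs."""
    body = urlencode({
        "grant_type": "oracle-idm:/oauth/grant-type/oam_credentials",  # inferred from the lab's encoded form
        "client_assertion": client_assertion,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "oracle_device_profile": device_profile,
        "scope": "oracle.security.oauth.oam.resource_access",
        "oracle_oam_application_resource": "http://identity.oracleads.com:7777/index.html",
        "oracle_use_server_device_store": "true",
    })
    return body + "&oracle_oam_application_context=" + request_ctx
```

Feed the raw headers from the curl -i output to parse_oam_auth_challenge and pass the resulting request_ctx, together with the client assertion and device profile from the earlier exercises, to build_oam_credentials_body for the -d payload.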

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Wed, 27 Jan 2016 17:39:20 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:24b055d4:15280e58587:-8000-000000000000a5ce
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_aux_tokens":

{
"oam_ut":
{
"oracle_tk_context":"oam_ut",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/user-token\/oam",
"access_token":"E6P1QoXadfQ4ktIcT It \/Pw1NyUbybDUWku3iqseA70WT FnRluRK7nuy G+CYZHhrwE CKVQ1e9ld0bYk3jGS
4qtV\/p2EIVpyxyq+ik+bk VN3gmtPzqJ63QDBORDE8mxFtokzOXmw308boVEJl9qcid2BXFGbQq\/G11kS7DOO2mB7ZYQPI
CdH8 SGH9a7fySIXqW7B3xgq6qrpUniWR5mULsmH3vODXjCusvlg9 \/KD29sDHVcFx8XpQxWkUtNcU5Ab8eSla9M+BmDH
aK2om6Y5MPZWUeAhlBUb0hasT 92wzbSF \/\/Y+ChBB6JwPEw8\/J3XEdUuuhMtdqJL9MfiW2SGtB0d653lVTAvD3+eQYdG
C+9yJnX78ZMcoNj7\/OGuIeUcCW\/LVwgRNYyKUpA911oWWZdmia58HWpZMB5X9OqsDrRZZXElKO0VairORXn wexfs5
dnYrVWT Q2K6pYAShxJw0tUioEUtxvgNxT qUaQt7drWAWM="
}
},
"oracle_tk_context":"oam_at",
"oracle_grant_type":"oracle-idm:\/oauth\/grant-type\/resource-access-token\/oam",
"access_token":"Uoi4cDSHauyLCy1W8tvOHHzdJ9N2%2F78cfTr6%2BhGToL3vKRDAlb5aFAsVZF4KnFNAuJ%2Fb61bzaqG
U3pM919gB1sPFWcxnt8r8xsmJjhP7u2G8%2Bq%2B%2BDzs%2BftEkUq3viJAQYqpKF%2BcVTALyxo9rdfkv9mV3brsyCJvp
%2B0ngsYZKjJcoP1n7GY6Ng%2FvKRxz5J8ytvd1ZsNDaLZCBHiXJWT kTt3N0HpQ%2BSwVH5u5lb4Y%2Bj6up wOnNRtytJ
1G8XlBmMT YzPmJZOmAgwQze3auIoQFdE VF4oDsC%2Fi0 CBRqBHoXRlrXtm704iHeHwe0BIBzRY7fz7oppcgLazCqeUI9B
Pp2Il1YCsJI%2FSUdo gcjbHd4bZ gSJKg5Z VhvhonIgCGukWLmkHpVKo2lPNyAJ0htK6t1TeLjUBOBpMDQY2Wc b2ef7z8cIW
dgSMyntSWPayK9tVRHdP%2FVMJv wBfeYiQMn7OauFRYVwVm qyT G%2B%2FvQRiONbHeT Y%3D"
}

Exercise 22 – Logout

Introduction – We will now perform a logout operation.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://identity.oracleads.com:14100/ms_oauth/oauth2/oammsui/oauthservice/logout -d 'client_id=App1&redirect_uri=app1://&oracle_device_profile=<Base 64 Encoding Device Profile from Exercise 4>&client_assertion=<Mobile Client Assertion from Exercise 18 (client_assertion->access_token)>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

===================== HTTP Response ====================================


HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Sat, 23 Jan 2016 00:41:13 GMT
Content-Length: 0
X-ORACLE-DMS-ECID: 024170c1c59452c4:61a521a3:1526bc13b75:-8000-0000000000000881
X-Powered-By: Servlet/2.5 JSP/2.1

==============================================================================


Exercise 23 – Login

Introduction – We will now perform a Login operation.

===================== HTTP Request ====================================


curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST http://identity.oracleads.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens -d 'grant_type=password&username=JDOE&password=Oracle123&client_assertion=<MOBILE CLIENT ASSERTION from Exercise 17>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&oracle_device_profile=<Mobile Device Profile from Exercise 4>&oracle_requested_assertions=oracle-idm%3A%2Foauth%2Fassertion-type%2Fuser-identity%2Fjwt'

===================== HTTP Response ====================================


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Sat, 23 Jan 2016 00:44:58 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
X-ORACLE-DMS-ECID: 024170c1c59452c4:61a521a3:1526bc13b75:-8000-0000000000000917
X-Powered-By: Servlet/2.5 JSP/2.1

{
"oracle_token_in_server_device_store":true,
"expires_in":28800,
"token_type":"Bearer",
"oracle_tk_context":"user_assertion",
"refresh_token":"",
"oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer",
"access_token":""
}

Summary – In this Lab we have seen how mobile apps can use OAuth calls. We have also seen the support for both server-side SSO enabled and disabled.
