For Non-browser Clients (NBC): OAM Webgate Request Context Timeout Query encquery Parameter Configuration (Doc ID 1951576.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Mobile and Social - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Goal

We need to know the timeout/caching configuration of the OAM Webgate request-ctx attribute (received in the WWW-Authenticate HTTP header when accessing a protected page without an access token).
In order to access protected REST API endpoints, we first access a protected page without an access token and in a subsequent step use the request-ctx from the WWW-Authenticate header for the access token request.
We don't avoid calling protected REST API endpoint each time (before access to protected page) to retrieve request-ctx to optimize performance.
We need to understand the default expiry/timeout behaviour of the WWW-Authenticate/request-ctx value before designing a solution that skips the WWW-Authenticate/request-ctx retrieval step for subsequent user logins.

What might cause the WWW-Authenticate/request-ctx/encquery parameter value to become invalid? When I request access to the same protected page the next time, I notice a different value for the WWW-Authenticate/request-ctx/encquery parameter.
Can I reuse the WWW-Authenticate/request-ctx/encquery parameter forever? Is there something which can break reuse of the WWW-Authenticate/request-ctx/encquery parameter?

We have configured OAM 11gR2 PS2 Webgate to handle Non Browser Client use cases by configuring following parameters on SSO Agent:
OAMAuthUserAgentPrefix=OAMMS
OAMAuthAuthenticationServiceLocation=http://tc.oamq.fnni.com:50001/oic_rest/rest/mobilejwtoamauthentication

Sample request-ctx value from the response to a protected page access attempt (please refer to the attachment usersession_trace.txt for the complete request/response sequence):

WWW-Authenticate: OAM-Auth realm="IHSMobileWebGate:2 http://tc.oamq.fnni.com:50001/oic_rest/rest/mobilejwtoamauthentication", request-ctx="encquery%3D4VKXYuiDeCbPVjqAFs20HgZ%2BGkrMeGIwRH8IG04a%2FBz8%2B7YLwsgJJS0PBbjwNd6NerUBtRIsOLhlLhTgqwRsEedJiTwUnUaK6K3yKKXZlVqVh%2B5v1D3ijcMmHxxS5%2FAM%2FhuKlUIwC6dl8R2Bv74AN0pPv1m7f6mdaVcOy1irvJWo%2FcisEiC9eATWiIpoMNWdFIgIG36YQoFOUR8jR%2FsDRLF0K59RWHQT%2FoHAQlJhGU8J6gfyvoLtXY23R6B3wBW7LuRU4dNntTYjhOEg3sRInq8KZHXs5xdg5khmMWQmAJ4qRnzln3DHTSdEPYPgzk0ZimlBoIH3eE7wthdbco8D%2FQ%3D%3D%20agentid%3DIHSMobileWebGate%20ver%3D1%20crmethod%3D2"
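
The request-ctx value in the header above is URL-encoded and, once decoded, is a space-separated list of key=value fields (encquery, agentid, ver, crmethod). The following Python sketch is an added example, not Oracle's or the author's code: it parses such a challenge and reports whether a cached encquery still matches a freshly issued one. The function names, the constructed sample header and the reading of realm as "agent, space, service URL" are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in the same shape as the header shown above (not a real value).
SAMPLE = ('OAM-Auth realm="ExampleWebGate:2 '
          'http://oam.example.test:50001/oic_rest/rest/mobilejwtoamauthentication", '
          'request-ctx="encquery%3DAbC%2BdEf%2FGhI%3D%3D%20agentid%3DExampleWebGate'
          '%20ver%3D1%20crmethod%3D2"')

_PARAM = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_oam_auth_challenge(header_value):
    """Parse the value of a WWW-Authenticate: OAM-Auth challenge (hypothetical helper)."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme != "OAM-Auth":
        raise ValueError("not an OAM-Auth challenge: %r" % scheme)
    params = dict(_PARAM.findall(rest))
    if "request-ctx" not in params:
        raise ValueError("challenge carries no request-ctx")
    fields = {}
    # Fields are separated by %20. Split each on the FIRST '=' only, because the
    # base64 encquery value may itself end in '=' padding.
    for token in unquote(params["request-ctx"]).split(" "):
        key, sep, value = token.partition("=")
        if not key or not sep:
            raise ValueError("malformed request-ctx field: %r" % token)
        fields[key] = value
    if "encquery" not in fields:
        raise ValueError("request-ctx has no encquery field")
    # Assumption: realm is "<agent part> <authentication service URL>".
    agent, _, service_url = params.get("realm", "").partition(" ")
    return {"agent": agent, "service_url": service_url,
            "request_ctx_raw": params["request-ctx"], "fields": fields}


def encquery_changed(cached_header, fresh_header):
    """True when the Webgate issued a different encquery than the cached one."""
    old = parse_oam_auth_challenge(cached_header)["fields"]["encquery"]
    new = parse_oam_auth_challenge(fresh_header)["fields"]["encquery"]
    return old != new


if __name__ == "__main__":
    print(parse_oam_auth_challenge(SAMPLE)["fields"])
```
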


First-time user login message sequence from a mobile device (native Android and native iOS apps):

1. Get Client Registration Handle (Client Token)
2. Get OAM User Token
3. Get oracle_oam_application_context by calling the protected page with the expected User-Agent prefix (defined during OAM 11gR2 webgate), which is nothing but the encquery** value. This value is returned in the response HTTP header named WWW-Authenticate.
4. Get OAM Access Token - this step requires Client Token + OAM User Token + encquery** value
5. Access the protected page by adding Access Token in an HTTP header
6. Log out (delete OAM User Token)


Subsequent user login message sequence from a mobile device (native Android and native iOS apps):

1. Get Client Registration Handle (Client Token)
2. Get OAM User Token
--- retrieve the cached encquery** value from the first login session ---
3. Get OAM Access Token - this step requires Client Token + OAM User Token + encquery** value
4. Access the protected page by adding Access Token in an HTTP header
5. Log out (delete OAM User Token)

As you can see, in the subsequent user login message sequence we are trying to skip the step that retrieves the encquery** value and instead reuse the value from the first user session.

WWW-Authenticate/request-ctx/encquery parameter in NBC message flow maps to following in Web flow :
ChallengeRedirectMethod Web Behavior when value around encquery:
POST: Webgate sends encquery as POST data and credential collectors send encreply as POST data.
GET: Webgate sends encquery as query string and expects encreply as query string.

 

Solution
