Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) OAuth Services - Security query on base 64 encoded Authorization code
(Doc ID 2356123.1)
Last updated on AUGUST 28, 2023
Applies to:
Oracle Access Manager - Version 11.1.2.3.5 and laterInformation in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
Goal
OAuth (3-Legged OAuth Authorization) services has been used for client application integration.
Noticing that authorization code is base 64 encoded. Having security concerns because base 64 code can be decoded. Not finding any configurations to change this ?
Does OAM support any configuration changes to address above issue ?
Qn2:Can the authorization code be changed to a different configuration due to their concerns re base 64 encoding?
Qn3:The JWT token can be decoded (from Base64) and contains the principle name (prn=username) as well as an oracle field oracle.oauth.user_origin_id that holds the username.
These aren’t a security risk by themselves but could be in bulk. What controls are available to secure this information ?
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |
| References |