My Oracle Support Banner

OAM OAuth Services - Security query on base 64 encoded Authorization code (Doc ID 2356123.1)

Last updated on FEBRUARY 08, 2018

Applies to:

Oracle Access Manager - Version 11.1.2.3.5 and later
Information in this document applies to any platform.

Goal

OAuth (3-Legged OAuth Authorization) services  has been used for client application integration.

Noticing that authorization code is base 64 encoded. Having security concerns because base 64 code can be decoded.  Not finding any configurations to change this ?

Does OAM support any configuration changes to address above issue ?
 
Qn2:Can the authorization code be changed to a different configuration due to their concerns re base 64 encoding?
 
Qn3:The JWT token can be decoded (from Base64) and contains the principle name (prn=username) as well as an oracle field oracle.oauth.user_origin_id that holds the username.

These aren’t a security risk by themselves but could be in bulk. What controls are available to secure this information ?
 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.