1 Reply Latest reply on Jul 19, 2016 12:42 PM by Erik Raetz

    ORDS Rest Security

    789370

      Hi

       

      We have just started building REST services out of the database for a project, and are looking to go live soon.  The services are used for two purposes.

       

      Exposing data to website via JSON

      Integration to third party exposing and submitting data

       

      I am wondering what others have used to protect their REST services through OAuth 2.0?

       

      Thanks

       

      Kevin

        • 1. Re: ORDS Rest Security
          Erik Raetz

          Read part 3.5 about Authentication in the documentation and pick the authentication you need for your case:

          http://docs.oracle.com/cd/E56351_01/doc.30/e56293/develop.htm#AELIG90123

           

          Currently we use server-to-server communication only. This means any frontend or app that is presented to an end-user/customer is not calling the ORDS REST Service directly but an application layer in between. The application layer manages OAuth client information and OAuth tokens and keeps that information hidden from the frontend. Thus we use Third-Party with Two-legged OAuth (Client_Credential flow).


          In ORDS we set privileges for specific uri-patterns. Specific roles are allowed to work with specific privileges. Specific roles are granted to each OAuth client. Our services are consumed by different applications. Each application has its own OAuth client. Since each client has its own set of roles they get access to specific uri-patterns depending on their needs.
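
          The setup described in the reply above, sketched as an added example that is not part of the original thread or the poster's own code. It uses the ORDS and OAUTH PL/SQL packages from an ORDS-enabled schema; every role, privilege, client name, URI pattern and e-mail address is a hypothetical placeholder.

```sql
-- Added example: one OAuth client per consuming application, each limited
-- to its own URI patterns through a role. All names are hypothetical.
DECLARE
  l_roles    OWA.vc_arr;
  l_patterns OWA.vc_arr;
BEGIN
  -- One role per kind of access.
  ORDS.create_role(p_role_name => 'web_read_role');
  ORDS.create_role(p_role_name => 'partner_submit_role');

  -- Privilege protecting the read-only JSON endpoints used by the website.
  l_roles(1)    := 'web_read_role';
  l_patterns(1) := '/catalog/*';
  ORDS.define_privilege(
    p_privilege_name => 'web_read_priv',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_label          => 'Website read access',
    p_description    => 'Read-only data for the website application layer');

  -- Privilege protecting the third-party submission endpoints.
  l_roles(1)    := 'partner_submit_role';
  l_patterns(1) := '/partner/orders/*';
  ORDS.define_privilege(
    p_privilege_name => 'partner_submit_priv',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_label          => 'Partner submit access',
    p_description    => 'Data exchange with the third-party integration');

  -- One client_credentials (two-legged) client per application.
  OAUTH.create_client(
    p_name => 'website_app', p_grant_type => 'client_credentials',
    p_owner => 'Example Org', p_description => 'Website application layer',
    p_support_email => 'ops@example.com', p_privilege_names => 'web_read_priv');
  OAUTH.create_client(
    p_name => 'partner_app', p_grant_type => 'client_credentials',
    p_owner => 'Example Org', p_description => 'Third-party integration',
    p_support_email => 'ops@example.com', p_privilege_names => 'partner_submit_priv');

  -- Each client receives only the role its application needs.
  OAUTH.grant_client_role(p_client_name => 'website_app', p_role_name => 'web_read_role');
  OAUTH.grant_client_role(p_client_name => 'partner_app', p_role_name => 'partner_submit_role');
  COMMIT;
END;
/

-- Generated credentials; keep client_secret in the application layer only.
SELECT name, client_id, client_secret FROM user_ords_clients;
```

          With this layout a token issued to `website_app` is accepted on `/catalog/*` and rejected on `/partner/orders/*`, because that client was never granted `partner_submit_role`.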