JWT Profile : Validating JWT Access Tokens In ORDS

ORDS 23.3.0 brings a new way of accessing protected resources using JSON Web Tokens (JWT), making it much easier to integrate ORDS with OAuth2-compliant Identity Providers such as:

  • Oracle Identity Cloud Service (IDCS)
  • Oracle Identity Access Management (IAM)
  • Microsoft Azure Active Directory
  • Okta and Auth0

JWT access tokens issued by an Identity Provider on behalf of a user (the resource owner) allow a client to access that user's protected resources in ORDS.

ORDS provides a new feature called JWT Profile, which defines how JWT bearer tokens can be validated for a particular REST-Enabled schema.

Example JWT Profile

JWTs presented as Bearer Tokens for protected resources of a particular REST-Enabled schema have to be:

  1. Signed with a signature that can be validated using the key set published at the schema's JWT Profile p_jwk_url
  2. Carrying an audience "aud" claim that matches the schema's JWT Profile p_audience
  3. Carrying an issuer "iss" claim that matches the schema's JWT Profile p_issuer

Once the JWT is validated, ORDS will accept:
  1. The JWT subject "sub" as the user principal making the request
  2. The JWT scope claim ("scope" or "scp") as the ORDS privileges being used by the client on behalf of the user

Example JWT Token

Example Request with JWT Bearer Token

NOTE: ORDS does not take part in the authentication/authorization flow; that is left to the client to perform with the Identity Provider. Therefore ORDS does not persist a client_id or client_secret. It acts solely as an OAuth2 Resource Server that validates JWT bearer tokens issued by an Identity Provider.

Additional Requirements

The JWK URL must be accessible from the ORDS server.
The JWT must be signed using one of the following algorithms:
  • RS256
  • RS384
  • RS512
The JWT scope claim must contain a value with the same name as the ORDS privilege protecting the resource.
Only one JWT Profile can be defined for each REST-Enabled schema.
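As an added example (not ORDS code and not from this post), the validation steps listed under "Example JWT Profile" and the requirements in this section, written as a resource-server check in Python: it looks up the RSA key by kid in a JWK set (what ORDS fetches from p_jwk_url), verifies an RS256/RS384/RS512 signature, then enforces iss, aud and the scope-to-privilege match before returning sub as the principal. An exp check is assumed here in addition to the checks the post lists; the function names and the handling of list-valued aud/scp claims are the example's own.

```python
import base64, hashlib, json, time

# Signing algorithms accepted (RS256/RS384/RS512): hash function + DigestInfo prefix (RFC 8017)
_ALGS = {
    "RS256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "RS384": (hashlib.sha384, bytes.fromhex("3041300d060960864801650304020205000430")),
    "RS512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15(alg: str, data: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of data for a k-byte modulus, returned as an integer."""
    h, prefix = _ALGS[alg]
    t = prefix + h(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def validate(token: str, jwks: dict, issuer: str, audience: str, privilege: str) -> str:
    """JWT Profile checks: JWK signature, iss, aud, exp (assumed), scope vs privilege.
    Returns the 'sub' claim to use as the principal, or raises ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    alg = header.get("alg")
    if alg not in _ALGS:  # rejects "none", HS*, and anything not on the RS* allowlist
        raise ValueError(f"unsupported alg {alg!r}")
    key = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no RSA key with matching kid in JWK set")
    n, e = (int.from_bytes(b64url_decode(key[x]), "big") for x in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s_b64)
    # RSASSA-PKCS1-v1_5 verify: sig^e mod n must equal the encoded hash of "header.payload"
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != emsa_pkcs1_v15(alg, f"{h_b64}.{p_b64}".encode(), k):
        raise ValueError("signature does not verify")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired or has no exp")
    scopes = claims.get("scope") or claims.get("scp") or []
    if privilege not in (scopes.split() if isinstance(scopes, str) else scopes):
        raise ValueError(f"scope does not grant privilege {privilege!r}")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]
```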