OWSM currently does not support REST security. Oracle is planning to add support in upcoming 11g release-PS6 and 12c releases.
SAML V/s OAuth in REST
In terms of SAML vs. OAuth. OAuth has more buzz and is prevalent/popular for REST. However the answer can vary based on the use-case. For simple identity propagation – it’s better to use SAML.
SAML is supported by OWSM. OAuth is more suited for cases where we don’t want to propagate the password. OAuth uses digital signatures instead of sending the full credentials with each request. Digital signatures help the recipient to verify that the content of the request hasn’t changed in transit. To do that, the sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.
In today’s Service Bus product, security for RESTful API is provided using transport level security (SSL). In 184.108.40.206 (PS6), one can apply OWSM transport policies to non-WSDL services (aka RESTful API).
Service Bus has a custom token capability a few customers are using for proprietary tokens for RESTful API (in lieu of OAUTH below) read more here:
So the only option is to use custom Oauth mechanism implemented in Java and I will mention more on this implementation in my coming articles