Access OIC REST based Integrations using an OAuth Client (No Password Expiry For Basic Auth User Anymore) !!!

Oracle Integration Cloud (OIC) is Oracle's next-generation integration Platform as a Service (PaaS) offering. The core purpose of the product is to integrate various SaaS and on-premises systems in real time. In addition to integration capability, it also provides Process Automation and Visual Builder capabilities. Detailed docs are available here.

OIC has the concept of Adapters. A huge range of adapters is available and documented here.

One of these, the REST Adapter, is used to expose an Integration to the outside world for consumption. In other words, it is the entry point for most of the Integrations we develop using OIC. It is also used to invoke any external REST-based endpoint.

The REST Adapter supports Basic Auth and various flavours of OAuth as the security mechanism protecting access to an Integration.

However, not all OAuth flavours are supported for both the Trigger role (used as the entry point of an Integration) and the Invoke role (used for invoking a third-party REST endpoint).

REST APIs exposed using the REST Adapter (Trigger role) are protected using Basic Authentication and OAuth token-based authentication.

REST APIs consumed using the REST Adapter (Invoke role) support HTTP Basic Authentication, OAuth Client Credentials (two-legged flow), OAuth Resource Owner Password Credentials (two-legged flow), OAuth Authorization Code Credentials (three-legged flow), OAuth Custom Three-Legged Flow, OAuth Custom Two-Legged Flow, OAuth 1.0a One-Legged Authentication, Amazon Web Services (AWS) Signature Version 4, and Oracle Cloud Infrastructure (OCI) Signature Version 1. There is also support for consuming APIs that are unprotected.

Now, the majority of customers choose Basic Auth when publishing an Integration because it is very simple to implement, but it has a limitation: the user's password expires every 3 months, which means reconfiguring all Integrations again every 3 months. We can avoid this problem by implementing an OAuth token that never expires.

Oracle has an official document for setting up a Service Account without expiry, but its instructions are quite difficult to follow. Hence, I thought I would publish more user-friendly instructions to achieve the same outcome.

In this blog, I will cover how we can invoke an Integration exposed using the REST Adapter (Trigger role) with an OAuth token that doesn't expire.

To implement this solution we also need to understand Oracle Identity Cloud Service (IDCS), which is the IAM solution for all Oracle PaaS services.

Before I proceed any further, I would like to thank Callan HP, who helped me during this POC.

In order to set up the whole flow, the activities below will be performed.

  • Getting an access token which is used to invoke the IDCS REST API
  • Create an OAuth application in IDCS for Integration Service Account Purpose
  • Associate newly created IDCS Application to OIC
  • Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

Getting an access token which is used to invoke the IDCS REST API

Note: You need at least the Application Administrator role in your Identity Cloud Service to perform the task below.

Log in to cloud.oracle.com using your credentials and customer account, navigate to Identity >> Federation >> and click the Oracle Identity Cloud Service URL to open the IDCS Admin Console.

At the top right corner, click on the user account and then click "My Access Token".

Another window will open, and after selecting which roles you want a token for (the next step requires at least "Application Administrator"), you will be able to obtain a token by clicking the "Download Token" button at the rightmost corner.

It will download a file, tokens.tok, which contains an access token in a JSON wrapper. Copy the value of the "app_access_token" attribute.

Now we have the IDCS token, which can be used to invoke the IDCS REST API to create a new IDCS Application. To know more about IDCS Confidential Applications, refer to the documentation.

Create an OAuth application in IDCS for Integration Service Account Purpose

The next step is to create an IDCS Confidential Application using the IDCS REST API.

REST API syntax (using curl). Note the backslash line continuations and the double quotes around the variables, which are needed so that the shell expands them:

curl -X POST "https://${IDCS_HOST}/admin/v1/Apps" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d "${PAYLOAD}"

Sample variable values are:

${IDCS_HOST} – the hostname of your IDCS instance, which can be copied from the IDCS URL opened in the steps above, without the https:// prefix or trailing slash. For example, for the URL https://idcs-231exxxxxxxxxx.identity.oraclecloud.com/ the value is idcs-231exxxxxxxxxx.identity.oraclecloud.com

${ACCESS_TOKEN} – the value of the app_access_token attribute from the tokens.tok file.

${PAYLOAD} – the JSON document below, including the outer braces. Change the "displayName" and "name" values as you wish. The "name" attribute must end with "_BASICAUTH" to be usable with OIC.

{
  "active": true,
  "isOAuthClient": true,
  "allowedGrants": ["client_credentials"],
  "basedOnTemplate": { "value": "CustomWebAppTemplateId" },
  "clientType": "confidential",
  "displayName": "<Your App name here>",
  "name": "<app_name>_BASICAUTH",
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
}

So the final API call will look something like this:

curl -X POST https://idcs-231e1exxxxxxxxxx.identity.oraclecloud.com/admin/v1/Apps -H 'Authorization: Bearer eyJ4NX...' -H 'Content-Type: application/json' -d '{ "active": true, "isOAuthClient": true,"allowedGrants": ["client_credentials"],"basedOnTemplate": {"value": "CustomWebAppTemplateId"}, "clientType": "confidential", "displayName": "mgu_OIC_SVC_ACC_BASICAUTH", "name": "mgu_OIC_SVC_ACC_BASICAUTH", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'

Once executed successfully from any terminal, it will return a response stating that the application was created successfully.

Log in to the IDCS console, go to the Applications menu and verify the newly created application. In my case it was "mgu_OIC_SVC_ACC_BASICAUTH".

Make a note of the Client ID and Client Secret. We will use these to invoke the OIC Integration.

Also note that we have allowed the "Client Credentials" grant type for this application.

Associate newly created IDCS Application with OIC

The next step is to associate this confidential application with the OIC application's ServiceUser role. This role is created by default during OIC provisioning and can be managed in IDCS.

In order to assign this role to the new application, find your OIC application in IDCS. If your OIC instance name is something like xxx-oic, the corresponding IDCS application name is xxx-oic-abcdef12345-sy. The quickest way to locate it is probably to type your instance name in the search bar at the top right of the Applications list.

Once you have found the corresponding application, open it and go to "Application Roles". Then select the hamburger menu on the right of the "ServiceUser" role and select "Assign Application".

Search for and select the newly created confidential application and click OK.

Now all the configuration related to the IDCS Confidential Application, and its association with the default OIC application, is complete.

Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

The final step is to test this configuration, using the Client ID and Client Secret as the authentication parameters to invoke an OIC REST Integration.

For testing I have chosen the "Hello World" Integration, which is created by default during OIC provisioning and is ready for invocation. This Integration uses the REST Adapter in the Trigger role.

The Hello World Integration flow echoes back "Hello world" along with the name passed in the query string when the integration is invoked.

In Postman, use the Hello World Integration URL, choose Basic Auth and pass the Client ID and Client Secret (the OAuth client credentials) as the username and password to invoke the integration.

Note: this token will never expire. If the secret is compromised, IDCS offers the option to regenerate the client secret. Customers may have one Confidential Application shared among multiple Integrations, or create multiple Confidential Applications for different Integrations; it depends entirely on how they want to structure access to the various integrations.

That's it: the OIC REST Integration was successfully invoked using client credentials that will not expire (though they can be revoked from IDCS if required).
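The two curl calls from this post, the application creation in IDCS and the Basic Auth invocation of the integration, wrapped in a small POSIX shell script as an added example (not the post's own script). It assumes the caller exports IDCS_HOST, ACCESS_TOKEN, OIC_URL, CLIENT_ID and CLIENT_SECRET, and that the Hello World integration reads the name from a query parameter called "name" (an assumption; the post does not show the parameter name).

```bash
#!/bin/sh
# Added example, not the post's own script. Assumes the caller exports
# IDCS_HOST, ACCESS_TOKEN (app_access_token from tokens.tok), OIC_URL
# (the Hello World integration endpoint), CLIENT_ID and CLIENT_SECRET.

# Accept the IDCS host either as a bare hostname or as the full URL copied
# from the browser: the scheme and a trailing slash are stripped.
normalize_host() {
  h=${1#https://}
  h=${h#http://}
  h=${h%/}
  printf '%s' "$h"
}

# Emit the IDCS confidential-app payload from the post. Refuses a name that
# does not end in _BASICAUTH, because OIC only accepts that suffix.
build_app_payload() {
  display_name=$1
  app_name=$2
  case $app_name in
    *_BASICAUTH) ;;
    *) echo "app name must end with _BASICAUTH: $app_name" >&2; return 1 ;;
  esac
  printf '{"active": true, "isOAuthClient": true, "allowedGrants": ["client_credentials"], "basedOnTemplate": {"value": "CustomWebAppTemplateId"}, "clientType": "confidential", "displayName": "%s", "name": "%s", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}' \
    "$display_name" "$app_name"
}

# Create the application through the IDCS Apps REST API. Double quotes are
# required so that the bearer token and the payload are expanded.
create_idcs_app() {
  payload=$(build_app_payload "$1" "$2") || return 1
  curl -sS -X POST "https://$(normalize_host "$IDCS_HOST")/admin/v1/Apps" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "$payload"
}

# Invoke the integration: the client ID and secret are sent as HTTP Basic
# credentials, exactly as the Postman setup in the post does.
# The "name" query parameter is an assumption; the post does not show it.
invoke_oic() {
  curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" "$OIC_URL?name=$1"
}

# Only perform the network calls when explicitly asked for.
if [ -n "${RUN_OIC_EXAMPLE:-}" ]; then
  create_idcs_app "mgu_OIC_SVC_ACC_BASICAUTH" "mgu_OIC_SVC_ACC_BASICAUTH"
  invoke_oic "World"
fi
```

Run it with RUN_OIC_EXAMPLE=1 and the five variables exported to perform the calls; without that variable it only defines the functions, so the payload builder can be checked locally first.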

Stay tuned for more blogs !!!

Happy Blogging 🙂

Author: Manish Kumar Gupta

I am currently designated as Principal Presales Consultant in Oracle, Sydney, Australia, having 17+ years of professional experience. I am currently looking after presales activities for iPaaS-related Cloud Offerings, e.g. Oracle SOA Cloud Service (OSCS), Oracle Integration Cloud Service (OIC), MFT and Oracle API Platform. In the past I have worked for many small to large companies. I have played various roles such as Integration Solution Architect / Integration Technical Architect / Integration Team Lead / Integration Specialist / SOA Infrastructure Admin / SOA Designer and SOA Developer in multiple companies. I have worked with various OFMW products such as WebLogic, OSB, BAM, SOA Suite, OWSM and Mediator. I have good hands-on experience in SOA Administration as well. In addition to that, I have hands-on experience of SOA Architecture, Analysis, Design, Development, SIT Testing, Performance and Load Testing, Production and Post-Production Support for SOA projects.
