
Thursday, April 6, 2023

VBCS Fixed Credentials Configuration for backend API Service Connection!!!

Recently, I came across a scenario where one of my customers was building a VBCS application that needs a combobox populated with all IDCS user names as approvers. The customer built the solution but was having an issue with it. The problem was that when one user, e.g. the Sys Admin user ID (Administrator role), logs in with his credentials, he can see the combobox populated with IDCS user names. However, when another business user logs in, they can't see the combobox fetching the IDCS user list. Obviously, it's a permission issue. The Sys Admin, being part of the IDCS Admin group, has all privileges, but the other users in his tenancy do not, hence the problem.

 

Now, VBCS has two mechanisms for identity propagation. Please read this section for more info.

a) The logged-in user's identity gets propagated to invoke the REST API as part of the service connection.
b) The developer can use fixed credentials to invoke the backend REST API using the service connection.

 

To fix this problem we need to use the second approach, which I am going to discuss in this blog. The Fixed Credentials approach avoids user identity propagation and uses an IDCS confidential app as a generic user for authentication.

 

So, we needed a couple of configurations for this solution, as highlighted below:

 

Note: I am only covering the key aspects of this solution here, not step-by-step instructions for the whole configuration. The assumption is that the reader of this blog is already well aware of how a VBCS application works and how to populate a service endpoint API result into a VBCS combobox component.

 

IDCS Configuration

 

A confidential IDCS application with the “Client Confidential” & “Refresh token” grant types and a valid scope that allows read-only permission on the IDCS Users REST API is required. I discussed this scenario with my IDCS Administrator, and he created an IDCS Confidential Application with the “Client Confidential” & “Refresh token” grant types and the “Audit Administrator” role, as per the snapshot below:

 


 


The “Audit Administrator” role is the read-only privilege that allows this IDCS application to read the IDCS Users list, and the technical scope value for this privilege is “urn:opc:idm:t.users_r”.

 

So, once the IDCS application is activated, we can get the client ID and client secret values, which we need at a later stage. Note down both the Client ID and Client Secret values.

 

 

VBCS Configuration

 

Once the IDCS part is done, we just need to create a service connection (open VBCS application >> services >> Service connection) inside VBCS for the IDCS Users API with the details below:

 

Authentication type: OAuth 2.0 Client Credentials

IDCS Users REST API: https://idcs-5dfcc4d6691c419aad5dxxxxxxd4ccb159931c8.identity.oraclecloud.com/admin/v1/Users

IDCS token REST API: https://idcs-5dfcc4d6691c419axxxxxx4ccb159931c8.identity.oraclecloud.com/oauth2/v1/token

ClientId: Client ID value copied from the IDCS App

Client Secret: Client Secret value copied from the IDCS App

Scope: IDCS scope value, which you can get from the IDCS Administrator, e.g. urn:opc:idm:t.users_r

Once the service endpoint is configured, the developer can visit the “Test” tab and test the connection and API:

 

Once the connection and API are tested, we can create “types” using this endpoint. You can then create “Variables” using the newly created types and bind such a variable to the ComboBox (Many) component.

 

 

As you can see in the above snapshot, the combobox has been populated with the IDCS users list, and no matter which user accesses this VBCS application, VBCS will always use this fixed-connection IDCS confidential application to call IDCS and populate this combobox with the result.
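The exchange that the fixed-credentials service connection performs, written out as an added Python example (not code from VBCS or from this blog's application), together with a check that the shared credential carries only the read-only scope, since every application user inherits whatever it can do. The tenant host, the `value`/`label` field names, the helper names and the sample token are assumptions; the token is assumed to be a JWT with a space-delimited `scope` claim.

```python
import base64, json, urllib.parse, urllib.request

IDCS_BASE = "https://idcs-EXAMPLE.identity.oraclecloud.com"  # placeholder tenant host
SCOPE = "urn:opc:idm:t.users_r"  # read-only Users scope named in the post

def build_token_request(client_id, client_secret, scope=SCOPE):
    """Client-credentials grant: the app authenticates as itself, no user identity."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return urllib.request.Request(
        IDCS_BASE + "/oauth2/v1/token", data=body.encode(), method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})

def granted_scopes(access_token):
    """Read the scope claim from the JWT payload (inspection only, no signature check).
    Assumes the access token is a JWT with a space-delimited 'scope' claim."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scope", "").split())

def is_read_only(access_token):
    """True only if the shared credential carries exactly the read-only Users scope."""
    return granted_scopes(access_token) == {SCOPE}

def build_users_request(access_token):
    """Ask only for the attributes the combobox needs, since every app user sees them."""
    query = urllib.parse.urlencode({"attributes": "userName,displayName"})
    return urllib.request.Request(IDCS_BASE + "/admin/v1/Users?" + query,
                                  headers={"Authorization": "Bearer " + access_token})

def approver_options(scim_response):
    """Map the SCIM list response to value/label pairs (illustrative field names)."""
    return [{"value": u["userName"], "label": u.get("displayName", u["userName"])}
            for u in scim_response.get("Resources", [])]

def make_sample_token(scope):
    """Constructed, unsigned token for the offline demo; not a real IDCS token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"scope": scope}), "sig"])

if __name__ == "__main__":
    token = make_sample_token(SCOPE)  # constructed
    sample = {"Resources": [{"userName": "jdoe@example.com", "displayName": "Jane Doe"}]}
    print(build_token_request("CLIENT_ID", "CLIENT_SECRET").full_url)
    print(is_read_only(token), approver_options(sample))
```

Running `is_read_only` against a token obtained with the real client ID and secret is a quick way to confirm the confidential app was not granted more than the Users read scope.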

 

I hope you will find this blog very helpful. Please feel free to share your thoughts in the comment section.

 

Happy blogging