Oracle Integration Cloud (OIC) is Oracle's next generation modern
Integration solution Platform as a Service (PaaS) offering. The core purpose of
this product to integrate various SaaS and On-prem systems real time. In
addition to Integration capability, it also provides Process Automation and
Visual Builder Capability. Details docs are available here.
OIC has concept of Adapters. There are huge range of adapters available
and documented here.
One of the Adapter REST Adapter been used to expose an Integration
to outside world for consumption. In order word, it's an entry point for most
of Integrations what we developed using OIC. It also gets used to invoke any
external REST based endpoint.
REST Adapter support Basic Auth and various flavour of OAuth as security
mechanism to protect the Integration access.
However, not all OAuth flavour supported for Trigger Role (Used as Entry
point of Integration) vs Invoke Role (Used for invoking third party REST
endpoint).
REST APIs exposed using the REST Adapter (Trigger Role) are protected
using Basic Authentication and OAuth token-based authentication.
REST API consumed using the REST Adapter (Invoke Role) Support HTTP
Basic Authentication, OAuth Client Credentials (two-legged flow), OAuth
Resource Owner Password Credentials (two-legged flow), OAuth Authorization Code
Credentials (three-legged flow), OAuth Custom Three Legged Flow, OAuth Custom
Two Legged Flow, OAuth 1.0a One Legged Authentication, Amazon Web Services
(AWS) Signature Version 4, and Oracle Cloud Infrastructure (OCI) Signature
Version 1. There is also support for consuming APIs that are unprotected.
Now, majority of Customers chose Basic AUTH while publishing an
Integration because it's very simply to implement but has limitation because
the user password gets expired in every 3 month which result changing all
Integrations configuration again in 3 month of time. We can very well
avoid this problem by Implementing OAuth token which never gets expired.
Oracle has official document for setting up Service Account without
expiry but it’s quite difficult to follow instructions from that document.
Hence, I thought to publish more user friendly instructions to achieve
the same outcome.
In this blog, I will be covering how we can invoke an Integration
exposed using REST Adapter (Trigger role) using OAuth token which doesn't get
expired.
To implement this solution we also need to understand Oracle Identity
Cloud Service concept which is IAM solution for all Oracle PaaS services. Here
useful Videos link for quick understanding of IDCS.
Before I proceed anything further, I would like to thanks Callan Howell
who helped me during this POC.
In order to setup the whole
flow below activities will be performed.
- Getting OAuth token which needed to run IDCS REST API to create an OAuth Confidential Application
- Create an OAuth application e.g. mgu_OIC_SVC_ACC_BASICAUTH in IDCS for Integration Service Account Purpose
- Associate newly created IDCS Application mgu_OIC_SVC_ACC_BASICAUTH to already existed OIC IDCS application e.g. XXX-oic-sdxfgbq3uk5z-sy
- Test Hello Word OIC Integration using OAuth Client ID and Client Secret
Getting OAuth token which needed to run IDCS REST API to create an OAuth
Confidential Application
Note: You should have Administrator access to your Cloud Tenancy to achieve
below task.
Login to cloud.oracle.com using your credentials and Customer account
and navigate to Identity >> Federation >> click Oracle Identity
Cloud Service URL to open IDCS
At rightmost top corner,
click on user account and then click further on "My Access Token"
Another window will open,
at rightmost corner you will "Download Token" option
It will download a file tokens.tok which will contain token. Use the
token value after ":" as highlighted
Now, we got the IDCS token which is required to run IDCS REST API to
create an IDCS Confidential application. To know more about IDCS Confidential
application refer this documentation.
Create an OAuth application e.g. mgu_OIC_SVC_ACC_BASICAUTH in IDCS for
Integration Service Account Purpose
Next step is to create IDCS
Confidential Application by using IDCS REST API.
REST API Syntax:
curl -X POST https://${IDCS_HOST}/admin/v1/Apps
-H 'Authorization: Bearer ${ACCESS_TOKEN}'
-H 'Content-Type:
application/json' -d '{$Payload}'
Sample Variable Values
are:-
${IDCS_HOST} - This value is hostname
of IDCS which can be copied of IDCS URL as per above steps. Sample value look
like this -
https://idcs-231e1e449a54437cbaf10xxxxxxxxxx.identity.oraclecloud.com/
${ACCESS_TOKEN} = This is value which we
got from tokens.tok file. Please note copy only token value after semi colon as
highlighted in above snap. Leave the word "app_access_token"
${Payload} = Change
"displayName" and "name" element values as per your choice.
"active": true,
"isOAuthClient": true,
"allowedGrants": ["client_credentials"],
"basedOnTemplate": {
"value": "CustomWebAppTemplateId" },
"clientType": "confidential",
"displayName": "mgu_OIC_SVC_ACC_BASICAUTH",
"name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH",
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
"isOAuthClient": true,
"allowedGrants": ["client_credentials"],
"basedOnTemplate": {
"value": "CustomWebAppTemplateId" },
"clientType": "confidential",
"displayName": "mgu_OIC_SVC_ACC_BASICAUTH",
"name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH",
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
So, final API will look
something like this -
curl -X POST
https://idcs-231e1e449a54437cbxxxxxxxxxx.identity.oraclecloud.com/admin/v1/Apps
-H 'Authorization: Bearer
eyJ4NXQjUzI1NiIAb28U6d0OwSMFfiAm8KEP0ww'
-H 'Content-Type: application/json' -d '{ "active": true,
"isOAuthClient": true,"allowedGrants":
["client_credentials"],"basedOnTemplate":
{"value": "CustomWebAppTemplateId"},
"clientType": "confidential", "displayName":
"mgu_OIC_SVC_ACC_BASICAUTH", "name":
"mgu_OIC_OIC_SVC_ACC_BASICAUTH", "schemas":
["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'
Once executed successfully
from any terminal, it will give response stating application created
successfully.
Login to IDCS console, go to application menu and verify newly created
application. In my case it was "mgu_OIC_SVC_ACC_BASICAUTH"
Make a note of client Id
and client secret. We will be using this to invoke OIC Integration.
Also note the we have
allowed "Client Credential" type of grant to this application.
Associate newly created IDCS Application mgu_OIC_SVC_ACC_BASICAUTH
to already existed OIC IDCS application e.g. XXX-oic-sdxfgbq3uk5z-sy
Next step to associate this confidential application to OIC application
ServiceUser role which out-of-box gets created during provisioning.
In order to that. Find out your OIC Application. In my case my OIC
Instance name was something like XXX_oic, so corresponding IDCS application
name was XXX-oic-sdxfgbq3uk5z-sy
Once, find the corresponding application, go to "Application
Roles". Find out "ServiceUser", click on right most horizontal
line for "ServiceUser" role and select "Assign Application"
option.
Select the newly created
confidential application and click ok
Now all the configuration related to IDCS Confidential application and
association of that application to default OIC application been completed.
Test Hello Word OIC Integration using OAuth Client ID and Client Secret
Next step is just to use the Client ID and Client Secret ID as
Authentication parameter to invoke OIC REST Integration.
For testing I have chosen "Hello World" Integration which by
default gets created during OIC provisioning and ready for invocation. This
Integration using REST Adapter (Trigger) Role.
Here is Hello World
Integration flow. It echoes back "Hello world" along with name passed
in query string while invoking integration
In Postman use the Hello world Integration URL, chose basic auth and
pass the Client ID and Client Secret (OAuth Token) to invoke the integration.
Note: This token will never expire. In case if token been compromised then
IDCS offers option regenerate client secret. Customer may have one Confidential
application shared among multiple Integrations or create multiple confidential
applications for different Integrations, completely depends on how they want to
structure accessibility of various integrations.
That’s it, as you can
witness that OIC REST Integration was able to successfully invoked using
OAuth
Token which will never expire in future.
Stay tuned for more blogs
!!!
Happy Blogging 🙂