
Wednesday, March 25, 2020

Access OIC REST based Integrations using OAuth Token (No Password Expiry For Basic Auth User Anymore) !!!



Oracle Integration Cloud (OIC) is Oracle's next-generation integration Platform as a Service (PaaS) offering. The core purpose of this product is to integrate various SaaS and on-premises systems in real time. In addition to integration, it also provides Process Automation and Visual Builder capabilities. Detailed docs are available here.

OIC has the concept of adapters. A huge range of adapters is available and documented here.

One of these adapters, the REST Adapter, is used to expose an integration to the outside world for consumption. In other words, it is the entry point for most of the integrations we develop using OIC. It is also used to invoke any external REST-based endpoint.

The REST Adapter supports Basic Auth and various flavours of OAuth as security mechanisms to protect access to an integration.

However, not every OAuth flavour is supported for both the Trigger role (used as the entry point of an integration) and the Invoke role (used for invoking a third-party REST endpoint).

REST APIs exposed using the REST Adapter (Trigger Role) are protected using Basic Authentication and OAuth token-based authentication.

REST APIs consumed using the REST Adapter (Invoke role) support HTTP Basic Authentication, OAuth Client Credentials (two-legged flow), OAuth Resource Owner Password Credentials (two-legged flow), OAuth Authorization Code Credentials (three-legged flow), OAuth Custom Three Legged Flow, OAuth Custom Two Legged Flow, OAuth 1.0a One Legged Authentication, Amazon Web Services (AWS) Signature Version 4, and Oracle Cloud Infrastructure (OCI) Signature Version 1. There is also support for consuming APIs that are unprotected.

Now, the majority of customers choose Basic Auth when publishing an integration because it is very simple to implement, but it has a limitation: the user password expires every 3 months, which means changing the configuration of all integrations again every 3 months. We can avoid this problem by implementing an OAuth token which never expires.

Oracle has an official document for setting up a service account without expiry, but it is quite difficult to follow the instructions in that document. Hence, I thought I would publish more user-friendly instructions to achieve the same outcome.

In this blog, I will cover how we can invoke an integration exposed using the REST Adapter (Trigger role) with an OAuth token which doesn't expire.

To implement this solution we also need to understand the concepts of Oracle Identity Cloud Service (IDCS), which is the IAM solution for all Oracle PaaS services. Here is a useful video link for a quick understanding of IDCS.

Before I proceed any further, I would like to thank Callan Howell, who helped me during this POC.

To set up the whole flow, the activities below will be performed.
  • Getting the OAuth token needed to run the IDCS REST API to create an OAuth Confidential Application
  • Create an OAuth application, e.g. mgu_OIC_SVC_ACC_BASICAUTH, in IDCS for the Integration Service Account
  • Associate the newly created IDCS application mgu_OIC_SVC_ACC_BASICAUTH with the already existing OIC IDCS application, e.g. XXX-oic-sdxfgbq3uk5z-sy
  • Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

Getting the OAuth token needed to run the IDCS REST API to create an OAuth Confidential Application

Note: You should have Administrator access to your Cloud Tenancy to perform the task below.
Log in to cloud.oracle.com using your credentials and customer account, navigate to Identity >> Federation, and click the Oracle Identity Cloud Service URL to open IDCS.


At the top right corner, click on the user account and then click on "My Access Token".



Another window will open; at the rightmost corner you will see the "Download Token" option.



It will download a file, tokens.tok, which contains the token. Use the token value after ":" as highlighted.



Now we have the IDCS token which is required to run the IDCS REST API to create an IDCS Confidential application. To know more about IDCS Confidential applications, refer to this documentation.

Create an OAuth application, e.g. mgu_OIC_SVC_ACC_BASICAUTH, in IDCS for the Integration Service Account

The next step is to create the IDCS Confidential Application by using the IDCS REST API.
REST API Syntax:

curl -X POST "https://${IDCS_HOST}/admin/v1/Apps" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d "${Payload}"

Sample Variable Values are:-
${IDCS_HOST} - This value is the hostname of IDCS, which can be copied from the IDCS URL as per the above steps (use only the host part, without the https:// prefix and the trailing slash, in the command above). A sample URL looks like this - https://idcs-231e1e449a54437cbaf10xxxxxxxxxx.identity.oraclecloud.com/

${ACCESS_TOKEN} = This is the value which we got from the tokens.tok file. Please note: copy only the token value after the colon, as highlighted in the above snap. Leave out the word "app_access_token".

${Payload} = Change the "displayName" and "name" element values as per your choice.

{
  "active": true,
  "isOAuthClient": true,
  "allowedGrants": ["client_credentials"],
  "basedOnTemplate": {
    "value": "CustomWebAppTemplateId" },
  "clientType": "confidential",
  "displayName": "mgu_OIC_SVC_ACC_BASICAUTH",
  "name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH",
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
}

So, the final API call will look something like this -

curl -X POST https://idcs-231e1e449a54437cbxxxxxxxxxx.identity.oraclecloud.com/admin/v1/Apps -H 'Authorization: Bearer eyJ4NXQjUzI1NiIAb28U6d0OwSMFfiAm8KEP0ww' -H 'Content-Type: application/json' -d '{ "active": true, "isOAuthClient": true,"allowedGrants": ["client_credentials"],"basedOnTemplate": {"value": "CustomWebAppTemplateId"}, "clientType": "confidential", "displayName": "mgu_OIC_SVC_ACC_BASICAUTH", "name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'

Once executed successfully from any terminal, it will return a response stating that the application was created successfully.
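
The same call as a small script, added here as an example (it is not part of the original post or of Oracle's documentation). It reads the token from tokens.tok, validates the application names before placing them in the JSON payload, and passes the bearer token to curl on stdin instead of on the command line. The function names and the assumed tokens.tok layout (app_access_token:<token>, optionally with JSON braces and quotes) are assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of IDCS or OIC.

# Print the token that follows "app_access_token" and ":" in tokens.tok.
# Assumed layout: app_access_token:<token>, optionally with JSON braces/quotes.
extract_token() {
  sed -n 's/.*app_access_token"\{0,1\}[[:space:]]*:[[:space:]]*"\{0,1\}\([A-Za-z0-9._-]*\).*/\1/p' "$1" |
    head -n 1
}

# Build the App payload from the post. Names are restricted to a safe
# character set so they cannot break out of the JSON string.
build_app_payload() {  # usage: build_app_payload <displayName> <name>
  local v
  for v in "$1" "$2"; do
    case "$v" in
      '' | *[!A-Za-z0-9_-]*) echo "invalid app name: '$v'" >&2; return 1 ;;
    esac
  done
  printf '%s' '{"active": true, "isOAuthClient": true,' \
    ' "allowedGrants": ["client_credentials"],' \
    ' "basedOnTemplate": {"value": "CustomWebAppTemplateId"},' \
    ' "clientType": "confidential",'
  printf ' "displayName": "%s", "name": "%s",' "$1" "$2"
  printf '%s\n' ' "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'
}

# POST the payload to IDCS. The Authorization header is fed to curl on stdin
# (-H @-, curl 7.55.0+) so the bearer token never appears in the process list.
create_app() {  # usage: create_app <idcs_host> <tokens.tok> <displayName> <name>
  local token payload
  token=$(extract_token "$2")
  [ -n "$token" ] || { echo "no app_access_token in $2" >&2; return 1; }
  payload=$(build_app_payload "$3" "$4") || return 1
  printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS --fail -X POST "https://$1/admin/v1/Apps" \
      -H @- -H 'Content-Type: application/json' -d "$payload"
}

# Example (placeholder host): create_app idcs-XXXX.identity.oraclecloud.com \
#   ./tokens.tok mgu_OIC_SVC_ACC_BASICAUTH mgu_OIC_OIC_SVC_ACC_BASICAUTH
```

Delete tokens.tok once the application has been created, since the file holds an administrator access token in clear text.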



Log in to the IDCS console, go to the Applications menu and verify the newly created application. In my case it was "mgu_OIC_SVC_ACC_BASICAUTH".

Make a note of the Client ID and Client Secret. We will be using these to invoke the OIC integration.



Also note that we have allowed the "Client Credential" grant type for this application.


Associate the newly created IDCS application mgu_OIC_SVC_ACC_BASICAUTH with the already existing OIC IDCS application, e.g. XXX-oic-sdxfgbq3uk5z-sy

The next step is to associate this confidential application with the ServiceUser role of the OIC application, which is created out of the box during provisioning.

In order to do that, find your OIC application. In my case my OIC instance name was something like XXX_oic, so the corresponding IDCS application name was XXX-oic-sdxfgbq3uk5z-sy.

Once you have found the corresponding application, go to "Application Roles". Find "ServiceUser", click on the rightmost horizontal line for the "ServiceUser" role and select the "Assign Application" option.



Select the newly created confidential application and click OK.


Now all the configuration of the IDCS Confidential application, and the association of that application with the default OIC application, has been completed.

Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

The next step is simply to use the Client ID and Client Secret as authentication parameters to invoke the OIC REST integration.

For testing I have chosen the "Hello World" integration, which is created by default during OIC provisioning and is ready for invocation. This integration uses the REST Adapter (Trigger role).




Here is the Hello World integration flow. It echoes back "Hello world" along with the name passed in the query string when invoking the integration.


In Postman, use the Hello World integration URL, choose Basic Auth and pass the Client ID and Client Secret (OAuth Token) to invoke the integration.

Note: This token will never expire. If the token is compromised, IDCS offers an option to regenerate the client secret. A customer may have one Confidential application shared among multiple integrations, or create multiple confidential applications for different integrations; it depends entirely on how they want to structure access to the various integrations.



That’s it. As you can see, the OIC REST integration was successfully invoked using an OAuth Token which will never expire in future.

Stay tuned for more blogs !!!

Happy Blogging 🙂

Friday, March 13, 2020

Manage Custom Object in Salesforce using Oracle Integration Salesforce Adapter !!!


Customisation is an essential part of any SaaS implementation to capture unique business needs. In the Salesforce SaaS application, too, there can be several use cases where a user might need to create a new Custom Object or add custom fields to an existing Standard Object such as Contact, Account and Organisation. In this blog I will show how we can add a Custom Object, e.g. CochOrder, which can have multiple Custom Fields, e.g. Order Number, Shipping Cost, Source Region, Target Region and Total Amount, and how we can update that Custom Object's fields using the Oracle Integration Cloud (OIC) Salesforce adapter. I recommend reading my other blog, which I wrote to cover adding Custom Fields to an existing Standard Object such as Contact, Account and Organisation. Most of the steps are going to be the same as in the previous blog, so I am not going to repeat them here and will instead focus only on the new changes related to Custom Objects.
Before I go into the deep dive, I want to highlight that the core objective of this blog is to show the Salesforce configuration and the OIC Salesforce adapter configuration. I am assuming the reader already has a basic understanding of OIC product features such as Connection, Integration, mapping and deployment.
My colleague has already covered Salesforce inbound and outbound integration using the Oracle Integration Cloud Salesforce Adapter, so I will not repeat the steps which have already been covered in that blog. If you are doing a Salesforce integration for the first time, it is recommended to review these blogs before you proceed with this one.
So let's do the deep dive now. Below are the high-level flow and the steps which need to be performed to achieve the desired result.



  • Create a Custom Object, e.g. "CochOrder", which contains the fields Order Number, Shipping Cost, Source Region, Target Region and Total Amount, inside Salesforce
  • Create/Update Salesforce Connection in OIC
  • Create REST Adapter in OIC
  • Create Integration which maps Contact Object Custom Fields from REST Adapter to Salesforce Adapter
  • Activate Integration
  • Trigger Integration using Postman
  • Verify Result In Salesforce

Create Custom Object in Salesforce
Create a Custom Object, e.g. "CochOrder", which contains the fields Order Number, Shipping Cost, Source Region, Target Region and Total Amount, inside Salesforce.
Log in to Salesforce using your credentials and navigate to Setup >> Build >> Create >> Object >> New Custom Object.



Specify all the field values, e.g. label, object name, record name etc. If you need to understand the meaning of any particular field and its possible values, click on the "help for this page" option at the top right corner.



Once the object has been created, click on that object, go to the "Custom Field and Relationship" section and define new fields for this Custom Object. In our example we are going to create five fields: Order Number, Shipping Cost, Source Region, Target Region and Total Amount.



Select the data type of the new field.


Enter the details of the new Custom Field, e.g. Order Number, length and field name etc., as per your need.


In the next screen, you need to select the profiles which are allowed to access this new field. I haven't selected anything specific and left the default value. If you have any specific requirement, then select the relevant profile.

  
In this screen, the page layout where the new field will appear needs to be selected. Again, I left the default value.



That's it. Now the new custom field "Order Number" has been created. Similarly, create the other fields: Shipping Cost, Source Region, Target Region and Total Amount. Once done, the Custom Object CochOrder will look like this -


So, now the custom field creation process is done. Next we need to create a connection in OIC for Salesforce.

Create/Update Salesforce Connection in OIC

In order to create a connection in OIC for Salesforce, the user needs the Salesforce Enterprise WSDL, a token, and a username and password. Please refer to this blog for instructions on how to get the token and the Enterprise WSDL from Salesforce.
Once you have the Enterprise WSDL and the token, creating a Salesforce connection in OIC is a pretty simple process. Log in to the OIC console and, from the home page, navigate to Integration >> Connection >> Create >> find and select Salesforce >> specify any valid string as the connection name >> select the role Trigger and Invoke >> Create >> then configure Connectivity and Security.
Configure Connectivity: You need to browse to the Salesforce Enterprise WSDL.
Configure Security: You need to provide your password + Salesforce token. For example: if your password is mypassword, and your security token is XXXXXXXXXX, then you must enter mypasswordXXXXXXXXXX.
Then test the connection; it must show you the message "Connection SalesForceXXXX was tested successfully."



Now we are ready with the Salesforce connection. The next step is to create the REST Adapter in OIC.

Create REST Adapter in OIC

In this step, we need to create a REST connection in OIC with a valid Contact Object JSON payload having the Custom Field as input.
Again, navigate to Connection >> Create >> find and select "REST" >> specify any valid string as the connection name >> select the role Trigger and Invoke >> Create >> then configure Connectivity and Security.
Configure Connectivity: Specify Connection Type as "REST API Base URL", TLS Version as "TLSv1.1", Connection URL as "https://mgu-oic-dev-XXXX.integration.ocp.oraclecloud.com" and leave the others at their default values.
Configure Security: Provide your OIC username and password to secure this REST endpoint.



Now we are ready with the REST Adapter. In the next step we will create the integration.

Create Integration which maps CochOrder Custom Object Fields from REST Adapter to Salesforce

In this step we will create a new integration, using the REST connection as the source connection and the Salesforce connection as the target connection, and perform the mapping.

Salesforce Adapter configuration

Drop the Salesforce adapter from the right-hand invoke section onto the canvas and define the endpoint and other configuration -



Select Create, select Custom and find your Custom Object. It must be listed here. In my case it was "CochOrder_c". Then finish the adapter configuration.

Note:
If you are not able to find your Custom Object here, first check whether that object's XML elements appear in the Enterprise WSDL. If the WSDL doesn't have the corresponding XML elements, then the Custom Object won't be visible here, because all the metadata we see in the adapter comes from the Salesforce Enterprise WSDL only. If you used an old Enterprise WSDL in the connection, generated before you created the Custom Object, the metadata won't refresh automatically here. Generate a new Enterprise WSDL and reconfigure your Salesforce adapter.



Similarly, configure the REST adapter and perform the mapping. I am not going to cover those steps in detail here.


Once the mapping is done and the flow is complete, activate the integration.
The integration flow which I built looks something like this. The highlighted area is the mapping and the Salesforce adapter call -



Once the integration is activated, trigger a request using Postman and verify the Salesforce Custom Object inside Salesforce.



Log in to Salesforce and go to your Custom Object page. A dedicated page is created for your Custom Object, where you can see all the orders newly created as part of this integration flow.



That's it. As you can see, multiple orders have been created inside Salesforce using the CochOrder Custom Object.

I hope this blog will help you to understand how easily and simply we can add a new Custom Object in Salesforce and perform create/update operations using the Oracle Integration Salesforce Adapter.

So, stay tuned for more blogs !!!

Happy Blogging :)