
Wednesday, March 25, 2020

Access OIC REST based Integrations using OAuth Token (No Password Expiry For Basic Auth User Anymore) !!!



Oracle Integration Cloud (OIC) is Oracle's next-generation integration Platform as a Service (PaaS) offering. The core purpose of this product is to integrate various SaaS and on-premises systems in real time. In addition to integration capability, it also provides Process Automation and Visual Builder capabilities. Detailed docs are available here.

OIC has the concept of Adapters. There is a huge range of adapters available, documented here.

One of them, the REST Adapter, is used to expose an Integration to the outside world for consumption. In other words, it's the entry point for most of the Integrations we develop using OIC. It is also used to invoke any external REST-based endpoint.

The REST Adapter supports Basic Auth and various flavours of OAuth as security mechanisms to protect Integration access.

However, not all OAuth flavours are supported for the Trigger Role (used as the entry point of an Integration) versus the Invoke Role (used for invoking a third-party REST endpoint).

REST APIs exposed using the REST Adapter (Trigger Role) are protected using Basic Authentication and OAuth token-based authentication.

REST APIs consumed using the REST Adapter (Invoke Role) support HTTP Basic Authentication, OAuth Client Credentials (two-legged flow), OAuth Resource Owner Password Credentials (two-legged flow), OAuth Authorization Code Credentials (three-legged flow), OAuth Custom Three Legged Flow, OAuth Custom Two Legged Flow, OAuth 1.0a One Legged Authentication, Amazon Web Services (AWS) Signature Version 4, and Oracle Cloud Infrastructure (OCI) Signature Version 1. There is also support for consuming APIs that are unprotected.

Now, the majority of customers choose Basic Auth while publishing an Integration because it's very simple to implement, but it has a limitation: the user password expires every 3 months, which results in changing the configuration of all Integrations again every 3 months. We can avoid this problem by implementing an OAuth token which never expires.

Oracle has an official document for setting up a Service Account without expiry, but it's quite difficult to follow the instructions in that document. Hence, I thought to publish more user-friendly instructions to achieve the same outcome.

In this blog, I will cover how we can invoke an Integration exposed using the REST Adapter (Trigger role) with an OAuth token which doesn't expire.

To implement this solution we also need to understand Oracle Identity Cloud Service (IDCS), which is the IAM solution for all Oracle PaaS services. Here is a useful video link for a quick understanding of IDCS.

Before I proceed any further, I would like to thank Callan Howell, who helped me during this POC.

In order to set up the whole flow, the activities below will be performed.
  • Get an OAuth token, which is needed to run the IDCS REST API to create an OAuth Confidential Application
  • Create an OAuth application, e.g. mgu_OIC_SVC_ACC_BASICAUTH, in IDCS for Integration Service Account purposes
  • Associate the newly created IDCS application mgu_OIC_SVC_ACC_BASICAUTH with the already existing OIC IDCS application, e.g. XXX-oic-sdxfgbq3uk5z-sy
  • Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

Get an OAuth token, which is needed to run the IDCS REST API to create an OAuth Confidential Application

Note: You should have Administrator access to your Cloud Tenancy to perform the task below.
Log in to cloud.oracle.com using your credentials and Customer account, navigate to Identity >> Federation, and click the Oracle Identity Cloud Service URL to open IDCS.


At the top right corner, click on the user account and then click "My Access Token".



Another window will open; at the right-hand corner you will see the "Download Token" option.



It will download a file tokens.tok which contains the token. Use the token value after ":" as highlighted.



Now we have the IDCS token, which is required to run the IDCS REST API to create an IDCS Confidential Application. To know more about IDCS Confidential Applications, refer to this documentation.

Create an OAuth application, e.g. mgu_OIC_SVC_ACC_BASICAUTH, in IDCS for Integration Service Account purposes

The next step is to create the IDCS Confidential Application using the IDCS REST API.
REST API syntax (double quotes around the Bearer header and the body so that the shell expands the variables):

curl -X POST "https://${IDCS_HOST}/admin/v1/Apps" -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' -d "${Payload}"

Sample variable values are:
${IDCS_HOST} - the hostname of IDCS, which can be copied from the IDCS URL as per the steps above (use only the host part, without https:// and the trailing slash). A sample IDCS URL looks like this - https://idcs-231e1e449a54437cbaf10xxxxxxxxxx.identity.oraclecloud.com/

${ACCESS_TOKEN} - the value we got from the tokens.tok file. Please note: copy only the token value after the colon, as highlighted in the snap above, and leave out the word "app_access_token".

${Payload} - the JSON body below. Change the "displayName" and "name" element values as per your choice.

{
  "active": true,
  "isOAuthClient": true,
  "allowedGrants": ["client_credentials"],
  "basedOnTemplate": {
    "value": "CustomWebAppTemplateId"
  },
  "clientType": "confidential",
  "displayName": "mgu_OIC_SVC_ACC_BASICAUTH",
  "name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH",
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
}

So, the final API call will look something like this -

curl -X POST https://idcs-231e1e449a54437cbxxxxxxxxxx.identity.oraclecloud.com/admin/v1/Apps -H 'Authorization: Bearer eyJ4NXQjUzI1NiIAb28U6d0OwSMFfiAm8KEP0ww' -H 'Content-Type: application/json' -d '{ "active": true, "isOAuthClient": true,"allowedGrants": ["client_credentials"],"basedOnTemplate": {"value": "CustomWebAppTemplateId"}, "clientType": "confidential", "displayName": "mgu_OIC_SVC_ACC_BASICAUTH", "name": "mgu_OIC_OIC_SVC_ACC_BASICAUTH", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'

Once executed successfully from any terminal, it will return a response stating that the application was created successfully.



Log in to the IDCS console, go to the Applications menu and verify the newly created application. In my case it was "mgu_OIC_SVC_ACC_BASICAUTH".

Make a note of the Client ID and Client Secret. We will use these to invoke the OIC Integration.



Also note that we have allowed only the "Client Credentials" grant type for this application.


Associate the newly created IDCS application mgu_OIC_SVC_ACC_BASICAUTH with the already existing OIC IDCS application, e.g. XXX-oic-sdxfgbq3uk5z-sy

The next step is to associate this Confidential Application with the OIC application's ServiceUser role, which is created out of the box during provisioning.

To do that, find your OIC application. In my case my OIC instance name was something like XXX_oic, so the corresponding IDCS application name was XXX-oic-sdxfgbq3uk5z-sy.

Once you find the corresponding application, go to "Application Roles". Find "ServiceUser", click the rightmost horizontal-lines menu for the "ServiceUser" role and select the "Assign Application" option.



Select the newly created Confidential Application and click OK.


Now all the configuration related to the IDCS Confidential Application and its association with the default OIC application has been completed.

Test the Hello World OIC Integration using the OAuth Client ID and Client Secret

The next step is just to use the Client ID and Client Secret as the authentication parameters to invoke the OIC REST Integration.

For testing I have chosen the "Hello World" Integration, which is created by default during OIC provisioning and is ready for invocation. This Integration uses the REST Adapter (Trigger) role.




Here is the Hello World Integration flow. It echoes back "Hello world" along with the name passed in the query string when the integration is invoked.


In Postman, use the Hello World Integration URL, choose Basic Auth and pass the Client ID and Client Secret (OAuth Token) to invoke the integration.

Note: This token will never expire. If the token is compromised, IDCS offers the option to regenerate the client secret. Customers may have one Confidential Application shared among multiple Integrations, or create multiple Confidential Applications for different Integrations; it depends entirely on how they want to structure access to the various integrations.
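As an added example (not code from the original post or from Oracle), the script below puts the steps above into reusable functions: reading the token out of tokens.tok, building the same /admin/v1/Apps payload used to create the Confidential Application, and invoking the Hello World Integration with the Client ID and Client Secret as Basic Auth, exactly as done in Postman. It assumes tokens.tok is JSON of the form {"app_access_token": "..."} (with a plain app_access_token:... line accepted as a fallback) and that the IDCS host may be given either as a bare hostname or as the full URL shown earlier; the network calls run only when the functions are called with real values.

```python
import base64
import json
import urllib.request

def token_from_tokens_file(text):
    """Token from tokens.tok: keep only the value after ':'. Assumption: the file is
    JSON like {"app_access_token": "eyJ..."}; a bare key:value line also works."""
    try:
        return json.loads(text)["app_access_token"]
    except ValueError:
        _, _, value = text.strip().partition(":")
        return value.strip().strip('"')

def confidential_app_payload(display_name, name):
    """Body for POST /admin/v1/Apps as in the post; only the two names vary."""
    return {
        "active": True,
        "isOAuthClient": True,
        "allowedGrants": ["client_credentials"],  # the only grant we allow
        "basedOnTemplate": {"value": "CustomWebAppTemplateId"},
        "clientType": "confidential",
        "displayName": display_name,
        "name": name,
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"],
    }

def idcs_base_url(idcs_host):
    """Accept a bare hostname or the full IDCS URL, with or without trailing '/'."""
    host = idcs_host.strip().rstrip("/")
    return host if host.startswith("https://") else "https://" + host

def basic_auth_header(client_id, client_secret):
    """Basic header carrying client_id:client_secret, as Postman builds it."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def create_confidential_app(idcs_host, access_token, payload):
    """POST the payload to IDCS and return the created App resource (network call)."""
    req = urllib.request.Request(
        idcs_base_url(idcs_host) + "/admin/v1/Apps",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def invoke_integration(url, client_id, client_secret):
    """GET the Hello World endpoint with the client credentials as Basic Auth (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(client_id, client_secret)})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

Regenerating the client secret in IDCS (the revocation step mentioned in the note) invalidates the header that basic_auth_header builds, which is the only credential the invoking side holds.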



That's it. As you can witness, the OIC REST Integration was successfully invoked using an OAuth token which will never expire.

Stay tuned for more blogs !!!

Happy Blogging 🙂
