This chapter describes the security considerations for developers.
A Customer Administration User will be created as part of the Xstore Office Cloud Service provisioning process. Before end users can access the Xstore Office Cloud Service application it is necessary to create and provision users. This includes provisioning access to the system, assigning organizations, a role and org nodes to each user to control what functionality will be available to them. This will need to be done by the Customer Administration User.
Note: While users can be created using the IDCS UI, it is important to note that they must still be provisioned through the Xadmin UI. This includes provisioning access to the system, assigning organizations, a role and org nodes to each user to control what functionality will be available to them.
Users can be created manually (that is one at a time) in IDCS by following the instructions on how to create user accounts in the Oracle Cloud Administering Oracle Identity Cloud Service Guide.
Users can be bulk imported into IDCS by following the instructions on how to import user accounts in the Oracle Cloud Administering Oracle Identity Cloud Service Guide.
Users can also be imported (either individually or in bulk) into IDCS by invoking IDCS REST APIs. For more information about the REST APIs, see the Oracle Cloud REST API for Oracle Identity Cloud Service Guide. This requires the creation of an OAuth Client in order to be able to obtain an OAuth Token to be able to invoke the REST APIs. For more information about creating OAuth Clients, refer to the Creation of OAuth Clients in IDCS section.
When a user is created using IDCS (either manually or via bulk import, or via REST APIs), it is the Customer Admin's responsibility to grant the User the User Access AppRole. This can be done in the IDCS UI as follows:
Click on the Xstore Office App.
Click on the Application Roles tab.
Select the menu icon on the far right of the User Access AppRole.
Select Assign Users and select the Users in the popup to be granted this AppRole.
Refer to the Oracle Retail Xstore Office/Xstore Office Cloud Service User Guide for details on how to create and provision users via the Xadmin User Management UI.
AppRoles have been created in Xoffice OAuth Clients in order to perform additional App Level Authorization.
Typically, the IDCS tenant will represent several applications which are independent of each other. The User Access AppRole has been created in the Xstore Office App (which typically has a display name of either RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE depending on the environment). The User Access AppRole is used to link IDCS users with the Xstore Office Cloud Service Application.
When Xadmin performs a user sync against IDCS, it will do the sync based on the users that have been granted this User Access AppRole. Refer to the Oracle Retail Xstore Office/Xstore Office Cloud Service User Guide for details on the user sync between Xadmin and IDCS.
Whenever a user is created using the Xadmin UI, the user is automatically granted the User Access AppRole. When a user is created using the IDCS UI (either manually or via Bulk Import), it is the Customer Admin's responsibility to grant the user the User Access AppRole. This can be done as follows:
Click on the Xstore Office App.
Click on the Application Roles tab.
Select the menu icon on the far right of the User Access AppRole.
Select Assign Users and select the Users in the popup to be granted this AppRole.
The Xstore Access AppRole is used for additional App Level Authorization. This authorization is done when Xstore Office REST APIs are invoked. Therefore, if the Xstore Office REST APIs are to be invoked, then they must be done by using an OAuth Client (App) that has been granted the Xstore Access AppRole. For instance, refer to the Xstore Office Setup App or Xstore Office Data Migration App in the Creation of OAuth Clients in IDCS section.
The Data Privacy Access AppRole is used for additional App Level Authorization. This authorization is done when the Data Privacy REST APIs are invoked. Therefore, if the Data Privacy REST APIs are to be invoked, they must be done by using an OAuth Client (App) that has been granted the Data Privacy Access AppRole. Refer to the Xstore Office Data Privacy App in the Creation of OAuth Clients in IDCS section.
The Service Access AppRole is used for internal manipulation of the OAuth Clients. This is also needed in case OAuth Clients need to be deleted. See the Deletion of OAuth Clients in IDCS section.
Any Xstore register that communicates with Xstore Office Cloud Service must first be enrolled in IDCS via Xstore Office Cloud Service. This can be done either via Xadmin or Xenvironment. The sections below contain information about the steps to be followed for Cloud Enrollment of Xstore Clients.
Xstore Stores can be enrolled in Xstore Office Cloud Service via Xadmin On-Premise, if the retailer has an existing Xadmin On-Premise application 18.0.1 or higher. Refer to the on-premise Oracle Retail Xstore Office User Guide for these steps.
Xstore stores can be enrolled in the Xstore Office Cloud Service via Xenvironment by following these steps.
Note: Collect the following data prior to starting the Cloud Enroll process via Xenvironment.
Once the Xenvironment installation is complete, open a web browser (from any system in the store) and go to the following URL: https://<lead_register_hostname>:9096/cloudenroll.
Log in with the appropriate user. The user must have the SYSTEM_ADMIN security privilege. This is the same privilege required to execute secured functions in Xenvironment.
In the form that is presented, enter the Xcenter Application Server Settings for Xstore Office Cloud.
Host: Xstore Office Cloud Hostname
Port: Xstore Office Cloud Port
Provisioning ID: Customer's Provisioning ID
Username: Username of an IDCS user (This is typically an email address)
Password: Password of an IDCS user
Click Enroll Location. This will validate the user credentials and enroll the location.
Once the enrollment is complete the systems will be restarted. When the registers start up again they will be configured for Xstore Office Cloud Service.
OAuth Clients (also called Apps) are required in order to invoke REST Services exposed by Xstore Office.
Note: While OAuth Clients can be created via the IDCS User Interface, the resulting OAuth Clients do not have all the needed properties in order to be able to function accurately. Instead, follow the steps detailed below in order to create the OAuth Clients using the IDCS REST APIs.
It is helpful to be familiar with Basic Auth, OAuth, curl and JSON before running the commands below.
In particular, OAuth sends a Bearer token in the HTTP Authorization header, whereas Basic Auth sends the Base64-encoded client credentials. Base64 is an encoding, not encryption: the client secret is readable by anyone who can observe the request, so these headers must only ever be sent over HTTPS, and the resulting tokens must be treated as secrets for as long as they are valid.
Authorization header for an OAuth token: "Authorization: Bearer <token>"
Authorization header for Basic Auth: "Authorization: Basic <Base64_encode(client_id:client_secret)>"
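The two header forms above, as an added example that is not part of the Oracle guide: a small Python script that builds the Basic header for the token request, sends the same client_credentials request the curl commands in this section use, and inspects the returned JWT's claims and expiry before the token is put to work. The IDCS host and client credentials are placeholders, and the sample token at the end is constructed (unsigned) purely so the inspection helpers can run offline.

```python
"""Added example (not from the Oracle guide). Builds the Basic and Bearer
Authorization headers contrasted above, requests a client_credentials token
from IDCS the way the curl commands in this chapter do, and inspects the
returned JWT before it is used. Host and credentials are placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Basic auth: standard Base64 of 'client_id:client_secret'.
    Base64 is encoding, not encryption: the secret is readable by anyone
    who sees the request, so this header must only ever cross TLS."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    """OAuth: the access token itself, sent verbatim."""
    return "Bearer " + token


def client_credentials_body(scope: str = "urn:opc:idm:__myscopes__") -> str:
    """Form-encoded body for grant_type=client_credentials. urlencode
    percent-encodes the ':' characters in the scope; the server decodes
    %3A back to ':', so this is the same scope the curl commands send."""
    return urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Fine for
    inspecting what IDCS issued to us (exp, scope, client_id); never use
    this to trust a token presented by someone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """How long the token is still usable; negative means already expired."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)


def request_token(idcs_host: str, client_id: str, client_secret: str) -> dict:
    """POST https://<IDCS_TENANT_HOST>/oauth2/v1/token (network call)."""
    req = urllib.request.Request(
        f"https://{idcs_host}/oauth2/v1/token",
        data=client_credentials_body().encode("ascii"),
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # access_token, token_type, expires_in


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned sample token (alg "none", empty signature) so the
# inspection helpers can be exercised offline; a real IDCS token is signed.
SAMPLE_JWT = _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(
    {"client_id": "abc123", "scope": "urn:opc:idm:__myscopes__", "exp": 1700003600}
) + "."

if __name__ == "__main__":
    print(basic_auth_header("<client_id>", "<client_secret>"))
    print(bearer_header(SAMPLE_JWT)[:40] + "...")
    print("expires in", seconds_until_expiry(SAMPLE_JWT, now=1700000000), "s")
```

`curl -u <client_id>:<client_secret>` produces the same Basic header as the hand-encoded form used in the commands below and avoids pasting a Base64 string that anyone can decode; either way, keep the secret out of shell history and log files.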
Collect the following data prior to creation of OAuth Clients.
IDCS_TENANT_HOST: The Customer Administrator can look this up by logging into their Cloud Service Account.
Xstore Office OAuth Client App ID: The Xstore Office App has a display name that is typically RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE. Clicking on it will display the App Details. The entry called Application ID contains the App ID for this OAuth Client.
Xstore Office OAuth Client credentials: The Xstore Office App has a display name that is typically RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE. Clicking on it and then clicking the Configuration Tab will display the App's Client ID and Client Secret.
IDCS User credentials: Username and password of any IDCS user belonging to the provisioned IDCS tenant. Typically, the user performing the particular function for which these OAuth Clients are needed would be used.
The following steps are executed using curl. However, any similar tool such as SoapUI or Postman can be used.
Before the newly provisioned Xstore Office Cloud Service can be used, some initial setup is required. For instance, the Xstore Office database needs Tax Location data to be present in order to be able to setup new stores or organization hierarchy via the Xadmin UI. This can be achieved by using the Xcenter auto deployment functionality via REST services. In order to utilize the Xcenter REST services, an OAuth Client is required. This client can also be used to insert any other seed Xstore Office data that needs to be present in the database besides the Tax Location data.
Request an Access token using the Xstore Office OAuth Client credentials.
Replace the <client_id> and <client_secret> with those of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
Create a Setup OAuth Client (App). The response will contain the Application ID for the Setup App. Save this value since it will be required in a later step.
For PRD environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\SetupPRDApp.json
Copy the following contents into a file called SetupPRDApp.json and place it in \temp (for example).
SetupPRDApp.json
{
"displayName": "RGBU_XSTCS_PRD_Setup",
"name": "RGBU_XSTCS_PRD_Setup_APPID",
"description": "RGBU XSTCS Setup for PRD",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_PRD_Setup",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
For UAT environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\SetupUATApp.json
Copy the following contents into a file called SetupUATApp.json and place it in \temp (for example).
SetupUATApp.json
{
"displayName": "RGBU_XSTCS_UAT_Setup",
"name": "RGBU_XSTCS_UAT_Setup_APPID",
"description": "RGBU XSTCS Setup for UAT",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_UAT_Setup",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
Create a Service Access AppRole in the Setup App.
Prior to running this command, update the CreateServiceAccessAppRole.json to replace <App_Id> with the value of the Application Id for the Setup App that was saved previously.
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/AppRoles -d @\temp\CreateServiceAccessAppRole.json
Copy the following contents into a file called CreateServiceAccessAppRole.json and place it in \temp (for example).
Replace <App_Id> with the value of the Application Id for the Setup App that was saved previously.
CreateServiceAccessAppRole.json
{
"displayName": "Service Access",
"adminRole": true,
"description": "Service Access AppRole",
"public": false,
"app": {
"value": "<App_Id>"
},
"availableToClients": true,
"availableToUsers": true,
"availableToGroups": true,
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:AppRole"]
}
(If not already retrieved via IDCS) Retrieve the Xstore Office App ID.
This can also be obtained by logging into IDCS and clicking on the appropriate App (typically RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE). Clicking on it will display the App Details. The entry called Application Id contains the App Id for this OAuth Client.
Replace the <client_id> with that of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/Apps?filter=name+eq+%22<client_id>%22&attributes=id"
Retrieve the Xstore Office Xstore Access AppRole ID.
Replace the <App_Id> with the Application Id of the Xstore Office App.
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/AppRoles?filter=app.value+eq+%22<App_Id>%22+and+displayName+eq+%22Xstore%20Access%22&attributes=id"
Grant the Xstore Office Xstore Access AppRole to the Setup OAuth Client (App).
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Grants -d @\temp\XofficeAppRoleToGranteeAppGrant.json
Copy the following contents into a file called XofficeAppRoleToGranteeAppGrant.json and place it in \temp (for example).
Replace the <Xstore_Office_App_Id> with the Xstore Office Application Id value.
Replace the <AppRole_Id> with the "Xstore Access" AppRole Id value.
Replace the <Grantee_App_Id> with the Setup OAuth Client (App) Application Id value.
XofficeAppRoleToGranteeAppGrant.json
{
"app": {
"value": "<Xstore_Office_App_Id>"
},
"entitlement": {
"attributeName": "appRoles",
"attributeValue": "<AppRole_Id>"
},
"grantMechanism": "ADMINISTRATOR_TO_APP",
"grantee": {
"value": "<Grantee_App_Id>",
"type": "App"
},
"isFulfilled": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:Grant"
]
}
Request an Access token using the Setup OAuth Client credentials.
Replace the <client_id> and <client_secret> with those of the Setup OAuth Client (App).
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
This token can now be used to invoke Xstore Office REST APIs in order to configure Xstore Office Cloud Service.
The Data Migration OAuth Client is required to configure the Data Migration Utility in order to migrate data from an existing Xstore Office to Xstore Office Cloud Service.
Request an Access token using the Xstore Office OAuth Client credentials.
Replace the <client_id> and <client_secret> with those of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
Create a Data Migration OAuth Client (App). The response will contain the Application ID for the Data Migration App. Save this value since it will be required in a later step.
For PRD environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\DataMigrationPRDApp.json
Copy the following contents into a file called DataMigrationPRDApp.json and place it in \temp (for example).
DataMigrationPRDApp.json
{
"displayName": "RGBU_XSTCS_PRD_Data_Migration",
"name": "RGBU_XSTCS_PRD_Data_Migration_APPID",
"description": "RGBU XSTCS Data Migration for PRD",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_PRD_Data_Migration",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
For UAT environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\DataMigrationUATApp.json
Copy the following contents into a file called DataMigrationUATApp.json and place it in \temp (for example).
DataMigrationUATApp.json
{
"displayName": "RGBU_XSTCS_UAT_Data_Migration",
"name": "RGBU_XSTCS_UAT_Data_Migration_APPID",
"description": "RGBU XSTCS Data Migration for UAT",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_UAT_Data_Migration",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
Create a Service Access AppRole in the Data Migration App.
Prior to running this command, update the CreateServiceAccessAppRole.json to replace <App_Id> with the value of the Application Id for the Data Migration App that was saved previously.
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/AppRoles -d @\temp\CreateServiceAccessAppRole.json
Copy the following contents into a file called CreateServiceAccessAppRole.json and place it in \temp (for example).
Replace <App_Id> with the value of the Application Id for the Data Migration App that was saved previously.
CreateServiceAccessAppRole.json
{
"displayName": "Service Access",
"adminRole": true,
"description": "Service Access AppRole",
"public": false,
"app": {
"value": "<App_Id>"
},
"availableToClients": true,
"availableToUsers": true,
"availableToGroups": true,
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:AppRole"]
}
(If not already retrieved via IDCS) Retrieve the Xstore Office App ID.
This can also be obtained by logging into IDCS and clicking on the appropriate App (typically RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE). Clicking on it will display the App Details. The entry called Application Id contains the App Id for this OAuth Client.
Replace the <client_id> with that of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/Apps?filter=name+eq+%22<client_id>%22&attributes=id"
Retrieve the Xstore Office Xstore Access AppRole ID.
Replace the <App_Id> with the Application Id of the Xstore Office App.
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/AppRoles?filter=app.value+eq+%22<App_Id>%22+and+displayName+eq+%22Xstore%20Access%22&attributes=id"
Grant the Xstore Office Xstore Access AppRole to the Data Migration OAuth Client (App).
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Grants -d @\temp\XofficeAppRoleToGranteeAppGrant.json
Copy the following contents into a file called XofficeAppRoleToGranteeAppGrant.json and place it in \temp (for example).
Replace the <Xstore_Office_App_Id> with the Xstore Office Application Id value.
Replace the <AppRole_Id> with the "Xstore Access" AppRole Id value.
Replace the <Grantee_App_Id> with the Data Migration OAuth Client (App) Application Id value.
XofficeAppRoleToGranteeAppGrant.json
{
"app": {
"value": "<Xstore_Office_App_Id>"
},
"entitlement": {
"attributeName": "appRoles",
"attributeValue": "<AppRole_Id>"
},
"grantMechanism": "ADMINISTRATOR_TO_APP",
"grantee": {
"value": "<Grantee_App_Id>",
"type": "App"
},
"isFulfilled": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:Grant"
]
}
The Client ID and Client Secret of the Data Migration OAuth Client (App) can now be used to update the idp.properties in the Data Migration Utility and the Data Migration Utility is ready for use.
The Data Privacy OAuth Client is required in order to be able to invoke the Data Privacy REST API.
Note: While some OAuth Clients can be used for different purposes (for instance, the same OAuth Client can be used for both the initial Cloud Setup as well as configuring the Data Migration Utility), it is important to remember that those cannot be used to invoke the Data Privacy REST API. The Data Privacy OAuth Client must be created as described below due to specific Data Privacy related authorizations that are performed.
Request an Access token using the Xstore Office OAuth Client credentials.
Replace the <client_id> and <client_secret> with those of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
Create a Data Privacy OAuth Client (App). The response will contain the Application ID for the Data Privacy App. Save this value since it will be required in a later step.
For PRD environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\DataPrivacyPRDApp.json
Copy the following contents into a file called DataPrivacyPRDApp.json and place it in \temp (for example).
DataPrivacyPRDApp.json
{
"displayName": "RGBU_XSTCS_PRD_Data_Privacy",
"name": "RGBU_XSTCS_PRD_Data_Privacy_APPID",
"description": "RGBU XSTCS Data Privacy for PRD",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials",
"password"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_PRD_Data_Privacy",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
For UAT environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\DataPrivacyUATApp.json
Copy the following contents into a file called DataPrivacyUATApp.json and place it in \temp (for example).
DataPrivacyUATApp.json
{
"displayName": "RGBU_XSTCS_UAT_Data_Privacy",
"name": "RGBU_XSTCS_UAT_Data_Privacy_APPID",
"description": "RGBU XSTCS Data Privacy for UAT",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials",
"password"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_UAT_Data_Privacy",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
Create a Service Access AppRole in the Data Privacy App.
Prior to running this command, update the CreateServiceAccessAppRole.json to replace <App_Id> with the value of the Application Id for the Data Privacy App that was saved previously.
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/AppRoles -d @\temp\CreateServiceAccessAppRole.json
Copy the following contents into a file called CreateServiceAccessAppRole.json and place it in \temp (for example).
Replace <App_Id> with the value of the Application Id for the Data Privacy App that was saved previously.
CreateServiceAccessAppRole.json
{
"displayName": "Service Access",
"adminRole": true,
"description": "Service Access AppRole",
"public": false,
"app": {
"value": "<App_Id>"
},
"availableToClients": true,
"availableToUsers": true,
"availableToGroups": true,
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:AppRole"]
}
(If not already retrieved via IDCS) Retrieve the Xstore Office App ID.
This can also be obtained by logging into IDCS and clicking on the appropriate App (typically RGBU_XSTCS_PRD_XOFFICE or RGBU_XSTCS_UAT_XOFFICE). Clicking on it will display the App Details. The entry called Application Id contains the App Id for this OAuth Client.
Replace the <client_id> with that of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/Apps?filter=name+eq+%22<client_id>%22&attributes=id"
Retrieve the Xstore Office Data Privacy Access AppRole ID.
Replace the <App_Id> with the Application Id of the Xstore Office App.
curl -i -H "Authorization: Bearer <token>" "https://<IDCS_TENANT_HOST>/admin/v1/AppRoles?filter=app.value+eq+%22<App_Id>%22+and+displayName+eq+%22Data%20Privacy%20Access%22&attributes=id"
Grant the Xstore Office Data Privacy Access AppRole to the Data Privacy OAuth Client (App).
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Grants -d @\temp\XofficeAppRoleToGranteeAppGrant.json
Copy the following contents into a file called XofficeAppRoleToGranteeAppGrant.json and place it in \temp (for example).
Replace the <Xstore_Office_App_Id> with the Xstore Office Application Id value.
Replace the <AppRole_Id> with the "Data Privacy Access" AppRole Id value.
Replace the <Grantee_App_Id> with the Data Privacy OAuth Client (App) Application Id value.
XofficeAppRoleToGranteeAppGrant.json
{
"app": {
"value": "<Xstore_Office_App_Id>"
},
"entitlement": {
"attributeName": "appRoles",
"attributeValue": "<AppRole_Id>"
},
"grantMechanism": "ADMINISTRATOR_TO_APP",
"grantee": {
"value": "<Grantee_App_Id>",
"type": "App"
},
"isFulfilled": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:Grant"
]
}
Request an Access token using the Data Privacy OAuth Client credentials and an IDCS user's userid/password.
Replace the <client_id> and <client_secret> with those of the Data Privacy OAuth Client (App). Replace the <IDCS_username> and <IDCS_password> with those of an IDCS user.
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=password&username=<IDCS_username>&password=<IDCS_password>&scope=urn:opc:idm:__myscopes__"
Invoke the Data Privacy endpoint (example – replace with appropriate data).
Replace <token> with the token from the previous step.
curl -i -H "Authorization: Bearer <token>" "https://<XSTORE_OFFICE_HOST>/xcenter/rest/privatedata/1000::100?type=employee"
The steps below create an OAuth Client that can be used to invoke RTLog Generator REST APIs.
Request an Access token using the Xstore Office OAuth Client credentials.
Replace the <client_id> and <client_secret> with those of the Xstore Office OAuth Client (App).
curl -i -H "Authorization: Basic <Base64_encode(<client_id>:<client_secret>)>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" https://<IDCS_TENANT_HOST>/oauth2/v1/token -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
Create a RTLog Generator Client OAuth Client (App). The response will contain the Application ID for the RTLog Generator Client App. Save this value since it will be required in a later step.
For PRD environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\RTLogClientPRDApp.json
Copy the following contents into a file called RTLogClientPRDApp.json and place it in \temp (for example).
RTLogClientPRDApp.json
{
"displayName": "RGBU_XSTCS_PRD_RTLog_Client",
"name": "RGBU_XSTCS_PRD_RTLog_Client_APPID",
"description": "RGBU XSTCS RTLog_Client for PRD",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_PRD_RTLog_Client",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
For UAT environment:
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/Apps -d @\temp\RTLogClientUATApp.json
Copy the following contents into a file called RTLogClientUATApp.json and place it in \temp (for example).
RTLogClientUATApp.json
{
"displayName": "RGBU_XSTCS_UAT_RTLog_Client",
"name": "RGBU_XSTCS_UAT_RTLog_Client_APPID",
"description": "RGBU XSTCS RTLog_Client for UAT",
"isOAuthClient": true,
"clientType": "confidential",
"isOAuthResource": false,
"allowedGrants": [
"client_credentials"
],
"allowedOperations": [
"introspect"
],
"allowOffline": true,
"allowAccessControl": false,
"basedOnTemplate": {
"value": "OPCAppTemplateId"
},
"urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier": "RGBU_XSTCS_UAT_RTLog_Client",
"active": true,
"schemas": [
"urn:ietf:params:scim:schemas:oracle:idcs:App"
],
"isUnmanagedApp": true
}
Create a Service Access AppRole in the RTLog Generator Client App.
Prior to running this command, update the CreateServiceAccessAppRole.json to replace <App_Id> with the value of the Application Id for the RTLog Generator Client App that was saved previously.
curl -i -H "Content-Type:application/scim+json" -H "Authorization: Bearer <token>" https://<IDCS_TENANT_HOST>/admin/v1/AppRoles -d @\temp\CreateServiceAccessAppRole.json
Copy the following contents into a file called CreateServiceAccessAppRole.json and place it in \temp (for example).
Replace <App_Id> with the value of the Application Id for the RTLog Generator Client App that was saved previously.
CreateServiceAccessAppRole.json
{
"displayName": "Service Access",
"adminRole": true,
"description": "Service Access AppRole",
"public": false,
"app": {
"value": "<App_Id>"
},
"availableToClients": true,
"availableToUsers": true,
"availableToGroups": true,
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:AppRole"]
}
The Client ID and Client Secret of the RTLog Generator Client OAuth Client (App) can now be used to obtain a token in order to invoke RTLog Generator REST APIs.
Additional OAuth Clients can be created if required.
For invoking Xstore Office REST APIs, please follow the steps as mentioned in the Data Migration OAuth Client section (and make any necessary changes to keep the IDs unique).
For invoking RTLog REST APIs, follow the steps as mentioned in the RTLog Generator Client section (and make any necessary changes to keep the IDs unique).
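The Setup, Data Migration, Data Privacy and RTLog Generator Client procedures above differ only in the names used, the grants allowed and the Xstore Office AppRole that is granted. As an added example, not Oracle's code, the following Python script performs the same create-client, create-Service-Access-AppRole, look-up and grant sequence against /admin/v1 for any of those kinds, which is also how additional clients with unique IDs can be produced. It assumes a bearer token already obtained with the Xstore Office OAuth Client credentials (as in the first step of each procedure); the IDCS host, token and client id are placeholders, and the look-ups refuse to proceed unless exactly one Xstore Office app and one AppRole match.

```python
"""Added example (not Oracle's code): drive the IDCS /admin/v1 calls from the
OAuth Client procedures above for any client kind, keeping names unique per
environment. Expects a bearer token obtained with the Xstore Office client."""
import json
import urllib.parse
import urllib.request
from typing import Optional

APP_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:App"
APPROLE_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:AppRole"
GRANT_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
SERVICE_INSTANCE_ATTR = "urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App:serviceInstanceIdentifier"

# Per client kind: the Xstore Office AppRole to grant it (None for the RTLog
# client) and the grants it may use; only Data Privacy gets the password grant.
CLIENT_KINDS = {
    "Setup":          {"role": "Xstore Access",       "grants": ["client_credentials"]},
    "Data_Migration": {"role": "Xstore Access",       "grants": ["client_credentials"]},
    "Data_Privacy":   {"role": "Data Privacy Access", "grants": ["client_credentials", "password"]},
    "RTLog_Client":   {"role": None,                  "grants": ["client_credentials"]},
}


def app_payload(env: str, kind: str, suffix: str = "") -> dict:
    """Body for POST /admin/v1/Apps, same shape as the *App.json files above;
    suffix (e.g. "_2") keeps displayName and name unique for an extra client."""
    if env not in ("PRD", "UAT"):
        raise ValueError("env must be PRD or UAT")
    if kind not in CLIENT_KINDS:
        raise ValueError(f"unknown client kind {kind!r}")
    base = f"RGBU_XSTCS_{env}_{kind}{suffix}"
    return {
        "displayName": base, "name": base + "_APPID",
        "description": f"RGBU XSTCS {kind.replace('_', ' ')} for {env}",
        "isOAuthClient": True, "clientType": "confidential", "isOAuthResource": False,
        "allowedGrants": list(CLIENT_KINDS[kind]["grants"]),
        "allowedOperations": ["introspect"], "allowOffline": True, "allowAccessControl": False,
        "basedOnTemplate": {"value": "OPCAppTemplateId"},
        SERVICE_INSTANCE_ATTR: base, "active": True,
        "schemas": [APP_SCHEMA], "isUnmanagedApp": True,
    }


def service_access_role_payload(app_id: str) -> dict:
    """Body for POST /admin/v1/AppRoles (CreateServiceAccessAppRole.json)."""
    return {
        "displayName": "Service Access", "adminRole": True,
        "description": "Service Access AppRole", "public": False,
        "app": {"value": app_id},
        "availableToClients": True, "availableToUsers": True, "availableToGroups": True,
        "schemas": [APPROLE_SCHEMA],
    }


def grant_payload(xoffice_app_id: str, approle_id: str, grantee_app_id: str) -> dict:
    """Body for POST /admin/v1/Grants (XofficeAppRoleToGranteeAppGrant.json)."""
    return {
        "app": {"value": xoffice_app_id},
        "entitlement": {"attributeName": "appRoles", "attributeValue": approle_id},
        "grantMechanism": "ADMINISTRATOR_TO_APP",
        "grantee": {"value": grantee_app_id, "type": "App"},
        "isFulfilled": True, "schemas": [GRANT_SCHEMA],
    }


def scim_query(filter_expr: str, attributes: str = "id") -> str:
    """Percent-encode a SCIM filter so its quotes and spaces survive the URL."""
    return urllib.parse.urlencode({"filter": filter_expr, "attributes": attributes},
                                  quote_via=urllib.parse.quote)


class IdcsAdmin:
    def __init__(self, idcs_host: str, token: str):
        self.base = f"https://{idcs_host}/admin/v1"
        self.headers = {"Authorization": "Bearer " + token, "Content-Type": "application/scim+json"}

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def single_id(self, path: str, query: str) -> str:
        # Insist on exactly one match so an ambiguous lookup cannot grant an AppRole to the wrong app.
        res = self._call("GET", f"{path}?{query}")
        if res.get("totalResults") != 1:
            raise LookupError(f"expected 1 match for {path}?{query}, got {res.get('totalResults')}")
        return res["Resources"][0]["id"]

    def provision_client(self, env: str, kind: str, xoffice_client_id: str, suffix: str = "") -> str:
        """Create the client and its Service Access AppRole, then grant the Xstore Office AppRole it needs."""
        app_id = self._call("POST", "/Apps", app_payload(env, kind, suffix))["id"]
        self._call("POST", "/AppRoles", service_access_role_payload(app_id))
        role = CLIENT_KINDS[kind]["role"]
        if role is not None:
            xo_id = self.single_id("/Apps", scim_query(f'name eq "{xoffice_client_id}"'))
            role_id = self.single_id("/AppRoles", scim_query(f'app.value eq "{xo_id}" and displayName eq "{role}"'))
            self._call("POST", "/Grants", grant_payload(xo_id, role_id, app_id))
        return app_id
```

`IdcsAdmin("<IDCS_TENANT_HOST>", token).provision_client("PRD", "Data_Privacy", "<client_id>")` reproduces the Data Privacy procedure; a second client of the same kind is created with `suffix="_2"` so that displayName and name stay unique. The grants table is deliberately the only place the password grant appears: every other client keeps client_credentials alone, exactly as the JSON files above do, so no client that is not meant to handle user passwords can ever be used with one.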
In order to delete OAuth Clients in IDCS, follow this process:
Log into IDCS.
Select the App to be deleted.
Click on the Application Roles tab.
Select the menu icon on the far right of the Service Access AppRole.
Select Assign Users and select the current user in the popup to be granted this AppRole.
Then go back to the list of Applications, select the menu icon to the far right of the App to be deleted. Then click Deactivate and click Deactivate Application in the pop up dialog.
Once again select the menu icon to the far right of the App to be deleted and click Remove and click Remove Application in the pop up dialog.