Working with Web Service Authentication (WWSA)

Web service authentication allows you to define a valid web service authentication user for each web service used by Order Management System.

Which web services are eligible? You can define web service authentication for the following:

         Inbound: Web services used to process inbound messages to Order Management System. See Inbound Web Service Authentication Process for Order Management System.

         To Order Broker: Web services used to process messages from Order Management System to Order Broker. See Web Service Authentication Process for Order Broker.

         To Customer Engagement: Web services used to process messages from Order Management System to Customer Engagement. See Web Service Authentication Process for Customer Engagement.

         To OCDS: Web services used for authentication for RESTful web service requests sent to the Omnichannel Cloud Data Service (OCDS). See Importing Enterprise Foundation Data through Omnichannel Cloud Data Service (OCDS) for background.

         To RICS: Web services used for authentication for the pre-order (backorder quantity update) notification message (RICS). See Enterprise Order Integration (Future Receipts and Active PO/Pre-Order Processing) for background.

         Job notifications: A web service to send a job notification to an external system. See Using the Job Notification Outbound REST Message for more information.

Authentication types: Order Management System supports both basic and OAuth 2 authentication for inbound and outbound messages, although not all integrating systems support OAuth. See Basic or OAuth Authentication for a discussion.

For more information: See Setting Up Web Service Authentication for an overview and a discussion of the different types of authentication, and see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide on My Oracle Support (2728265.1) for web service authentication configuration instructions.

In this topic:

         Basic or OAuth Authentication

         Inbound Web Service Authentication Process for Order Management System

         Order Management System Web Services Eligible for Authentication

         Work with Inbound Web Service Authentication Screen

         Work with Inbound Web Service Authentication Users Screen

         Add User Window

         Work with Outbound Web Service Authentication Screen

         Change Outbound Web Service Authentication Screen

Basic or OAuth Authentication

Basic authentication requires the requesting system to pass a user ID and a password to authenticate a web service request. The destination system validates the user ID and password.

OAuth requires the requesting system to provide an access token with the web service request. Oracle Cloud Services use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) as the authenticating service. The requesting system will use its configured client ID and secret to request an OAuth token from IDCS or OCI IAM and then include that token in service requests.

In addition to being more secure, OAuth provides better performance than basic authentication.

How Requests are Validated with OAuth

OAuth enables web service communication between applications using a token provided by IDCS or OCI IAM rather than a password, providing greater security. The requesting application first passes its:

         Client ID: Similar to a user ID in that it identifies a client application to the authentication service, in this case IDCS or OCI IAM. You can create client IDs through the Manage External Application Access page, in IDCS or OCI IAM, or through other applications, such as Customer Engagement.

         Client secret: A secure code that IDCS or OCI IAM creates for a client application, and that the client application passes to IDCS or OCI IAM for authentication. The client secret should be known only to the requesting application and to IDCS or OCI IAM.

When IDCS or OCI IAM receives the valid client ID and client secret, it then provides the token to the requesting application. The requesting application can then include the token in the web service request to the destination system, which validates the token with IDCS or OCI IAM.

For example, if your ecommerce system will communicate with Order Management System using OAuth, you can use this page to:

         Create a client ID and secret, which you can then provide to the ecommerce system.

         Create the associated web service authentication records for the ecommerce system.

With OAuth authentication:

         The requesting system first passes a client ID and a client secret to an authenticating service, such as IDCS or OCI IAM.

         The authenticating service, such as IDCS or OCI IAM, generates a short-lived token.

         The requesting system submits the token to the destination system, rather than a password and user ID as with basic authentication.

         The destination system validates the token and client ID.

The following is required in order to support OAuth with Omnichannel products:

         The IDCS or OCI IAM client ID and client secret for the integrating system must be created through an Omnichannel cloud service, if it does not already exist.

         The system receiving the web service request needs to have a record of the client ID with assigned access for the web service API.

         A system sending the web service request needs to be able to request the token from IDCS or OCI IAM.

         The system sending the web service request needs to include the token so the system receiving the web service request can validate the request.

Configuration for outbound web service authentication: You need to specify an authentication type of either BASIC or OAUTH for each outbound web service from Order Management System. OAuth is supported for the following outbound web services:

         Order Broker 18.2 or higher

         Customer Engagement 18.0 or higher

         Job Notification

OAuth is not currently supported for the RICS Service.

OAuth summary by product:

| Product | Supports Receiving OAuth | Supports Sending OAuth |
| --- | --- | --- |
| Order Broker | 19.0 or higher | 19.1.1 or higher |
| Order Broker Cloud Service | 18.2 or higher | 19.1 or higher |
| Order Management System | 18.3 or higher; 19.0 or higher supports XOffice OnPrem validation of stores with parent ID. 19.0 or higher. See the Manage External Application page in Modern View for background. | 19.1 or higher |
| Customer Engagement | 18.0 or higher; 18.3 or higher supports XOffice OnPrem validation of stores with parent ID. | not currently supported |

For more information: See the Oracle Retail Omnichannel Web Service Authentication Configuration Guide on My Oracle Support (2728265.1) for web service authentication configuration instructions.

Inbound Web Service Authentication Process for Order Management System

When an external system calls an Order Management System web service, the external system sending the message to Order Management System must send authentication information in the HTTP header of the message.

Oracle Identity Cloud Service: When you use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) for password authentication, you do not define passwords in Work with Web Service Authentication (WWSA) for inbound web services; instead:

         Basic HTTPS:

         Create a user profile in IDCS or OCI IAM for inbound web service authentication and assign the password in IDCS or OCI IAM. You can create a single user, or a separate user for different inbound messages.

         Create the web service authentication user, using the User Name defined in IDCS or OCI IAM, in Work with Web Service Authentication (WWSA) for the inbound web service message. No password entry is required or supported, because the authentication takes place through IDCS or OCI IAM.

         OAuth: Uses the IDCS or OCI IAM Client ID of the client that generates the OAuth token as the user ID in Web Service Authentication (WWSA). You use the Manage External Application Access page in Modern View to create web service authentication records for client applications created in IDCS or OCI IAM that use OAuth authentication. See Basic or OAuth Authentication for a discussion.

When OAuth not used: When basic authentication is used, you should use the Work with Inbound Web Service Authentication screen (WWSA) rather than the Manage External Application Access page in Modern View.

For more information: See Oracle Authentication (IDCS or OCI IAM) in the Administration Guide.

When Order Management System receives an inbound web service request:

         If the web service passes authentication, the web service continues with regular processing.

         If the web service fails basic authentication, the web service returns a 401 error.
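The inbound check described above, modeled as an added Python example (not Oracle's code and not taken from this guide): the destination authenticates the caller by Basic credentials or by OAuth token, then requires a web service authentication record for that user or client ID on the specific web service. The HMAC-signed token format, the CLIENTS, BASIC_USERS and WWSA dictionaries, the IDs ECOM_APPID and ws_pick_user, and returning 401 when the per-service record is missing are all assumptions made for illustration; in a real deployment IDCS or OCI IAM issues and validates the token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data; none of these IDs, secrets or records come from Oracle.
CLIENTS = {"ECOM_APPID": "constructed-secret"}          # client ID -> client secret
BASIC_USERS = {"ws_pick_user": "constructed-password"}  # user ID -> password
WWSA = {"CWOrderIn": {"ECOM_APPID"}, "CWPickIn": {"ws_pick_user"}}  # service -> allowed IDs
SIGNING_KEY = secrets.token_bytes(32)  # stand-in for the identity service's signing key
TOKEN_TTL = 300                        # seconds; the page only says "short-lived"


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def _sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(client_id, client_secret, now=None):
    """Authenticating service: exchange client ID + secret for a short-lived token."""
    expected = CLIENTS.get(client_id)
    if expected is None or not _same(expected, client_secret):
        return None
    now = time.time() if now is None else now
    claims = {"client_id": client_id, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)


def verify_token(token, now=None):
    """Return the client ID if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not _same(_sign(body), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["client_id"] if claims["exp"] > now else None


def basic_header(user, password):
    """Build the Authorization header a Basic caller sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def handle_inbound(web_service, authorization, now=None):
    """Destination system: authenticate the caller, then check the per-service record."""
    scheme, _, value = authorization.partition(" ")
    identity = None
    if scheme == "Bearer":
        identity = verify_token(value, now)
    elif scheme == "Basic":
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            return 401
        expected = BASIC_USERS.get(user)
        if expected is not None and _same(expected, password):
            identity = user
    # Assumption: every failure, including a missing per-service record, maps to 401.
    if identity is None or identity not in WWSA.get(web_service, set()):
        return 401
    return 200


if __name__ == "__main__":
    token = issue_token("ECOM_APPID", "constructed-secret")
    print("CWOrderIn with token:", handle_inbound("CWOrderIn", "Bearer " + token))
    print("CWPickIn with same token:", handle_inbound("CWPickIn", "Bearer " + token))
```

A token that is valid for one web service is still rejected on another unless the client ID has a record there, which is why the records are defined per web service.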

Order Management System Web Services Eligible for Authentication

You must define web service authentication, either through this menu option or through the Manage External Application Access page in Modern View, for the following Order Management System web services.

         CWCustomer: This web service is used to process an Inbound Customer Message (CWCustomerIn) received from an external system. See Generic Customer API for more information.

         CWEmailRequest: This web service is used to process an Email Request Message (CWEmailRequest) received from an external system. See Store Pickup Confirmation Email Program (L48) for more information.

         CWMessageIn: This web service works with any of the integration layer processes set up through Working with Integration Layer Processes (IJCT). See XML Messages Processed By the CWMessageIn Web Service for a list of the messages processed by the CWMessageIn web service and see CWMessageIn Web Service for an overview.

         CWOrderIn: This web service is used to process an Inbound Order XML Message (CWORDERIN) from an external system. See Generic Order Interface (Order API) for more information.

         CWPickIn: This web service is used to process a CWPickIn XML Message from an external system. See Generic Pick In API (Shipments, Voids, and Backorders) for more information.

         CWReceiptIn: This web service is used to process a PO Receipt In XML Message (CWReceiptIn) from an external system. See Purchase Order Receipt In API for more information.

         CWServiceIn: This web service is used to process the following messages received from an external system:

         Order Transaction History Message (CWOrderTransactionHistory) if its type attribute is CWOrderTransactionHistory. See Generic Order Transaction History API for more information.

         Order Line History In Message (CWOrdLnHstIn) if its type attribute is CWOrdLnHstIn. See Order Line History In API for more information.

         Item Availability Request XML Message (CWItemAvailabilityWeb) if its type attribute is CWItemAvailabilityWeb. See Item Availability API for more information.

         E-Commerce Cancel Request Message (CWCancel) if its type attribute is CWCancel. See E-Commerce Cancel Process for more information.

         E-Commerce Catalog Request Message (CWCatRequest) if its type is CWCatRequest. See E-Commerce Catalog Requests for more information.

         CWProcessIn Message if its type attribute is CWProcessIn. See Using the CWProcessIn Message to Start a Periodic Process for more information.

         JMSQueue. This web service is used during Advanced Queuing to read from a queue in the queuing database.

         PrivateDataRequest RESTful web service. This web service is used to process a Get Personal Data Request and Forget Personal Data Request from an external system. See the Personal Data API in the Data Security and Encryption guide on My Oracle Support (1988467.1) for more information.

         ProcessIn. This RESTful web service is used to start a periodic process. See Using the ProcessIn REST Message to Start a Periodic Process for more information.

         Storage. This RESTful web service is used to upload, download, delete, or inquire on files imported or exported through the File Storage API.

Job Notification Outbound Message. This web service is used to notify an external system of a periodic process or job completion. See Using the Job Notification Outbound REST Message for more information.

Work with Inbound Web Service Authentication Screen

Purpose: Use this screen to define valid web service authentication users for the Order Management System web services.

Oracle Identity Cloud Service: When you use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) for password authentication, you do not define passwords in Work with Web Service Authentication (WWSA) for inbound web services; instead:

         Basic HTTPS:

         Create a user profile in IDCS or OCI IAM for inbound web service authentication and assign the password in IDCS or OCI IAM. You can create a single user, or a separate user for different inbound messages.

         Create the web service authentication user, using the User Name defined in IDCS or OCI IAM, in Work with Web Service Authentication (WWSA) for the inbound web service message. No password entry is required or supported, because the authentication takes place through IDCS or OCI IAM.

         OAuth: Use the IDCS or OCI IAM Client ID of the client that generates the token as the user ID in Web Service Authentication (WWSA).

For more information: See Basic or OAuth Authentication for background.

For more information: See Oracle Authentication (IDCS or OCI IAM) in the Administration Guide.

How to display this screen: Enter WWSA in the Fast path field at the top of any menu or select Work with Web Service Authentication from a menu.

Field

Description

Web Service

An Order Management System web service that requires web service authentication. Valid web services are:

         CWCustomer

         CWEmailRequest

         CWMessageIn

         CWOrderIn

         CWPickIn

         CWReceiptIn

         CWServiceIn

         JMSQueue

         PrivateDataRequest

         ProcessIn

         Storage

Enter a full or partial web service name to display web services that contain your entry.

See Order Management System Web Services Eligible for Authentication for a summary of each web service.

Alphanumeric, 50 positions; optional.

Screen Option

Procedure

Configure web service authentication for an Order Management System web service

Select Authentication for a web service to advance to the Work with Inbound Web Service Authentication Users Screen.

Configure web service authentication for an external web service

Select Outbound Svcs to advance to the Work with Outbound Web Service Authentication Screen.

Work with Inbound Web Service Authentication Users Screen

Purpose: Use this screen to configure web service authentication for a web service.

How to display this screen: Select Authentication for a web service on the Work with Inbound Web Service Authentication Screen.

Field

Description

Web Service

The web service requiring authentication.

Alphanumeric, 50 positions; display-only.

User

A valid web service authentication user that can authenticate the web service through one of the following methods:

         OAuth authentication: When you use OAuth authentication, this is the IDCS or OCI IAM Client ID of the client that requests the OAuth token.

         Basic authentication: When you use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) for basic password authentication, this is the user ID defined in IDCS or OCI IAM. See Basic or OAuth Authentication for background.

About OAuth: OAuth is a standard for web service authentication through the use of access tokens rather than passwords. When OAuth is used, the inbound web service request specifies a client ID and a temporary token for authentication, rather than a user ID and a password. You can use the Manage External Application Access page in Modern View to create web service authentication records for applications created in IDCS or OCI IAM that use OAuth authentication.

When OAuth not used: OAuth is not currently supported for web service requests to Order Management System from older versions of Order Broker.

When OAuth is not supported, you should use the Work with Inbound Web Service Authentication screen (WWSA) rather than the Manage External Application Access page in Modern View.

Enter a full or partial user ID to display users that contain your entry.

Alphanumeric, 100 positions; optional.

Screen Option

Procedure

Create a web service authentication user

Select Create to advance to the Add User Window. Typically, you use the Manage External Application Access page in Modern View to create web service authentication records for client applications created in IDCS or OCI IAM and using OAuth authentication.

Delete a web service authentication user

Select Delete for a user. At the Are you sure you want to delete the web service user? window, select Yes to delete the user; otherwise, select No to cancel.

You can also use the Manage External Application Access page in Modern View to delete web service authentication records for client applications created in IDCS or OCI IAM, if necessary.

Add User Window

Purpose: Use this window to create a web service authentication user.

How to display this screen: Select Create on the Work with Inbound Web Service Authentication Users Screen.

Field

Description

User

The web service authentication user ID. When you use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) for password authentication, this is the user ID or client ID defined in IDCS or OCI IAM.

About OAuth: OAuth is a standard for web service authentication through the use of access tokens rather than passwords. When OAuth is used, the inbound web service request specifies a client ID and a temporary token for authentication, rather than a user ID and a password.

Use the Manage External Application Access page in Modern View to create web service authentication records for client applications created in IDCS or OCI IAM that use OAuth, such as XOffice on premises.

When OAuth not used: OAuth is not currently supported for web service requests to Order Management System from older versions of Order Broker.

When OAuth is not supported, you should use the Work with Inbound Web Service Authentication screen (WWSA) rather than the Manage External Application Access page in Modern View.

Alphanumeric, 100 positions.

Add window: required.

Work with Outbound Web Service Authentication Screen

Purpose: Use this screen to define a valid web service authentication user and password for an external web service that requires web service authentication.

You must define web service authentication for each of your Order Management System companies that communicates with the external system. Unlike inbound web service authentication, outbound web service authentication is defined at the company level.

Web service authentication for messages to Order Broker or Customer Engagement occurs when the message is received in that application. The web service user for web service authentication on inbound messages to Order Broker or Customer Engagement must be defined in that application.

How to display this screen: Select Outbound Svcs at the Work with Inbound Web Service Authentication Screen.

Field

Description

Web Service

An external web service for which you can define a valid web service authentication user and password.

Job Notification: The Job Notification web service is used to notify an external system about the completion of a periodic process or a job. See Using the Job Notification Outbound REST Message for more information.

Narvar Service: Used for authentication of RESTful web service requests to generate shipment notification emails through the Narvar Integration.

Note:  Narvar currently supports only Basic authentication.

OCDS Service: Used for authentication for RESTful web service requests sent to the Omnichannel Cloud Data Service. See Importing Enterprise Foundation Data through Omnichannel Cloud Data Service (OCDS) for background.

Customer Engagement: Web services listed for Oracle Retail Customer Engagement are:

         ORCE Customer

         ORCE File Service

         ORCE Loyalty

         ORCE Purchase History

         ORCE Stored Value Card

         ORCE Wish List

See Oracle Retail Customer Engagement Web Services Eligible for Authentication for a summary of each web service.

Order Broker: Web services listed for Order Broker are:

         OROB Discovery

         OROB Locate

         OROB Purchasing

See Order Broker Web Services Eligible for Authentication for a summary of each web service.

RICS Service: Used for authentication for the pre-order (backorder quantity update) notification message that is part of the Enterprise Order Integration (Future Receipts and Active PO/Pre-Order Processing).

Note:  RICS Service does not support OAuth authentication. See Basic or OAuth Authentication for more information on using OAuth.

Sales Audit File Service: Used for OAuth authentication for submission of the RTLOG file to object storage for the Sales Audit module of the Oracle Retail Merchandising Foundation Cloud Service. Note that object storage is supported for version 21.0 or higher of the Sales Audit module. See Transmitting the RTLOG File to Object Storage for more information.

Default client ID and secret for Order Broker and Customer Engagement: You can use the IDCS_ACCESS_CLIENT_ID and IDCS_ACCESS_CLIENT_SECRET defined in Working with Admin Properties (CPRP) for outbound OAuth authentication to Order Broker and Customer Engagement if the client ID and secret are not defined in Working with Web Service Authentication (WWSA). Otherwise, these defaults are not used for other outbound web service authentication.

Alphanumeric, 50 positions; optional.

User/Client ID

The web service authentication user defined for the web service, or the client ID to use for the web service for OAuth authentication.

Enter a full or partial user name or client ID to display web service users that contain your entry.

See Basic or OAuth Authentication for background.

Alphanumeric, 100 positions; optional.

Authentication Type

Indicates the type of authentication to use for the outbound web service:

         BASIC: Requests pass a user ID and a password for authentication of the web service.

         OAUTH: Requests pass a client ID and a client secret for authentication of the web service.

See Basic or OAuth Authentication for background.

Screen Option

Procedure

Define a valid web service authentication user and password or client ID and client secret

Select Change for a web service to advance to the Change Outbound Web Service Authentication Screen.

Configure web service authentication for an Order Management System web service

Select Inbound Svcs to advance to the Work with Inbound Web Service Authentication Screen.

Change Outbound Web Service Authentication Screen

Purpose: Use this screen to define whether the service uses basic or OAuth authentication, and to define a valid:

         User and password if using basic authentication for the web service.

         Client ID and client secret if using OAuth for the web service.

See Basic or OAuth Authentication for background.

Default client ID and secret for Order Broker and Customer Engagement: You can use the IDCS_ACCESS_CLIENT_ID and IDCS_ACCESS_CLIENT_SECRET defined in Working with Admin Properties (CPRP) for outbound OAuth authentication to Order Broker and Customer Engagement if the client ID and secret are not defined in Working with Web Service Authentication (WWSA). Otherwise, these defaults are not used for other outbound web service authentication.

How to display this screen: Select Change for a web service on the Work with Outbound Web Service Authentication Screen.

Field

Description

Web Service

The web service for which you wish to define web service authentication.

Alphanumeric, 50 positions; display-only.

Authentication Type

Indicates the type of authentication to use for the outbound web service:

         BASIC: Requests pass a user ID and a password for authentication of the web service.

         OAUTH: Requests pass a client ID and a client secret for authentication of the web service.

See Basic or OAuth Authentication for background. Also, see the Work with Outbound Web Service Authentication Screen for information on which outbound web services support basic or OAuth authentication.

If you have difficulty seeing both authentication types: Both options for this field may be difficult to see in Internet Explorer if the Enable syncing Internet Explorer settings and data option is not selected at the Advanced tab of the Internet Options window for Internet Explorer.

User/Client ID

Depending on the setting of the Authentication Type, this field is:

         User (basic authentication): A valid web service authentication user that can authenticate the web service using basic authentication. You must enter the user ID in the correct case.

         This user must be defined in the destination system, such as Order Broker or Customer Engagement.

         Client ID (OAuth authentication): A valid client ID that you can use, along with the client secret, to generate a temporary token for OAuth authentication. In IDCS or OCI IAM, this field is labeled as the Display Name for the client, for example, RGBU_OBCS_<RANDOM>_APPID, where OBCS identifies the application, and <RANDOM> is a series of 8 random characters.

The client ID must be defined in the authentication service, such as IDCS or OCI IAM, as well as the destination system. If you use IDCS or OCI IAM, you create the user in IDCS or OCI IAM and import the user into the destination system.

Alphanumeric, 10 positions; required.

Password/Client Secret

Depending on the setting of the Authentication Type, this field is:

         Password (basic authentication): The password assigned to the web service authentication user. Must match the password in the destination system. You can define both upper and lower case letters for the password.

         Client secret (OAuth authentication): The client secret defined for the client ID in the authentication service, such as IDCS or OCI IAM, to generate a temporary token for OAuth authentication. You can regenerate the client secret

For security reasons, the system masks the password or client secret on the screen and encrypts it in the database.

Alphanumeric, 50 positions; required.