How Does OAuth Work in Oracle Cloud?

OAuth is used to secure access to web services like Oracle Java Cloud Service-SaaS Extension, Oracle Mobile Cloud Service, and Oracle Fusion Applications that are exposed by Oracle Cloud. 

A tenant is a subscribing customer that has a group of users who share common access with specific privileges to a software instance. A tenant can have one or more services hosted by Oracle Cloud that need to communicate with each other using REST API calls.

For example, your company ACME Corp., is a typical tenant in Oracle Cloud. As tenant you’ve subscribed to cloud services like Oracle Fusion Applications, Oracle Java Cloud Service-SaaS Extension, and Oracle Mobile Cloud Service. Oracle Cloud hosts these services, which communicate with each other using REST API calls. OAuth Service provides access tokens that OAuth clients use to make REST API calls to the services hosted by Oracle Cloud.

There are two types of REST API calls that can be made between services. They are:

  • Intra-Oracle Cloud: These REST API calls come from one cloud service to another cloud service within Oracle Cloud. An example of an intra-Oracle Cloud REST API call is Oracle Java Cloud Service-SaaS Extensions calling Oracle Mobile Cloud Service.
  • Inter-Oracle Cloud: These REST API calls come from an outside Oracle Cloud service to a cloud service within Oracle Cloud. An example of an inter-Oracle Cloud REST API call is a mobile application calling the Oracle Mobile Cloud Service .
In this scenario, an OAuth client can make two different types of REST API calls:
  • Simple REST API: A client has a credential and wants to make a REST API call to an Oracle Cloud service. (For example a mobile application client making a REST API call to Oracle Mobile Cloud Service).
  • REST with identity propagation: Identity propagation is the replication of authenticated identities. An Oracle Java Cloud Service-SaaS application wants to make a REST API call to another Oracle Cloud service like Oracle Mobile Cloud Service. Oracle Java Cloud Service-SaaS makes a REST call on-behalf of the user in the current security context. But the Oracle Java Cloud Service-SaaS application does not know the user credentials.

The OAuth service acts as the central trust manager. The OAuth clients are registered with the OAuth service. During the registration of an OAuth client, information on which APIs the OAuth client can access is also sent to the OAuth service. When the OAuth client makes a new REST API call to access a protected service, it receives an access token from the OAuth service. The OAuth client can use this token for subsequent access to the same service until it expires. If the token expires, the OAuth client again acquires an access token from the OAuth service. The OAuth service infrastructure validates the access token and allows the API call only if the token is valid (the signature validation succeeds and the tenant information matches).