Authenticate

Authentication and authorization in Oracle Analytics Cloud is managed by Oracle Identity Cloud Service (IDCS). To access the Oracle Analytics Cloud REST APIs, you need an OAuth 2.0 access token to use for authorization.

OAuth 2.0 Token Authentication

This authentication type requires a bearer token, obtained by an initial call to the Oracle Identity Cloud Service token REST API (oauth2/v1/token) with suitable parameters. This section describes how to obtain the token and how to use it to call Oracle Analytics Cloud REST APIs. The way you obtain the token depends on the grant type that you decide to use: Resource Owner or JWT Assertion.

  • Resource owner

    This grant type uses the username and password of an Oracle Identity Cloud Service user, together with a confidential application that you've registered with Oracle Identity Cloud Service to call Oracle Analytics Cloud REST APIs. You use the confidential application client ID, client secret, and scope to access the Oracle Analytics Cloud REST APIs.

    Note:

    The resource owner grant type works only for non-federated users in Oracle Identity Cloud Service.

  • JWT assertion

    The JWT assertion grant type allows you to obtain a token for federated users. For details, see Obtaining an Access Token by Using a Self-Signed User Assertion and a Client Assertion.

    You don't need a password for the user. Instead, you assert the user and the client using assertions signed with your private key. This means you must upload the corresponding public certificate to the confidential application registered with Oracle Identity Cloud Service.

These are the high-level steps for token authentication:

  1. In Oracle Identity Cloud Service Console, create a confidential application and map the Oracle Analytics Cloud instance you want to connect to as a scope in the resource section. This scope will be used to obtain the token.
  2. (JWT Assertion only) Generate a key pair for signing the client and user JWT assertion.
  3. (JWT Assertion only) Register the certificate with the IDCS confidential application.
  4. Make a note of the IDCS confidential application scope, client ID and client secret.
  5. Call the IDCS REST API to get a bearer token. If you're using JWT assertion, you can create your own scripts to generate the client and user assertions.
  6. Use the bearer token to authenticate calls to Oracle Analytics Cloud REST APIs.

Create a Confidential Application

Create a confidential application in Oracle Identity Cloud Service and include your Oracle Analytics Cloud instance as an authorized resource. See also Add a Confidential Application.

  1. Sign in to your Oracle Cloud account as an administrator.
  2. Navigate to Identity & Security, and click Domains.

    If your cloud account doesn't offer identity domains, you don't see the Domains link. This means your cloud account federates with Oracle Identity Cloud Service. Click Federation, select oracleidentitycloudservice, and then click the Oracle Identity Cloud Service Console URL.

  3. Navigate to the Applications tab, and click Add.
  4. In the Add Application dialog, click Confidential Application.
  5. Specify a name and description, and then click Next.
  6. Select Configure this application as a client now.
  7. In Allowed Grant Types, select either Resource Owner or JWT Assertion.

    You can use either Resource Owner or JWT Assertion to call Oracle Analytics Cloud REST APIs.

    If you select JWT assertion, complete these additional steps:

    1. Generate a private key and public certificate to authenticate the confidential application and user JWT assertions. For example, you can create a key-pair using openssl:
      openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -days 1024 -out public_certificate.crt
    2. Upload the public certificate file to the confidential application. In Security, select the Trusted Client checkbox. Click Import, enter a Certificate Alias, and then upload your public certificate file.
  8. In the section Token Issuance Policy, click Add. In Add Scope, select the Oracle Analytics Cloud instance you want to access. For example, select AUTOANALYTICSINST_<my_OAC_instance_ID>.
  9. Make a note of the Scope value (a URL) as this is used to call the IDCS REST API to obtain a bearer token.

  10. Make a note of the confidential application client ID and client secret.

Call the IDCS REST API to Get a Bearer Token

  • Resource Owner

    Use this example curl command to get the token if you selected Resource Owner as the allowed grant type:

    curl --request POST \
    --url 'https://<IDCS-instance>.identity.oraclecloud.com/oauth2/v1/token' \
    --header 'authorization: Basic <base64 encoded clientID:ClientSecret>' \
    --header 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
    -d 'grant_type=password&username=<username>&password=<password>&scope=<scope copied from resource section in IDCS confidential application>'

  • JWT Assertion

    Use this example curl command to get the token if you selected JWT Assertion as the allowed grant type:

    curl --request POST 'https://<IDCS_instance>.identity.oraclecloud.com/oauth2/v1/token' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
    --data scope=https://<IDCS_CUSTOM_APP_OAC_REFERENCE>.analytics.ocp.oraclecloud.com:443urn:opc:resource:consumer::all \
    --data client_id=<IDCS_CUSTOM_APP_CLIENT_ID> \
    --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
    --data assertion=<JWT_USER_ASSERTION_TOKEN> \
    --data client_assertion=<JWT_CLIENT_ASSERTION_TOKEN>
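
One way to script the client and user assertions mentioned in step 5, as an added example that is not Oracle's code. The function names are hypothetical, and the claim set (sub, iss, aud, iat, exp, jti), the use of the certificate alias as kid, and the audience value are assumptions to confirm against the IDCS documentation referenced above.

```bash
#!/usr/bin/env bash
# Added example, not Oracle's code. Builds RS256-signed JWT assertions with openssl.
# ASSUMPTIONS (verify against the IDCS docs): claim names, kid = certificate alias,
# and the audience value below.
AUD="${AUD:-https://identity.oraclecloud.com/}"

# base64url without padding, as JWTs require (RFC 7515).
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_assertion <subject> <client_id> <cert_alias> <private_key.pem> [ttl_seconds]
#   client assertion: subject = client ID;  user assertion: subject = username
make_assertion() {
  local sub="$1" iss="$2" kid="$3" key="$4" ttl="${5:-300}"
  local now exp jti header claims signing_input sig
  # Values are placed into JSON verbatim, so refuse characters that would break it.
  case "$sub$iss$kid" in
    *[\"\\]*) echo "refusing value containing a quote or backslash" >&2; return 1 ;;
  esac
  now=$(date +%s)
  exp=$((now + ttl))            # short lifetime limits replay of a leaked assertion
  jti=$(openssl rand -hex 16)   # unique ID per assertion
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$kid" | b64url)
  claims=$(printf '{"sub":"%s","iss":"%s","aud":"%s","iat":%d,"exp":%d,"jti":"%s"}' \
    "$sub" "$iss" "$AUD" "$now" "$exp" "$jti" | b64url)
  signing_input="$header.$claims"
  # RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<claims>".
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  [ -n "$sig" ] || return 1     # signing failed (missing or unreadable key)
  printf '%s.%s\n' "$signing_input" "$sig"
}

# Run as: ./make_assertion.sh <subject> <client_id> <cert_alias> private_key.pem
if [ "$#" -ge 4 ]; then make_assertion "$@"; fi
```

Pass the output for the client ID as client_assertion and the output for the username as assertion in the curl command above.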

Use the Token to Call the Oracle Analytics Cloud REST API

When you have a bearer token, use the token to call the Oracle Analytics Cloud REST API.

For example:

curl -i \
  --header 'Authorization: Bearer <token>' \
  --request GET 'https://<my-oac-instance>.analytics.ocp.oraclecloud.com/api/20210901/snapshots'