HMAC Signature Validation

To support validation of HMAC-based digital signatures of incoming requests for invoking Oracle Integration flows, use the HMAC_SIGNATURE_VALIDATION managed security policy. You can customize the security policy as needed for a connection definition.

Overview

The HMAC policy validates the HMAC signature(s) carried in incoming requests. The security policy recomputes each signature over a signing string built by a JQ expression (or flow) defined in the policy, using the shared secret and the configured algorithm, and compares the result with the signature sent by the HTTP client.

After the signature is validated, the policy uses the client ID provided in clientIdentifier for authorization and checks that this client ID is associated with the ServiceInvoker role.

To add the HMAC Signature Validation policy to your document, use the available authentication scheme template. See Implement a New Connection Definition.

Note:

You can use the policy to verify multiple signatures in a single request.

Security Properties

A connection definition that uses this security policy defines the following properties in the securityProperties section. See Connection Properties and Sample Code.

The values in the name, displayName, shortDescription, and description columns list the default values that appear when you insert a security policy into an adapter definition document. You can update these values if needed.

Each property is listed with its name, displayName, shortDescription, description, data type, whether it is required, and the recommended hidden setting.

signatureString

  displayName: Signing String(s)/Content(s) that are signed
  shortDescription: Example: ${ .request.body}
  description: JQ expression or flow indicating how to build the signing string. If there is more than one signature, the output must be an ArrayNode containing all signing strings, in the same order as the signatures.
  Data type: String
  Required: Yes
  Recommendation: "hidden":true

signature

  displayName: Request Signature Location(s)
  shortDescription: Example: ${.request.headers.\"x-signature\"}
  description: JQ expression or flow to extract the signature(s) from the request. If there is more than one signature, the output must be an ArrayNode containing all signatures.
  Data type: String
  Required: Yes
  Recommendation: "hidden":true

secret

  displayName: Shared Secret
  shortDescription: Shared Secret (Password)
  description: If there are multiple signatures, provide either a comma-separated list of secrets (one per signature) or a single secret that is used for all signatures.
  Data type: Password
  Required: Yes
  Recommendation: "hidden":false

signatureAlgorithm

  displayName: Signature Algorithm
  shortDescription: Signing Algorithm. Example: HMACSHA256
  description: One of the following:
    HMACSHA256: HMAC signature with SHA-256
    HMACSHA384: HMAC signature with SHA-384
    HMACSHA512: HMAC signature with SHA-512
  Data type: CHOICE
  Required: Yes
  Recommendation: "hidden":true

timestampValidator

  displayName: Timestamp Validation Strategy
  shortDescription: Example: ${.request.headers.ts < now()}
  description: Optional. JQ expression or flow to validate the message timestamp/expiry. Without a timestamp check, a captured request with a valid signature can be replayed.
  Data type: String
  Required: No
  Recommendation: "hidden":true

clientIdentifier

  displayName: This ID will be used to authorize after signature validation. ID must belong to a valid client application in the OIC IAM domain and must have the ServiceInvoker application role assigned.
  shortDescription: Example: 741abdd2ca2ddddd055670cfa856bfv
  description: The ID is used for authorization after signature validation. It must belong to a valid client application in the OIC IAM domain and must have the ServiceInvoker application role assigned.
  Data type: String
  Required: Yes
  Recommendation: "hidden":false

Sample Code: Digital Signature Validation (HMAC)

 "securityPolicies": [
     {
        "type": "managed",
        "policy": "HMAC_SIGNATURE_VALIDATION",
        "description": "Validates HMAC Signature",
        "displayName": "HMAC SIGNATURE VALIDATION",
        "scope": "TRIGGER",
        "securityProperties": [
           {
               "name": "signature",
               "displayName": "Request Signature Location",
               "hidden": true,
               "required": true,
               "default": "${connectivity::hexDecode(.request.headers.digest)}"
           },
           {
               "name": "signatureString",
               "displayName": "Signing String",
               "hidden": true,
               "required": true,
               "default": "${.request.body}"
           },
           {
               "name": "signatureAlgorithm",
               "displayName": "Signature Algorithm",
               "hidden": true,
               "required": true,
               "default": "HMACSHA256"
           },
           {
               "name": "secret",
               "displayName": "Shared Secret",
               "hidden": false,
               "required": true
           },
           {
               "name": "timestampValidator",
               "displayName": "Timestamp Validation",
               "hidden": true,
               "required": false,
               "default": ""
           },
           {
               "name": "clientIdentifier",
               "hidden": false,
               "required": true
           }
       ]
      }
   ]

In this sample the signature header carries the HMAC as hex, so the signature expression hex-decodes it before comparison; signatureString is the raw request body, signatureAlgorithm is fixed to HMACSHA256, and only the shared secret and client identifier are visible (not hidden) in the connection UI. timestampValidator is optional and left empty here.
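The following Python program is an added example and is not Oracle Integration code: it shows a client computing the signature the sample connection expects (HMAC over the request body, hex-encoded in a `digest` header) and a verifier that mirrors what the policy does with signatureString, signature, secret, signatureAlgorithm and timestampValidator, including the multiple-signature case with comma-separated secrets. The header names, the `ts` timestamp header, the "one secret or one-per-signature" splitting rule and the 300-second replay window are assumptions made for the example. Note that the page's timestamp expression `${.request.headers.ts < now()}` rejects only future-dated requests; a replay window needs both a lower and an upper bound, which `timestamp_valid` below applies.

```python
"""Added example (not Oracle's code): sign requests the way the
HMAC_SIGNATURE_VALIDATION sample expects and verify them the way the policy
does. Header names, secret splitting and the replay window are assumptions."""
import hashlib
import hmac
import time

# The signatureAlgorithm CHOICE values from the policy, mapped to digests.
ALGORITHMS = {
    "HMACSHA256": hashlib.sha256,
    "HMACSHA384": hashlib.sha384,
    "HMACSHA512": hashlib.sha512,
}


def sign(secret, signing_string, algorithm="HMACSHA256"):
    """Client side: hex-encoded HMAC over the signing string. The sample's
    signature expression hexDecode(.request.headers.digest) expects hex."""
    return hmac.new(secret.encode(), signing_string, ALGORITHMS[algorithm]).hexdigest()


def build_request(secret, body, now=None, algorithm="HMACSHA256"):
    """Constructed request as a dict of headers plus body (assumed header names)."""
    ts = str(int(time.time() if now is None else now))
    return {
        "headers": {"digest": sign(secret, body, algorithm), "ts": ts},
        "body": body,
    }


def verify(secrets, signing_strings, signatures, algorithm="HMACSHA256"):
    """Server side mirror of the policy. `signing_strings` and `signatures`
    are single values (one signature) or lists (the ArrayNode case). `secrets`
    is one shared secret for all signatures or a comma-separated list aligned
    with the signature array (assumed splitting rule)."""
    if algorithm not in ALGORITHMS:
        return False
    if isinstance(signing_strings, bytes):
        signing_strings = [signing_strings]
    if isinstance(signatures, str):
        signatures = [signatures]
    if not signatures or len(signing_strings) != len(signatures):
        return False
    keys = secrets.split(",") if "," in secrets else [secrets]
    if len(keys) == 1:
        keys = keys * len(signatures)
    if len(keys) != len(signatures):
        return False
    ok = True
    for key, data, sig in zip(keys, signing_strings, signatures):
        expected = hmac.new(key.encode(), data, ALGORITHMS[algorithm]).hexdigest()
        # Constant-time comparison; compare as bytes so odd input cannot raise.
        ok &= hmac.compare_digest(expected.encode(), sig.lower().encode())
    return ok


def timestamp_valid(ts, now=None, max_skew=300):
    """timestampValidator equivalent: accept only requests whose timestamp is
    within max_skew seconds of the server clock, in either direction."""
    try:
        t = int(ts)
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    return abs(now - t) <= max_skew


def validate_request(secret, request, now=None, algorithm="HMACSHA256"):
    """What the policy does for the sample connection: signatureString is the
    body, the signature comes from the digest header, then the timestamp check."""
    headers = request["headers"]
    if not verify(secret, request["body"], headers.get("digest", ""), algorithm):
        return False
    return timestamp_valid(headers.get("ts"), now)


if __name__ == "__main__":
    req = build_request("s3cret", b'{"orderId": 42}', now=1700000000)
    print(validate_request("s3cret", req, now=1700000010))   # True
    print(validate_request("s3cret", req, now=1700003600))   # False: replayed too late
    req["body"] = b'{"orderId": 43}'
    print(validate_request("s3cret", req, now=1700000010))   # False: body tampered
```

The verifier deliberately folds every per-signature comparison into `ok` instead of returning on the first mismatch, so that the time taken does not reveal which of several signatures failed; `hmac.compare_digest` does the same for the bytes of each individual signature.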