Use an Appropriate Connection Type to Handle CORS for REST Services
Web apps can call external REST services directly or through the Visual Builder proxy. The value you choose for the connection type and your choice of authentication method when you create or modify a service connection determines which option your app uses.
Direct calls
- Oracle Cloud Account
- Delegate Authentication
- OAuth 2.0 (all types)
- None
Calls via proxy
The Visual Builder proxy is a trusted server-side component that calls external REST services hosted on external domains on behalf of your app. One benefit is that you, or a system administrator, don't need to configure CORS settings for the external REST service. However, you incur the cost of an extra network call, as each request and response must first go through the Visual Builder proxy.
All authentication types can be used with the Visual Builder proxy. When you use some authentication types, such as Basic authentication and OCI Signature, authentication is always routed through the Visual Builder proxy. (Note that the proxy times out if the REST API doesn’t respond within 234 seconds.)
Connection type options
- Dynamic, the service supports CORS: Visual Builder decides the best route to connect to the external REST service assuming that the external REST service has enabled CORS for the Visual Builder domain. If the authentication supports direct calls (None, Oracle Cloud Account, Delegate Authentication, OAuth 2.0), the external REST service is called directly from the app.
- Dynamic, the service does not support CORS: Visual Builder decides the best route to connect to the external REST service assuming that the external REST service has not enabled CORS for the Visual Builder domain. All calls are routed through the Visual Builder proxy.
- Always use proxy, irrespective of CORS support: REST service calls from your apps always go through the Visual Builder proxy.
Application type | Authentication type | Connection type | Result |
---|---|---|---|
Any | Any | Always use Proxy | Through Visual Builder proxy |
Visual Builder Design time environment | Any | Dynamic – Service doesn’t support CORS | Through Visual Builder proxy |
Web app running on browser | Any | Dynamic – Service doesn’t support CORS | Through Visual Builder proxy |
Progressive Web App | Any | Dynamic – Service doesn’t support CORS | Through Visual Builder proxy |
Any | All except basic authentication and OCI Infrastructure API Signature 1.0 | Dynamic – Service supports CORS | Direct |
Any | Basic authentication or OCI Infrastructure API Signature 1.0 | Dynamic – Service supports CORS | Through Visual Builder proxy |
Here's an example of how different choices work when your application calls Sales and Service (CRM) REST APIs from an Oracle Cloud Applications instance. For this scenario, let's say your Visual Builder instance is hosted on vb.oracle.com
and the crmRestApi is hosted on fa.oraclecloud.com
.
If you chose Dynamic, the service supports CORS and the selected Authentication Type supports direct calls, the direct call goes like this: vb.oracle.com (browser)
→ fa.oraclecloud.com
.
If you chose Dynamic, the service does not support CORS or Always use the Proxy, the call is routed through the proxy and goes like this: vb.oracle.com (browser)
→ vb.oracle.com proxy
→ fa.oraclecloud.com
.
It's recommended that you use the Dynamic options, where Visual Builder decides the best route based on whether the external service supports CORS or not for this particular domain. However, you have the flexibility of choosing Always use the Proxy to route all requests via the proxy.
If you don't want to use the Visual Builder proxy, you must enable CORS in Oracle Cloud Applications for your particular domain (vb.oracle.com
in our example) by adding the Access-Control-Allow-Origin
CORS header for the CORS profile option. To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area. See Configure Cross-Origin Resource Sharing in REST API for Common
Features in Oracle Fusion Cloud Applications.