Example Authorization Flow

In this example flow, Example.com has subscribed to several Oracle Cloud PaaS and SaaS applications. Example.com's end users want to be able to access Oracle Cloud properties without having to go through the authorization process themselves (delegated authorization).

Note:

The commands in this example use the URL structure https://tenant-base-url/resource-path, where tenant-base-url represents the Identity Service URL and resource-path represents the Identity Service API. See Send Requests for the appropriate URL structure to use.
When you create an application using the Assertion grant type in the Oracle Identity Cloud Service administration console UI:
  • Specify Mobile Application as the application type.

  • Select Assertion as the grant type.

See Assertion Grant Type for more information on the Assertion grant type and an authorization flow diagram.

Authorization Flow

  1. A user attempts to access a client application (such as JCS).

    The URL contains query parameters that indicate the type of access being requested. The user assertion is a bearer token issued by a party that Oracle Identity Cloud Service trusts and is sent Base64 encoded in the assertion parameter. The requests below use the JWT bearer grant type (urn:ietf:params:oauth:grant-type:jwt-bearer, RFC 7523); a SAML2 assertion is sent with the SAML bearer grant type (urn:ietf:params:oauth:grant-type:saml2-bearer, RFC 7522) and, because standard Base64 contains the characters + / =, must be URL-encoded in the form body. The recipient value in the SAML assertion must be one of the following:

    • The issuer in the Issuer field of the OAuth Settings in the user interface.
    • Or, https://identity.oraclecloud.com/.
    • Or, the value of "secure_saml_sp_sso_endpoint" in the discovery response.

    Example Request Using the Authorization Header

    curl -i \
    -H 'Authorization: Basic <base64Encoded clientid:secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://tenant-base-url.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<Base64 encoded user-assertion-value>&scope=<scope value>'

    Example Request Using the Authorization Header Including Refresh Token in Request

    curl -i \
    -H 'Authorization: Basic <base64Encoded clientid:secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://tenant-base-url.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<Base64 encoded user-assertion-value>&scope=<Resource Server Scope>%20offline_access'

    Example Request Using a JWT Client Assertion

    curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://tenant-base-url.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<Base64 encoded user-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

    Example Request Using a JWT Client Assertion Including Refresh Token in Request

    curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://tenant-base-url.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<Base64 encoded user-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<Resource Server Scope>%20offline_access'

    In the two client-assertion variants the client authenticates with a JWT it signed itself (RFC 7523 client authentication) instead of the Basic Authorization header; the two methods are alternatives, not used together.
  2. An Oracle Web Services Manager (client-side) agent intercepts the client application's REST API call to the Resource Server (Fusion applications) and requests an access token on the application's behalf.

  3. The Oracle Identity Cloud Service OAuth Authorization Server authenticates the client application using either the Authorization header or the client assertion it sent, validates the user assertion, and returns an access token containing all applicable Oracle Identity Cloud Service scopes based on the privileges represented by the application roles granted to the requesting client application.

  4. The user can access an OPC application from another OPC application.
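The following is an added example, not code from the Oracle documentation or from Oracle Identity Cloud Service. It builds the two JWTs that the curl commands in step 1 leave as placeholders (the user assertion and the client assertion), assembles the four form bodies shown there, and carries out the checks an authorization server makes in step 3 before trusting a bearer assertion (signature, required claims, expiry, and the recipient/audience rule from step 1). Assumptions: HS256 with a shared secret is used only so the code runs on the standard library (a real issuer normally signs with an RS256 key that the service trusts); the issuer, subject, client ID, scope and keys are constructed demo values; and only the https://identity.oraclecloud.com/ audience from the page's list is pre-populated.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import quote, urlencode

# Endpoint shape from the page; "tenant-base-url" is a placeholder, not a real tenant.
TOKEN_URL = "https://tenant-base-url.identity.oraclecloud.com/oauth2/v1/token"
GRANT_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# One of the three recipient values the page lists; the tenant's own OAuth issuer and
# secure_saml_sp_sso_endpoint from discovery would be added here in a real deployment.
IDCS_AUDIENCE = "https://identity.oraclecloud.com/"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialise a JWT. HS256 with a shared secret is an assumption made so this
    runs on the standard library; a production issuer normally uses an RS256 key."""
    seg = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "HS256", "typ": "JWT"}) + "." + seg(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def user_assertion(issuer: str, subject: str, key: bytes, now: int, ttl: int = 300) -> str:
    """The <user-assertion-value> from the page: who asserts, about whom, for which
    recipient (aud), and for how long."""
    return sign_jwt({"iss": issuer, "sub": subject, "aud": IDCS_AUDIENCE,
                     "iat": now, "exp": now + ttl}, key)


def client_assertion(client_id: str, key: bytes, now: int, ttl: int = 300) -> str:
    """The <client-assertion> from the page (RFC 7523 client authentication): iss and
    sub are the client_id, aud is the token endpoint, jti makes replay detectable."""
    return sign_jwt({"iss": client_id, "sub": client_id, "aud": TOKEN_URL, "iat": now,
                     "exp": now + ttl, "jti": secrets.token_hex(16)}, key)


def verify_assertion(token: str, key: bytes, allowed_aud: set, now: float) -> dict:
    """Checks the authorization server makes before trusting a bearer assertion
    (RFC 7523 section 3): pinned algorithm, signature, required claims, expiry, audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    missing = [c for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if not any(a in allowed_aud for a in aud):  # the recipient rule from step 1
        raise ValueError("audience not accepted")
    return claims


def rejection_reason(token: str, key: bytes, allowed_aud: set, now: float):
    """None if the assertion is acceptable, otherwise the reason it was rejected."""
    try:
        verify_assertion(token, key, allowed_aud, now)
        return None
    except ValueError as err:
        return str(err)


def token_request(assertion: str, scope: str, client_id: str, client_secret: str = None,
                  client_jwt: str = None, offline: bool = False):
    """Headers and form body for the four curl variants on the page. The client uses
    Basic auth or a client assertion, never both; offline_access asks for a refresh token."""
    form = {"grant_type": GRANT_JWT_BEARER, "assertion": assertion,
            "scope": scope + (" offline_access" if offline else "")}
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    if client_jwt is not None:
        form.update({"client_id": client_id, "client_assertion_type": CLIENT_ASSERTION_JWT,
                     "client_assertion": client_jwt})
    elif client_secret is not None:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        raise ValueError("client must present a secret or a client assertion")
    # quote (not quote_plus) yields the %3A / %20 encoding seen in the page's -d strings.
    return headers, urlencode(form, quote_via=quote)


if __name__ == "__main__":
    now = int(time.time())  # constructed demo keys and names; no real tenant or credential
    ua = user_assertion("https://idp.example.com", "alice@example.com", b"demo-idp-secret", now)
    ca = client_assertion("client1", b"demo-client-secret", now)
    print(rejection_reason(ua, b"demo-idp-secret", {IDCS_AUDIENCE}, now + 1))
    print(*token_request(ua, "urn:example:rs:all", "client1", client_jwt=ca), sep="\n")
```

Two points worth noticing in the verifier: the algorithm is pinned by the server rather than read from the token header, and the audience check is what stops an assertion minted for some other relying party from being redeemed at this token endpoint. The scope value urn:example:rs:all is a placeholder for the <Resource Server Scope> in the page's commands.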