Generating Access Token Using Authentication API

This use case provides a step-by-step example of using Oracle Identity Cloud Service to generate an access token with the Authentication API. The user's credentials are exchanged for an AuthnToken, the AuthnToken is exchanged for an access token, and that access token is then used to read the user's own information from the Me endpoint.

Note:

Use this Authenticate API only if you're building your own end-to-end login experience by developing a custom sign-in application to be used by Oracle Identity Cloud Service.

Note:

This Authenticate API can't be used to integrate your applications with Oracle Identity Cloud Service for single sign-on purposes.

Note:

See the Oracle Identity Cloud Service Authentication API Postman collection for extensive authentication use case examples. Download the collection and the global variables file from the idcs-authn-api-rest-clients folder within GitHub and then import them into Postman.

There are four steps in this use case. Each step shows the request and response (Step 1 shows only the response):

Step 1: Begin the Authentication Flow

When the user tries to access an application that is associated with TOU, the Oracle Identity Cloud Service server uses the application name to fetch the policy assigned to that application. Based on the tenant settings, the server determines the identity provider (IDP) and authentication policy and then tells the client what to do next. In the response below, nextOp is credSubmit and the only authentication factor offered is USERNAME_PASSWORD, so the client should prompt for a user name and password; the requestState value must be carried unchanged into the Step 2 request. A client should act on nextOp and nextAuthFactors rather than assume a password prompt, because a different policy can require other factors.

Response Example

The following example shows the contents of the response in JSON format:

{
    "status": "success",
    "ecId": "5fR1O171000000000",
    "nextOp": [
        "credSubmit"
    ],
    "nextAuthFactors": [
        "USERNAME_PASSWORD"
    ],
    "USERNAME_PASSWORD": {
        "credentials": [
            "username",
            "password"
        ]
    },
    "requestState": "BC4LO/oKGHPryRorg...FEmtjUykWhOFZ5ZM"
}

Step 2: Submit the User's Credentials

In this scenario, the client posts the user's credentials and retrieves the AuthnToken. The following must be included in the request:
  • credentials: the user name and password (the credential names listed under USERNAME_PASSWORD in the Step 1 response)

  • requestState: the value received in the Step 1 response

  • op: tells the server what kind of operation the client wants; here it is credSubmit

The AuthnToken is an id_token in JWT format that represents the current user, session and request data. It is used to create an SSO session cookie and redirect to the target URL. If the user name and password are valid, the response carries the AuthnToken. Because possession of the AuthnToken is proof that the user authenticated, treat it like a credential: send it only over TLS and keep it out of logs and URLs.

Request Example

The following example shows the contents of the POST request in JSON format to the /sso/v1/sdk/authenticate endpoint:

{  
   "op":"credSubmit",
   "credentials":{  
      "username":"admin@oracle.com",
      "password":"Welc0me@1"
   },
   "requestState": "{{requestState}}"
}

Response Example

The following example shows the contents of the response in JSON format where the AuthnToken is retrieved:

{
    "authnToken": "eyJ4NXQjUzI1NiI6Iks0R0hvZ...ZLjOZmKAvORB8OaV1Xqt1GL3tx1kyWA",
    "status": "success",
    "ecId": "5fR1O171000000000"
}

Step 3: Generate Access Token

After you retrieve an AuthnToken, present it to the OAuth token endpoint as a JWT bearer assertion (grant type urn:ietf:params:oauth:grant-type:jwt-bearer) to obtain an access token.

Request Example

The following example shows the body of the POST request to the /oauth2/v1/token endpoint. Unlike Step 2, this body is sent as application/x-www-form-urlencoded, not JSON; the grant_type value is shown percent-encoded:

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&scope=urn:opc:idm:__myscopes__&assertion={{authnToken}}

Response Example

The following example shows the contents of the response in JSON format (expires_in is the token lifetime in seconds):

{
    "access_token": "eyJ4NXQjUzI1NiI6Iks0R0hvZV..._Txr0XBW2V2rtXVDGvc2R6anYg",
    "token_type": "Bearer",
    "expires_in": 7600
}

Step 4: Obtain User Information

The client sends the access token to the Me endpoint to obtain the authenticated user's own information, such as the user name, display name and email addresses.

Request Example

The following example shows the request. It is a GET with no body; the access token from Step 3 is sent in the Authorization header as a Bearer token, not as a query parameter.

GET {{HOST}}/admin/v1/Me

Response Example

The following example shows the contents of the response in JSON format with user information.

{
    "idcsCreatedBy": {
        "type": "App",
        "display": "idcssm",
        "value": "4ba14c4be74d48d497da6ce651209a06",
        "$ref": "https://docteam.identity.internal.oracle.com:8943/admin/v1/Apps/4ba14c4be74d48d497da6ce651209a06"
    },
    "id": "de94e8399a0e4f23ac52fc681f5fb828",
    "meta": {
        "created": "2018-12-12T09:46:53.646Z",
        "lastModified": "2018-12-13T10:35:32.604Z",
        "resourceType": "Me",
        "location": "https://docteam.identity.internal.oracle.com:8943/admin/v1/Me/de94e8399a0e4f23ac52fc681f5fb828"
    },
    "active": true,
    "displayName": "admin opc",
    "idcsLastModifiedBy": {
        "value": "6567bac90beb4e65a2eb3b280b2f0d1f",
        "display": "idcssso",
        "type": "App",
        "$ref": "https://docteam.identity.internal.oracle.com:8943/admin/v1/Apps/6567bac90beb4e65a2eb3b280b2f0d1f"
    },
    "nickName": "TAS_TENANT_ADMIN_USER",
    "userName": "admin@oracle.com",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User": {
        "isFederatedUser": false
    },
    "emails": [
        {
            "verified": false,
            "primary": false,
            "secondary": false,
            "value": "admin@oracle.com",
            "type": "recovery"
        },
        {
            "verified": false,
            "primary": true,
            "secondary": false,
            "value": "admin@oracle.com",
            "type": "work"
        }
    ],
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User": {
        "locked": {
            "on": false
        }
    },
    "name": {
        "formatted": "admin opc",
        "familyName": "opc",
        "givenName": "admin"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User"
    ]
}
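The following Python script is an added example and is not part of this documentation or of any Oracle SDK. It walks Steps 1 through 4 in order and refuses to continue when a response does not carry what the next step needs (a status of success, a credSubmit nextOp offering the USERNAME_PASSWORD factor, a requestState, an AuthnToken, a Bearer access token). It runs offline against a constructed FakeTenant whose replies copy the shapes shown above. Assumptions, because the use case does not show them: Step 1 is a GET on /sso/v1/sdk/authenticate carrying the client's initial access token as a Bearer header, the same header authenticates the client on the credSubmit POST, the token endpoint is /oauth2/v1/token and authenticates the client with HTTP Basic, and the host, client and token values are placeholders rather than real JWTs.

```python
# Added example, not Oracle code. Assumed because the use case does not show them: the Step 1
# request (GET on the SDK endpoint with the client's initial access token), the Bearer/Basic
# client-authentication headers, and the token endpoint path /oauth2/v1/token.
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlparse


class AuthnError(RuntimeError):
    """Raised whenever a step does not return exactly what the next step requires."""


def _call_json(transport, method, url, headers, body):
    """transport(method, url, headers, body) -> (http_status, response_body); plug in urllib/requests for real use."""
    if urlparse(url).scheme != "https":  # every request carries a secret: TLS only
        raise AuthnError("refusing to send credentials over a non-https URL")
    status, raw = transport(method, url, headers, body)
    if status != 200:
        raise AuthnError(f"{method} {url} returned HTTP {status}")
    return json.loads(raw)


def begin_authentication(transport, host, initial_token):
    """Step 1 (request shape assumed; the use case shows only the response)."""
    resp = _call_json(transport, "GET", f"{host}/sso/v1/sdk/authenticate",
                      {"Authorization": f"Bearer {initial_token}"}, None)
    if resp.get("status") != "success" or "requestState" not in resp:
        raise AuthnError(f"begin failed: status={resp.get('status')}")
    return resp


def submit_credentials(transport, host, initial_token, begin_resp, username, password):
    """Step 2: act on nextOp/nextAuthFactors instead of assuming a password prompt."""
    if ("credSubmit" not in begin_resp.get("nextOp", [])
            or "USERNAME_PASSWORD" not in begin_resp.get("nextAuthFactors", [])):
        raise AuthnError(f"server did not ask for a password: nextOp={begin_resp.get('nextOp')}")
    wanted = begin_resp["USERNAME_PASSWORD"]["credentials"]  # e.g. ["username", "password"]
    have = {"username": username, "password": password}
    if set(wanted) - have.keys():
        raise AuthnError(f"server asked for credentials this client cannot supply: {wanted}")
    body = {"op": "credSubmit", "credentials": {k: have[k] for k in wanted},
            "requestState": begin_resp["requestState"]}  # echoes the Step 1 requestState
    resp = _call_json(transport, "POST", f"{host}/sso/v1/sdk/authenticate",
                      {"Authorization": f"Bearer {initial_token}", "Content-Type": "application/json"},
                      json.dumps(body).encode())
    if resp.get("status") != "success" or not resp.get("authnToken"):
        raise AuthnError(f"credSubmit failed: status={resp.get('status')}")
    return resp["authnToken"]


def exchange_authn_token(transport, host, client_id, client_secret, authn_token):
    """Step 3: RFC 7523 jwt-bearer grant; the body is form-encoded, not JSON."""
    form = urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "scope": "urn:opc:idm:__myscopes__", "assertion": authn_token})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    resp = _call_json(transport, "POST", f"{host}/oauth2/v1/token",
                      {"Authorization": f"Basic {basic}",
                       "Content-Type": "application/x-www-form-urlencoded"}, form.encode())
    if resp.get("token_type", "").lower() != "bearer" or not resp.get("access_token"):
        raise AuthnError("token endpoint did not return a Bearer access_token")
    return resp


def get_me(transport, host, access_token):
    """Step 4: the access token travels in the Authorization header, never in the URL."""
    return _call_json(transport, "GET", f"{host}/admin/v1/Me",
                      {"Authorization": f"Bearer {access_token}"}, None)


def run_flow(transport, host, initial_token, client_id, client_secret, username, password):
    begin = begin_authentication(transport, host, initial_token)
    authn = submit_credentials(transport, host, initial_token, begin, username, password)
    tok = exchange_authn_token(transport, host, client_id, client_secret, authn)
    me = get_me(transport, host, tok["access_token"])
    return {"userName": me.get("userName"), "active": me.get("active"), "expires_in": tok.get("expires_in")}


class FakeTenant:
    """Constructed offline stand-in; replies copy the shapes of the Step 1-4 responses above."""
    AUTHN, ACCESS, STATE = "eyJ4NXQ.authn.sig", "eyJ4NXQ.access.sig", "BC4LO-state"  # placeholders, not JWTs

    def __init__(self):
        self.requests = []  # (method, path, headers, body), inspectable by callers

    def __call__(self, method, url, headers, body):
        path = urlparse(url).path
        self.requests.append((method, path, headers, body))
        if (method, path) == ("GET", "/sso/v1/sdk/authenticate"):
            reply = {"status": "success", "nextOp": ["credSubmit"], "nextAuthFactors": ["USERNAME_PASSWORD"],
                     "USERNAME_PASSWORD": {"credentials": ["username", "password"]}, "requestState": self.STATE}
        elif (method, path) == ("POST", "/sso/v1/sdk/authenticate"):
            req = json.loads(body)
            if req.get("requestState") != self.STATE or req["credentials"].get("password") != "Welc0me@1":
                return 401, b'{"status":"failed"}'
            reply = {"status": "success", "authnToken": self.AUTHN}
        elif (method, path) == ("POST", "/oauth2/v1/token"):
            form = dict(parse_qsl(body.decode()))
            if form.get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer" or form.get("assertion") != self.AUTHN:
                return 400, b'{"error":"invalid_grant"}'
            reply = {"access_token": self.ACCESS, "token_type": "Bearer", "expires_in": 7600}
        elif (method, path) == ("GET", "/admin/v1/Me") and headers.get("Authorization") == f"Bearer {self.ACCESS}":
            reply = {"userName": "admin@oracle.com", "active": True, "displayName": "admin opc"}
        else:
            return 401, b'{"error":"unauthorized"}'
        return 200, json.dumps(reply).encode()


if __name__ == "__main__":
    print(run_flow(FakeTenant(), "https://tenant.example.com", "init", "cid", "secret", "admin@oracle.com", "Welc0me@1"))
```

To run it against a real tenant, replace FakeTenant with a transport built on urllib or requests that returns the status code and body. The checks are where the security value lies: nothing leaves the client over plain HTTP, the password is sent only when the server's nextOp asked for it and only the credentials it listed, the requestState from Step 1 is echoed unchanged, the AuthnToken goes to the token endpoint as a form-encoded jwt-bearer assertion rather than JSON, and the access token rides in the Authorization header rather than the URL.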