Security, Authentication and Authorization

Here are some scenarios where you may need to access Oracle Cloud Infrastructure Process Automation REST APIs without using the web application:

  • You're using your own web based UI and want to only access Oracle Cloud Infrastructure Process Automation workflow information via REST end points.
  • You're using your own web based UI and embedding the Oracle Cloud Infrastructure Process Automation CCA components in your web application.
  • You're using your own mobile UI and want to display Oracle Cloud Infrastructure Process Automation information.

Authentication and authorization in Oracle Cloud Infrastructure Process Automation are managed by Oracle Identity Cloud Service. The Oracle Cloud Infrastructure Process Automation REST APIs and the REST endpoints they expose are protected by OAuth token-based authentication. The REST APIs support only token-based authorization, which means that you cannot access them with just a user name and password: every call must carry an OAuth access token.

OAuth defines several access grant types, each representing a different authorization mechanism. A grant type is the mechanism used to obtain the token. Applications can request an access token for protected endpoints in different ways, depending on the grant type configured in the client application. Oracle Cloud Infrastructure Process Automation REST APIs support the following grant types:

Oracle Cloud Infrastructure Process Automation REST APIs do not support the Device Code grant type as they do not identify a user.

Client Credential Grant Type to Authenticate and Authorize External Applications in a Flow

In machine-to-machine flows, the process instance and decision services accept requests carrying bearer tokens generated through the OAuth client credentials flow. To use an external application in a flow, you must first have an Oracle Cloud Infrastructure Identity and Access Management (IAM) application configured to authenticate a client using the client credentials grant. The scoped bearer token it issues can then access the Process Automation instance.

Note:

You can use the OAuth client credential flow to perform the following operations:

  • All GET and POST operations of the path starting with /process/api/v1/instances.
  • All GET operations of the path starting with /process/api/v1/instances/*.
  • All GET operations of the path starting with /decision/api/v1/*.
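The client credentials exchange described above, as an added example that is not part of the original page or of any Oracle SDK. It builds the token request (HTTP Basic authentication with the client ID and secret, grant_type=client_credentials and the instance scope in the form body), and refuses to issue a call that falls outside the operations listed above before a bearer token is ever sent. The IDCS host, client ID, client secret, scope and instance URL are placeholders, and the /oauth2/v1/token path is the IAM/IDCS token endpoint assumed here; the page itself does not state it.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumed, not from the page): replace with your IAM/IDCS host,
# the confidential application's credentials, the Process Automation instance
# URL and the scope you were given for that instance.
IDCS_URL = "https://idcs-example.identity.oraclecloud.com"
PA_INSTANCE_URL = "https://pa-example.process.oraclecloud.com"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
PA_SCOPE = "pa-instance-scope-placeholder"


def build_token_request(idcs_url, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials token request.

    The client authenticates with HTTP Basic (client_id:client_secret); the
    token endpoint path /oauth2/v1/token is assumed here.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return idcs_url.rstrip("/") + "/oauth2/v1/token", headers, body


def fetch_token(idcs_url, client_id, client_secret, scope, timeout=30):
    """POST the token request and return the access_token string (network call)."""
    url, headers, body = build_token_request(idcs_url, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def allowed_for_client_credentials(method, path):
    """True if (method, path) is one of the operations the page lists for a
    client credentials token. Sub-resources of /instances are read-only;
    POST is taken to apply to the collection path only (the narrower reading)."""
    method = method.upper()
    path = path.split("?", 1)[0]          # ignore the query string
    if path == "/process/api/v1/instances":
        return method in ("GET", "POST")
    if path.startswith("/process/api/v1/instances/"):
        return method == "GET"
    if path.startswith("/decision/api/v1/"):
        return method == "GET"
    return False


def build_api_request(instance_url, token, method, path, payload=None):
    """Build the bearer-authenticated request, refusing unsupported operations
    up front instead of discovering the 401/403 on the wire."""
    if not allowed_for_client_credentials(method, path):
        raise PermissionError(
            f"{method.upper()} {path} is not available to a client credentials token"
        )
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(payload).encode()
    return urllib.request.Request(
        instance_url.rstrip("/") + path, data=data, headers=headers, method=method.upper()
    )


if __name__ == "__main__":
    token = fetch_token(IDCS_URL, CLIENT_ID, CLIENT_SECRET, PA_SCOPE)
    req = build_api_request(PA_INSTANCE_URL, token, "GET", "/process/api/v1/instances")
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status, resp.read()[:200])
```

Keep the client secret out of source and logs in real deployments (environment variable or a secret store); it is shown inline here only so the request construction is visible.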

Key Points About OAuth

  • The confidential application provides access to REST endpoints

    You register a confidential application with Oracle Identity Cloud Service for each Oracle Cloud Infrastructure Process Automation instance. This confidential application provides access to the OAuth protected REST endpoints in Oracle Cloud Infrastructure Process Automation.

  • Clients use the confidential application client ID and secret

    You provide clients with the client ID and client secret of your confidential application along with the Oracle Identity Cloud Service URL, and the Oracle Cloud Infrastructure Process Automation instance scope. The scope represents all the resources the confidential application can access and provides access to all the exposed REST APIs.

  • Clients get an access token

    With the information you provide, each client can obtain an access token from Oracle Identity Cloud Service using one of the supported grant types. Each user gets a different access token. The access token contains information about the client application and who the end user is.

  • Clients use the access token to access Oracle Cloud Infrastructure Process Automation REST APIs

    The client application uses the access token it received from Oracle Identity Cloud Service to call the exposed REST APIs in Oracle Cloud Infrastructure Process Automation.

  • Clients can refresh expired access tokens

    If an access token expires, the client can obtain a fresh one. Access tokens expire after one hour by default, but you can change this in the confidential application configuration.

  • Identity Domain Administrators can revoke access tokens for users

    If security issues arise, you can revoke the access token for a specific user.
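The token lifecycle in the key points above (obtain a token, reuse it for calls, replace it before the one-hour expiry, and cope with an administrator revoking it) as an added example that is not part of the original page or of any Oracle SDK. It caches one token, re-requests it a little before the expires_in window closes, and treats a 401 on an API call as the signal that the token has been revoked or expired early, dropping the cache and retrying once. The request_token callable, the clock and the send function are injected so the behaviour can be exercised without a live Oracle Identity Cloud Service; this example obtains a new token by repeating the original grant rather than assuming a refresh token is issued, which is an assumption about the configuration.

```python
import time
import urllib.error
import urllib.request


class TokenCache:
    """Holds one access token and replaces it shortly before it expires.

    request_token: callable returning the token endpoint's JSON response
    (at least access_token and expires_in, the latter in seconds).
    clock: callable returning epoch seconds; injected so expiry can be
    tested without waiting an hour.
    skew: seconds before expiry at which a new token is requested, so a
    request never leaves with a token that expires in flight.
    """

    def __init__(self, request_token, clock=time.time, skew=60):
        self._request_token = request_token
        self._clock = clock
        self._skew = skew
        self._token = None
        self._expires_at = 0.0
        self.requests_made = 0  # how many times the token endpoint was called

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._request_token()
            self._token = resp["access_token"]
            # Default of 3600 s mirrors the one-hour default named on the page.
            self._expires_at = self._clock() + float(resp.get("expires_in", 3600))
            self.requests_made += 1
        return self._token

    def invalidate(self):
        """Forget the token, e.g. after the server rejected it (revocation)."""
        self._token = None
        self._expires_at = 0.0


def call_with_retry(cache, send, max_retries=1):
    """send(token) -> (status, body). On 401 the cached token is dropped and
    the call repeated with a new token, at most max_retries times; any other
    status (including 403, a scope problem a new token will not fix) is
    returned as-is."""
    attempts = 0
    while True:
        status, body = send(cache.get())
        if status != 401 or attempts >= max_retries:
            return status, body
        cache.invalidate()
        attempts += 1


def urllib_get(url, timeout=30):
    """Build a send() for call_with_retry that does a bearer-authenticated GET
    of url and returns (status, body) instead of raising on HTTP errors."""
    def send(token):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send
```

Use it by passing a request_token callable that performs the grant you configured (for example the client credentials POST to the token endpoint) and a send built with urllib_get over a Process Automation REST URL; the cache then hides token renewal from the calling code.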