1. Building Responsive Applications with Visual Builder Studio
  2. Connect Applications to Data
  3. Work With Services
  4. Manage Backends in Your Visual Application
  5. Set the Backend's Authentication Method and Connection Type
  6. Use an Appropriate Connection Type to Handle CORS for REST Services

Use an Appropriate Connection Type to Handle CORS for REST Services

Web apps can call external REST services directly or through the Visual Builder proxy. The value you choose for the connection type and your choice of authentication method when you create or modify a service connection determines which option your app uses.

Direct calls

In this method, the REST service is called directly from the browser JavaScript using the browser's Fetch API. This method can have a performance benefit, as the call is routed directly from the browser to the REST service in question without any intermediary. However, the external REST service that you call must add your app’s domain to its CORS allowlist. A direct call can only be made for the following authentication types:
  • Oracle Cloud Account
  • Delegate Authentication
  • OAuth 2.0 (all types)
  • None

Calls via proxy

The Visual Builder proxy is a trusted server-side component that calls external REST services hosted on external domains on behalf of your app. One benefit is that you, or a system administrator, don't need to configure CORS settings for the external REST service. However, you incur the cost of an extra network call, as each request and response must first go through the Visual Builder proxy.

All authentication types can be used with the Visual Builder proxy. When you use some authentication types, such as Basic authentication and OCI Signature, authentication is always routed through the Visual Builder proxy. (Note that the proxy times out if the REST API doesn’t respond within 234 seconds.)

Connection type options

The type of REST service call to make (either direct or through the Visual Builder proxy) is controlled by the option you choose in the Connection Type drop-down menu (located in the dialog where you edit or add a server to a service connection) and includes:
  • Dynamic, the service supports CORS: Visual Builder decides the best route to connect to the external REST service assuming that the external REST service has enabled CORS for the Visual Builder domain. If the authentication supports direct calls (None, Oracle Cloud Account, Delegate Authentication, OAuth 2.0), the external REST service is called directly from the app.
  • Dynamic, the service does not support CORS: Visual Builder decides the best route to connect to the external REST service assuming that the external REST service has not enabled CORS for the Visual Builder domain. All calls are routed through the Visual Builder proxy.
  • Always use proxy, irrespective of CORS support: REST service calls from your apps always go through the Visual Builder proxy.
Review this table to understand what happens when you use different combinations of authentication and connection types:
Application type Authentication type Connection type Result
Any Any Always use Proxy Through Visual Builder proxy
Visual Builder Design time environment Any Dynamic – Service doesn’t support CORS Through Visual Builder proxy
Web app running on browser Any Dynamic – Service doesn’t support CORS Through Visual Builder proxy
Progressive Web App Any Dynamic – Service doesn’t support CORS Through Visual Builder proxy
Any All except basic authentication and OCI Infrastructure API Signature 1.0 Dynamic – Service supports CORS Direct
Any Basic authentication or OCI Infrastructure API Signature 1.0 Dynamic – Service supports CORS Through Visual Builder proxy

Here's an example of how different choices work when your application calls Sales and Service (CRM) REST APIs from an Oracle Cloud Applications instance. For this scenario, let's say your Visual Builder instance is hosted on vb.oracle.com and the crmRestApi is hosted on fa.oraclecloud.com.

If you chose Dynamic, the service supports CORS and the selected Authentication Type supports direct calls, the direct call goes like this: vb.oracle.com (browser)fa.oraclecloud.com.

If you chose Dynamic, the service does not support CORS or Always use the Proxy, the call is routed through the proxy and goes like this: vb.oracle.com (browser)vb.oracle.com proxyfa.oraclecloud.com.

It's recommended that you use the Dynamic options, where Visual Builder decides the best route based on whether the external service supports CORS or not for this particular domain. However, you have the flexibility of choosing Always use the Proxy to route all requests via the proxy.

If you don't want to use the Visual Builder proxy, you must enable CORS in Oracle Cloud Applications for your particular domain (vb.oracle.com in our example) by adding the Access-Control-Allow-Origin CORS header for the CORS profile option. To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area. See Configure Cross-Origin Resource Sharing in REST API for Common Features in Oracle Fusion Cloud Applications.