How Does Authentication with Identity Propagation Work?

Authentication mechanisms that use identity propagation pass the identity of the end user who is signed in to the extension on to the service, which uses that identity to authenticate the call.

To use identity propagation, the service must be able to understand the IDCS identity token coming from VB Studio and extract the user (the subject) from it. VB Studio supports only JWT tokens obtained through OAuth 2.0 flows.

A token encodes the calling user's identity into a string according to a specification such as SAML or JWT. A JWT has the form <header.body.signature>, with each of the three parts base64url-encoded and separated by dots. If, for example, the user is John.Doe, the corresponding JWT token looks like this:



Decoding the body of the token reveals details about the user identity and possibly the resources to which that user is allowed access. The signature part is produced by the authority that authenticated the user, using its private key, and can be verified by anyone holding the authority's public key. Because the identity is bound to the token by that signature, services (namely REST APIs) that receive the token and verify the signature can treat the user as authenticated. The token is usually passed to REST services as a bearer token, that is, by sending "Bearer <token>" in the Authorization header.

The following authentication methods use identity propagation. Each method name is followed by its description:

Oracle Cloud Account

This method is used in extensions to communicate with Oracle Cloud Applications. Since you will always have an out-of-the-box backend (available through the Unified Application) representing Oracle Cloud Applications and its child instances, you will probably not need to use this authentication type.

OAuth 2.0 User Assertion

Select this method to call an external system's REST API that can accept a token from the IDCS or OCI IAM identity domain attached to VB Studio. Such external services are represented in IDCS or OCI IAM as a resource application with a particular scope. You must be signed in as a user that is present in the relevant IDCS or OCI IAM identity domain.

If you have an Oracle Process Automation or Oracle Integration instance in the same IDCS stripe/OCI IAM domain, you can use this authentication type. See unresolvable-reference.html#GUID-CA2AFB98-A401-4C2E-A295-B9467C7E177A for details.

This method also requires the user to sign in with a valid Oracle Identity Cloud Service user account. As with Oracle Cloud Account authentication, the user's identity is first converted into an assertion, then into an IDCS-issued JWT token for the configured scope. The difference is that with this method you can specify your own scope, rather than using the service's URL.