Configure Outbound API Authentication Using Three Legged OAuth Authorization Protocol

OAuth is an open industry standard protocol that allows applications to access information from other third-party applications on behalf of users. The OAuth authorization protocol manages access securely without revealing the user's password to the client application, such as Oracle Applications Cloud.

To understand the OAuth authorization protocol, let's take the example of a LinkedIn user who wants to access profile information from LinkedIn and display it in Oracle Applications Cloud. When Oracle Applications Cloud prompts for LinkedIn credentials, the user authenticates and provides the required permissions to Oracle Applications Cloud to access the information from LinkedIn.

As you can see, three parties are involved in the entire authentication process: Oracle Applications Cloud, the user who owns the information on LinkedIn, and LinkedIn's authorization server. This authorization protocol always requires three such parties for the authentication to complete, which is why it is called the three-legged OAuth authorization protocol.

Here's the sequential representation of the end-to-end authorization process between Oracle Applications Cloud and the LinkedIn server:

  1. Oracle Applications Cloud registers the Client ID and Client Secret and other settings required for authorization.

  2. When an Oracle Applications Cloud user wants to access profile information, the LinkedIn login page appears, where the user authenticates using the required credentials.

  3. On successful authentication, LinkedIn's authorization server sends an authorization code to Oracle Applications Cloud.

  4. Oracle Applications Cloud receives the authorization code and sends an access token request to LinkedIn. LinkedIn processes the access token request and returns an access token.

  5. Oracle Applications Cloud uses the access token to call LinkedIn APIs on behalf of the user to access the required information. At runtime, Oracle Web Services Manager manages the entire authorization process.

The following graphic shows the entire authorization process between Oracle Applications Cloud and the LinkedIn server:

Diagram that shows the OAuth authorization process when a user who's signed in to Oracle Applications Cloud accesses information from LinkedIn.
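The five steps above are the standard OAuth 2.0 authorization-code flow. The following is an added example that models them end to end with an in-memory authorization server and a client application; it is not Oracle or LinkedIn code, and every URL, client ID, client secret, scope and user name in it is a constructed placeholder. It shows where the registered values from step 1 are used, and the checks a well-behaved authorization server and client apply: the redirect URL must match the registered one, the client secret is verified at the token endpoint, the authorization code is short-lived and single-use, and the client ties each callback to a state value it generated so that an unexpected callback is rejected.

```python
"""Simulated three-legged OAuth 2.0 authorization-code flow (added example).

Constructed placeholders only: no real endpoints, credentials or users.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Step 1: values the client application registers and stores (constructed).
AUTHORIZATION_URL = "https://auth.example.com/authorize"
ACCESS_TOKEN_URL = "https://auth.example.com/token"
REDIRECT_URL = "https://apps.example.com/oauth/callback"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
CLIENT_SCOPE = "r_profile"


class AuthorizationServer:
    """Minimal authorization server: knows registered clients, issues codes and tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> {"user", "scope"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, state):
        """Steps 2-3: the user has signed in and consented; issue a short-lived code."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri mismatch")  # only the registered URL gets the code
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expires": time.time() + 60}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: exchange the code for an access token; the code is consumed on use."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # single use: removed even if the request fails
        if grant is None or grant["expires"] < time.time():
            return {"error": "invalid_grant"}
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}

    def profile_api(self, access_token):
        """Step 5: a resource API that accepts only a valid token carrying the needed scope."""
        info = self.tokens.get(access_token)
        if info is None or "r_profile" not in info["scope"].split():
            return {"error": "insufficient_scope"}
        return {"user": info["user"]}


class ClientApplication:
    """The application acting on the user's behalf (the Oracle Applications Cloud role)."""

    def __init__(self, server):
        self.server = server
        self.pending_states = set()  # state values issued but not yet redeemed

    def start_authorization(self):
        """Build the URL the user is sent to; state lets us recognise the callback."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                           "redirect_uri": REDIRECT_URL, "scope": CLIENT_SCOPE, "state": state})
        return f"{AUTHORIZATION_URL}?{query}"

    def handle_callback(self, callback_url):
        """Accept the redirect only if its state matches one we issued, then redeem the code."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("unexpected state")
        self.pending_states.discard(state)
        return self.server.token(CLIENT_ID, CLIENT_SECRET, params["code"][0], REDIRECT_URL)


def run_flow():
    """Run the whole exchange for the constructed user 'alice' and try to replay it."""
    server = AuthorizationServer()
    server.register_client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URL)
    client = ClientApplication(server)
    auth_url = client.start_authorization()
    req = parse_qs(urlparse(auth_url).query)  # the user follows auth_url and consents
    callback = server.authorize(req["client_id"][0], req["redirect_uri"][0],
                                req["scope"][0], "alice", req["state"][0])
    token_response = client.handle_callback(callback)
    profile = server.profile_api(token_response["access_token"])
    try:  # a replayed callback is rejected: its state was already consumed
        client.handle_callback(callback)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return profile, replay_rejected


if __name__ == "__main__":
    print(run_flow())
```

The same checks apply when the real parties are Oracle Applications Cloud and a third-party authorization server: the Redirect URL configured in the Security Console must be exactly the one registered with that server, and the Client Secret is only ever sent to the Access Token URL, never exposed to the user's browser.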

Using the Security Console, you configure the three-legged OAuth authorization settings for Oracle Applications Cloud. Once configured, users can access their information from a third-party application within Oracle Applications Cloud.

Before you proceed, you must enable a profile option to get the OAuth Three-Legged option on the External Client Applications Details page. See the Related Information section for more information.

Here's how you configure three-legged OAuth authorization:

  1. On the Security Console, click API Authentication.

  2. Click Create External Client Application.

  3. On the External Client Application Details page, click Edit.

  4. Enter a name and description for the external client application that you want to create.

  5. In the Select Client Type drop-down list, select OAuth Three-Legged.

  6. Click Save and Close to return to the External Client Application Details page.

  7. Click the OAuth Details tab.

  8. On the Three-Legged OAuth Details page, click Edit.

  9. Enter the appropriate values in the following required fields:

    • Authorization URL - The authorization server's endpoint to which the user is sent to sign in and grant permission. The authorization code is issued from here.

    • Redirect URL - The page to which the user is redirected after successfully authorizing the application. The authorization server delivers the authorization code to this URL, so it must match the URL registered with that server.

    • Access Token URL - The authorization server's endpoint that the application calls to exchange the authorization code for an access token.

    • Servlet Application URL - The URL of the servlet application that takes part in the authorization flow.

    • Client ID - The identifier assigned to the application when it was registered with the authorization server.

    • Client Secret - The secret issued to the application at registration. It authenticates the application when it requests an access token.

    • Client Scope - The scope, that is, the set of permissions, that the application requests from the authorization server.

  10. Enter the appropriate values in the following optional fields, if required:

    • Server Scope - Any scope that the authorization server requires in addition to the client scope.

    • Federated Client Token - Token settings that apply when the client is federated with the authorization server.

    • Include Client Credential - Whether the client credential is included in the access token request.

    • Client Credential Type - How the client credential is presented in the access token request.

  11. Click Save and Close.

  12. Click Done to return to the Three-Legged OAuth Details page.

  13. Click Done again to return to the API Authentication page. You can view the newly created three-legged OAuth configuration here.