REST API Authentication

To make sure data access over a network is secure, Oracle REST APIs use a global security policy. This security policy enforces the following authentication standards:

Let's look at a couple of examples.

  • Basic authentication: To authenticate, you must submit the user name and password for your Oracle CPQ account. Typically, the user name and password are encoded in Base64 format, as in:

    -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' \

    Alternatively, you can use the cURL -u option to pass the user name and password for your Oracle CPQ account, as in this example:

    curl -u <username:password> \

  • Bearer token in the HTTP header: Your authorization and authentication information is passed in the Authorization key of the request header. When passing tokens (OAuth or SAML) in Postman, the Authorization key must include Bearer, followed by the token, as shown in this screenshot:

    [Screenshot: Bearer Token example]
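
The two header forms described above, as an added example (not Oracle's code): shell functions that build the Basic and Bearer Authorization values and show that the Basic value decodes straight back to the user name and password, so it is protected only when the request travels over HTTPS. The function names and sample credentials are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code. All credentials below are constructed samples.

# Build the value of a Basic Authorization header from a user name and password.
basic_auth_value() {
    # printf '%s' avoids the trailing newline that echo would fold into the encoding;
    # tr removes the line wrapping that base64 applies to long input.
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Recover "username:password" from a Basic header value. No key is involved:
# Base64 is an encoding, not encryption.
decode_basic_value() {
    case "$1" in
        "Basic "*) printf '%s' "${1#Basic }" | base64 -d ;;
        *) return 1 ;;   # not a Basic credential
    esac
}

# Split the decoded credentials at the FIRST colon, because the password
# itself may contain colons.
basic_user() {
    decoded=$(decode_basic_value "$1") || return 1
    printf '%s' "${decoded%%:*}"
}
basic_password() {
    decoded=$(decode_basic_value "$1") || return 1
    printf '%s' "${decoded#*:}"
}

# Build a Bearer header value. Tokens that are empty or contain characters
# outside the RFC 6750 token alphabet (spaces, CR/LF, quotes) are rejected,
# so a malformed token cannot add extra header lines to the request.
bearer_auth_value() {
    case "$1" in
        ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
    esac
    printf 'Bearer %s' "$1"
}

# Demo with the constructed sample credentials "username" / "password".
header=$(basic_auth_value username password)
printf 'Authorization: %s\n' "$header"
printf 'decodes to:    %s\n' "$(decode_basic_value "$header")"
```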

Scopes

CPQ supports the following scopes to access CPQ REST APIs: api, /api, <hosturl>/api, and <hosturl>api.

Note:

For Developer Toolkit scopes, refer to Developer Toolkit OAuth Configuration Properties.

Authorization

Authorization enforces access privileges by service role. This determines access to a REST resource, so make sure that your user has the proper role.

For additional details, including a list of specific roles for accessing a REST resource, see the Oracle CPQ Security Guide.