Configure OAuth 2.0 Authentication
You can configure OAuth 2.0 authentication either by using the Oracle Field Service token service or by using an external token service. For more information, refer to the following sections:
- Configuring Authentication Using Oracle Field Service Token Service
- Example: Authentication Using Oracle Field Service Token Service
- Configuring Authentication Using External Token Service
- Example: Authentication Using External Token Service
Configuring Authentication Using Oracle Field Service Token Service
Before you configure the application to use Oracle Field Service token service, ensure that you synchronize the users from the external identity storage to Oracle Field Service.
Note:
User synchronization between the client application and Oracle Field Service is beyond the scope of this document.
To configure Oracle Field Service token service:
- In the Field Service Manage interface, click Configuration and select Applications.
- In the left pane, select the application to configure token service.
- Under General info, ensure that the Active check box is selected.
- Select Token service as OFSC.
- For authentication using client credentials, perform the following steps:
  - Under Authentication settings, select the Authenticate using Client ID/Client Secret check box.
  - Click Show Client ID/Client Secret and note the Client ID and Client Secret. The application uses the Client ID and Client Secret to authenticate with the Oracle Field Service token service.
  - Click Save.
- For authentication using JWT assertion, perform the following steps:
  - Under Authentication settings, select the Authenticate using JWT assertion check box.
  - Click Upload and upload your assertion signing key certificate.
  - Click Save.
Example: Authentication Using Oracle Field Service Token Service
The following example explains the process to configure an application to use Oracle Field Service Token Service for authentication.
To configure authentication using Client Credentials:
- In the Field Service Manage interface, create a new application.
- Select the Active check box and select Token service as OFSC.
- Under Authentication settings, select the Authenticate using Client ID/Client Secret check box.
- Note the Client ID and Client Secret.
- Click Save.
- Obtain the OAuth 2.0 access token.
Use the following cURL command with the Client ID, Client Secret, and Instance name:
curl -X POST -u '<CLIENT-ID>@<INSTANCE-NAME>:<CLIENT-SECRET>' \
  -d 'grant_type=client_credentials' \
  'https://<instance_name>.fs.ocs.oraclecloud.com/rest/oauthTokenService/v1/token'
The response contains a JWT access token in the "token" field:
{ "token": "eyJ0eXAiOiJ...SKIP...qtCqNDk6qy_utky5M", "token_type": "bearer", "expires_in": 3600 }
- Copy the value of the "token" field from the token service response, and use it in the following cURL request to the API:
curl -H 'Authorization: Bearer eyJ0eXAiOiJ...SKIP...qtCqNDk6qy_utky5M' \
  'https://<instance_name>.fs.ocs.oraclecloud.com/rest/ofscCore/v1/activities/4224031'
The response contains the JSON data that the API returns. In this case, it will return the properties of the activity that has the 'activityId' as 4224031.
To configure authentication using JWT Assertion token:
- In the Field Service Manage interface, create a new application.
- Select the Active check box and select Token service as OFSC.
- Under Authentication settings, select the Authenticate using JWT assertion check box.
- Click Upload and upload your assertion signing key certificate.
- Click Save.
- Generate your JWT assertion according to the following table.
Element: Description
Algorithm: RS256
Header: { "alg": "RS256" }
Payload: The payload must contain the following fields:
- iss: Indicates who issued this assertion. This field is only for information and logging purposes and isn't used in validation.
- aud: Indicates the audience for the assertion. It's a string composed of the following parts, each delimited by a colon:
  - ofsc
  - Oracle Field Service instance name
  - Application ID that you entered when registering the application.
- sub: If the call is made by an application, the value is equal to the value of aud. Otherwise, the value is equal to the login field of the Oracle Field Service user that you want to authorize to call REST APIs.
- iat: Indicates the time stamp when this assertion was issued.
- exp: Indicates the time stamp when this assertion expires. The value of expiration can be low, for example, a minute or a few minutes.
Example:
{
  "sub": "gabrielle.lee",
  "aud": "ofsc:<INSTANCE-NAME>:<Application-ID>",
  "iss": "Identity Authority",
  "iat": 1482382598,
  "exp": 2482382728
}
Private key: The assertion should be signed by the private key of the certificate you uploaded earlier in the Applications page.
- Obtain the OAuth 2.0 access token.
Use the following cURL command with the Client ID, Client Secret, and Instance name:
curl -X POST -u '<CLIENT-ID>@<INSTANCE-NAME>:<CLIENT-SECRET>' \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer' \
  -d 'assertion=YOUR-ASSERTION-TOKEN-FROM-JWT-IO' \
  'https://<instance_name>.fs.ocs.oraclecloud.com/rest/oauthTokenService/v1/token'
The response contains a JWT access token in the "token" field:
{ "token": "eyJ0eXAiOiJ...SKIP...qtCqNDk6qy_utky5M", "token_type": "bearer", "expires_in": 3600 }
- Copy the value of the "token" field from the token service response, and use it in the following cURL request to the API:
curl -H 'Authorization: Bearer eyJ0eXAiOiJ...SKIP...qtCqNDk6qy_utky5M' \
  'https://<instance_name>.fs.ocs.oraclecloud.com/rest/ofscCore/v1/activities/4224031'
The response contains the JSON data that the API returns. In this case, it will return the properties of the activity that has the 'activityId' as 4224031.
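The assertion described in the table above can be produced locally instead of pasted from a web tool. The following is an added example, not Oracle's code: it builds the RS256 assertion with openssl and checks the signature against the public key of the certificate you uploaded. The function names, the ISSUER variable, and the PEM file paths are assumptions.

```shell
# Added example (not from the original page). Requires openssl.
# Claim values are inserted as-is, so they must not contain JSON metacharacters.

b64url() {            # stdin: raw bytes -> stdout: unpadded base64url
  openssl base64 -A | tr '/+' '_-' | tr -d '=\n'
}

b64url_decode() (     # stdin: base64url text -> stdout: raw bytes
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
)

# make_assertion INSTANCE APP_ID SUB KEY.pem [TTL_SECONDS]
# Pass an empty SUB for an application call: sub is then set equal to aud.
make_assertion() (
  aud="ofsc:$1:$2"; sub=${3:-$aud}; key=$4; ttl=${5:-120}
  iat=$(date +%s); exp=$((iat + ttl))   # short lifetime, a couple of minutes
  header=$(printf '{"alg":"RS256"}' | b64url)
  payload=$(printf '{"sub":"%s","aud":"%s","iss":"%s","iat":%d,"exp":%d}' \
    "$sub" "$aud" "${ISSUER:-Identity Authority}" "$iat" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" |
    openssl dgst -sha256 -sign "$key" -binary | b64url)
  [ -n "$sig" ] || exit 1               # signing failed (bad or missing key)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
)

# verify_assertion JWT PUBKEY.pem
# Succeeds only if the signature matches the public key. Extract the key from
# the uploaded certificate with: openssl x509 -in cert.pem -pubkey -noout
verify_assertion() (
  sigfile=$(mktemp) || exit 1
  printf '%s' "${1##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" \
       -signature "$sigfile" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$sigfile"; exit "$rc"
)

# claims JWT: print the decoded payload so aud, sub, iat and exp can be reviewed.
claims() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }
```

Running verify_assertion before the token request separates a key and certificate mismatch from other causes of a rejected assertion.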
Configuring Authentication Using External Token Service
Before you configure the application to use an external token service, ensure that all the required identity provider configurations are completed.
Note:
Adding the configuration details in the identity provider is beyond the scope of this document.
To configure External token service:
- In the Field Service Manage interface, click Configuration and select Applications.
- In the left pane, select the application to configure token service.
- Under General info, ensure that the Active check box is selected.
- Select Token service as External.
- Under Authentication settings, select the Authentication using external access token check box.
- Click Upload and upload your external token service's signing key certificate.
Example: Authentication Using External Token Service
The following example explains the process to use external token service for REST API authentication.
To configure authentication using external token service:
- Ensure that you synchronize the users from the external identity storage to Oracle Field Service.
- In the Field Service Manage interface, click Configuration and select Applications.
- In the left pane, select the application to configure the token service.
- Under General info, ensure that the Active check box is selected.
- Select Token service as External.
- Under Authentication Settings, select the Authentication using external access token check box.
- Click Upload and upload your external token service's signing key certificate.
- Authenticate the REST API with the external token service.
For example, if you're using Oracle Identity Cloud Service as the identity provider:
Oracle IDCS Authentication Parameters
An example bash script of how you would generate an assertion for external Token Service such as IDCS is as follows:
AUTHORIZATION_SERVER='https://authorization-service.fs.ocs.oraclecloud.com/oauth2/v1/token'
CLIENT_ID=edd0f92d006240de8c5e35bea3ec8056
CLIENT_SECRET=2cf551aa-5b3f-4cca-beaf-90aa76319511
OFSC_INSTANCE=kh01_demo1
OFSC_APP_ID=c489ba38d24b7b6b29871efee2e882a50731552f
# jwt_encode_and_sign is not a standard command and is not defined on this page;
# supply a helper that encodes the JSON payload as a JWT and signs it with client-key.pem.
IDCS_ASSERTION=`jwt_encode_and_sign '{
  "sub":"Gabrielle.Lee@oracle.com",
  "aud":"https://identity.oraclecloud.com/",
  "iss":"edd0f92d006240de8c5e35bea3ec8056",
  "user_loginid":"Gabrielle.Lee@oracle.com",
  "iat":1478013414,
  "exp":1478017024
}' client-key.pem`
cURL command that uses the assertion to obtain access token from external token service
Note:
Configure the external token service such that the sub and the aud fields in the access token that it returns are the same as explained in the preceding example.
# -k disables TLS certificate verification and -v prints the request and response headers;
# both are debugging options.
curl -u "$CLIENT_ID:$CLIENT_SECRET" \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  -H 'Accept: application/json' \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer' \
  -d "scope=$OFSC_INSTANCE/$OFSC_APP_ID" \
  -d "assertion=$IDCS_ASSERTION" \
  -k -v \
  "$AUTHORIZATION_SERVER" > at-from-assertion.json
JWT Access Token from Oracle IDCS
cat at-from-assertion.json
eyJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJrb 3N0eWFudHluLmx5c3lAb3JhY2xlLmNvbSIsImlzcyI6Imh0dHBzOi8vaWRlbn RpdHkub3JhY2xlY2xvdWQuY29tLyIsInRva190eXBlIjoiQVQiLCJhdWQiOiJ raDAxX2RlbW8xIiwic2NvcGUiOiIvYzQ4OWJhMzhkMjRiN2I2YjI5ODcxZWZl ZTJlODgyYTUwNzMxNTUyZiIsImV4cCI6MTQ3NjY2NzgyMiwiaWF0IjoxNDc2N jY0MjIyLCJqdGkiOiJkZjZhM2YxNS0wZDc1LTQ1Y2MtYjM0Ny0xNWVjMjRjMz ZiMGMifQ.lLnjTBjKA2n6OmHO5ciKHeRycRCYS-omCKKBc_qUPSM
- Access the REST API with the access token.
cURL command that uses the access token obtained from external token service to call REST APIs
curl -X POST "$OFSC_HOST/rest/ofscCore/v1/activities" \
  -H "Authorization: Bearer `cat at-from-assertion.json`" \
  --data-binary '{
    "resourceId": "33011",
    "date": "2016-11-01",
    "activityType": "4",
    "apptNumber": "testApptNumber",
    "customerName": "testCustomerName",
    "streetAddress": "8 Elm St",
    "timeZone": "Eastern",
    "country_code": "US"
  }'
Oracle Field Service verifies the JWT signature, expiration, and so on and processes the request.