Authentication

You can use either HTTP Basic or HMAC authentication so that the plugin's URL is loaded securely in the init stage.

HTTP Basic

The HTTP Basic method uses Basic Access Authentication, the scheme defined as part of the HTTP/1.0 standard (RFC 1945). It works over HTTPS as well; use HTTPS, because Basic credentials are only Base64-encoded, not encrypted. Before you decide to use this method, check whether the browsers your users run support credentials embedded in an iframe URL (https://login:password@host/...); some browsers block or strip such URLs. The three conditions below must all be fulfilled to implement the HTTP Basic method.
Condition: Oracle Fusion Field Service configuration
On the Forms & Plugins page, select the "HTTP Basic" authentication type and fill in the Login and Password fields. These credentials are encrypted and saved to the Oracle Fusion Field Service database.

Condition: Server side
Configure the web server that hosts the plugin sources to return HTTP 401 Unauthorized when the configured plugin URL is requested without credentials. See the NGINX and Apache documentation for details.

The server must return the plugin content when its URL is requested with the header

Authorization: Basic bXlsb2dpbjpteXBhc3M=

where bXlsb2dpbjpteXBhc3M= is the Base64 encoding of login:password (here mylogin:mypass). The credentials configured for the plugin on the Add plugin and Modify plugin pages must be accepted as valid.

Condition: Client side
When the user logs in, Oracle Fusion Field Service reads the credentials from the database and loads the plugin URL into a hidden iframe:

<iframe src="https://mylogin:mypass@example.com/myPlugin.php"/>

The browser then loads the plugin sources over HTTPS using HTTP Basic Authentication:

GET /myPlugin.php HTTP/1.1
Host: example.com
Authorization: Basic bXlsb2dpbjpteXBhc3M=
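The server-side check described above, written out as an added Python example (not code from Oracle Fusion Field Service or from the NGINX/Apache documentation it refers to). It parses the Authorization header, decodes the Base64 login:password pair and decides between 200 and a 401 challenge. The credentials, realm name and function names are constructed for this example; the credentials match the page's sample header, whose payload decodes to mylogin:mypass.

```python
import base64
import binascii
import hmac

# Credentials configured for the plugin (constructed for this example; they are
# the pair behind the page's sample header "Authorization: Basic bXlsb2dpbjpteXBhc3M=")
PLUGIN_LOGIN = "mylogin"
PLUGIN_PASSWORD = "mypass"
REALM = "plugin"  # hypothetical realm name


def parse_basic_header(value):
    """Return (login, password) from an Authorization header value, or None if it is
    missing, uses another scheme, is not valid Base64, or lacks the ':' separator."""
    if value is None:
        return None
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of
        # silently discarding them
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    login, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires user-id ":" password
    return login, password  # the password may itself contain ':'


def check_basic_auth(authorization):
    """Decide how the plugin host answers a request for the plugin URL.

    Returns (status, extra_headers): 200 when the header carries the configured
    credentials, otherwise 401 with the WWW-Authenticate challenge that makes a
    browser send credentials.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic_header(authorization)
    if creds is None:
        return 401, challenge
    login, password = creds
    # Both comparisons run before the result is combined, in constant time, so the
    # response timing does not reveal whether the login alone was correct
    login_ok = hmac.compare_digest(login.encode("utf-8"), PLUGIN_LOGIN.encode("utf-8"))
    password_ok = hmac.compare_digest(password.encode("utf-8"), PLUGIN_PASSWORD.encode("utf-8"))
    if login_ok and password_ok:
        return 200, {}
    return 401, challenge


if __name__ == "__main__":
    print(check_basic_auth(None))
    print(check_basic_auth("Basic bXlsb2dpbjpteXBhc3M="))
```

The same decision logic applies whether you implement it in the web server's configuration or in the plugin's own handler; the points worth keeping are the constant-time comparison, the explicit 401 challenge on every failure path, and treating a malformed header the same as a missing one.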

HMAC Authentication

HMAC (Hash-based Message Authentication Code) lets you sign HTTP requests and their GET parameters. The HMAC ensures that the URL was generated by a party holding the plugin's secret key and that its path and query parameters were not modified. The MAC (digest) is added as an additional GET parameter, hmac, at the end of the query string:
http://www.example.com/path?user=test&section=D%26G&activity=33&hmac=D2BJn9P1EcLhaFrNhbAzCQTVQXCCwCBQsrg8V6h4YoU%3D

HMAC Function Algorithm

The HMAC function is defined in RFC 2104. The scheme can be roughly described as hmac = BASE64(HMAC-SHA-256(data, SHA256(SecretKey))), where: SHA256 takes SecretKey as a string and returns its hash as a hexadecimal string. The secret key is configured per plugin on the Add plugin and Modify plugin pages in Oracle Fusion Field Service Core Application, hashed with SHA-256, encrypted and stored in the database. HMAC-SHA-256 takes data and key as strings and returns the HMAC as a byte array. BASE64 takes the byte array and returns a Base64-encoded string. The data to be signed is the request path followed by the query parameters sorted lexicographically by name, built as follows:
  • Remove the protocol identifier from the URL together with the colon and slashes (http:// or https://).

  • Remove the host name and port from the URL.

  • Append the path to the output string.

  • If there are query parameters, append the character ? to the output string.

  • URL-decode every parameter name and value.

  • Sort the list of parameters alphabetically by name.

  • For each name/value pair:

    • Append the encoded name to the output string.

    • Append the = character to the output string.

    • Append the encoded value to the output string.

    • If more name/value pairs remain, append an & character to the output string.

Example: Request URL: http://www.example.com/path?user=test&section=D%26G&activity=33
SecretKey: 'mysecret'
  1. Remove the protocol: http://www.example.com/path?user=test&section=D%26G&activity=33 => www.example.com/path?user=test&section=D%26G&activity=33

  2. Remove the host: www.example.com/path?user=test&section=D%26G&activity=33 => /path?user=test&section=D%26G&activity=33

  3. data = '/path'

  4. data = '/path?'

  5. Decoded parameters: ['user'='test','section'='D&G','activity'=33]

  6. Sorted by name: ['activity'=33,'section'='D&G','user'='test']

  7. Append each pair to data, re-encoding names and values:

  8. data = '/path?activity'

  9. data = '/path?activity='

  10. data = '/path?activity=33'

  11. data = '/path?activity=33&'

  12. data = '/path?activity=33&section=D%26G&user=test'

hmac = BASE64(HMAC-SHA-256('/path?activity=33&section=D%26G&user=test', SHA256('mysecret')))
= BASE64(HMAC-SHA-256('/path?activity=33&section=D%26G&user=test', '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0'))
= BASE64([0f,60,49,9f,d3,f5,11,c2,e1,68,5a,cd,85,b0,33,09,04,d5,41,70,82,c0,20,50,b2,b8,3c,57,a8,78,62,85])
= 'D2BJn9P1EcLhaFrNhbAzCQTVQXCCwCBQsrg8V6h4YoU='

The full signed URL is 'http://www.example.com/path?user=test&section=D%26G&activity=33&hmac=D2BJn9P1EcLhaFrNhbAzCQTVQXCCwCBQsrg8V6h4YoU%3D'
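The canonicalization steps and the hmac formula above, implemented for both signing and server-side verification, as an added Python example that is not code from Oracle Fusion Field Service or its documentation. It generalizes the worked example to any URL: parameters are sorted regardless of the order they arrive in, an existing hmac parameter is excluded from the signed data, and verification rejects URLs with zero or several hmac parameters. Assumptions the page does not state, labelled as such in the code: re-encoding uses percent-encoding with no characters left unescaped, a '+' in the query is treated as an encoded space, and the key handed to HMAC-SHA-256 is the lowercase hex SHA-256 digest of the secret as an ASCII string, which is the form the worked example shows.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request URL and secret from the page's worked example
EXAMPLE_URL = "http://www.example.com/path?user=test&section=D%26G&activity=33"
EXAMPLE_SECRET = "mysecret"


def canonical_string(url):
    """Build the data that is MAC'd: path, '?', then name=value pairs sorted by name.

    Follows the page's steps: drop scheme and host, decode every name and value,
    sort by name, re-encode, join with '&'. A present 'hmac' parameter is left
    out so the same function serves verification of an already signed URL.
    """
    parts = urlsplit(url)
    # parse_qsl percent-decodes names and values (D%26G -> D&G). Assumption: '+'
    # is an encoded space, which is parse_qsl's default behaviour.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "hmac"]
    data = parts.path
    if params:
        data += "?"
        # Assumption: re-encoding percent-encodes everything outside the unreserved set
        data += "&".join(
            f"{quote(k, safe='')}={quote(v, safe='')}"
            for k, v in sorted(params, key=lambda kv: kv[0])
        )
    return data


def hmac_key(secret):
    """Key for HMAC-SHA-256: the page shows SHA256(SecretKey) as a hex string,
    so the key is that hex string's ASCII bytes (assumption about the encoding)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest().encode("ascii")


def compute_hmac(url, secret):
    """BASE64(HMAC-SHA-256(data, SHA256(SecretKey))) as a Base64 string."""
    digest = hmac.new(hmac_key(secret), canonical_string(url).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_url(url, secret):
    """Append the hmac parameter, percent-encoded so '=', '+' and '/' survive the query."""
    separator = "&" if urlsplit(url).query else "?"
    return f"{url}{separator}hmac={quote(compute_hmac(url, secret), safe='')}"


def verify_url(url, secret):
    """Server-side check: exactly one hmac parameter, compared in constant time."""
    presented = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True) if k == "hmac"]
    if len(presented) != 1:
        return False
    expected = compute_hmac(url, secret)
    return hmac.compare_digest(presented[0].encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    signed = sign_url(EXAMPLE_URL, EXAMPLE_SECRET)
    print(canonical_string(EXAMPLE_URL))
    print(signed, verify_url(signed, EXAMPLE_SECRET))
```

Two caveats follow from what the signed data contains. Only the path and parameters are covered, so the host is not bound to the MAC; the plugin host must also check that the request arrived for the expected host. And there is no timestamp or nonce in the data, so a captured signed URL stays valid, and replayable, until the plugin's secret key is changed; if that matters, add a timestamp parameter to the URL (it is then covered by the MAC) and reject stale values on the server.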