Embed an Interview Secured by Identity Cloud Service

You can control access to embedded interviews (that use the OraclePolicyAutomationInterview.BatchStartOrResume API) with Identity Cloud Service. In addition to the steps outlined in Use Identity Cloud Service to Provide Authorization for Interviews, you also need to:

  1. Obtain the active JSON Web Key (JWK) via the Hub REST API to encrypt a JSON Web Encryption (JWE). Intelligent Advisor will attempt to use the active JWK’s private key to decrypt any JWE objects in the JSON payload. (If the JWE is missing, no redirection will occur and the user will just see a message in place of the interview that says they are not authorized to access the interview.) For more information, see Get the JWK for an embedded interview below.

  2. Use the active JWK to encrypt an Identity Cloud Service access token within a JWE, and include this in the embedding JavaScript API. For more information, see Embed the interview with a JWE containing an Identity Cloud Service access token below.

Get the JWK for an embedded interview

A JWK is automatically generated and activated when an interview authorization provider is first created in Intelligent Advisor Hub. If an active key is already present because an interview authorization provider was previously created then a new key is not generated. All embedded interviews should use this same key regardless of which interview authorization provider is assigned to the interview's workspace.

To get the active key for embedding interviews you need to:

  1. Authenticate with the Hub REST API.

  2. Access the JWK set with the purpose wd_access_token to discover what the active key's ID ("kid") is.

    GET [your Intelligent Advisor site]/opa-hub/api/12.2.27/jwksets/wd_access_token

  3. Retrieve the active key using its kid.

    GET [your Intelligent Advisor site]/opa-hub/api/12.2.27/jwksets/wd_access_token/keys/{jwkset-key-kid}

For more information on using the JWK sets REST API, including examples and other tasks that can be performed, see Using the JWK Sets REST API.

Embed the interview with a JWE containing an Identity Cloud Service access token

To embed the interview with a JWE containing an Identity Cloud Service access token:

  1. Encrypt the user's Identity Cloud Service access token on the backend using the public key of the previously generated/acquired JWK. The JWK provided by the Hub will contain a public key generated by an Elliptic Curve (EC) algorithm using the P-256 curve specification (also known as secp256r1 and prime256v1). To build a JWE, the header should include an encrypted Content Encryption Key (CEK). When generating the JWE header any combination of the following CEK algorithms and encryption methods may work:

    • Algorithms: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW

    • Encryption methods: A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384 or A256CBC-HS512

    However, we recommend using the ECDH-ES+A256KW algorithm with the A256GCM encryption method when constructing the JWE header. The payload of the JWE (the Identity Cloud Service token) must be encrypted using the CEK from the JWE header, which itself is encrypted by the public key (the JWK provided by the Hub).

  2. Expose the encrypted token on the client-facing page (embedding the interview) in JWE compact serialization (five Base64url-encoded strings separated by dots).

    Note: The user's unencrypted Identity Cloud Service access token should never be revealed client-side.

  3. Follow the steps for embedding an interview in another application using a div but with the addition of the encrypted Identity Cloud Service access token in the idcsToken property in the startConfig parameter for the OraclePolicyAutomationInterview.BatchStartOrResume method.

    For example:

    <div style="display: inline-block; width:100%">
        <div id="interviewDiv" style="width: 100%; display: block; margin-left: auto; margin-right:auto; float: left"></div>
    </div>
    <script>
        var intDiv = document.getElementById("interviewDiv");
        var url = "http://[your site]/web-determinations";
        var interviews = [
            {
                operation: "start",
                el: intDiv,
                deploymentName: "My deployment name",
                // JWE in compact serialization, produced on the backend; never the raw access token
                idcsToken: "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..s4U3JXkYC-aKPvFe.FTH[etc…].Ttd6m_OduZ1vQpJsCc-CVQ"
            }
        ];
        // Pass the Web Determinations URL and the interview configuration array defined above
        OraclePolicyAutomationInterview.BatchStartOrResume(url, interviews);
    </script>