Secure Access to External / Fusion APIs using OAuth 2.0 authentication

Oracle Field Service now supports OAuth 2.0 authentication for accessing the APIs of external services. With OAuth 2.0, the user is propagated when Field Service connects to other applications, so you can call external APIs on behalf of the same user in the external application. Field Service can request access tokens from either Oracle Identity Cloud Service (IDCS) or a third-party OAuth 2.0 authorization server, and those access tokens are then used to call into the external systems securely. For example, opening a third-party mobile application from a Field Service plugin is more secure when it goes through the OAuth 2.0 application. The option to obtain tokens from IDCS can be used to access application APIs such as Fusion APIs from Field Service.

Oracle Field Service already supports OAuth 2.0 authentication for access to the Field Service REST APIs, by registering an application of type "Application using REST/SOAP API" on the Configuration page. This application type is now extended to support OAuth 2.0 authentication for accessing external APIs from Field Service.

Oracle Field Service supports OAuth 2.0 authentication for external / Fusion APIs: using the OAuth 2.0 application, you can access third-party applications from Field Service on behalf of the Field Service user. To use OAuth 2.0 authentication, you first have to register the application with Oracle Field Service. Go to Configuration >> Applications and select the option 'Application using REST / SOAP APIs'.

[Figure: API application 1]

On the Add Application configuration screen, you have the option to select Field Service API, OAuth User Assertion or OAuth Client Credentials.

Field Service API - You can configure the authentication and authorization to allow access to the Field Service APIs from third-party applications.

OAuth User Assertion - This OAuth 2.0 grant type can be used when you want to access external API services without exposing user credentials from Field Service. You can access any external API service that accepts tokens issued by an identity provider that supports OAuth User Assertion (e.g. you can connect Oracle Identity Cloud Service (IDCS) to access Fusion APIs).

OAuth Client Credentials - Use this OAuth 2.0 grant type when you want to access an external API service using a client ID and client secret rather than on behalf of a user, provided that the external system implements an OAuth 2.0 token endpoint that supports the Client Credentials Grant.

[Figure: API application 2]

Selecting Field Service API takes you to the authentication/authorization configuration page for the Field Service APIs, as detailed here. The OAuth User Assertion option lets you store the authorization server endpoints, client credentials, and token endpoints; these are used to obtain the authorization grant and the OAuth 2.0 token.

[Table 1]

The External API option provides you with the ability to store OAuth 2.0 credentials for external application API access.

[Figure: API application 3]

[Table 2]

Based on the configuration provided, a new application is added to the Configuration page, with options to modify and/or delete it. For Fusion APIs, an additional option is available to download the authentication certificate from the application UI.

[Figure: Application API 4]

This application adopts the 'OAuth 2.0 Client Credentials Grant' authentication flow, providing compatibility with any external system that implements the OAuth 2.0 token endpoint supporting Client Credentials Grant. Also, the client credentials (client_id / client_secret) are transmitted within the 'Authorization' header.

  • OAuth 2.0 is a secure and standard way of accessing external service APIs from Oracle Field Service. You can now use Field Service functionality such as plugins to call any API without transmitting or storing user credentials in the application.
  • Fine-grained access control - Knowing the user ID, the external system can verify that this user is authorized to perform the action they are attempting.
  • Audit - When configuring the application, you have the option to select "identify user based on login". This allows the external system to log the actual user that accessed the API, rather than a static user (e.g. "Field Service").
  • By contrast, user-less integrations are often configured with overbroad permissions (e.g. a "Field Service" API client registered in an external system with access to functionality that most individual Field Service users do not need).
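To illustrate how the OAuth User Assertion option, the downloadable authentication certificate and the "identify user based on login" setting fit together, here is an added Go example (not Oracle's code, and not the exact assertion format IDCS uses): the client signs a short-lived JWT that names the Field Service user in `sub`, and the external token endpoint verifies it with the certificate's public key, then checks audience and expiry, before trusting that user. The client ID, user login and endpoint URL used in the test are constructed; the RSA key is generated in place, standing in for the certificate's key pair.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding // JWT segments use unpadded base64url
// BuildAssertion signs a JWT user assertion (RS256): iss = registered client ID,
// sub = Field Service user login, aud = token endpoint URL, 5-minute lifetime.
func BuildAssertion(key *rsa.PrivateKey, iss, sub, aud string, now int64) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + 300})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
// VerifyAssertion is the token endpoint's side: verify the signature with the
// public key from the downloaded certificate (RS256 is enforced by construction,
// so an "alg" header of "none" cannot downgrade it), then check aud and exp.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed assertion")
	}
	sig, err1 := enc.DecodeString(parts[2])
	payload, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return "", errors.New("bad base64url encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature does not verify")
	}
	var c struct{ Sub, Aud string; Exp int64 } // json matches keys case-insensitively
	if json.Unmarshal(payload, &c) != nil || c.Aud != wantAud || now >= c.Exp {
		return "", errors.New("audience mismatch, expired, or unparsable claims")
	}
	return c.Sub, nil // the login the external system may now log and authorize
}
```

A production verifier would additionally pin the expected `iss` to the registered client ID and reject assertions older than a small clock skew.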

Steps to Enable

You don't need to do anything to enable this feature.