Configure OAuth Using Oracle Identity Cloud Service or Identity Access Management

To use any v1 resource, you need an OAuth token from the supported identity service provider, Oracle Identity Cloud Service (IDCS) or Oracle Identity Access Management (IAM).

In this use case, we'll explore three different ways to configure and implement OAuth, using IDCS as the authorization server.

Note:

Oracle IDCS is no longer offered as a separate service, but all features and functionality continue to exist as part of OCI IAM.

  • OAuth 2.0 Using Client Credentials and JWT Assertion
  • OAuth 2.0 Client Credentials Grant Flow (2-legged OAuth)
  • OAuth 2.0 Authorization Code Flow (3-legged OAuth)

Let's look at each of these in detail.

OAuth 2.0 Using Client Credentials and JWT Assertion

In this flow, we use a certificate to sign the JWT and then request an access token from Oracle IDCS. Oracle IDCS validates the digital signature that is included with the JWT and returns an access token. The JWT assertion flow can be used when you want servers to exchange information without having to log in every time the information is exchanged. For more information about client credentials and JWT assertion, see Client/User JWT Assertion.

Here are the steps:

  1. Register your application with the authorization server
  2. Know your product scope
  3. Obtain an access token using the client credentials and JWT assertion
  4. Access the resource using the access token
  1. Step 1: Register your application with the authorization server

    By default, all Oracle Applications are registered with Oracle IDCS. However, you must register any third-party application with Oracle IDCS. Complete the following steps to register your application with Oracle IDCS:

    1. Sign in to Oracle IDCS.
    2. Add a confidential application by using the following configuration:
      1. Grant type: Client Credentials and JWT Assertion
      2. Client Type: Trusted
      3. Certificate: Upload your application's signing certificate. Here's how you generate a certificate (link to instructions on generating a certificate).
    3. Make note of the application's Client ID and Client Secret. If you want to use ClientAssertion, then you must create the client ID as a user in your FA application.

    You can get the scope, client ID, and client secret of an application using the Search Apps method or the Get Apps method in IDCS. These details are included in the scopes section of the response.

    For Spectra services, it is required that each product area (that a service belongs to) have a different scope. You must configure the right scope in IDCS to access the service. The access to the service depends on the scope and the user authorization.

  2. Step 2: Know your product scope

    Spectra REST API services do not accept a JAuth token; they require a bearer token. The services need an audience and a scope to be defined in the token's claims. Spectra REST API services have different scopes for each product area, so you must configure the right scope in Oracle IDCS to access the service. Access to the service depends on the scope and the user authorization.

  3. Step 3: Obtain an access token using the client credentials and JWT assertion
    1. Build the client assertion.
    2. Use the following parameters in your request to access token using the JWT assertion:
      • grant_type: The grant type used to obtain the token, that is, client credentials.
      • client_id: The client ID of your application from Oracle IDCS.
      • client_assertion_type: The type of client assertion. In Oracle Cloud, it is jwt_bearer.
      • client_assertion: The value of the client token obtained.
      • scope: The limit of a particular scope for an access token.
  4. Step 4: Access the resource using the access token

    Use the token you obtained from Oracle IDCS to access the resource.

    Here's an example to get the accounts resource using the token:

    curl -X GET "https://your_organization.com:port/crmRestApi/resources/11.13.18.05/accounts" \
    -H "Authorization: Bearer <access_token>"

    Replace <access_token> with the access_token value from the token response you saved (for example, in token.json).
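    Added example, in Python, of Steps 3 and 4 above (this is not code from the Oracle documentation): it assembles the client assertion JWT and the token request fields. The IDCS tenant URL, client ID, key ID and scope are placeholders, the claim layout is the standard RFC 7523 one (assumed, the page does not list the claims), and the signer is a pluggable stand-in because the real RS256 signature needs the private key of the certificate uploaded in Step 1.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Placeholder tenant URL; the real value comes from your IDCS instance.
IDCS_URL = "https://idcs-<idcs-id>.identity.oraclecloud.com"
TOKEN_URL = IDCS_URL + "/oauth2/v1/token"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_segment(segment: str) -> dict:
    """Decode one JWT segment back into its JSON object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def demo_signer(signing_input: bytes) -> bytes:
    """Stand-in signer so the example runs offline (demo only). In the real flow
    this is an RS256 signature by the private key of the uploaded certificate."""
    return hmac.new(b"demo-only-key", signing_input, hashlib.sha256).digest()

def build_client_assertion(client_id, sign, kid, now=None, lifetime=300):
    """Assemble the client assertion JWT (RFC 7523 claims, assumed here)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {
        "iss": client_id,          # issuer and subject are both the client
        "sub": client_id,
        "aud": TOKEN_URL,          # audience is the IDCS token endpoint
        "iat": now,
        "exp": now + lifetime,     # short lifetime narrows the replay window
        "jti": str(uuid.uuid4()),  # unique id lets the server reject replays
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode()))

def token_request_body(client_id, assertion, scope):
    """Form fields for POST {IDCS_URL}/oauth2/v1/token (the Step 3 parameters);
    client_assertion_type is the RFC 7523 URN that the page refers to as jwt_bearer."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
        "scope": scope,
    }
```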
    

OAuth 2.0 Client Credentials Grant Flow (2-legged OAuth)

The client credentials grant flow (or other forms of client authorization) can be used when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously authorized with the authorization server. Client credentials grant flow is typically used when the client is:
  • acting on its own behalf (the client is also the resource owner)
  • requesting access to protected resources based on an authorization previously arranged with the authorization server

Here are the steps in the OAuth 2.0 Client Credentials Grant Flow:

  1. Register the client with the authorization server
  2. Know your product scope
  3. Create the ClientID as a user in Oracle Applications Cloud
  4. Request an access token
  5. Access the resource using the access token
  1. Step 1: Register your application with the authorization server

    By default, all Oracle Applications are registered with Oracle IDCS. However, you must register any third-party application with Oracle IDCS.

    Complete the following steps to register your application with Oracle IDCS:

    1. Sign in to Oracle IDCS.
    2. Add a confidential application by using grant type as Client Credentials.
    3. Make note of the application's Client ID and Client Secret.

    You can get the scope, client ID, and client secret of an application using the Search Apps method or the Get Apps method in IDCS. These details are included in the scopes section of the response.

    For Spectra services, it is required that each product area (that a service belongs to) have a different scope. You must configure the right scope in IDCS to access the service. The access to the service depends on the scope and the user authorization.

  2. Step 2: Know your product scope

    Spectra REST API services do not accept a JAuth token; they require a bearer token. The services need an audience and a scope to be defined in the token's claims. Spectra REST API services have different scopes for each product area, so you must configure the right scope in Oracle IDCS to access the service. Access to the service depends on the scope and the user authorization.

  3. Step 3: Create the Client ID as a user in Oracle Applications Cloud

    In Client Credentials flows, any call is invoked in the context of the application itself and not in the context of a user. Therefore, you must model the application's client ID as a user in Oracle Applications Cloud. By creating the Client ID as a user you are indicating that the user (application) has the necessary role and privileges and is authorized to access the resources.

    Complete the following steps to create the Client ID as a user:

    Note:

    The user creation takes a few minutes, and is not completed instantly.
    1. Sign in to Oracle Application Cloud.
    2. On the Security Console, click Users.
    3. Click Add User Account.
    4. Under User Information in the User Name field, specify the Client ID of the application that you registered with Oracle IDCS.
    5. Enter the other details under User Information.
    6. Click Add Role.
    7. Based on the resources that you want this application to access, add the appropriate roles.
  4. Step 4: Request an access token
    1. Use your client application to request an access token. Or, you can use Postman as a client to request the access token. Complete the following steps:
      1. In Postman, create a new request.
      2. In the Authorization tab, select OAuth 2.0 as the Authorization Type.
      3. In the Configure New Token section, enter the following client configuration information:
        Fields and values:
        • Access Token URL: The IDCS URL appended with /oauth2/v1/token is used as the Access Token URL.
        • Client ID: Enter the Client ID value collected from IDCS.
        • Client Secret: Enter the Client Secret value collected from IDCS.
        • Scope: Enter the Scope value defined in IDCS.
        • Token Name: Generic name, can be anything.
        • Grant Type: Client Credentials
        • Client Authentication: Send as Basic Auth Header.
      4. Click Get New Access Token.
      5. Postman passes on the information to Oracle Identity Cloud Service (IDCS).
      6. After successful authentication, Oracle IDCS returns the access token to Postman.
      7. Click Use Token to use this token to access the resources.
  5. Step 5: Access the resource using the access token

    Use the token you obtained from Oracle IDCS to access the resource.

    Here's an example to get the accounts resource using the token:

    curl -X GET "https://your_organization.com:port/crmRestApi/resources/11.13.18.05/accounts" \
    -H "Authorization: Bearer <access_token>"

    Replace <access_token> with the access_token value from the token response you saved (for example, in token.json).
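    Added example, in Python, of the request Postman sends in Step 4 and a client-side check of the returned token before it is used in Step 5 (this is not code from the Oracle documentation). The IDCS tenant URL, client ID, secret, scope and audience are placeholders, and the sample token is constructed locally and unsigned; the check only confirms that the audience and scope Step 2 requires are present and that the token has not expired. Signature verification is the resource server's job.

```python
import base64
import json
import time

# Placeholder tenant URL; the real value comes from your IDCS instance.
IDCS_URL = "https://idcs-<idcs-id>.identity.oraclecloud.com"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Client Authentication: Send as Basic Auth Header' from the Postman fields."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")

def client_credentials_request(client_id, client_secret, scope):
    """The request sent in Step 4 when you click Get New Access Token."""
    return {
        "url": IDCS_URL + "/oauth2/v1/token",
        "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "client_credentials", "scope": scope},
    }

def make_sample_token(claims: dict) -> str:
    """Constructed stand-in for the JWT IDCS returns (unsigned, demo only)."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + ".sig"

def check_token_claims(access_token, expected_aud, expected_scope, now=None):
    """Sanity-check audience, scope and expiry before sending the token to the
    resource. The signature is verified by the resource server, not here."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return False, "not a JWT"
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        return False, "audience mismatch"
    if expected_scope not in claims.get("scope", "").split():
        return False, "scope missing"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```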
    

OAuth 2.0 Authorization Code Flow (3-legged OAuth)

Use the authorization code flow in scenarios where the application accesses the resources on behalf of end users, and in which user consent is required. In some cases, you can also use implicit access without user consent. However, this approach is not secure and is not recommended.

Note:

The implicit flow is not recommended because it is less secure than the other flows. It is used by public clients to obtain an access token: the resource owner sends a request to the authorization server, which then returns an implicit token to the client application.

Here are the steps in the OAuth 2.0 authorization code flow:

  1. Register your client and resource applications with the authorization server (Oracle IDCS)
  2. Know your product scope
  3. Request an access token
  4. Access the resource using the access token
  1. Step 1: Register your client and resource applications with the authorization server

    By default, all Oracle Applications are registered with Oracle Identity Cloud Service (IDCS). These applications could be clients or resource applications depending on the integration scenario. However, you must explicitly register any third-party applications (client application) with Oracle IDCS.

    Complete the following steps to register your third-party application with Oracle IDCS:

    1. Log in to Oracle IDCS.
    2. Add a confidential application by using grant type as Authorization Code.
    3. Make note of the application's Client ID and Client Secret.

    Oracle IDCS also lets you add a mobile application. However, it is recommended that you add a confidential application. A confidential application runs on a protected server; a mobile application also uses OAuth 2.0, but it cannot maintain the confidentiality of its client secret.

    For Spectra services, it is required that each product area (that a service belongs to) have a different scope. You must configure the right scope in IDCS to access the service. The access to the service depends on the scope and the user authorization.

  2. Step 2: Know your product scope

    Spectra REST API services do not accept a JAuth token; they require a bearer token. The services need an audience and a scope to be defined in the token's claims. Spectra REST API services have different scopes for each product area, so you must configure the right scope in Oracle IDCS to access the service. Access to the service depends on the scope and the user authorization.

  3. Step 3: Request an access token

    Now that your application is registered with Oracle IDCS, you can request an access token to access the resources.

    The process to request an access token comprises these two steps:

    1. Request an authorization code from the authorization server.
    2. Exchange the authorization code for an access token.

    For detailed information on how these steps can be implemented, see the Generate Authorization Code and Identity Token (3-legged OAuth Flow) topic in REST API for Oracle Identity Cloud Service documentation.

    You can also use Postman as a client to request the access token. Complete the following steps using Postman to request an access token from Oracle IDCS:

    1. In Postman, create a new request.
    2. In the Authorization tab, select OAuth 2.0 as Authorization Type.
    3. In the Configure New Token section, enter the following client configuration information:
      Fields and values:
      • Callback URL: Enter the Redirect URL value collected from IDCS.
      • Auth URL: The IDCS URL appended with /oauth2/v1/authorize is used as the Auth URL. You can get the URLs from https://idcs-<idcs-id>.identity.oraclecloud.com/.well-known/idcs-configuration
      • Access Token URL: The IDCS URL appended with /oauth2/v1/token is used as the Access Token URL. You can get the URLs from https://idcs-<idcs-id>.identity.oraclecloud.com/.well-known/idcs-configuration
      • Client ID: Enter the Client ID value collected from IDCS.
      • Client Secret: Enter the Client Secret value collected from IDCS.
      • Scope: Enter the Scope value defined in IDCS.
      • State: Can be left blank.
      • Token Name: Generic name, can be anything.
      • Grant Type: Authorization Code
      • Client Authentication: Send as Basic Auth Header.
    4. Click Get New Access Token.
    5. Postman passes on the information to Oracle Identity Cloud Service (IDCS).

      Oracle prompts the user to log in to Oracle Applications Cloud. Log in using the credentials shared during provisioning of Oracle Cloud, or as one of the users that you created who can access the resources.

    6. After successful authentication, Oracle IDCS returns the access token to Postman.
    7. Click Use Token to use this token to access the resources that you are permitted to access.
  4. Step 4: Access the resource using the access token

    Use the token you obtained from Oracle IDCS to access the resource. Here's an example to get the accounts resource using the token:

    curl -X GET "https://your_organization.com:port/crmRestApi/resources/11.13.18.05/accounts" \
    -H "Authorization: Bearer <access_token>"

    Replace <access_token> with the access_token value from the token response you saved (for example, in token.json).
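    Added example, in Python, of the two-step request in Step 3 of this flow (this is not code from the Oracle documentation): it builds the /oauth2/v1/authorize URL, checks the state on the callback, and builds the code exchange request to /oauth2/v1/token. The IDCS tenant URL, client ID, secret, scope and Callback URL are placeholders. The Postman fields above say State can be left blank; this example generates one anyway so that a callback can be tied to the request that started it.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder tenant URL; the real values come from .well-known/idcs-configuration.
IDCS_URL = "https://idcs-<idcs-id>.identity.oraclecloud.com"
AUTH_URL = IDCS_URL + "/oauth2/v1/authorize"
TOKEN_URL = IDCS_URL + "/oauth2/v1/token"

def new_state() -> str:
    """Random, single-use value that ties the callback to the request we made."""
    return secrets.token_urlsafe(24)

def authorize_url(client_id, redirect_uri, scope, state):
    """Step 3, part 1: the URL the user's browser is sent to for login and consent."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Pull the authorization code from the redirect back to our Callback URL.
    A callback whose state does not match the one we issued is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        return None
    return query.get("code", [None])[0]

def code_exchange_request(client_id, client_secret, code, redirect_uri):
    """Step 3, part 2: exchange the code at the token endpoint, authenticating
    the client with the Basic header described in the Postman fields."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": "Basic " + creds,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri},
    }
```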