OAuth 2

OAuth 2 Client Credentials flow is available as the authentication protocol for inbound REST API and XML integration using HTTP POST. The authorization service is managed by Oracle Identity Cloud Service (IDCS) (also used for single sign-on application user accounts).

The following steps must be followed to configure an external integration application to use OAuth 2 for inbound integration.

  1. Configure external integration application in IDCS to obtain client ID and secret
  2. Assign the client ID generated in step 1 above as the Nickname of the Transportation and Global Trade Management Cloud integration user account, i.e. the user account authorized to process inbound integration messages for all required application resources.

IDCS Configuration

  1. Sign in to the Oracle Cloud Console.
  2. Navigate to Identity & Security > Identity > Domains.
  3. Select the Domain listed as the "Current Domain".
  4. Click the Integration applications tab.
  5. Click Add application.
  6. Select Confidential Application and click Launch workflow.
  7. Enter a Name and click Submit.
  8. Click the OAuth configuration tab.
  9. Click Edit OAuth configuration.
  10. In the Resource Server Configuration section:
    1. Select Configure this application as a resource server now.
    2. Under Configure application APIs that need to be OAuth Protected, enter a value for Access token expiration (seconds).
    3. Provide a value for the Primary audience, for example, https://{host-id}/ where {host-id} is the Transportation and Global Trade Management Cloud server. The actual value might depend on whether the target application is REST API (https://{host-id}/logisticsRestApi/) or XML integration (https://{host-id}/logisticsXmlApi/).
    4. Select Add scopes.
    5. Click Add.
      1. Enter a name for the scope.
      2. Click Add.
    6. Click Submit.
  11. Click Edit OAuth Configuration. In the Client Configuration section:
    1. Select Configure this application as a client now.
    2. In the Authorization section, under Allowed grant types, select Client credentials.
    3. In the Token issuance policy section, select Add resources.
    4. Click Add scope.
      1. Search for the Confidential application you created.
      2. In the Select scope section, select the available scope.
      3. Click Add.
    5. Click Submit.
  12. Click Actions > Activate.
  13. Be sure to save the Client ID and Client Secret in a secure place. These will be used by the external application to authenticate with IDCS when using the target application and when configuring the application user Nickname.

Transportation and Global Trade Management Cloud Configuration

  1. Obtain the Client ID associated with the target application previously configured in IDCS.
  2. Edit the integration user account via the User Manager page.
  3. Place the Client ID in the Nickname field.
  4. Save.

Runtime Authentication

The OAuth 2 Client Credentials protocol works by completing the following stages, which MUST be performed using HTTPS:

  1. The client submits an authorization request to obtain a token.
  2. The client requests the resource and passes the token.

The first step requires the URL for the IDCS instance:

https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token

The HTTP request uses an HTTP Basic Authentication header to pass the Client ID and Client Secret. The message body uses the "application/x-www-form-urlencoded" content type to send the following name/value parameters:

  • grant_type=client_credentials
  • scope=[Copy the scope from the Confidential Application Client configuration > Token Issuance policy > Resources > Scope.]

A successfully authenticated request receives the HTTP 200 status code and a JSON message body containing the required access token. This access token must then be passed to the target application in the HTTP "Authorization: Bearer" header.
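The two runtime stages above, written out as an added example (this is not Oracle's code; the IDCS instance name, client ID, client secret, scope value and resource URL are placeholders, and the JSON token response is a constructed sample). The example builds the token request exactly as described: Basic authentication header, form-encoded body with grant_type and scope, then a Bearer header for the resource call. It also checks the token response before trusting it and tracks the expires_in value so the client re-requests a token shortly before it expires rather than after the resource server starts returning 401.

```python
"""OAuth 2 Client Credentials against IDCS: token request, response check, bearer call.
Added example; hostnames, credentials and the scope below are placeholders."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"


def build_token_request(idcs_instance, client_id, client_secret, scope):
    """Return (url, headers, body) for stage 1, the token request.

    idcs_instance is the <IDCS-Service-Instance> part of the token URL; scope is the
    value copied from Client configuration > Token Issuance policy > Resources > Scope.
    """
    url = f"https://{idcs_instance}.identity.oraclecloud.com{TOKEN_PATH}"
    # HTTP Basic authentication: base64("client_id:client_secret").
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # Form-encoded body; urlencode percent-encodes ':' and '/' inside the scope.
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return url, headers, body


def parse_token_response(status, body_text):
    """Validate the token endpoint's reply and return (access_token, expires_in)."""
    if status != 200:
        # IDCS returns a JSON error body (e.g. invalid_client) on failure; don't
        # try to pull a token out of it.
        raise RuntimeError(f"token endpoint returned HTTP {status}: {body_text[:200]}")
    data = json.loads(body_text)
    token = data.get("access_token")
    if not token or data.get("token_type", "Bearer").lower() != "bearer":
        raise RuntimeError("response did not contain a bearer access_token")
    return token, int(data.get("expires_in", 0))


def bearer_header(token):
    """Header for stage 2, the resource request."""
    return {"Authorization": f"Bearer {token}"}


def token_is_fresh(obtained_at, expires_in, now, skew=60):
    """True while the token is still usable, leaving `skew` seconds of safety margin."""
    return now < obtained_at + expires_in - skew


def fetch_token(idcs_instance, client_id, client_secret, scope):
    """Perform stage 1 over HTTPS (network call; not exercised offline)."""
    url, headers, body = build_token_request(idcs_instance, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.status, resp.read().decode())


def call_resource(resource_url, token):
    """Perform stage 2: GET the protected resource with the bearer token (network call)."""
    req = urllib.request.Request(resource_url, headers=bearer_header(token), method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


# Constructed sample of a successful IDCS token response (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"access_token": "constructed.sample.token", "token_type": "Bearer", "expires_in": 3600}
)

if __name__ == "__main__":
    url, headers, body = build_token_request(
        "example-idcs", "example-client-id", "example-client-secret",
        "https://otm.example.com/logisticsRestApi/inbound",
    )
    print("POST", url)
    print(headers["Content-Type"], body.decode())
    token, ttl = parse_token_response(200, SAMPLE_TOKEN_RESPONSE)
    print(bearer_header(token), "valid for", ttl, "s")
```

Only fetch_token and call_resource touch the network; everything else can be exercised offline, which is also where you would put unit tests for the request construction. The skew in token_is_fresh exists because the resource server and the client clock rarely agree to the second, and a request sent with a token that expires in flight fails with 401 just like a bad token.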