1.1 API Security
This topic describes about the API Security.
Oracle Banking Virtual Account Management application provides the API Layer (also known as the Service API Layer), which is used by the external users to access the Oracle Banking Virtual Account Management functionalities.
- OAuth with OAM (Oracle Access Manager)
- OAuth without OAM
- Oracle Banking Routing Hub
As stated before, in case the customer does not have OAM, an enterprise API Management layer should be implemented to protect the service API(s)
Register OAuth Clients with API Gateway
New Oath users can be registered with Oracle Banking Microservices Architecture using the below endpoint.
Sample Headers:
Header: appId: SECSRV001
Header: Content-Type: application/json
Header: userId: <USERID>
Header: Authorization: Bearer <<JWT Access Token>>
{
"UserList": [
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
},
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
}
]
}
Modify Token Expiry of Registered OAuth Client
Token expiry time can be updated using the below endpoint:
Sample headers:
Header: appId: SECSRV001
Header: Content-Type: application/json
Header: userId: <USERID>
Header: Authorization: Bearer <<JWT Access Token>>
{"client_id":"<< clientId >>","validity":"<< Validity in seconds >>"}
API Security with OAuth
The flow is depicted below
- API clients pass the client id & client secret and grant
type as CLIENT CREDENTIALS. To get the access token, use the endpoint
/oauth2/rest/token
. - API clients passes the access token in the authorization header as bearer token in their subsequent calls to access the Service API's.
- API Gateway validates the client access token on OAM Authorization server.
- If valid, it passes the request onto the Svc API's and gets the response.
- The client can refresh to get a new token before the current token expires. If the token expires, they can pass the client ID and client secret to get a new token.
The flow for token generation is depicted below:
Figure 1-2 OAuth without OAM - Token Generation flow
The flow for accessing svc is depicted below:
Figure 1-3 OAuth without OAM - Accessing svc flow
- API clients passes the client id & client secret in the
body and other required headers. To get the access token, use the below
endpoint.
http://<<hostname>>:<<port>>/api-gateway/platojwtauth/.
- API clients passes the access token in the authorization header as bearer token in their subsequent calls to access the Service API's.
- API Gateway validates the client access token on Authorization server.
- If valid, it passes the request on to the Svc API's and gets the response.
- The client can refresh to get a new token before the current token expires. If the token expires, they can pass the client ID and client secret to get a new token. Additional facility of increasing the tokens are also provided.
Access APIs through Oracle Banking Routing Hub
If the external services (services in bank or consulting) need to access APIs in Oracle Banking Microservices Architecture modules, the services will first have to generate an access token using Oracle Banking Routing Hub endpoints and then use the token to authorize themselves to access the endpoints.
Refer to Authentication section in Routing Hub Configuration User Guide for the further details.
Parent topic: Securing API Services