1.1 API Security

This topic describes API security.

Oracle Banking Collections and Recovery application provides the API Layer (also known as the Service API Layer), which is used by the external users to access the Oracle Banking Collections and Recovery functionalities.

Access to the API Layer is granted only through the following methods:
  • OAuth with OAM (Oracle Access Manager)
  • OAuth without OAM
  • Oracle Banking Routing Hub

As stated before, if the customer does not have OAM, an enterprise API Management layer should be implemented to protect the service API(s).

Register OAuth Clients with API Gateway

New OAuth users can be registered with Oracle Banking Microservices Architecture using the below endpoint.

Sample Headers:

Header: appId: SECSRV001

Header: Content-Type: application/json

Header: userId: <USERID>

Header: Authorization: Bearer <<JWT Access Token>>

Sample Request Body:
{
    "UserList": [
        {
            "clientId": "<< clientId >>",
            "clientSecret": "<< clientSecret >>",
            "validity": "<< Validity in seconds >>"
        },
        {
            "clientId": "<< clientId >>",
            "clientSecret": "<< clientSecret >>",
            "validity": "<< Validity in seconds >>"
        }
    ]
}

Modify Token Expiry of Registered OAuth Client

Token expiry time can be updated using the below endpoint:

Sample headers:

Header: appId: SECSRV001

Header: Content-Type: application/json

Header: userId: <USERID>

Header: Authorization: Bearer <<JWT Access Token>>

Sample Request Body:
{"client_id":"<< clientId >>","validity":"<< Validity in seconds >>"}

API Security with OAuth

OAuth with OAM

The flow is depicted below:

  • API clients pass the client ID and client secret with the grant type CLIENT CREDENTIALS. To get the access token, use the endpoint /oauth2/rest/token.
  • API clients pass the access token in the Authorization header as a bearer token in their subsequent calls to access the Service APIs.
  • API Gateway validates the client access token on the OAM Authorization server.
  • If valid, it passes the request on to the Svc APIs and gets the response.
  • The client can refresh to get a new token before the current token expires. If the token expires, they can pass the client ID and client secret to get a new token.

OAuth without OAM

The flow for token generation is depicted below:

Figure 1-2 OAuth without OAM - Token Generation flow

The flow for accessing svc is depicted below:

Figure 1-3 OAuth without OAM - Accessing svc flow

  • API clients pass the client ID and client secret in the body, along with the other required headers. To get the access token, use the below endpoint.
    http://<<hostname>>:<<port>>/api-gateway/platojwtauth/.
  • API clients pass the access token in the Authorization header as a bearer token in their subsequent calls to access the Service APIs.
  • API Gateway validates the client access token on the Authorization server.
  • If valid, it passes the request on to the Svc APIs and gets the response.
  • The client can refresh to get a new token before the current token expires. If the token expires, they can pass the client ID and client secret to get a new token. A facility for increasing the token validity is also provided (see Modify Token Expiry of Registered OAuth Client).
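The following is an added example, not Oracle's code, that models the two client-side pieces described in this topic: validating a registration body of the shape shown under "Register OAuth Clients with API Gateway" (UserList entries of clientId, clientSecret and validity), and a client-credentials session that sends the bearer token on service calls and refreshes it shortly before expiry, as the flow above requires. The token endpoint path is the platojwtauth one given on the page with placeholder host and port; the field names of the token request and response, the refresh margin and the validity cap are assumptions, and the authorization server is replaced by an in-memory stand-in so the example runs offline. The same session logic applies to the OAM flow with /oauth2/rest/token.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Endpoint path from the page; host and port are placeholders.
TOKEN_ENDPOINT = "http://<<hostname>>:<<port>>/api-gateway/platojwtauth/"
REFRESH_MARGIN_SECONDS = 30       # assumed local policy, not from the page
MAX_VALIDITY_SECONDS = 24 * 3600  # assumed local cap on token lifetime


def validate_registration(body: dict) -> Dict[str, dict]:
    """Check a registration body (page's UserList shape) and index it by clientId.

    Rejects blank ids/secrets, duplicate ids and non-positive or oversized
    validity values, so a typo cannot register a client with an effectively
    unlimited token lifetime.
    """
    registry: Dict[str, dict] = {}
    for entry in body.get("UserList", []):
        client_id = str(entry.get("clientId", "")).strip()
        secret = str(entry.get("clientSecret", ""))
        if not client_id or not secret:
            raise ValueError("clientId and clientSecret must be non-empty")
        if client_id in registry:
            raise ValueError(f"duplicate clientId {client_id!r}")
        validity = int(entry.get("validity", 0))
        if not 0 < validity <= MAX_VALIDITY_SECONDS:
            raise ValueError(f"validity {validity} out of range for {client_id!r}")
        registry[client_id] = {"clientSecret": secret, "validity": validity}
    return registry


def make_fake_issuer(registry: Dict[str, dict]) -> Callable[[str, dict], dict]:
    """Constructed stand-in for the authorization server (offline only).

    Request/response field names are assumptions, not the product's contract.
    """
    def issue(url: str, request_body: dict) -> dict:
        assert url == TOKEN_ENDPOINT
        client = registry.get(request_body.get("clientId"))
        # Constant-time secret comparison, as a real server should do.
        if client is None or not secrets.compare_digest(
                client["clientSecret"], request_body.get("clientSecret", "")):
            raise PermissionError("invalid client credentials")
        return {"access_token": secrets.token_urlsafe(16),
                "validity": client["validity"]}
    return issue


@dataclass
class ClientCredentialsSession:
    client_id: str
    client_secret: str
    token_fetch: Callable[[str, dict], dict]   # (url, body) -> token response
    clock: Callable[[], float] = time.time
    refreshes: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def needs_refresh(self) -> bool:
        """True before the first fetch and once the token is inside the margin."""
        return self._token is None or \
            self._expires_at - self.clock() <= REFRESH_MARGIN_SECONDS

    def _refresh(self) -> None:
        # Credentials travel in the POST body, never in the URL, so they do
        # not end up in access logs or proxy caches.
        resp = self.token_fetch(TOKEN_ENDPOINT,
                                {"clientId": self.client_id,
                                 "clientSecret": self.client_secret})
        self._token = resp["access_token"]
        self._expires_at = self.clock() + int(resp["validity"])
        self.refreshes += 1

    def headers(self, app_id: str, user_id: str) -> Dict[str, str]:
        """Headers for a service call, refreshing the bearer token when needed."""
        if self.needs_refresh():
            self._refresh()
        return {"appId": app_id, "userId": user_id,
                "Content-Type": "application/json",
                "Authorization": f"Bearer {self._token}"}


if __name__ == "__main__":
    # Constructed sample registration body in the page's shape.
    sample = {"UserList": [
        {"clientId": "app-a", "clientSecret": "s3cret-a", "validity": "600"}]}
    session = ClientCredentialsSession("app-a", "s3cret-a",
                                       make_fake_issuer(validate_registration(sample)))
    print(session.headers("SECSRV001", "user1"))
```

Injecting `token_fetch` and `clock` keeps the refresh logic testable without a live gateway; in production `token_fetch` would be a thin wrapper around an HTTP POST to the endpoint and `clock` stays `time.time`.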

Access APIs through Oracle Banking Routing Hub

If external services (services in the bank or at a consulting partner) need to access APIs in Oracle Banking Microservices Architecture modules, they must first generate an access token using Oracle Banking Routing Hub endpoints and then use that token to authorize their calls to the endpoints.