3.1.7.6 Generate Access Token to Execute a Public RESTful API

You can generate an access token using TLS client authentication (the tls_client_auth grant) and use it to execute a public RESTful API.

Prerequisites: the organization-wide ca.crt, plus client.crt and client.key (client.crt and client.key can be generated with openssl, as shown next).

Create a client.crt using openssl

Run the following command. As written, it produces a self-signed certificate, ca.crt, from an existing private key, ca.key; the same form with -key client.key and -out client.crt produces client.crt:
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

Create a client.key using openssl

Run the following command:
openssl genrsa -out client.key 2048

Create an Integrated Application

  1. Log in to the Admin Console.
  2. Under Domains, go to Integrated Applications.
  3. Create a confidential application with an app name. Example: TLS_APP_<tenant>.
  4. After creating the application, edit the OAuth configuration as follows:
    1. Under Client configuration, select "Configure this application as a client now".
    2. Enable the required authorization grant types (TLS must be checked for TLS authorization).
    3. Enable Allow non-HTTPS URLs.
    4. Add the redirect URL: http://%hostid%/cloudgate/v1/oauth2/callback
    5. Add the logout URL: http://%hostid%/cloudgate/v1/oauth2/logout
    6. Set the client type to "Confidential".
    7. Under Certificate file, import the client.crt generated earlier.
    8. Click Submit.
  5. Import the following Webtier policy:
    {
      "cloudgatePolicy": {
        "version": "2.6",
        "requireSecureCookies": true,
        "disableAuthorize": false,
        "allowCors": true,
        "webtierPolicy": [
          {
            "policyName": "default",
            "comment": "",
            "resourceFilters": [
              {
                "filter": "/.*",
                "comment": "Protect all resources",
                "type": "regex",
                "method": "oauth",
                "headers": [
                  {
                    "user_groups": "$subject.user.groups"
                  },
                  {
                    "ofs_remote_user": "$subject.user.userName"
                  },
                  {
                    "ofs_remote_username": "$subject.user.name"
                  },
                  {
                    "ofs_mapped_groups": "$subject.user.groups"
                  },
                  {
                    "ofs_remote_user_email": "$subject.user.emails"
                  }
                ],
                "authorize": false
              }
            ]
          }
        ]
      }
    }
  6. Activate the application.

Creating custom scopes for the Integrated Application (Optional)

After creating the Integrated Application, edit the OAuth configuration as follows:
  1. Under Resource Server Configuration, select "Configure this application as a resource server now".
  2. Set the access token expiration.
  3. Set the primary audience.
  4. Under Scopes, click Add.
  5. Under Add Scope, provide the following details:
    1. Scope: urn:app:tls.test (the scope must begin with urn and be delimited by ":" (colon)).
    2. Display name: Custom scope.
    3. Click Add.
  6. Click Submit.

Set up Postman to get the TLS token

  1. Get the IDCS Host URL from the domain.
  2. Open the URL to get the IDCS configuration details.

    Example: https://idcs-8523776c08804de1b5613af6d662f94e.identity.oraclecloud.com:443/.well-known/idcs-configuration

  3. Search for "secure_token_endpoint" to get the secure token endpoint.

    Example: https://idcs-8523776c08804de1b5613af6d662f94e.us-ashburn-idcs-1.secure.identity.oraclecloud.com/oauth2/v1/token

  4. In Postman, paste the secure_token_endpoint in the address bar and set up the request as follows:
    1. Method: POST
    2. Body:
      1. grant_type: tls_client_auth
      2. scope: urn:opc:idm:__myscopes__ (if a custom scope is required, change the scope to <primary_audience><new_scope>)
      3. client_id: caf14860726e48a18b76b80704987285 (the Client ID of the application created above)
    3. Header: Content-Type: application/x-www-form-urlencoded
    4. For a custom scope, provide the details as follows:
      1. grant_type: tls_client_auth
      2. scope: urn:app:tls.auth.test
      3. client_id: ecccdd63304a4483a9f2bb8e1fdfe45a
  5. Open the Postman settings and go to the Certificates tab.
  6. Enable CA certificates and upload ca.crt as the PEM file.
  7. Click Add Certificate.
  8. Under Host, enter the host of the secure_token_endpoint.
  9. Upload the client.crt and client.key files generated with openssl.
  10. Click Add to add the certificate and close the dialog box.
  11. Select No Auth for Authorization.
  12. Click Send to get the token.

Send the request via Postman with the TLS token and client.crt

  1. Paste the endpoint in the address bar and select the appropriate method type.
  2. On the Authorization tab, select the Auth type "Bearer Token" and paste the token generated above.
  3. Under Headers, set the header X-Forwarded-Tls-Client-Cert: <url_encoded_client_crt>
    1. URL-encode only the certificate body, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    2. A URL encoder such as https://www.urlencoder.org/ can be used to encode the certificate body.
  4. Click Send to get the response.

Invoke the API through the Access Token using TLS

To invoke the API with the generated access token over TLS, refer to the following example, executed with cURL in a CLI tool:

curl --location 'https://devcorp7.fccmcloud.us-phoenix-1.ocs.oc-test.com/l0i1a3-prd/utils-service/v1/bucket/PAR' \
  -H 'X-Forwarded-Tls-Client-Cert: <Encoded cert>' \
  -H 'ofs_remote_user: aaiappuser' \
  -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Cookie: OFSEnvID=l0i1a3-prd'
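The token request body from the Postman steps and the X-Forwarded-Tls-Client-Cert header value used by the cURL call, as an added Python example (not Oracle's code). The client_id is the one quoted in the Postman steps; the certificate is a constructed stand-in, not a real client.crt, and decode_forwarded_cert is the receiving side's check that the header decodes back to the original DER bytes.

```python
import base64
import textwrap
from urllib.parse import quote, unquote, urlencode

# Constructed stand-in for the DER bytes of client.crt (not a real certificate).
SAMPLE_DER = b"constructed sample, not a real DER certificate: " * 3 + b"!"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
# PEM as openssl writes it: armor lines around base64 wrapped at 64 columns.
SAMPLE_CLIENT_CRT = ("-----BEGIN CERTIFICATE-----\n"
                     + "\n".join(textwrap.wrap(SAMPLE_B64, 64))
                     + "\n-----END CERTIFICATE-----\n")


def token_request_body(client_id, scope="urn:opc:idm:__myscopes__"):
    """Form body POSTed to secure_token_endpoint with grant_type=tls_client_auth.
    For a custom scope, pass "<primary_audience><new_scope>" as scope."""
    return urlencode({"grant_type": "tls_client_auth",
                      "scope": scope,
                      "client_id": client_id})


def pem_body(pem):
    """Base64 body of the first CERTIFICATE block, armor and line breaks removed."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.find(begin)
    stop = pem.find(end, start)
    if start < 0 or stop < 0:
        raise ValueError("no CERTIFICATE block in input")
    body = "".join(pem[start + len(begin):stop].split())
    base64.b64decode(body, validate=True)  # reject a mangled paste early
    return body


def forwarded_cert_header(pem):
    """Value for X-Forwarded-Tls-Client-Cert: the URL-encoded body only, so
    '+', '/' and '=' survive transport as %2B, %2F and %3D."""
    return quote(pem_body(pem), safe="")


def decode_forwarded_cert(value):
    """Reverse of forwarded_cert_header: the DER bytes a receiving service parses."""
    return base64.b64decode(unquote(value), validate=True)


def api_request_headers(token, pem, remote_user, env_id):
    """Headers matching the cURL call above (token and user are placeholders)."""
    return {"Authorization": f"Bearer {token}",
            "X-Forwarded-Tls-Client-Cert": forwarded_cert_header(pem),
            "ofs_remote_user": remote_user,
            "Cookie": f"OFSEnvID={env_id}"}
```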