Authenticate using OAuth 2.0

The Oracle Health Insurance Cloud Services REST API supports the OAuth 2.0 protocol for authentication to securely authenticate applications before connecting to Oracle Health Insurance data.

OAuth 2.0 is a standard authorization protocol that grants access to a set of resources, for example Oracle Health Insurance Cloud Services APIs or a user’s data. Authorization is based on an access token, which is required to access a resource. An access token can be issued for a given scope, which defines what the token may do and which resources it can access.

An OAuth 2.0 access token transaction requires the following players:

  • Client: Application requesting access to a protected resource on behalf of the Resource Owner.

  • Authorization server: The server that authenticates the Resource Owner and issues access tokens after proper authorization. Oracle Identity Cloud Service is the authorization server.

  • Resource server: The server that hosts the protected resources and accepts and verifies the user’s access token.

  • Resource Owner: The entity that owns and controls who can access the protected resource. The resources can be limited by scope.

For more information on OAuth 2.0, refer to RFC 6749.

Types of OAuth 2.0

Oracle Health Insurance uses two types of OAuth authentication requests:

  • Inbound Request

  • Outbound Request

The following requests are explained for Oracle Identity Cloud Service. For Azure or other cloud services, refer to the respective cloud documentation.

Inbound Request

The inbound request is the authentication process of a user trying to access an Oracle Health Insurance Cloud Services application. Third-party application users can access a service of Oracle Health Insurance Cloud Services if inbound authentication is configured in Oracle Identity Cloud Service (IDCS).

OAuth 2.0 Client Credentials flow is available as the authentication protocol for inbound REST API. The authorization service is managed by Oracle Identity Cloud Service (IDCS).

When an end user needs to access an Oracle Health Insurance application, or a client fetches data from a resource server on behalf of the end user, the user must specify which client application needs access and the grant type, such as Client Credentials.

In Oracle Health Insurance Cloud Services, the Oracle Identity Cloud Service set up with the environment is used as the authorization server, and each Oracle Health Insurance application deployment is used as a resource server, for example <app-deployment-name>/claims/api.

The following steps are performed when a third-party application user sends an authentication request to access a service of Oracle Health Insurance Cloud Services:

  1. A user initiates a request to the client application, specifying which client application needs access and the grant type, such as Client Credentials.

  2. The IDCS server generates an access token that includes all of this information.

  3. Using that access token, the user can access the Oracle Health Insurance applications.

  4. Oracle Health Insurance Cloud Services validates the generated access token and verifies whether the user is provisioned and has the necessary permissions to access the requested resources.

  5. On successful authentication, the user gets access to the requested Oracle Health Insurance Cloud Services application or resources.

If the user is not provisioned in Oracle Health Insurance, an HTTP 500 response is returned in the response body.

To know more about how to configure an application in IDCS, refer to Adding Applications.

Outbound Request

An outbound request in OAuth refers to a request sent from a client application in one Oracle Health Insurance application to an OAuth 2.0 secured service in another Oracle Health Insurance application. Sample use cases include:

  • Sending requests from one Oracle Health Insurance application to another, for example for Data Replication (to synchronize member data between Oracle Health Insurance Policies and Oracle Health Insurance Authorizations) or to pass Enrollment data between Oracle Health Insurance Claims and Oracle Health Insurance Policies.

  • Clients defined in Call Out Rules, configured in Dynamic Logic code, for accessing services in external applications.

Here, the receiving application validates OAuth 2.0 access tokens that are sent as Bearer tokens in the HTTP Authorization header. If the token is valid and a user is identified, the request is allowed; otherwise an HTTP 401 Unauthorized response is returned.

Oracle Health Insurance applications do not support sending an access token as a request parameter.
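A minimal client for the inbound flow described above, added here as an example and not Oracle's or the OHI product's own code: it builds the Client Credentials token request to IDCS, places the returned access token only in the Authorization header as this page requires, and interprets the 401 and 500 responses the page describes. The IDCS tenant URL, client id and secret, scope and deployment URL are placeholders, and the /oauth2/v1/token path is assumed to be the IDCS token endpoint.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions, not from the page): take them from the IDCS
# confidential application and the OHI deployment being called.
IDCS_BASE_URL = "https://<idcs-tenant>.identity.oraclecloud.com"
CLIENT_ID, CLIENT_SECRET = "<client-id>", "<client-secret>"  # keep the secret out of source
SCOPE = "<resource-scope>"  # scope defined on the OHI resource application in IDCS
OHI_API_URL = "https://<app-deployment-name>/claims/api"

def build_token_request(base_url, client_id, client_secret, scope):
    """(url, headers, body) for an RFC 6749 client-credentials token request:
    client id/secret in an HTTP Basic header, grant type and scope form-encoded."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": scope}).encode()
    return base_url.rstrip("/") + "/oauth2/v1/token", headers, body

def bearer_headers(token_response_json):
    """Headers for the OHI call. The token goes only in the Authorization header;
    OHI does not accept it as a request parameter."""
    tok = json.loads(token_response_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a Bearer token, got %r" % tok.get("token_type"))
    return {"Authorization": "Bearer " + tok["access_token"],
            "Accept": "application/json"}

def explain_status(status):
    """Map the response codes the page documents to what they mean for the caller."""
    if status == 401:
        return "token missing or invalid, or no user identified"
    if status == 500:
        return "token accepted, but the user is not provisioned in OHI"
    return "success" if 200 <= status < 300 else "unexpected status %d" % status

def send(url, headers, body=None):
    """One HTTP exchange (POST when a body is given, else GET); needs network access."""
    req = urllib.request.Request(url, data=body, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 401 / 500 surface here, not as exceptions
        return err.code, err.read().decode()
```

End to end, call send with the tuple from build_token_request, pass the returned JSON to bearer_headers, and send the result to OHI_API_URL; explain_status then reads the final status code.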

Steps for an outbound request:

  • Register a confidential application in IDCS. For details, see Create a Confidential Application in Identity Cloud Services.

  • To access the resource, create a client credential grant configuration by adding its details through the oauthclientcredentialgrantconfigurations API endpoint.

  • To access the Policies application, provision the client as an OHI user in OHI Policies.