Use Case: Data Replication using OAuth2 Security

This topic describes how member data is replicated from an OHI Enterprise Policy Administration deployment to an OHI Claims Adjudication and Pricing deployment.

Both applications make use of the same application or sub-system for maintaining that data. Customers can use the Persons HTTP API message based service or the Data File Set interface for maintaining personal data in both Policies and Claims.

For more information about Data Replication, refer to the Developer Guide on the Data Replication Integration Point.

Data Replication use cases are supported using the OAuth 2.0 client credentials grant type (grant_type=client_credentials).

To replicate the data from OHI Enterprise Policy Administration to OHI Claims Adjudication and Pricing, follow these steps:

Step 1: Register the Client Applications and Configure OAuth 2.0

Before a client application sends a request for access to a resource server, the client application must be registered with the Oracle Cloud Identity Domain as an OAuth client.

For the Data Replication mechanism, register the following two clients with the Oracle Cloud Identity Domain. The Client ID and Client Secret are auto-generated.

  • The first client is used by the OHI Claims Adjudication and Pricing application for retrieving change events.

  • The second client is used by the OHI Claims Adjudication and Pricing application for retrieving entities.

For retrieving change events and entities, use the scope https://<app-deployment-name>/urn::ohi-components-apis while registering the client.

Ensure that the Client Credentials grant type is supported.

Step 2: Provision the Data Replication Person Entities and Data Replication Person Event User

A proper access role must be provisioned to access the application. In this use case, provision a Data Replication Entities user to retrieve entities and a Data Replication Events user to retrieve events.

To achieve this, submit the following PUT request with the specific request body to Oracle Health Insurance Policies:

HTTP Method

PUT

Base URL

https://<app-deployment-name>/policies/api/users

Content-Type

application/json

Entity User Request Body
{
"loginName": "<DataReplicationPersonEntities-ClientId>",
"displayName": "<DisplayName>",
"alternateUserIdentifier": "<client ID generated by the confidential application>",
"active": true,
"userRoleList": ["DR_ACCESS_ROLE"]
}

Here, alternateUserIdentifier is the client ID generated by the confidential application. The alternateUserIdentifier attribute provides an alternative way to uniquely identify a user. Its main use case is to support OAuth 2.0 or JWT tokens in which users are identified by non-functional or technical unique identifiers.

Event User Request Body
{
"loginName": "<DataReplicationPersonEvents-ClientId>",
"displayName": "<DisplayName>",
"alternateUserIdentifier": "<client ID generated by the confidential application>",
"active": true,
"userRoleList": ["DR_ACCESS_ROLE1"]
}

Step 3: Configure the REST Client in Oracle Health Insurance Claims

Configure the REST Client in Oracle Health Insurance Claims, so that it supports calling OAuth-secured services.

The following REST requests are used to support Data Replication:

  • DataReplicationPersonEvents: This request is used to query person-related change events in the source system, which is Oracle Health Insurance Policies for this use case.

  • DataReplicationPersonEntities: This request is used to retrieve the changed Person entities data.

To make Oracle Health Insurance Claims call the above OAuth-secured Oracle Health Insurance Policies resources with a proper OAuth access token, set the following properties by sending a request for each:

HTTP Method

POST

Base URL

https://<app-deployment-name>/claims/api/generic/properties

Content-Type

application/json

Request Body

The following JSON structures are examples of the request body, one per property:

{
"name":"ohi.service.DataReplicationPersonEvents.client.authentication",
"value":"OAuth"
}

{
"name":"ohi.service.DataReplicationPersonEntities.client.authentication",
"value":"OAuth"
}

Next, configure the REST clients in Oracle Health Insurance Claims so that an OAuth Access token is obtained using the OAuth Client Credentials grant type.

For the DataReplicationPersonEvents client, submit the following POST request:

HTTP Method

POST

Base URL

https://<app-deployment-name>/claims/api/generic/oauthclientcredentialsgrantconfigurations

Content-Type

application/json

Request Body
{
"restClientId": "DataReplicationPersonEvents",
"clientId": "<client id generated after registration of application for retrieving event in IDCS>",
"tokenURI": "https://identity-cloud-service-instance-url/oauth2/v1/token",
"scope": "<https://<app-deployment-name>/urn::pol-api>"
}

Here, identity-cloud-service-instance-url is your Oracle Identity Domain hostname.

The details mentioned above, such as the token URI and clientId, are specific to Oracle IDCS. For Azure, AWS, and other cloud identity services, refer to the respective documentation.

For the DataReplicationPersonEvents client, send the following PUT request to configure the client secret:

HTTP Method

PUT

Base URL

https://<app-deployment-name>/claims/api/generic/oauthclientconfigurations/{id}/setclientsecret

Content-Type

application/json

Here, replace {id} with the ID of the DataReplicationPersonEvents client.

Request Body
{
"clientSecret": "<Client Secret - from IDCS APP for person events>"
}

The Client Secret can be reset for the DataReplicationPersonEvents client using the above URL and request body.

Now, to configure the DataReplicationPersonEntities client, submit the following POST request:

HTTP Method

POST

Base URL

https://<app-deployment-name>/claims/api/generic/oauthclientcredentialsgrantconfigurations

Content-Type

application/json

Request Body
{
"restClientId": "DataReplicationPersonEntities",
"clientId": "<client id generated after registration of application for retrieving entities in IDCS>",
"tokenURI": "<https://host/oauth2/v1/token>",
"scope": "<https://<app-name>/urn::policies/api>"
}

To configure the client secret for the DataReplicationPersonEntities client, submit the following PUT request:

HTTP Method

PUT

Base URL

https://<app-deployment-name>/claims/api/generic/oauthclientconfigurations/{id}/setclientsecret

Content-Type

application/json

Here, replace {id} with the ID of the DataReplicationPersonEntities client.

Request Body
{
"clientSecret": "<client secret from IDCS APP for person entities>"
}

The Client Secret can be reset for the DataReplicationPersonEntities client using the above URL and request body.
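The following Python script is an added example, not part of the Oracle Health Insurance documentation or product code. It shows the two halves of the client credentials flow that Steps 1 to 3 configure: the token request a REST client such as DataReplicationPersonEvents sends to the tokenURI, and the resource-side check that maps the token back to the user provisioned in Step 2 through alternateUserIdentifier and its role. Assumed, not stated on the page: the token endpoint accepts HTTP Basic client authentication, the token exposes the Client ID in a client_id claim and its scopes in a space-separated scope claim, and the token signature has already been verified before resolve_user() runs; all hostnames, client IDs and the secret are constructed placeholders.

```python
"""Added example, not from the OHI documentation: the client-credentials exchange
behind Steps 1 to 3. Assumed (not on the page): the token endpoint takes HTTP
Basic client auth, the token carries the Client ID in 'client_id' and scopes
in a space-separated 'scope' claim, and its signature was verified upstream."""
import base64
import urllib.parse
import urllib.request


def build_token_request(token_uri, client_id, client_secret, scope):
    """Unsent POST a REST client such as DataReplicationPersonEvents would
    send to tokenURI: grant_type=client_credentials, secret never in the URL."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_uri, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def resolve_user(users, claims, required_scope, required_role):
    """Resource-server side: map a validated token to the provisioned user via
    alternateUserIdentifier; deny unless the user is active, holds the role
    and the token was issued for the expected scope. Returns loginName or None."""
    if required_scope not in claims.get("scope", "").split():
        return None
    for user in users:
        if user["alternateUserIdentifier"] != claims.get("client_id"):
            continue
        if user["active"] and required_role in user["userRoleList"]:
            return user["loginName"]
        return None
    return None


# Constructed sample data mirroring the two PUT bodies of Step 2.
SCOPE = "https://policies.example.invalid/urn::ohi-components-apis"
USERS = [
    {"loginName": "DataReplicationPersonEntities", "active": True,
     "alternateUserIdentifier": "entities-client-id-PLACEHOLDER",
     "userRoleList": ["DR_ACCESS_ROLE"]},
    {"loginName": "DataReplicationPersonEvents", "active": True,
     "alternateUserIdentifier": "events-client-id-PLACEHOLDER",
     "userRoleList": ["DR_ACCESS_ROLE1"]},
]

if __name__ == "__main__":
    req = build_token_request("https://idcs.example.invalid/oauth2/v1/token",
                              "events-client-id-PLACEHOLDER", "s3cret", SCOPE)
    print(req.get_method(), req.full_url, req.data)
```

A token whose client_id matches no provisioned alternateUserIdentifier, or whose scope differs from the one registered in Step 1, is rejected before any role check.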

Step 4: Specify Event Retrieval Interval

To specify the event retrieval interval, submit the following POST request:

HTTP Method

POST

Base URL

https://<app-deployment-name>/claims/api/generic/properties

Content-Type

application/json

Request Body

The following JSON structure is an example of the request body:

{
"name":"ohi.datareplication.event.retrieval.interval",
"value":30
}

The value is the time in seconds. In this example, the time interval for retrieving events is defined as 30 seconds.

Step 5: Specify Person Base URL

To specify the base URL of the environment from which a person needs to be replicated, configure the property in the target environment by sending the following request. For example, if replication is set up from Policies to Claims, configure the property in Claims so that it points to the host of the Policies API.

HTTP Method

POST

Base URL

https://<app-deployment-name>/claims/api/generic/properties

Content-Type

application/json

Request Body

The following JSON structure is an example of the request body:

{
"name":"ohi.ws.sourcesystem.person.baseurl",
"value":"https://<app-deployment-name>/policies/api"
}

In this example, the property is set to replicate the data from policies to claims.