Authentication and Authorization
Authentication is the process of verifying the asserted identity of a service requester. In Oracle Health Insurance Cloud Services, authentication is handled by the Identity Domain of Oracle Cloud IAM, also known as Oracle Identity Cloud Service (IDCS), that is associated with the Oracle Health Insurance Cloud Services.
Oracle Health Insurance Cloud Services REST APIs, along with externally exposed REST endpoints, are protected by OAuth token-based authentication.
All Oracle Health Insurance users must exist in the associated Identity Domain. The login can federate with an external Identity Provider such as Microsoft Active Directory Federation Services (ADFS).
To establish access to an Oracle Health Insurance application, the user also needs to be provisioned using the Oracle Health Insurance Provisioning Integration Point (IP). For more details on the use of the Integration Point, refer to the Product Security Guide.
Authentication
Oracle Health Insurance Cloud Services support OAuth 2.0 authentication for API requests using the client credentials grant type.
With OAuth 2.0 authentication, an access token must be provided with each API request. The following is an example of a request that passes the access token as a Bearer token in the Authorization header:

```shell
curl -H 'Authorization: Bearer <AccessToken>' https://ohi-api.oracle.com/oig-api/generic
```

For more details on authentication, refer to Authenticate using OAuth 2.0.
Required Properties of Access Token
| Name | Value |
|---|---|
| | The access token must be obtained from the Oracle IDCS token endpoint URL from the Identity Domain associated with the Oracle Health Insurance Cloud Services environment using the following POST request |
| | The principal who issued the token. Here, |
| | The |
| | The |
| | The value of the |
| | The time when the token expires (in seconds). |
| | Client Id generated after registration of the application. |
| | Client secret generated after registration of the application. |
Obtain Access token
Access tokens are obtained through a registered OAuth 2.0 client application in the associated Oracle Cloud Identity Domain.
See OAuth 2.0 Clients for details on OAuth 2.0 client registrations.
This confidential application can have one or more allowed grant types. The OAuth 2.0 standard grant type determines how an access token can be obtained. For example, with the "client credentials" grant, the client ID and client secret are used to obtain a token that has the client ID as its subject, while the "authorization code" grant uses the three-legged flow to authenticate an end user and obtain a token whose subject is the authenticated user. Many grant types exist, but Oracle Health Insurance Cloud Services do not require a specific grant type, as long as the resulting token has the properties listed in the preceding section.
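The client credentials flow described above, as an added example that is not part of the Oracle documentation: the client builds the token request for the Identity Domain token endpoint, then checks the subject and expiry of the returned token before sending it as a Bearer token. The token endpoint, scope and client values are placeholders or constructed samples, and the sample token is unsigned; signature verification is the resource server's job, not the client's.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed placeholder for the Identity Domain token endpoint (not a value from the page).
TOKEN_ENDPOINT = "https://<idcs-tenant>.identity.oraclecloud.com/oauth2/v1/token"
API_URL = "https://ohi-api.oracle.com/oig-api/generic"


def build_token_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Client credentials grant: the client ID and secret travel in an HTTP Basic
    header, the grant type and requested scope in the form-encoded POST body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload (second dot-separated segment) without verifying it."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def token_is_usable(access_token: str, now: int, expected_sub: str, skew: int = 30) -> bool:
    """With the client credentials grant the subject is the client ID; refuse to reuse a
    cached token whose subject differs or that expires within `skew` seconds of now."""
    claims = token_claims(access_token)
    return claims.get("sub") == expected_sub and int(claims.get("exp", 0)) - skew > now


def bearer_headers(access_token: str) -> dict:
    """Headers for the API call, matching the curl example's Authorization header."""
    return {"Authorization": f"Bearer {access_token}"}


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only to exercise the checks above."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```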
Federate with Identity Providers
Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service, Microsoft Active Directory through Active Directory Federation Services (AD FS), Microsoft Azure Active Directory, Okta, and other identity providers. A federated login can be configured in the Oracle Cloud Identity Domain. Users can then log in through a third-party identity provider. The users need to be synchronized into the Identity Domain, while the authentication itself is handled by the third-party identity provider (IdP). See Federating with Identity Providers in the Oracle Cloud Infrastructure IAM documentation for more details.
Authorization
Authorization determines what an authenticated user or client can do in Oracle Health Insurance.
The Oracle Health Insurance Access Roles mechanism, as detailed in the Oracle Health Insurance Security Guide of the respective application, provides fine-grained access control to authorize user access to parts of the application. No access is possible without an enabled access role assigned to the user.