Gateway Synchronous Delegate

This document describes the Gateway Synchronous Delegate functionality. It is intended for on-premises systems that need to integrate with applications synchronously through Oracle Insurance Gateway, but cannot directly use the facilities that Oracle Insurance Gateway provides for this.

Oracle Insurance Gateway inherently processes exchanges asynchronously. It does, however, provide the means to process exchanges in a seemingly synchronous fashion. This requires the calling system to follow a Post-Redirect-Get pattern, which means that it must be capable of handling HTTP 303 (See Other) responses. Not every calling system can do this, for instance because it is a legacy system. In that case, the system can use Oracle Insurance Gateway Agent’s synchronous delegate functionality. Effectively, the delegate passes a synchronous, blocking request from the calling system on to Oracle Insurance Gateway, and the delegate itself handles the Post-Redirect-Get pattern.

Calling the Synchronous Delegate

Oracle Insurance Gateway Agent exposes a specific REST endpoint for this functionality: /syncdelegate/{code}. The agent routes this traffic to Oracle Insurance Gateway under the type: integration. Effectively, this means that Oracle Insurance Gateway Agent becomes a component that makes a regular integration call to Oracle Insurance Gateway. The synchronous delegate is called with the HTTP POST method and requires a payload. So when an integration (of type integration) with the code oec is configured in Oracle Insurance Gateway, a call to the Oracle Insurance Gateway Agent synchronous delegate translates to:

| Oracle Insurance Gateway Agent Synchronous Delegate Call | Oracle Insurance Gateway Invocation |
| --- | --- |
| /syncdelegate/oec {headers} {payload} | /api/exchanges/integration/oec {headers} {payload} |

The above table mentions {headers} and {payload}. In general, all the information that is provided to the delegate is used in the call to Oracle Insurance Gateway. With respect to {headers}, the security-sensitive headers (Authorization and Host) are not passed along.

With respect to the response: the delegate relays the HTTP response code, headers and payload (as controlled by the aforementioned desired response type) that it receives from Oracle Insurance Gateway back to the caller.

Calling the Delegate Requires a Valid OAuth2 Token

The synchronous delegate endpoint only accepts requests that contain a valid OAuth2 Bearer token that is passed as part of the Authorization HTTP Header. In order to validate tokens, the following properties need to be configured:

| Property | Description |
| --- | --- |
| agent.oauth2.issuerURI | Issuer URI for token validation. This is the value listed as 'issuer' in the OpenID Provider metadata (see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). It must be identical to the 'iss' Claim value in ID tokens issued from this Issuer. |
| agent.oauth2.clientId | ClientId or audience for token validation. The 'aud' (audience) Claim value must contain the configured value (see: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). For example, for Oracle’s IDCS, if a token is retrieved with the default scope then this is typically the base URL for the IDCS tenant. If different scopes and audience values are configured then the value for this parameter must match that configuration. |
| agent.oauth2.jwkSetURL | JWK Set URL for token validation. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. Make sure that the Authorization Server’s certificates are accessible without signing in. For example, in Oracle’s IDCS this needs to be configured specifically. Without enabling that, retrieving the JWK Sets results in an HTTP 401 (Unauthorized) error. |
| agent.oauth2.jwsAlgorithm | Name of the JSON Web Signature (JWS) algorithm that was used to sign the token. Optional, defaults to RS256. |
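When a caller's token is rejected, comparing its header and claims with the configured properties usually shows which property does not match. The following diagnostic is an added example, not Oracle code; it assumes the checks are applied exactly as the property descriptions state, and the function names, issuer and audience values are constructed for illustration.

```python
import base64
import json

def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(header, claims):
    """Build a constructed, unsigned sample token (signature part is a dummy)."""
    return f"{_segment(header)}.{_segment(claims)}.c2ln"

def _decode(segment):
    """Decode one base64url segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def explain_rejection(token, issuer_uri, client_id, jws_algorithm="RS256"):
    """List mismatches between a token and the agent.oauth2.* properties.

    Diagnostic only: the signature is NOT verified against the JWK Set,
    so an empty list never means the token can be trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (header.payload.signature)"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") != jws_algorithm:
        problems.append(f"alg {header.get('alg')!r} differs from agent.oauth2.jwsAlgorithm")
    # 'iss' is compared as an exact string: a trailing slash is a mismatch.
    if claims.get("iss") != issuer_uri:
        problems.append(f"iss {claims.get('iss')!r} differs from agent.oauth2.issuerURI")
    # 'aud' may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not contain agent.oauth2.clientId")
    return problems

# Constructed sample values; none of them come from a real tenant.
ISSUER = "https://idp.example.test"
CLIENT_ID = "https://tenant.example.test"
if __name__ == "__main__":
    token = make_sample_token({"alg": "RS256"}, {"iss": ISSUER + "/", "aud": [CLIENT_ID]})
    print(explain_rejection(token, ISSUER, CLIENT_ID))
```

Run it only on tokens from a test tenant, since decoding a token exposes its claims to whoever can read the output.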