Manage External Application Access
Purpose: Use the Manage External Application Access screen to create, review, and work with external applications that integrate with Order Broker using OAuth, and define the web services that use OAuth authentication for inbound web service requests to Order Broker.
About OAuth: OAuth requires the requesting system to provide an access token with the web service request. Oracle Cloud Services use IDCS (Oracle Identity Cloud Service) or OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) as the authenticating service. The requesting system will use its configured client ID and secret to request an OAuth token from IDCS or OCI IAM and then include that token in service requests.
In addition to being more secure, OAuth provides better performance than basic authentication.
How requests are validated with OAuth:
- The requesting system first passes a client ID and a client secret to an authenticating service, such as IDCS or OCI IAM.
- The authenticating service, such as IDCS or OCI IAM, generates a short-lived token.
- The requesting system submits the token to the destination system, rather than a password and user ID as with basic authentication.
- The destination system validates the token and client ID.
The following is required in order to support OAuth between Order Broker and other Omnichannel products, including Order Management System and Xstore Cloud Services or Xstore Office (On Premises), as well as an external system such as an ecommerce system:
- The IDCS or OCI IAM client ID and client secret for the integrating system must be created through an Omnichannel cloud service, if it does not already exist.
- The system receiving the web service request needs to have a record of the client ID with assigned access for the web service API.
- A system sending the web service request needs to be able to request the token from IDCS or OCI IAM.
- The system sending the web service request needs to include the token so the system receiving the web service request can validate the request.
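The validation sequence above, sketched from both sides as an added example; it is not Oracle's code and does not call IDCS, OCI IAM, or Order Broker. The client ID, secret, signing key, and token lifetime are constructed values, and the HMAC-signed token is a stand-in for whatever token the authenticating service actually issues.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for this example, not taken from Order Broker.
CLIENTS = {"SAMPLE_ECOM_APPID": "constructed-secret"}  # authenticating service: client ID -> secret
ACCESS = {"SAMPLE_ECOM_APPID": {"Discovery"}}          # destination: client ID -> web services
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the authenticating service's signing key
TOKEN_LIFETIME = 300                   # seconds; assumed value for "short-lived"

def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_token(client_id, client_secret, now=None):
    """Authenticating service: check client ID and secret, return a short-lived token."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        raise PermissionError("unknown client ID or wrong secret")
    now = time.time() if now is None else now
    claims = {"client_id": client_id, "exp": now + TOKEN_LIFETIME}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def validate_request(token, web_service, now=None):
    """Destination system: validate the token, then the client ID's web service access."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(body.encode()).encode(), sig.encode()):
        return (False, "invalid token")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return (False, "token expired")
    if web_service not in ACCESS.get(claims["client_id"], set()):
        return (False, "client ID has no access to this web service")
    return (True, claims["client_id"])

if __name__ == "__main__":
    token = issue_token("SAMPLE_ECOM_APPID", "constructed-secret")
    print(validate_request(token, "Discovery"))  # request carries the token, no password
    print(validate_request(token, "Vendor"))     # same token, web service not assigned
```

The last check in validate_request is the part this screen configures: a valid token is still refused when the client ID has no record for the requested web service.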
For example, if your ecommerce system will communicate with Order Broker using OAuth, you can use this page to:
- Create a client ID and secret, which you can then provide to the ecommerce system.
- Create the associated web service authentication records for the ecommerce system.
Related Tenant-Admin settings: The Identity Cloud Service Settings at the Tenant-Admin screen are required for communication with IDCS or OCI IAM:
- Use IDCS: This flag must be selected for new installations or upgrades to Order Broker Cloud Service 18.0 or higher.
- Client ID: The Name identifying Order Broker as an application in IDCS or OCI IAM. Typically formatted as RGBU_OBCS_ENV_APPID, where OBCS identifies Order Broker and ENV identifies the environment, such as production.
- Endpoint URL: The URL to use when requesting information from IDCS or OCI IAM through the Manage External Application Access screen.
- Client Secret: The client secret for Order Broker to use when requesting a token for outbound OAuth authentication.
About store locations and XOffice On Prem: The XOffice On Prem application differs from other applications in that it serves as the parent for any related store locations. Any store locations that are assigned a parent ID are not displayed at this page; instead, you configure external access for XOffice On Prem, and this “parent” handles authentication for all related store locations.
When authentication is required for a request originating from any location associated with the XOffice On Prem parent ID, the parent ID’s authentication credentials are used.
Example: XOffice On Prem is the parent for location A, so the XOffice On Prem authentication credentials are used.
For more information: See the Omnichannel Web Service Authentication Configuration Guide on My Oracle Support (2728265.1) for web service configuration instructions.
OAuth summary by product:
Product | Inbound Support | Outbound Support |
---|---|---|
Order Broker | 18.2 or higher | 19.1 or higher |
Order Management System | 18.3 or higher; 19.0 or higher supports XOffice On Prem validation of stores with parent ID. | 19.1 or higher |
Customer Engagement | 18.0 or higher; 18.3 or higher supports XOffice On Prem validation of stores with parent ID. | not currently supported |
Note:
Oracle Retail Integration Cloud Service (RICS) and Omnichannel Cloud Data Service (OCDS) do not currently support using OAuth for authentication of inbound messages. The Authentication Type at the RICS Integration tab and the OCDS Integration tab of the System screen should be set to Basic.
Troubleshooting: Options at this page that require communication with IDCS or OCI IAM, including generating a new client, regenerating the secret for a client, and refreshing the displayed applications, will fail if the administrative properties listed above are not set correctly. See the Identity Cloud Service Settings at the Tenant-Admin screen for more information on setting up these properties, or contact your Oracle representative for more help.
Outbound web services using OAuth authentication: The following outbound services support OAuth authentication:
- OMS Service: Used for authentication for the inventory request message to be sent to Order Management System. Use the Inventory tab of the System screen to define the OAuth Authentication Type, Client ID, and Client Secret for Order Management System. If you are using Basic authentication, it is recommended to move to OAuth.
- Job Notification Service: Used for authentication for the job notification message to be sent to an external application. Use the Event Logging screen, and select OAuth as the Authentication Type. If you are using Basic authentication, it is recommended to move to OAuth.
Outbound web services using basic authentication: OAuth is not supported for the following:
- SIM: Used for authentication of web service requests to request inventory updates through Importing Data from Merchandising Cloud Services (RMFCS) through the Omnichannel Cloud Data Service (OCDS). Configure on the Inventory tab of the System screen.
- RICS: Used for authentication for the pre-order (backorder quantity update) notification message that is part of Order Fulfillment through RICS Integration. Configure on the RICS Integration tab of the System screen.
- OCDS: Used for authentication for RESTful web service requests sent to the Omnichannel Cloud Data Service. Configure on the OCDS Integration tab of the System screen.
Note:
If any other existing Oracle Cloud Services are configured for basic authentication and support OAuth, you should migrate these services to OAuth.
For more information: See the Oracle Retail Omnichannel Web Service Authentication Configuration Guide, on My Oracle Support at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2728265.1, for information on configuring the Omnichannel products for OAuth.
How to display this screen: Select Manage External Application Access from the Systems Menu.
Note:
Only users with Manage External Application Access authority can display this screen. This authority is not delivered automatically, so you must assign it manually. See the Role Wizard for more information.
Before you start: The first time a user advances to this screen, no applications are displayed.
Select Refresh to request existing applications from IDCS or OCI IAM and create records for them in Order Broker, which are then displayed, provided the Identity Cloud Service Settings at the Tenant-Admin screen are populated correctly.
Options at this screen
Option | Procedure |
---|---|
refresh the displayed applications | Click Refresh to update the list of currently existing application clients from IDCS or OCI IAM: |
create a new client application | Select New Client to open the Generate Application Client window. Note: Typically, before beginning the generation steps, you would select the Refresh option to confirm that the required client application was not already created. |
work with the web services to which the client application has access | Select the edit icon for an application to open the Edit Web Services window, where you can review, select, or unselect the web services that can be authorized through the application. |
regenerate the client secret for the application | Select the new secret icon for an application to open the Regenerate Application Client Secret window, where you can generate a new client secret to use when requesting an OAuth token. Note: This option is available only for external application clients that were created through Order Broker. |
search for a client application | To search based on application description: Enter a full or partial Application Description and click Search to display applications that contain your entry. Note: External applications that were generated through Customer Engagement Cloud Services have a blank Application Description. Search for them by using the Client ID. To search based on web service assignment: Select a Web Service from the drop-down list and click Search to display applications assigned to that web service. For example, select Discovery from the drop-down list and click Search to display applications that are configured to authenticate discovery web service requests. Optionally, you can search based both on Application Description and Web Service assignment. This screen displays records only if they are not associated in IDCS or OCI IAM with a parent ID. If you use XOffice On Prem, each store location record in IDCS or OCI IAM is associated with the XOffice On Prem application as its parent ID. Because there can be many store locations associated with the parent application record, this screen displays just the XOffice record rather than the individual store locations. |
Fields at this screen
Field | Description |
---|---|
Search Fields | |
Application Description | The description of the client application created for web service authentication. This is the Description in IDCS or OCI IAM. Alphanumeric, 50 positions. Note: External applications that were generated through Customer Engagement Cloud Services have a blank description. |
Web Service | The Order Broker inbound web service to which the application has access. Optionally, select one of the following to restrict your search results: Note: If Vendor access is selected, the client ID is available for selection as the Vendor Client Id for an integrated vendor at the New Vendor or Edit Vendor screen, provided the client ID has not already been assigned to a different vendor. For more information: See the Vendor Integration Guide for details on the above messages. |
Search Results | |
Application Description | The description of the application created for web service authentication. This is the Description in IDCS or OCI IAM. Alphanumeric, 50 positions. |
Client ID | The client ID uniquely identifies the client in IDCS or OCI IAM: This is the Name in IDCS or OCI IAM. Note that the Display Name in IDCS or OCI IAM is the Client ID without the _APPID suffix. Alphanumeric, 255 positions. Display-only. Note: The client ID is similar to a user ID in that it identifies a client application to the authentication service, in this case IDCS or OCI IAM. You can create client IDs through the Manage External Application Access screen, in IDCS or OCI IAM, or through other applications, such as Customer Engagement. |
Web Service Access | The list of Order Broker inbound web services to which the application has access. See Web Service, above, for a list of possible web services. You can use the Edit Web Services window to work with the inbound web services. Display-only. |
Date Created | The date when the application record was created or regenerated in Order Broker, which could be when the record was received from IDCS or OCI IAM, or generated during the creation of a new record through Xstore On Prem authentication, as well as through the Generate Application Client window. Display-only. |
Edit Access | Select the edit icon for an application to open the Edit Web Services window, where you can review, select, or unselect the web services that the application can authorize. |
New Secret | Select the new secret icon for an application to open the Regenerate Application Client Secret window, where you can generate a new client secret to use to request an OAuth token. Note: This option is available only for external application clients that were created through the Generate Application Client window in Order Broker. |