Description of the Illustration wls_helidon_sso_integration.png

A high-level diagram that illustrates the integration between Oracle WebLogic cluster and Helidon applications for single sign-on (SSO) on Oracle Cloud Infrastructure (OCI) using Oracle Identity Cloud Service (IDCS).

On the left side, this image shows an icon labeled Browser. On the right side are two icons and a box arrayed one above the other. At the top is an icon labeled Oracle IDCS (IDP), in the middle is a box labeled Helidon (represents the Helidon microservice application deployed as containers) and at the bottom is a box labeled WebLogic Kubernetes Operator. Inside the box labeled WebLogic Kubernetes Operator is another box labeled WebLogic Cluster, inside which is an icon labeled Application (represents the WebLogic cluster application).

In the Step labeled 1: The client uses a browser to call the protected Helidon resource without a bearer token and gets redirected to the IDCS SSO login page.

This flow is indicated by the double-headed arrow connecting the icon labeled Browser with the icon labeled Helidon. The call request is labeled GET/helidon and the response for the call is labeled 307 Temporary redirect.

In the Step labeled 2: The client is redirected back to the Helidon application with an authorization code after a successful sign-in on the login page.

This flow is indicated by the double-headed arrow connecting the icon labeled Browser with the icon labeled Oracle IDCS (IDP). The forward flow is labeled SSO Login and the return arrow is labeled 302 Found + authorization_code.

In the Step labeled 3: When Helidon receives the authorization code, the JWT token is requested from IDCS, returned and saved as a JSESSIONID cookie.

This flow is indicated by the double-headed arrow connecting the icon labeled Browser with the icon labeled Helidon. The call request is labeled GET/oidc/redirect?code=(authorization_code) and the response for the call is labeled Set Cookie:JSESSIONID={jwt_token}.

In the Step labeled 4: The JWT token is requested with a new authorization code, client id, and client secret.

This flow is indicated by the double-headed arrow connecting the icon labeled Helidon with the icon labeled Oracle IDCS (IDP). The request is labeled POST .../openid-connect/token + authorization code and the response is labeled {jwt_token}.

In the Step labeled 5: The last redirect leads back to the originally called resource, Helidon; this time with a valid bearer token in JSESSIONID.

This flow is indicated by the double-headed arrow connecting the icon labeled Browser with the icon labeled Helidon. The call request is labeled GET/helidon/ JSESSIONID={jwt_token} and the response for the call is labeled 200 OK.

In the Step labeled 6: The bearer token is propagated to the client call for the WebLogic Server application resource.

This flow is indicated by the double-headed arrow connecting the icon labeled Helidon with the box labeled WebLogic Kubernetes Operator. The call request is labeled GET {wls.service.uri} Authorization: Bearer {jwt_token} and the response for the call is labeled 200 OK.

In the Step labeled 7: The WebLogic Server application resource is also secured with OIDC and validates the token against IDCS.

This flow is indicated by the double-headed arrow connecting the icon labeled Oracle IDCS (IDP) with the box labeled WebLogic Kubernetes Operator. The arrow is labeled Validate JWT token.
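The seven steps above, modelled as an added in-process simulation (example code, not part of the Oracle illustration or of Helidon/WebLogic): a mock IDP issues the authorization code and mints the JWT, Helidon redirects, exchanges the code and sets the JSESSIONID cookie, and the WebLogic side accepts only a bearer token the IDP validates. Real IDCS signs tokens with RS256 and publishes a JWKS; the HS256 shared secret, client credentials and login URL here are constructed placeholders so the flow runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed placeholders; IDCS would use RS256 + JWKS, not a shared HMAC key.
IDP_SECRET = b"constructed-idp-signing-key"
CLIENT_ID, CLIENT_SECRET = "helidon-app", "constructed-client-secret"

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class Idp:  # Oracle IDCS (IDP)
    def __init__(self): self.codes = {}
    def sso_login(self, user):                        # step 2: 302 + authorization_code
        code = secrets.token_urlsafe(16); self.codes[code] = user
        return {"status": 302, "location": f"/oidc/redirect?code={code}"}
    def token(self, code, client_id, client_secret):  # step 4: POST .../openid-connect/token
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET: return {"status": 401}
        user = self.codes.pop(code, None)             # codes are single-use
        if user is None: return {"status": 400}
        hdr = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = b64url(json.dumps({"sub": user, "aud": CLIENT_ID, "exp": int(time.time()) + 300}).encode())
        sig = b64url(hmac.new(IDP_SECRET, f"{hdr}.{claims}".encode(), hashlib.sha256).digest())
        return {"status": 200, "jwt": f"{hdr}.{claims}.{sig}"}
    def validate(self, jwt):                          # step 7: signature, audience, expiry
        try: hdr, claims, sig = jwt.split(".")
        except ValueError: return None
        expect = b64url(hmac.new(IDP_SECRET, f"{hdr}.{claims}".encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expect): return None
        c = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
        return c if c.get("aud") == CLIENT_ID and c.get("exp", 0) > time.time() else None

class WebLogic:  # WebLogic cluster application, itself OIDC-secured
    def __init__(self, idp): self.idp = idp
    def get(self, headers):                           # step 6: Authorization: Bearer {jwt_token}
        auth = headers.get("Authorization", "")
        claims = self.idp.validate(auth[7:]) if auth.startswith("Bearer ") else None
        return {"status": 200, "user": claims["sub"]} if claims else {"status": 401}

class Helidon:
    def __init__(self, idp, wls): self.idp, self.wls = idp, wls
    def get_helidon(self, cookies):                   # steps 1 and 5: GET /helidon
        jwt = cookies.get("JSESSIONID")
        if not jwt or not self.idp.validate(jwt):
            return {"status": 307, "location": "https://idcs.example/sso/login"}  # placeholder
        return self.wls.get({"Authorization": f"Bearer {jwt}"})                  # propagate token
    def oidc_redirect(self, code):                    # step 3: GET /oidc/redirect?code=...
        r = self.idp.token(code, CLIENT_ID, CLIENT_SECRET)
        if r["status"] != 200: return {"status": 401}
        return {"status": 302, "location": "/helidon", "set_cookie": {"JSESSIONID": r["jwt"]}}

def run_flow(user="alice"):
    idp = Idp(); helidon = Helidon(idp, WebLogic(idp))
    first = helidon.get_helidon({})                                   # step 1 -> 307
    code = idp.sso_login(user)["location"].split("code=")[1]         # step 2
    cb = helidon.oidc_redirect(code)                                  # steps 3 + 4
    final = helidon.get_helidon(cb["set_cookie"])                     # steps 5, 6, 7 -> 200
    return first["status"], final["status"], final.get("user")
```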