Implement Fine-Grained Access Control Oracle Integration

Implement a fine-grained access control model for Oracle Integration for scenarios that need precise, role-based control over access to integrations, whether by integration type, environment, or specific user responsibilities.

Use this architecture when implementing enterprise-grade governance and ensuring secure, segmented access aligned with your organization’s compliance and operational policies.

By leveraging Oracle Cloud Infrastructure (OCI) API Gateway in conjunction with a custom authorizer function (typically implemented using OCI Functions), this architecture enables centralized and dynamic authorization for all API calls routed to Oracle Integration. This pattern decouples authentication and authorization logic from individual services, ensuring consistency and reusability across the integration landscape.

Key components:

  • Oracle Integration

    Hosts the target REST endpoints that expose business processes, integrations, or custom APIs.

  • OCI API Gateway

    Acts as a reverse proxy for client requests, routing them securely to the appropriate Oracle Integration endpoints. It also integrates with the authorizer function to enforce OAuth-based access control.

  • Custom authorizer function (OCI Functions)

    A serverless function responsible for:

    • Validating OAuth 2.0 access tokens issued by an identity provider (such as Oracle Identity Cloud Service or any third-party OAuth provider).
    • Evaluating custom scopes embedded in the token to determine whether the requester has the necessary permissions to invoke the target API.
    • Returning an authorization decision back to the OCI API Gateway, which either allows or blocks the request based on the outcome.

Architecture

This architecture outlines a fine-grained access control model for Oracle Integration.

Architecture details:

  1. The OCI API Gateway triggers OCI Functions, which acts as a custom authorizer to handle the authorization logic for the incoming request. This request includes an access token intended to grant access to Oracle Integration.
  2. The authorizer function performs the following steps:
    1. It extracts the token from the request and uses it to query OCI Vault for sensitive credentials such as the client ID and client secret.
    2. Using these credentials, the function validates the token against Oracle Identity Cloud Service (IDCS) to ensure its authenticity and integrity.
    3. If the token is valid, the function returns a response containing key details such as:
      1. Token validity status
      2. Principal (user identity)
      3. Client ID and client secret
      4. Scope of access
  3. The OCI API Gateway then uses the scope in this response to verify the token’s scope against the required access level for the target Oracle Integration integration.

If the scope matches, the OCI API Gateway forwards the original request, now enriched with validated authorization headers, to the Oracle Integration API, which is protected by an allowlist, allowing the integration flow to continue securely.
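The authorizer flow above, written out as an added example (not Oracle's code and not from this page): the function takes the request API Gateway hands it, validates the token with IDCS, and returns the decision in the shape the gateway consumes; the `scope_permits` helper mirrors the gateway-side scope comparison so the whole path can be followed in one place. It assumes single-argument mode (`{"type": "TOKEN", "token": ...}`), IDCS's RFC 7662 `/oauth2/v1/introspect` endpoint, and that the client ID and secret were already read from OCI Vault.

```python
"""Custom authorizer for OCI API Gateway: added example, not Oracle's code.
Assumed (not on the page): single-argument mode, so the gateway sends
{"type": "TOKEN", "token": "<value>"}; IDCS validated via its RFC 7662
/oauth2/v1/introspect endpoint; client ID/secret already read from OCI Vault.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

def extract_token(gateway_request: dict) -> Optional[str]:
    """Pull the bearer token out of the request API Gateway sends the function."""
    if gateway_request.get("type") != "TOKEN":
        return None
    token = (gateway_request.get("token") or "").strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    return token or None

def introspect_via_idcs(idcs_url: str, client_id: str, client_secret: str, token: str) -> dict:
    """Validate the token with IDCS (network call; not exercised in the offline test)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{idcs_url}/oauth2/v1/introspect", method="POST",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def build_authorizer_response(introspection: dict) -> dict:
    """Map the introspection result onto the shape API Gateway expects back."""
    if not introspection.get("active"):
        return {"active": False}          # gateway rejects the request
    expires = time.gmtime(int(introspection.get("exp", 0)))
    return {"active": True,
            "principal": introspection.get("sub"),
            "clientId": introspection.get("client_id"),   # the secret stays in the function
            "scope": introspection.get("scope", "").split(),
            "expiresAt": time.strftime("%Y-%m-%dT%H:%M:%SZ", expires)}

def authorize(gateway_request: dict, introspect: Callable[[str], dict]) -> dict:
    """Function body the FDK handler would call with the decoded gateway request."""
    token = extract_token(gateway_request)
    return build_authorizer_response(introspect(token)) if token else {"active": False}

def scope_permits(granted: list, required: str) -> bool:
    """Gateway-side check mirrored for illustration: route scope must be in the token."""
    return required in granted
```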

The following diagram illustrates this reference architecture.


The architecture has the following components:

  • Region

    An OCI region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping classless inter-domain routing (CIDR) blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • API Gateway

    Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.

  • Functions

    Oracle Cloud Infrastructure Functions is a fully-managed, multitenant, highly scalable, on-demand, Functions-as-a-Service (FaaS) platform. It is powered by the Fn Project open source engine. OCI Functions enables you to deploy your code, and either call it directly or trigger it in response to events. OCI Functions uses Docker containers hosted in Oracle Cloud Infrastructure Registry.

  • Integration

    Oracle Integration is a fully-managed, preconfigured environment that allows you to integrate cloud and on-premises applications, automate business processes, and develop visual applications. It uses an SFTP-compliant file server to store and retrieve files and allows you to exchange documents with business-to-business trading partners by using a portfolio of hundreds of adapters and recipes to connect with Oracle and third-party applications.

  • Identity and Access Management

    Oracle Cloud Infrastructure Identity and Access Management (IAM) provides user access control for OCI and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within them. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.

  • Oracle Cloud Infrastructure Vault

    Oracle Cloud Infrastructure Vault enables you to create and centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. By default, keys are Oracle-managed. You can also use customer-managed keys, which are stored in OCI Vault. OCI Vault offers a rich set of REST APIs to manage vaults and keys.

Explore More

Learn more about Oracle Integration integrations.

Acknowledgments

  • Authors: Pradyumna Kodgi, Ravi Pinto, Sumit Aneja
  • Contributors: John Sulyok