JWT Assertion Support for Outbound Invocations

You may have a business need to invoke a service provider that does not regard an OAuth client secret as secure. For these scenarios, JWT assertions can be used. JWT assertions supplement all flavors of OAuth by authenticating the client application with a signed token instead of a client secret.

Capabilities

Trust is established with a key pair instead of a client secret: the client signs the assertion with its private signing key, and the service provider verifies the signature with the corresponding public key. No client secrets are shared. The National Health Service (NHS) and Fast Healthcare Interoperability Resources (FHIR) are examples of service providers that have moved away from client secret authentication to JWT assertions. The REST Adapter supports both JWT client assertions and JWT user assertions in the outbound (invoke) direction with the following security policies on the Connections page:
  • OAuth Client Credentials using JWT Client Assertion
  • OAuth using JWT User Assertion
JWT assertions provide the following capabilities:
  • Full header and body claims control
  • Multiple algorithm support (such as RSA)
  • Full customization of form-data payloads (with an option to send the client secret, if necessary). Some providers do not follow the standard token request format and require a customized payload to issue the access token.
  • Session support (refresh token caching and transient access token handling)
  • User-access token assertion support
  • Support for the different implementations of JWT provided by the following services:
    • NHS
    • FHIR
    • DocuSign
    • Adobe eSign
    • Microsoft
    • Okta

JWT Assertion Authentication Process

The JWT assertion authentication process works as follows:
  1. You manually create and upload a private signing key on the Certificates page in Oracle Integration.
  2. You provide JWT header and payload files on the Connections page to formulate the JWT assertion, including entering the same private signing key name you specified on the Certificates page.
  3. Oracle Integration looks up the private signing key by that name and uses it to sign and generate the JWT assertion.
  4. The JWT assertion is used to call the access token URI to obtain the access token from the service provider.
  5. The access token is used to call the REST API of the service provider.
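The process above, end to end, as an added Ruby example (not Oracle Integration or REST Adapter code): it signs an RS256 client assertion with a freshly generated RSA key standing in for the uploaded private signing key, shows what the service provider's token endpoint checks with only the public key, and builds the form-data body sent to the access token URI. The key name, claim values and token URL are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'uri'
require 'securerandom'

# Build an RS256 client assertion (RFC 7523): header.payload.signature.
# kid names the signing key so the token endpoint can find the matching
# public key; claims carry the registered iss/sub/aud/jti/iat/exp values.
def sign_assertion(private_key, kid, claims)
  b64 = ->(bytes) { Base64.urlsafe_encode64(bytes, padding: false) }
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  signing_input = "#{b64.call(header.to_json)}.#{b64.call(claims.to_json)}"
  signature = private_key.sign('SHA256', signing_input) # PKCS#1 v1.5 with SHA-256, as RS256 requires
  "#{signing_input}.#{b64.call(signature)}"
end

# The token endpoint's side: with only the public key, recompute the hash over
# header.payload and check the signature. No shared secret is involved, so a
# forged or altered assertion fails here.
def verify_assertion(public_key, token)
  parts = token.split('.')
  return false unless parts.length == 3
  signature = Base64.urlsafe_decode64(parts[2])
  public_key.verify('SHA256', signature, "#{parts[0]}.#{parts[1]}")
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Form-data body POSTed to the access token URI. There is no client_secret
# parameter: the signed assertion is the client's credential.
def token_request_form(assertion)
  URI.encode_www_form(
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion
  )
end

# Constructed example values; the generated key stands in for the private
# signing key uploaded on the Certificates page.
KEY = OpenSSL::PKey::RSA.new(2048)
CLAIMS = { iss: 'client-id', sub: 'client-id', aud: 'https://provider.example/token',
           jti: SecureRandom.uuid, iat: Time.now.to_i, exp: Time.now.to_i + 300 }
token = sign_assertion(KEY, 'my-signing-key', CLAIMS)
puts verify_assertion(KEY.public_key, token) # true
puts verify_assertion(KEY.public_key, token.sub(/\.[^.]+\./, ".#{Base64.urlsafe_encode64('{"iss":"other"}', padding: false)}.")) # false: altered payload
puts token_request_form(token)[0, 60]
```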

A high-level use case is provided that describes how to create an integration with JWT assertion support. See Invoke a Service Provider API with a JWT Assertion.