Secure the REST Connector

You can secure your REST connector by specifying a security policy and credential details.

Configure Basic Auth Security

Basic authentication security provides a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with an authorization header that contains the word Basic, followed by a space, and a base64-encoded string username:password. The application or endpoint requires that users and services provide security credentials for access.

Defining a basic security policy involves providing a username and password.
  1. From a selected process application, click the Connectors tab and open a connector.
  2. Click Security from the side menu.
    The Security pane is displayed for the connector.
  3. Click Edit.
  4. In the Security Type field, select Basic Auth from the drop-down list.
  5. Under Basic Auth Security Info, enter the username and password that users must enter to call the REST service.
  6. Click Save.

Configure OAuth Security with Client Credential

With the OAuth with Client Credential security policy, the client application directly obtains access on its own without the resource owner’s intervention using its client ID and client secret. The application or endpoint requires that users and services provide security credentials for access.

For an OAuth grant (client credential) flow, you have to know the client ID and client secret from the OAuth provider. For example, if you’re using an Oracle IDCS-based OAuth client, determine this information using the IDCS admin console.

See the Security, Authentication and Authorization section in REST API for Oracle Cloud Infrastructure Process Automation.

  1. From a selected process application, click the Connectors tab and open a connector.
  2. Click Security from the side menu.
    The Security pane is displayed for the connector.
  3. Click Edit.
  4. In the Security Type field, select OAuth from the drop-down list.
  5. In the OAuth Security Info fields, enter the following details:
    Field: Information to Enter
    Grant Type: Select Client Credential.
    Client ID: Enter the OAuth client ID.
    Client Secret: Enter the OAuth client secret.
    Scope: Specify the scope you defined while creating the OAuth confidential application.
      Scope sets limits on an application’s access to a user’s account. For example, use the scope parameter to enable the access token to grant different levels of access to Oracle IDCS APIs.
    OAuth Token URL: Either select Local Identity Domain or enter the token URL from the OAuth provider. For example: https://idcs-aaaaaaaa.identity.aaaaaa.aaaa.com/oauth2/v1/token.
      • Select Local Identity Domain to auto-populate the field with the current service instance's IDCS OAuth token URL.
      • You can also manually enter the IDCS OAuth token URL in the field. For example: https://idcs-aaaaaaaa.identity.aaaaaa.aaaa.com/oauth2/v1/token.
  6. Save and test the security.
    • Click Test to validate your settings.
    • Click Save to save your settings and complete the connector’s security.
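
The Authorization header format described under Configure Basic Auth Security, and the way the Client ID, Client Secret and Scope fields typically map onto a client-credentials token request, shown as an added Python example (not Oracle's code). It assumes the provider accepts client authentication through HTTP Basic as in RFC 6749; the client ID, secret and scope values are constructed.

```python
import base64
from urllib.parse import urlencode, urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Return the header value: 'Basic ' + base64(username:password)."""
    if ":" in username:
        # The first colon separates the fields, so a username cannot hold one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth_header(value: str) -> tuple[str, str]:
    """Recover (username, password): base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def client_credentials_request(token_url, client_id, client_secret, scope):
    """Build (headers, body) for a client-credentials token request."""
    if urlsplit(token_url).scheme != "https":
        # The header is reversible, so the secret must only travel over TLS.
        raise ValueError("token URL must use https")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


# Placeholder token URL as printed on this page; other values are constructed.
TOKEN_URL = "https://idcs-aaaaaaaa.identity.aaaaaa.aaaa.com/oauth2/v1/token"

if __name__ == "__main__":
    headers, body = client_credentials_request(
        TOKEN_URL, "example-client-id", "s3cr:et", "example-scope")
    print(headers["Authorization"])
    print(body)
    print(decode_basic_auth_header(headers["Authorization"]))
```

Anyone who can read the header recovers the client secret or password, so these values belong in the connector's credential fields and on HTTPS endpoints only.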

Configure OAuth Security with JWT Assertion

Configure your connector to use OAuth 2.0 to authenticate with your API.

See the Security, Authentication and Authorization section in REST API for Oracle Cloud Infrastructure Process Automation.

For an OAuth assertion grant (jwt-bearer) flow, you’ll need to:

  • Generate a key pair

  • Extract public and private keys from the key pair

  • Obtain the public certificate’s x5t thumbprint

  • Create a trusted OAuth client in the OAuth provider

See Quick Reference.

To configure OAuth with JWT Assertion:

  1. From a selected process application, click the Connectors tab and open a connector.
  2. Click Security from the side menu.
    The Security pane is displayed for the connector.
  3. Click Edit.
  4. In the Security Type field, select OAuth from the drop-down list.
  5. In the OAuth Security Info fields, enter the following details:
    Field: Description
    Grant Type: Select JWT Assertion.
    Client ID: Enter the OAuth client ID.
    Private Key: Enter the base64-encoded private key.
    Scope: Specify the scope you defined while creating the OAuth confidential application.
      Scope sets limits on an application’s access to a user’s account. For example, use the scope parameter to enable the access token to grant different levels of access to Oracle IDCS APIs.
    OAuth Token URL: Either select Local Identity Domain or enter the OAuth token URL from the OAuth provider.
      • Select Local Identity Domain to auto-populate the field with the current service instance's IDCS OAuth token URL.
      • You can also manually enter the IDCS OAuth token URL in the field. For example: https://idcs-aaaaaaaa.identity.aaaaaa.aaaa.com/oauth2/v1/token.
    X5t: Base64-encoded SHA-1 thumbprint of the public certificate.

  6. Test and save the security settings.
    • Click Test to validate your settings.
    • Click Save to save your settings and complete the connector’s security.
Note that when the connector is used for a service task, it uses the process instance creator's identity; but when the connector is used for a form control, it uses the logged-in user's identity.
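
One way to compute and sanity-check the X5t value, as an added Python example that is not part of the original page. The sample bytes are a constructed stand-in for a DER certificate, and because the page does not say whether the field expects the standard or the URL-safe base64 alphabet, the function can produce either.

```python
import base64
import binascii
import hashlib

# Constructed stand-in bytes, not a parseable certificate; in practice use
# the DER bytes of the public certificate registered with the OAuth client.
SAMPLE_DER = b"constructed placeholder standing in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and decode the base64 body to DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not PEM data")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def x5t(der: bytes, urlsafe: bool = False) -> str:
    """Base64 of the raw 20-byte SHA-1 digest of the DER certificate."""
    digest = hashlib.sha1(der).digest()
    if urlsafe:
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return base64.b64encode(digest).decode("ascii")


def x5t_from_hex_fingerprint(fingerprint: str) -> str:
    """Convert a colon-separated hex SHA-1 fingerprint to the base64 form."""
    raw = binascii.unhexlify(fingerprint.replace(":", "").strip())
    if len(raw) != 20:
        raise ValueError("a SHA-1 thumbprint is 20 bytes")
    return base64.b64encode(raw).decode("ascii")


def looks_like_x5t(value: str) -> bool:
    """True only if the value base64-decodes to exactly 20 bytes.

    Rejects the usual mistakes: the hex fingerprint pasted as-is, or base64
    taken over the hex text instead of the raw digest.
    """
    try:
        padded = value + "=" * (-len(value) % 4)
        return len(base64.urlsafe_b64decode(padded)) == 20
    except ValueError:
        return False


if __name__ == "__main__":
    print(x5t(pem_to_der(SAMPLE_PEM)))
```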

Configure Security with OCI Signature Policy

You can securely call Oracle Cloud Infrastructure (OCI) APIs using the OCI Signature security policy. This policy authenticates the service consumer (client), and ensures that communication between the OCI service and the service consumer happens in a secure manner.

In this policy, the client (which makes the HTTP request) uses an API key to encrypt the required header fields and content. The encrypted data is then added to the Authorization header in the HTTP request. Upon receiving such a request, the OCI service can verify that the request was made by an authentic user.

See Request Signatures in OCI documentation.

Prerequisites

Before you can configure a connector to use OCI Signature Policy, you must perform the following tasks:

  1. Get the user OCID and tenancy OCID. See Where to Get the Tenancy's OCID and User's OCID.
  2. Create an API signing key. See How to Generate an API Signing Key.
  3. Get the fingerprint of the key. See How to Get the Key's Fingerprint.
  4. Optionally, if you've generated the key with a passphrase, you need to obtain the passphrase.

To configure OCI Signature Policy security for a connector:
  1. From a selected process application, click the Connectors tab and open a connector.
  2. Click Security from the side menu.
    The Security pane is displayed for the connector.
  3. Click Edit.
  4. In the Security Type field, select OCI Signature Policy from the drop-down list.
  5. Under OCI Signature Security Info, enter the following details:
    Field: Information to Enter
    Tenancy OCID: Enter the tenancy OCID that you obtained. See Prerequisites.
    User OCID: Enter the user OCID that you obtained.
    Fingerprint: Enter the fingerprint that was generated while creating the key.
    Private Key: Enter the private key that you obtained.
    Passphrase: If you generated the key with a passphrase, enter that passphrase. Otherwise, leave this field blank.
  6. Click Save.

Use Global Credentials

You may want to use a global credential that a Process Automation Administrator has already created in Workspace instead of creating application-specific credentials in Designer. The advantage of a global credential is that you can use the same credential in multiple process applications.

See About Credentials.

Only Process Automation Administrators can create global credentials from the Workspace Administration page. A Process Automation Administrator can also edit or delete global credentials in Workspace. See Manage Credentials in Workspace.

Note that any changes a Process Automation Administrator makes to a global credential will be applied to all connectors in which you use the global credential.

To use a global credential:

  1. From a selected process application, click the Connectors tab and open a connector.
  2. Click Security from the side menu.
    The Security pane is displayed for the connector.
  3. Click Edit.
  4. In the Security Type field, select Global Credential from the drop-down list.
  5. Search for and select a global credential.
    Only global connectors that use the same base URL display in search results.
  6. Click Save.