Best Practices from Oracle Development's A‑Team

Authorize access to Oracle Fusion Cloud Application API's by using OAuth tokens

Maximilian Froeschl
A-Team - Cloud Solution Architect


Nowadays OAuth is the method of choice to authorize access to Cloud resources for third-party systems. There are several ways how to define trust between systems and getting a valid access token.
This blog talks about the most common ways for Oracle Fusion Cloud Applications (hereinafter referred to in this article as "Fusion Apps") to do that.

Main Article

There are many different OAuth flows, but all of them get you in the end an OAuth access token.

The OAuth token format isn't defined in the OAuth 2.0 specification, so the token could theoretically be opaque or any specific format like JWT (JSON Web Token). However, Oracle's use of OAuth access tokens is the JWT format.

If we look at the decoded access token created ie. by groovy script in Oracle Engagement Cloud (one of our Fusion Apps) it looks like this:

{ "alg": "RS256",
  "typ": "JWT",
  "x5t": "cE34d8l...VDwOz78",
  "kid": "trustservice" }
{ "exp": 1540473963,
  "sub": "maximilian.froeschl@oracle.com",
  "iss": "www.oracle.com",
  "prn": "maximilian.froeschl@oracle.com",
  "iat": 1540459563 }

(https://jwt.io/ can be used for decoding JWT tokens)
The subject field "sub" is used to identify the user who wants to get access.
And only if the JWT token is signed by a token issuer trusted by the Fusion App it will be accepted by the Fusion App REST API.

As soon as you have the JWT-formatted access token you can provide it as a Bearer token in the HTTP Authorization header of your Fusion App REST API call.
curl example:

curl -H "Authorization: Bearer <access-token>" ...

If identity federation and OAuth trust has been setup ie. between your Fusion App and Oracle Identity Cloud Service (IDCS) you can also use the OAuth access token generated by IDCS as Bearer token for your Fusion App REST API call. The access token can be obtained from the IDCS OAuth Runtime Tokens REST Endpoint (see also https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/api-oauth-runtime-oauth-runtime-tokens.html).
The JWT token from IDCS looks a little bit different to the access token generated by the Fusion App itself, but will be accepted as well because IDCS has been configured as "Trusted JWT Client" in the Fusion App during the OAuth setup. The OAuth setup procedure mainly imports the JWT token issuer certificate and enables the access to the REST API using JWT tokens from this issuer.
(see also: https://docs.oracle.com/en/solutions/extend-saas-with-java-cloud-service-apps/enable-oracle-fusion-applications-cloud-service-federation-and-oauth-trust-oracle-identity-cloud-ser1.html#GUID-53C8A800-3DC3-48F0-930E-11797185406B)

Setting up a third-party system as trusted JWT token issuer for Fusion Apps works similar to the IDCS setup. You need to raise a service request with Oracle Support to get this done.

The last question is where to get the JWT access token from.
As I mentioned in the beginning there are several ways how to do that.
1. Within Fusion App groovy script you can use

def jwt = new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken();

to get a JWT access token from the Fusion App itself.

2. Another way is to use the Fusion App Token Relay Service built specifically for the Web SSO flow:
https://<fusion app url>/fscmRestApi/tokenrelay
The Fusion App Token Relay Service is intended to be used within a webview. If the user isn't already authenticated the HTTP GET call gets first redirected to the Fusion App login page.
At the end or if already authenticated the Fusion App Token Relay Service will respond with the JWT access token in the response payload:

{ "principal": "maximilian.froeschl@oracle.com",
  "expires_in": 14400000,
  "token_type": "JWT",
  "access_token": "eyJhbGc...Q_1EHNw" }

3. Probably the most future-proof way to get the access token is by leveraging the OAuth capabilities of Oracle IDCS mentioned earlier in my post.

4. And last but not least a third-party system can also create and sign the JWT access token itself if it is registered as "Trusted JWT Client" in the Fusion App. Of course it needs to know for which user to create the access token.


You have seen that there are different ways to authorize access to your Fusion App REST API's. At the end the main tasks are to establish trust between the Fusion app and the access token issuer and find the most appropriate and secure way of getting the access token.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha