SSO “like” functionality with Oracle Fusion JWT Tokens

Introduction

There are many instances where customers want to extend Oracle's Fusion SaaS applications with PaaS components. Depending on the Oracle PaaS components being used, they may get SSO with Fusion Applications pre-configured out of the box; however, sometimes this is not the case and they will need to set up SSO federation manually. If they are using non-Oracle PaaS, setting up federation to achieve SSO is usually a requirement.

Whilst it is possible to configure "proper" Single Sign On with other PaaS services using SAML certificates and synchronizing users by script or by hand, this level of configuration may not be available to some developers. Thankfully, for simple use cases there is an easy way which doesn't require all of that.

This short blog details how you can use JWT tokens to achieve "SSO like" functionality without having to set up full SSO. This document should be read in conjunction with the following document: Using JSON Web Token for Oracle Sales Cloud Mashups.


Using JWT Tokens to achieve “SSO like” functionality

According to https://jwt.io

“JWT tokens, also known as JSON Web Tokens, are an open, industry standard RFC 7519 method for representing claims securely between two parties”

It is a mechanism by which one system can grant another system access to its services, perhaps for a limited time, without passing around a username/password credential. The token is generated by the issuing system, signed so that its validity can be checked, and can be time limited (i.e. it only works for a short period).

Oracle Fusion SaaS allows the generation of these JWT tokens using either expression language or groovy scripting in Sales Cloud (CRM). A developer can therefore easily generate a JWT token in SaaS and pass this token to a PaaS application, which can then:

  • Use the token to query the SaaS Service, and importantly execute the service calls as the user who generated the token
  • Determine which user generated the token

Using this approach you can create a SaaS extension using PaaS which is hosted on any PaaS, not just Oracle PaaS, for example Microsoft Azure. The resulting app can then give the end user the "impression" of Single Sign On without actually implementing proper single sign on, i.e. they navigated out to an external PaaS extension and it knew who the user was without them having to log in again.

An Example Flow

[Figure: angelo_jwt_flow (example JWT flow diagram)]

  • User Logs into Oracle Sales Cloud
  • Navigates to a tab which hosts a PaaS Extension in an iFrame
  • The URL to the PaaS application contains an extra query parameter (called "jwtToken" in this example) which is populated with a newly generated JWT token. Note that a token carried in the URL is visible in browser history, proxy and web server logs and Referer headers, so keep it short lived.
  • The PaaS application receives the request and, after detecting the JWT token being passed (i.e. via the "jwtToken" query parameter, or whatever name you chose), needs to determine who the user is. The recommended approach is to execute a SOAP query to the Oracle SaaS UserDetails SOAP service (http://FusionSaaSHCMURL/hcmPeopleRolesV2/UserDetailsService?wsdl), operation findSelfUserDetails(), using the JWT token as the authentication principal. If the token is valid, the service returns the user information of the executing user; if not, you get an authentication error. The important point is that Fusion verifies the token's signature and expiry for you: the PaaS application should not simply decode the token's claims and trust them as the user's identity.

Once the PaaS application has validated the user it can then

  • Store the valid JWT token in an application wide non-persistent cache, keyed by the token itself. That way the next time the user executes a request it can check this cache instead of going to Fusion SaaS each time, thus saving network calls.
  • NB: the cache should also age the stored tokens so that they expire too, never later than the token's own expiry.
  • Display the username on the screen somewhere
  • Display data stored in the PaaS database based on a custom security policy (i.e. only display Angelo's expense reports)
  • Execute queries against Oracle Fusion SaaS, knowing full well that the data returned is conformant with the data security provided by that SaaS product (i.e. Angelo can only query the opportunities he has access to, just like the real Fusion SaaS UI)
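The PaaS-side handling described in the flow above (read the token from the query string, validate it by calling findSelfUserDetails with the token as the credential, then cache the answer no longer than the token's own expiry) as an added example. This is illustrative code written for this article, not code from the original post or from the NearMe sample. The SOAP namespace, the SOAPAction value and the name of the response element carrying the user name are assumptions: take them from the WSDL of your own pod. The network call is injectable so the module runs offline; the demo token at the bottom is constructed, not a real Fusion token.

```python
"""PaaS-side JWT hand-off helper (added example, not from the original post)."""
import base64
import json
import re
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Three base64url segments; the signature segment may be empty (alg=none) only
# so the regex does not reject it here. Fusion, not this code, checks signatures.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_from_query(query_string, param="jwtToken"):
    """Extract the token from the iFrame URL's query string (param name assumed)."""
    values = urllib.parse.parse_qs(query_string).get(param, [])
    if len(values) != 1 or not JWT_RE.match(values[0]):
        raise ValueError("missing or malformed JWT")
    return values[0]


def unverified_exp(token):
    """Read the exp claim WITHOUT verifying the signature. Used only to bound
    the cache lifetime; the user's identity always comes from Fusion's answer."""
    if not JWT_RE.match(token):
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return int(claims.get("exp", 0))


def build_soap_request(token, endpoint):
    """Return (url, headers, body) for findSelfUserDetails, token sent as Bearer."""
    body = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        # namespace below is an assumption; copy the real one from your WSDL
        'xmlns:typ="http://xmlns.oracle.com/apps/hcm/people/roles/userDetailsServiceV2/types/">'
        "<soap:Body><typ:findSelfUserDetails/></soap:Body></soap:Envelope>"
    )
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "SOAPAction": "findSelfUserDetails",  # assumed; check the WSDL
        "Authorization": "Bearer " + token,    # the JWT is the credential
    }
    return endpoint, headers, body


def parse_username(xml_text):
    """Find the user name in the SOAP response regardless of namespace prefix.
    The element name 'Username' is an assumption about the response shape."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Username" and el.text:
            return el.text.strip()
    raise ValueError("no Username element in response")


def call_fusion(token, endpoint):
    """Real lookup: POST the SOAP request; a bad token surfaces as an HTTP error."""
    url, headers, body = build_soap_request(token, endpoint)
    req = urllib.request.Request(url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_username(resp.read().decode())


class TokenCache:
    """Maps a validated token to a user name; entries age out at min(exp, max_ttl)."""

    def __init__(self, lookup, max_ttl=900, clock=time.time):
        self._lookup, self._max_ttl, self._clock = lookup, max_ttl, clock
        self._entries = {}  # token -> (username, expires_at)

    def user_for(self, token):
        now = self._clock()
        hit = self._entries.get(token)
        if hit and hit[1] > now:
            return hit[0]
        self._entries.pop(token, None)          # stale: drop and revalidate
        exp = unverified_exp(token)
        if exp and exp <= now:
            raise PermissionError("token expired")
        username = self._lookup(token)          # raises if Fusion rejects it
        ttl_limit = now + self._max_ttl
        self._entries[token] = (username, min(exp, ttl_limit) if exp else ttl_limit)
        return username


def make_demo_token(claims):
    """Constructed, unsigned demo token for offline runs; never use in production."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + payload + "." + _b64url_encode(b"demo-signature")


if __name__ == "__main__":
    # Offline demo: a fake lookup stands in for the SOAP call to Fusion.
    tok = make_demo_token({"sub": "angelo", "exp": int(time.time()) + 600})
    cache = TokenCache(lambda t: "ANGELO")
    print(cache.user_for(token_from_query("tab=nearme&jwtToken=" + tok)))
```

In production, pass call_fusion (bound to your pod's UserDetailsService endpoint) as the lookup; keep max_ttl well below the token lifetime so a revoked or expired session is not served from cache for long, and remember that the cache is per-process memory, so it gives no protection if the token itself leaks.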


Advantages

  • No user synchronization between PaaS and SaaS is required (not sure I agree with this 100% if the JWT decryption method is used to identify logged-in user)
  • PaaS Services can be in different Oracle Data Centres and not associated
  • PaaS Services can be written in virtually any language which supports SOAP calls (e.g. Oracle Application Container Cloud Service, Java Cloud Service, Microsoft .NET/Azure, Python, PHP etc.)

Disadvantages

  • The application MUST be deployed with NO platform security; all security must be built into the app itself.
  • Native platform security (e.g. JEE Security, JAAS) is not used
  • You lose single sign out: logging out of Fusion does not invalidate anything the PaaS application has cached


Conclusion

This short blog article describes how you can use JWT tokens to give the illusion of SSO to a user without going through all the steps required to implement proper SSO. It should be highlighted that if SSO is available for your environment then this should be used in preference to using JWT tokens, as this will also enforce global security across the entire environment, as opposed to implementing it within your app.


Appendix : How do I?


Generate a JWT Token in Fusion Applications (HCM/ERP/SCM etc.)

  • Option 1: Using Expression Language. This is used when building a callout to an application from an Oracle Fusion menu item or when embedding using the New Page Integration Wizard:
#{applCoreSecuredToken.trustToken}
  • Option 2: If you are using Sales Cloud you can execute the following Groovy script within a trigger or when generating a dynamic URL for a page:
def myJWTToken = new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken()

How do I call a SOAP Service, or REST Service, and pass the JWT token as the authentication header?

Both methods send an Authorization header with their requests. All you need to do is set the value to "Bearer <JWT String>" (the scheme name, a space, then the token). See the code example in Using JSON Web Token for Oracle Sales Cloud Mashups.

How do I call a Fusion SOAP Service and pass the JWT Token from common tools like SOAP UI

You need to create a custom header in the SoapUI request called "Authorization" and set its value to the JWT token prefixed with "Bearer " (the same format as in the previous section).


[Figure: angelo_jwt_soapapi (SoapUI request with the Authorization header)]

Do we have any sample code I can look at?


Yes, please see the "NearMe" sample in https://cloud.oracle.com/developer/solutions?scenarioid=1383852819711. This is a Sales Cloud example that uses JWT tokens to log into the PaaS application and display data from Sales Cloud.

NearMe is an application used to organize on-site sales-related activities in a geographically defined area. From the account details page for a customer, sales representatives can use a query to locate other accounts within a defined radius. The application returns either a listing of accounts meeting the defined criteria, a notification that no nearby accounts were found, or a message that the active account does not have location data.

[Figure: angelo_jwt_nearme (NearMe sample application)]

