Introduction

A Visual Builder (VB) instance provisioned in the Fusion IAM identity domain has advantages over one provisioned in an external OCI IAM identity domain, such as preconfigured SSO, OAuth and user sync. However, external identity domains/tenancies have often been used for OCI SaaS extensions (i.e. Oracle Integration Cloud (OIC)/Visual Builder) in the past, previously referred to as PaaS extensions.

So, provisioning Visual Builder instances in the Fusion IAM identity domain is nowadays the recommended approach over provisioning them in a separate identity domain or tenancy. Note, however, that this is only supported for Fusion Applications extension and integration use cases.

We covered this in Part 1 of this blog series: Extending Fusion Applications using VBCS: OAuth Configurations.

Customers who have only a SaaS subscription and are not using an external IAM domain (i.e. a PaaS subscription in a separate tenancy) can use the JWT-based API authentication mechanism out of the box; see Implement JWT Token Authentication with Fusion Cloud Application (REST/SOAP) & extend in Node.js based applications.

However, there are cases where VB applications are created in external identity domains (non-Fusion IAM). In such cases the same token-based authentication to access Fusion Applications may be desired. In this blog we describe how the same JWT-based API authentication mechanism can be achieved when creating VB service connections/backends.

Details:

We will cover two use cases available in VB service connections. Both can be used to access data from Fusion Applications using an OAuth 2.0 configuration in an external OCI IAM identity domain.

  1. OAuth 2.0 Client Credentials (CC) – fixed credentials used as a service account to access the resource, ignoring the signed-in end user's identity and credentials.
  2. OAuth 2.0 User Assertion (UA) – identity propagation; used where the logged-in user's identity is needed to access the resource.

A few common steps (Step 1 – Step 5), listed below, need to be configured for both use cases. After that, follow the steps under OAuth 2.0 Client Credentials (CC) or OAuth 2.0 User Assertion (UA) as appropriate for your use case.

Summary of Steps –


Step 1 : Create New Identity Domain in External IAM (if not yet existing)

  1. Login to the OCI Console for your OCI tenancy with an administrator account – most likely this is your PaaS tenancy
  2. Navigate to the domain screen and create a new domain, in our example we have created a domain with name – FA_OAuthAccess
  3. Please select the appropriate IAM domain type for your scenario – the types are discussed in detail here, for this blog we have taken the Free domain type.
  4. Create a domain administrator with separate credentials to your tenancy account administrator
  5. Activate the IAM domain via the link that is emailed to the domain administrator account.
  6. Make sure your Visual Builder instance is associated with this IAM domain. This is accomplished by provisioning the Visual Builder instance while logged into this domain as domain administrator.

Step 2 : Set Up Trust Between Oracle Fusion Applications and External Identity Domain

Create Trust between FA with external IAM

  1. Log back into the newly created external domain as the domain administrator.
  2. Change the OAuth issuer name. Navigate to

Identity>Domains>FA_OAuthAccess domain>Security>OAuth

Update the OAuth issuer name to a value of your choice; the only requirement is that it differs from the default (https://identity.oraclecloud.com/). This value is later entered in the Fusion Applications Security Console when uploading the JWT signing certificates.

E.g. FA_OAuthAccess_Domain_RT

  3. Enable Access Signing certificate. Navigate to

Identity>Domains>FA_OAuthAccess domain>Settings>Domain settings

  4. Get the signing certificates from the Oracle OCI IAM identity domain's JWK endpoint
    1. Get the URL of the Oracle OCI IAM JWK endpoint that gives you the signing certificates:

<OCI IAM identity domain URL>/admin/v1/SigningCert/jwk

You can look up the domain URL in the OCI IAM identity domain overview page.

    2. Call the JWK endpoint in your browser to retrieve the certificates. There are two values in the "x5c" array within the output:
      1. First value: OCI identity domain certificate
      2. Second value: Certificate authority (CA) certificate

Refer – Retrieve the Tenant's Signing Certificate in JWK Format.

    3. Copy each certificate value into a separate file. The header and footer in each file must be in the following exact format, without any additional preceding or trailing characters, to be successfully uploaded to Oracle Fusion Applications:

-----BEGIN CERTIFICATE-----
content_of_certificate
-----END CERTIFICATE-----

You can validate the certificate. For example:

openssl x509 -in <filename> -noout -text
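As an added example (not part of the original blog), the following Python script does what sub-steps 2 and 3 describe: it reads the JWK document, takes the two x5c entries, writes each into a PEM file with exactly the header and footer Fusion Applications accepts, and checks the envelope for stray characters. The JWKS embedded here is a constructed sample with placeholder bytes in place of real certificates; in practice you would paste in the document fetched from your domain's /admin/v1/SigningCert/jwk endpoint. The file names oci_domain_cert.pem and oci_domain_ca.pem are my choice.

```python
import base64
import json

# Constructed sample JWKS in the shape returned by
# <OCI IAM identity domain URL>/admin/v1/SigningCert/jwk.
# The x5c values are base64 of placeholder bytes, NOT real certificates;
# a real document carries DER-encoded X.509 certificates here.
SAMPLE_JWKS = json.dumps({
    "keys": [{
        "kid": "SIGNING_KEY", "kty": "RSA", "use": "sig", "alg": "RS256",
        "x5c": [
            base64.b64encode(b"\x30\x82\x01\x00" + b"D" * 60).decode(),  # placeholder domain cert
            base64.b64encode(b"\x30\x82\x01\x00" + b"C" * 60).decode(),  # placeholder CA cert
        ],
    }]
})


def der_to_pem(der):
    """Wrap DER bytes in the exact envelope Fusion Applications accepts:
    header line, 64-character base64 lines, footer line, nothing else."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_certificates(jwks_text):
    """Return [(label, pem), ...] for the x5c chain of the signing key.
    Per the blog, the first x5c entry is the identity domain certificate
    and the second is the CA certificate."""
    jwks = json.loads(jwks_text)
    key = next(k for k in jwks["keys"] if k.get("use", "sig") == "sig")
    chain = key["x5c"]
    if len(chain) < 2:
        raise ValueError("expected domain certificate and CA certificate in x5c")
    result = []
    for label, b64 in zip(["oci_domain_cert", "oci_domain_ca"], chain):
        der = base64.b64decode(b64)
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
            raise ValueError(f"{label}: x5c entry is not DER-encoded")
        result.append((label, der_to_pem(der)))
    return result


def is_clean_pem(pem):
    """Verify the envelope the Fusion upload requires: header first, footer
    last, and no leading or trailing characters on any line."""
    lines = pem.strip("\n").split("\n")
    return (lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----"
            and all(line == line.strip() for line in lines))


if __name__ == "__main__":
    # With a live domain: replace SAMPLE_JWKS by the body fetched from the JWK endpoint.
    for label, pem in extract_certificates(SAMPLE_JWKS):
        with open(f"{label}.pem", "w") as fh:
            fh.write(pem)
        print(f"wrote {label}.pem, envelope clean: {is_clean_pem(pem)}")
```

The openssl x509 command above can then be run against each written file; if it fails to parse, the x5c entry was not copied whole or extra characters crept into the envelope.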

  5. Create API authentication provider in Fusion Cloud Application
    1. Login to Fusion Cloud Application and navigate to Tools>>Security Console>>API Authentication
    2. Press the Create Oracle API Authentication Provider button, then press Edit
    3. Use the same issuer name as you configured in step 2 (in our example: FA_OAuthAccess_Domain_RT).

The default IAM domain issuer name "https://identity.oraclecloud.com/" is reserved for the IAM identity domain already associated with FA, so it can't be used for an additional domain. This is why we changed the issuer name in our identity domain in step 2: only a non-default issuer can be registered here.

  6. Upload OCI IAM domain certificates in Fusion Security Console
    1. On the "Oracle API Authentication Provider Details" page from the previous step, under the tab "Inbound API Authentication Public Certificates", upload both certificates downloaded in step 4:
      1. OCI identity domain certificate
      2. Certificate authority (CA) certificate


Step 3: Enable CORS in Fusion Applications for the Visual Builder Application.

  1. Navigate to Manage Administrator Profile Values in Fusion Applications.
  2. Search for Profile option code – ORA_CORS_ORIGIN
  3. Add Visual Builder application URL as below in profile value.

E.g.

'self' https://fa-<domain>.builder.us-ashburn-1.ocp.oraclecloud.com

Refer here – Configure Cross-Origin Resource Sharing


Step 4: Create Resource Confidential Application for Fusion Applications in External Identity Domain.

  1. Navigate to Identity>Domains>FA_OAuthAccess domain>Integrated applications
  2. Press the Add Application button.
  3. Choose Confidential Applications, choose Resource server configuration, and provide a name, in this case FA Resource.
  4. In Primary Audience add the Fusion Applications URL.
  5. In Scope provide /
  6. Save and activate the application.


Step 5: Optional – Sync Users/Groups from Oracle Fusion Applications with the External Identity Domain

  1. If you want to use User Assertion (UA) for identity propagation, the users/groups from Oracle Fusion Applications must be synced with the external identity domain; refer here for details.
  2. Additionally, if you want to embed the VB application as an iframe in FA, SAML identity federation (Web SSO) between Oracle Fusion Applications and the external identity domain is required (Fusion Applications users federated with the external identity domain); refer to Support Note Doc ID 2746354.1 for details.


OAuth 2.0 Client Credentials (CC)


Fusion CC

This method is used for application-to-application authentication scenarios where you don't need a specific user's credentials to connect to the service, e.g. service accounts created inside the Fusion application.

Step 1: Register your application with the authorization server

  1. Login to the newly created external domain as the domain administrator.
  2. Navigate to Identity>Domains>FA_OAuthAccess domain>Integrated applications
  3. Press the Add Application button.
  4. Choose Confidential Applications.
  5. In Add Application details, give a name and description of your choice, e.g. FA Client CC
  6. Press Next for Configure OAuth
    1. Choose Client configuration
    2. Authorization – Client credentials
    3. Client Type – Confidential
    4. Resources – Add Scope
      1. FA Resource
  7. Press Next for Configure Policy
    1. Finish.
  8. Activate the application.
  9. Make note of the application's Client ID, Client Secret and Scope.


Step 2: Create the Client ID as a user in Oracle Applications Cloud

In Client Credentials flows, any call is invoked in the context of the application itself and not in the context of a user. Therefore, you must model the application’s client ID as a user in Oracle Applications Cloud.

By creating the Client ID as a user, you are indicating that the user (application) has the necessary role and privileges and is authorized to access the resources.
Complete the following steps to create the Client ID as a user:

Note: The user creation process takes a few minutes and is not completed instantly.

    1. Sign in to Oracle Application Cloud.
    2. On the Security Console, click Users.
    3. Click Add User Account.
    4. Under User Information in the Username field, specify the Client ID of the application that you registered with Oracle IAM.
    5. Enter the other details under User Information.
    6. Click Add Role.
    7. Based on the resources that you want this application to access, add the appropriate roles.


You can test the configuration using Postman as a client to request an access token:

  1. In Postman, create a new request.
  2. In the Authorization tab, select OAuth 2.0 with the Client Credentials grant type.
  3. In the Configure New Token section, enter the following client configuration information:
    1. Access Token URL – the identity domain URL appended with /oauth2/v1/token
    2. Client ID – the Client ID value collected from the OCI IAM domain
    3. Client Secret – the Client Secret value collected from the OCI IAM domain
    4. Scope – the Scope value defined in the OCI IAM domain
    5. Token Name – generic name, can be anything
    6. Grant Type – Client Credentials
    7. Client Authentication – Send as Basic Auth Header
  4. Click Get New Access Token.
  5. Postman passes the information on to the OCI IAM domain.
  6. After successful authentication, OCI IAM returns the access token to Postman.
  7. Click Use Token to use this token to access the resources.
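The same token request can be scripted, which is useful to confirm that the token OCI IAM issues carries the claims the Fusion Applications authentication provider will look at. The Python below is an added example, not code from the blog or from Oracle: it builds the client credentials request the way Postman does (Basic auth header, grant_type=client_credentials, scope), and inspects the returned JWT payload. The domain URL, Fusion URL and client ID are placeholders; the scope is assumed to be the Fusion URL plus "/" as implied by the resource application in Step 4; and the layout of the iss/sub/aud claims is an assumption for illustration. The sample token in the block is constructed with a placeholder signature purely so the claim checks can run offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values for illustration; replace with those from Step 1 and Step 4.
IAM_DOMAIN_URL = "https://idcs-EXAMPLE.identity.oraclecloud.com"  # placeholder domain URL
FA_URL = "https://fa-EXAMPLE.fa.us2.oraclecloud.com"               # placeholder Fusion URL
EXPECTED_ISSUER = "FA_OAuthAccess_Domain_RT"                        # issuer name chosen in Step 2


def build_client_credentials_request(domain_url, client_id, client_secret, scope):
    """Assemble the request Postman sends: POST <domain>/oauth2/v1/token with the
    client authenticated via a Basic header and grant_type=client_credentials."""
    token_url = domain_url.rstrip("/") + "/oauth2/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def request_access_token(domain_url, client_id, client_secret, scope):
    """Send the request over the network and return the access_token string."""
    token_url, headers, body = build_client_credentials_request(
        domain_url, client_id, client_secret, scope)
    req = urllib.request.Request(token_url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. This only shows
    what the token claims; Fusion Applications does the real verification
    against the certificates uploaded in Step 2."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_claims(claims, expected_issuer, client_id, fa_url):
    """Checks worth making before wiring the credentials into VB (assumed claim layout):
    iss must be the custom issuer name from Step 2, sub must be the client ID that was
    created as an FA user, and aud must include the Fusion Applications URL (Step 4)."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_issuer!r}")
    if claims.get("sub") != client_id:
        problems.append("sub does not match the client ID registered as an FA user")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if fa_url not in aud and fa_url + "/" not in aud:
        problems.append("aud does not contain the Fusion Applications URL")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only.
    The signature segment is a fixed placeholder and would verify nowhere."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")
    header = b64url(json.dumps({"alg": "RS256", "kid": "SIGNING_KEY"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    token_url, headers, body = build_client_credentials_request(
        IAM_DOMAIN_URL, "client-id-from-step-1", "client-secret-from-step-1", FA_URL + "/")
    print("POST", token_url)
    print(body)
    # Offline demonstration with a constructed token; with real credentials use
    # request_access_token(...) and run the same checks on its result.
    sample = make_sample_token({"iss": EXPECTED_ISSUER, "sub": "client-id-from-step-1",
                                "aud": [FA_URL, FA_URL + "/"], "exp": 0})
    print(check_token_claims(decode_jwt_claims(sample), EXPECTED_ISSUER,
                             "client-id-from-step-1", FA_URL) or "token claims look right")
```

A token whose iss still reads https://identity.oraclecloud.com/ means the issuer change from Step 2 did not take effect, and the provider created in Step 2 of the trust setup will not accept it; catching that here is quicker than debugging a failing service connection in VB.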


Step 3: Create Service Connections in VB

  1. Login to VB Applications.
  2. Navigate to Service connections > press the + button to create a new one.
  3. Use Define by Endpoint.
  4. Provide the resource URL you want to access.
  5. Go to the Server tab and provide the details below –
    1. Authentication – OAuth 2.0 Client Credentials
    2. Client ID – from the Confidential Client
    3. Secret – from the Confidential Client
    4. Scope – from the Confidential Client
    5. Token URL – <OCI IAM domain URL>/oauth2/v1/token
  6. Click Save and exit the screen.
  7. Go back to the service connection.
  8. Go to Endpoints>>press Send request to test your service connection.


OAuth 2.0 User Assertion (UA)


FA UA

This method is used when the person logged in to the VB application is also the user connecting to the Fusion application. It requires the user to sign in with a valid Oracle IAM identity domain user account that is synchronized with Oracle Fusion Applications, i.e. the user must exist in both the OCI IAM domain and FA.

Step 1: Register your application with the authorization server

  1. Login to the newly created external domain as the domain administrator.
  2. Navigate to Identity>Domains>FA_OAuthAccess domain>Integrated applications
  3. Press the Add Application button.
  4. Choose Confidential Applications.
  5. In Add Application details, give a name and description of your choice, e.g. FA_Client_UA
  6. Press Next for Configure OAuth
    1. Choose Client configuration
    2. Authorization – JWT assertion
    3. Client Type – Confidential
    4. Resources – Add Scope
      1. FA Resource
  7. Press Next for Configure Policy
    1. Finish.
  8. Make note of the application's Client ID, Client Secret and Scope.


Step 2: Create Service Connections in VB

  1. Login to VB Applications.
  2. Navigate to Service connections > press the + button to create a new one.
  3. Use Define by Endpoint.
  4. Provide the resource URL you want to access.
  5. Go to the Server tab and provide the details below –
    1. Authentication – OAuth 2.0 User Assertion
    2. Client ID – from the Confidential Client
    3. Secret – from the Confidential Client
    4. Scope – from the Confidential Client
  6. Click Save and exit the screen.
  7. Go back to the service connection.
  8. Go to Endpoints>>press Send request to test your service connection.

Conclusion

We hope this blog helps you connect Visual Builder in an external identity domain to Fusion Applications using OAuth 2.0 grant types. It describes how to configure the connection and illustrates which grant type to use with which connection type.

References:

  1. Securing Authorizations in Oracle Cloud

https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/csimg/securing-authorizations-oracle-cloud.html

  2. Visual Builder Service Connections

https://docs.oracle.com/en/cloud/paas/app-builder-cloud/visual-builder-developer/create-service-connection.html

  3. Set Up the OAuth Authorization Code Credentials Security Policy with a Non-Oracle Fusion Applications Identity Domain

https://docs.oracle.com/en/cloud/paas/application-integration/erp-adapter/use-identity-domain-not-included-oracle-fusion-applications.html

  4. Add a Confidential Application

https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/add-confidential-application.html