Best Practices from Oracle Development's A‑Team

  • November 18, 2019

OIC No Password Expiration for Basic Authentication

Greg Mally
Principal Solutions Architect

The following is a supplement to the Oracle public docs for Use the Service Integration Account with No Password Expiration. Although the documentation is fairly detailed, some consistent points of confusion have surfaced, and the curl command may not be available (or desirable) for many folks. Therefore, this blog will walk through the steps in the online documentation and get everything set up for a non-expiring Service Integration Account using the attached Postman Collection and Environment exports:

Collection Export
Environment Export

The Postman Environment variables are named the same as the variables detailed in the online docs. For example, there is a Postman variable called OIC_APP_ID and you will see this in the first section of the online docs as ${OIC_APP_ID}.

Things you will need to do before you can run any of these Postman requests:

  1. Identify the IDCS host name associated with the OIC instance we will be targeting for this Service Integration Account. This will be used for the IDCS_HOST Postman environment variable.
  2. Locate the Application ID for the auto-generated OIC Application associated with the instance we will be targeting for this Service Integration Account. This is the section in the online docs titled "Obtain the PaaS Application Oracle Identity Cloud Service Application ID" and the applications are typically prefixed with OICINST_. This will be used for the OIC_APP_ID Postman environment variable.
  3. Create the Service Administrator Application that will be used to retrieve the OAuth access token to authorize the requests in the Postman collection. This is the section in the online docs titled "Configure the Service Administrator Application". Once created, the Client ID and Secret will be used to set the SA_CLIENT_ID and SA_CLIENT_SECRET Postman environment variables.

NOTE: Be sure to activate this application once it is created. This step is missing in the online docs.

  4. Determine what your Service Integration Account (application) will be called. To be consistent with the online docs, the name should have a suffix of _BASICAUTH. For example, OICINST-Dev_BASICAUTH. This will be the value for the SI_CLIENT_ID Postman environment variable.

Now that we have all the initial tasks completed and information gathered, we can move on to working with Postman.

Setup Postman

1. Import the attached Postman Collection and Environment exports into your Postman application (https://www.getpostman.com/downloads/).

Once the import is complete, you should see something like the following:

2. Update Postman Environment variables with information gathered earlier

To update the Environment variables, simply locate the variable name and update the CURRENT VALUE for that variable:

Update the CURRENT VALUE for the following variables:

  • IDCS_HOST
  • OIC_APP_ID
  • SA_CLIENT_ID
  • SA_CLIENT_SECRET
  • SI_CLIENT_ID

NOTE: The Postman requests will use these CURRENT VALUEs in the request URLs, request parameters, and request payloads so you will not have to duplicate this information for each of the IDCS API requests.
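Once these variables are filled in, the environment holds two client secrets, one of which belongs to an account that never expires. The following check is an added example, not part of the original post or of Postman: it flags and blanks the secret variables in an environment export before the file is shared or committed. It assumes the usual export layout (a top-level "values" list of key/value entries); the sample export is constructed.

```python
import json

# Variable names from this post that hold credentials or bearer tokens.
SECRET_KEYS = {"SA_CLIENT_SECRET", "SI_CLIENT_SECRET", "ACCESS_TOKEN"}

def _load_values(export_text):
    """Parse an export and return (document, list of variable entries)."""
    doc = json.loads(export_text)
    values = doc.get("values") if isinstance(doc, dict) else None
    if not isinstance(values, list):
        raise ValueError("no 'values' list: not a Postman environment export")
    return doc, values

def find_populated_secrets(export_text, secret_keys=SECRET_KEYS):
    """Return the sorted names of secret variables that carry a real value."""
    _, values = _load_values(export_text)
    found = set()
    for entry in values:
        value = str(entry.get("value") or "").strip()
        # An empty value or an unresolved {{placeholder}} is not a secret.
        is_placeholder = value.startswith("{{") and value.endswith("}}")
        if entry.get("key") in secret_keys and value and not is_placeholder:
            found.add(entry["key"])
    return sorted(found)

def redact(export_text, secret_keys=SECRET_KEYS):
    """Return the export as JSON text with every secret value blanked."""
    doc, values = _load_values(export_text)
    for entry in values:
        if entry.get("key") in secret_keys:
            entry["value"] = ""
    return json.dumps(doc, indent=2)

# Constructed sample export; host, names and secrets are made up.
SAMPLE_EXPORT = json.dumps({
    "name": "OIC No Pass Expire (sample)",
    "values": [
        {"key": "IDCS_HOST", "value": "idcs-example.invalid", "enabled": True},
        {"key": "SA_CLIENT_ID", "value": "constructed-sa-id", "enabled": True},
        {"key": "SA_CLIENT_SECRET", "value": "constructed-sa-secret", "enabled": True},
        {"key": "SI_CLIENT_ID", "value": "OICINST-Dev_BASICAUTH", "enabled": True},
        {"key": "SI_CLIENT_SECRET", "value": "constructed-si-secret", "enabled": True},
        {"key": "ACCESS_TOKEN", "value": "", "enabled": True},
    ],
    "_postman_variable_scope": "environment",
})

if __name__ == "__main__":
    print("populated secrets:", find_populated_secrets(SAMPLE_EXPORT))
    print("after redaction:", find_populated_secrets(redact(SAMPLE_EXPORT)))
```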

We are now ready to start going through the various IDCS API calls to get the Service Integration Account application created and associated with the OIC IDCS Application. The collection requests are named in order of execution. There will be times when the results returned from an API call will require Environment variables to be updated before moving on to the next request.

Step 1 - Get OAuth Access Token

Open the No Pass Expire - Step 1 Get OAuth Access Token request in Postman and review how the request is set up. Notice that the URL and Authorization are using the Environment variables we set up earlier. If you have the Environment variables updated correctly, you should see something like the following after sending the request:

Before moving on to the next request, take the value for the "access_token" (do not include the quotes) and update the ACCESS_TOKEN environment variable CURRENT VALUE. This token is good for an hour, which should be enough time to finish the rest of the Postman requests.

NOTE: This step could be replaced with the Postman Get New Access Token feature for Steps 2 - 5. However, in keeping consistent with the online documentation this step has been used instead of the access token feature of Postman.
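What the Step 1 request amounts to on the wire, as an added example that is not taken from the original post or its Postman collection: it builds the client-credentials request from the SA_ variables without sending it, validates a token response, and tracks how much of the one-hour lifetime is left. The endpoint path /oauth2/v1/token and the scope urn:opc:idm:__myscopes__ are assumptions based on the IDCS REST API, since the post does not show them; the host, credentials and response are constructed.

```python
import base64
import json
from urllib.parse import urlencode

def build_token_request(idcs_host, sa_client_id, sa_client_secret):
    """Describe the Step 1 request without sending it."""
    pair = f"{sa_client_id}:{sa_client_secret}".encode("utf-8")
    return {
        "method": "POST",
        # Assumption: standard IDCS token endpoint path.
        "url": f"https://{idcs_host}/oauth2/v1/token",
        "headers": {
            "Authorization": "Basic " + base64.b64encode(pair).decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        # Assumption: IDCS scope covering the client's own granted scopes.
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": "urn:opc:idm:__myscopes__"}),
    }

def parse_token_response(response_text, issued_at):
    """Return (access_token, expires_at) or raise ValueError on a failed grant."""
    data = json.loads(response_text)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("response carries no bearer access_token")
    return token, issued_at + int(data["expires_in"])

def seconds_left(expires_at, now):
    """Remaining lifetime; check this before each of Steps 2 to 5."""
    return max(0, int(expires_at - now))

# Constructed sample response; the token value is a placeholder.
SAMPLE_RESPONSE = json.dumps(
    {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600})

if __name__ == "__main__":
    req = build_token_request("idcs-example.invalid", "sa-id", "sa-secret")
    print(req["method"], req["url"], req["body"])
    token, expires_at = parse_token_response(SAMPLE_RESPONSE, issued_at=0)
    print("seconds left after 55 minutes:", seconds_left(expires_at, now=3300))
```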

Step 2 - Create BASICAUTH Application

Open the next request called No Pass Expire - Step 2 Create BASICAUTH Application in Postman and review how the request is set up. Again, notice that the URL, Authorization, and now the payload are using the Environment variables. This request is probably the most important as it creates and configures the IDCS application that will be used to allow the triggering of OIC integrations using Basic Auth. If the Environment variables are updated correctly, you should see something like the following for the request response:

Before moving on to the next request, take the values from the response and update the SI_APP_ID and SI_CLIENT_SECRET Environment variables. Use the image above to locate the values in the response payload.

Step 3 - Activate BASICAUTH Application

Open the next request called No Pass Expire - Step 3 Activate BASICAUTH Application in Postman. Assuming the Environment variables have been updated with the response values from the previous step, you should see something like the following after sending the request:

Step 4 - Get Auto-Generated OIC Application Details

Open the next request called No Pass Expire - Step 4 Get OIC Application Details. The purpose of this request is to retrieve the ID associated with the ServiceUser role located in the auto-generated OIC IDCS Application. The response from this request will be used to update the OIC_APP_ROLE_ID Environment variable:

Before moving on to the next request, take the values from the response and update the OIC_APP_ROLE_ID Environment variable. Use the image above to locate the values in the response payload.

Step 5 - Add BASICAUTH Application to OIC Application

Open the last request called No Pass Expire - Step 5 Add BASICAUTH Application to OIC Application. When this request runs successfully, you will see something like the following:

Verify in IDCS Console

To see what we just configured in IDCS through the IDCS console, search for the auto-generated OIC Application and open it. Then navigate to the Application Roles tab and view the applications that are assigned to the ServiceUser role:

Test Using SI_CLIENT_ID and SI_CLIENT_SECRET

We can now verify the configuration by triggering an OIC integration using the SI_CLIENT_ID and SI_CLIENT_SECRET as the basic authentication credentials. The following test is an Echo integration that is activated on the OIC instance used for this blog. You can see that the request is set up for Basic Auth and is using the SI_CLIENT_ID and SI_CLIENT_SECRET Environment variables:

Here you can see that we get a valid response from OIC using the new Service Integration Account:

I do hope you find this blog helpful and that it clears up any confusion you may have had about this process.
