How Does the Fixed Credentials Authentication Method Work?
Note:
To use local servers in conjunction with runtime server configurations, make sure your Oracle Cloud Applications instance is on 25A and that you've completed the check described in Work With Services (Limited Availability).

Authentication methods like Basic Auth are called fixed credentials because they ignore the signed-in user's identity and instead apply only the credentials that are configured (fixed) for the backend.
For example, if the logged-in user is abc.xyz, but the backend is using Basic Auth with the user credentials def.xyz, the REST APIs connected by the backend will see only def.xyz in their Authorization headers.
Authentication method | Description | Valid for: |
---|---|---|
None | Select this for services that don't need authentication and don't accept Authorization headers. | In-source servers, Local servers, Runtime server configurations |
Basic | Select this for services that require a fixed user name and password for authentication. The signed-in user's credentials aren't used for authentication. This option uses the VB Studio authentication proxy, irrespective of the connection type you choose. Due to the limitations of basic authentication, it's recommended that you use this method only during development. Here's why: Suppose you set basic authentication with a particular user name and password, and later need to revoke the basic authentication for one specific application. Your only option is to revoke that particular user, which affects all applications that use basic authentication for that user. OAuth-based methods use scopes (with the client identifier and client secret) to offer you better control for managing credentials. Note: While Basic authentication is an option for service connections in VB Studio Gen 2 in government realms, it is a relatively weak security layer. If your service connections use Basic authentication to connect to Oracle Cloud Application services, it's recommended that you use one of the other available authentication mechanisms (for example, OAuth 2.0 Resource Owner Password), if possible. Consult your organization's security guidelines if you still plan to use Basic authentication, especially in production applications. | Local servers, Runtime server configurations |
OAuth 2.0 Client Credentials | This method is recommended if you want to use a fixed credentials method and the service supports OAuth 2.0 Client Credentials. This method is part of the OAuth 2.0 grant types and is used for application-to-application authentication scenarios where you don't need a specific user's credentials to connect to the service. Consult the service's OAuth 2.0 documentation for the values for the Client ID, Client Secret and token URL fields. | Local servers, Runtime server configurations |
OAuth 2.0 Resource Owner Password Credentials | This method is part of the OAuth 2.0 grant types and is used when you need a specific user's credentials to connect to the service. Consult the service's OAuth 2.0 documentation for the values for the Client ID, Client Secret and token URL fields. | Local servers, Runtime server configurations |
OCI Signature Authentication | This method uses a signature method to create an Application ID flow using a single Oracle Cloud Infrastructure (OCI) user to connect to OCI endpoints. All requests go through a proxy because of the requirement to sign the outgoing message. Note: Although OCI Signature authentication appears as an option, it is actually not supported for extensions at the moment. If you configure OCI Signature authentication for a backend and use it in an App UI, the service connection call will fail with a 500 error when you try to preview or deploy the extension. To use this authentication in VB Studio, you'll need these user details from the OCI console: Once you have the details of the OCI user you want to use to connect to OCI endpoints, set up authentication in VB Studio as follows: | Local servers only |
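
As an added illustration (not VB Studio's proxy code and not Oracle's), the sketch below builds, without sending, the outbound requests that the fixed credentials methods in the table imply: a Basic header that carries only the configured user, and RFC 6749 token requests for the Client Credentials and Resource Owner Password grants. The `backend` object, its field names, the token URL and every credential value are constructed placeholders.

```javascript
// Added illustration, not VB Studio's proxy code. All names and values are constructed.
const backend = {
  basic: { username: "def.xyz", password: "example-password" },
  oauth: {
    tokenUrl: "https://idp.example.com/oauth2/v1/token",
    clientId: "example-client-id",
    clientSecret: "example-client-secret",
    scope: "example-scope",
  },
};

// RFC 7617: Basic credentials are base64("user:password") over UTF-8.
function basicHeader(user, secret) {
  return "Basic " + Buffer.from(`${user}:${secret}`, "utf8").toString("base64");
}

// RFC 6749 section 2.3.1: client id and secret are form-urlencoded before Basic encoding.
const formEncode = (s) => new URLSearchParams({ v: s }).toString().slice(2);

// Basic method: signedInUser is accepted only to show that it never reaches
// the outbound request; the header is built from the backend configuration alone.
function outboundBasicRequest(signedInUser, cfg) {
  return { headers: { Authorization: basicHeader(cfg.basic.username, cfg.basic.password) } };
}

// Token request for the two fixed-credential OAuth grants: client_credentials
// (RFC 6749 section 4.4) by default, password (section 4.3) when a resource owner is given.
function tokenRequest(cfg, resourceOwner) {
  const body = new URLSearchParams();
  if (resourceOwner) {
    body.set("grant_type", "password");
    body.set("username", resourceOwner.username);
    body.set("password", resourceOwner.password);
  } else {
    body.set("grant_type", "client_credentials");
  }
  if (cfg.oauth.scope) body.set("scope", cfg.oauth.scope);
  return {
    method: "POST",
    url: cfg.oauth.tokenUrl,
    headers: {
      Authorization: basicHeader(formEncode(cfg.oauth.clientId), formEncode(cfg.oauth.clientSecret)),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}
```

In both OAuth requests the client authenticates with its own ID and secret, so access for one application can be revoked at the client level; the Basic header has no such layer, which is the revocation limitation the table describes.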
The Connection Type indicates how to connect to the actual REST API: directly from the App UI's JavaScript or through the server proxy. Base this decision on the CORS support your REST API has. In extensions, this attribute is only available if you have a local server. If you choose an in-source server, your REST API should already have support for CORS.
Note:
When using the fixed credentials authentication method, keep in mind these limitations:
- When using the OAuth 2.0 authentication method, which uses token relay, you're limited by what the browser can send and receive.
- When using a proxy you're limited by the browser as stated above, with the exception of Oracle Cloud Infrastructure API Signature 1.0. For this method, the maximum message body size is two gigabytes (because the proxy needs to cache the entire message to sign it).
- When using a proxy, the REST call will time out after 234 seconds if no data has been sent.