2 Secure Access To Your Application

How to Secure Access from External Applications Using OAuth

You can use the OAuth protocol to authorize external applications to access your communication application's REST APIs. Authorization ensures that only an application that has been explicitly granted access, and only within the scopes it was granted, can call the service.

When you submit requests from external applications, each request must include an OAuth access token. To obtain that access token, the external application needs OAuth credentials (a client ID and client secret). You generate these credentials by adding the external application as a confidential application in Oracle Identity Cloud Service. You then embed the generated OAuth credentials in the external application, which uses them to request an access token before calling your communication application's REST APIs.

You can use the OAuth credentials of the DX4C_FABRIC_<Customer_ID> application predefined in Oracle Identity Cloud Service to test the REST API calls. The <Customer_ID> is the unique identifier of your CX Industries Framework instance. You can test the calls using the cURL command or a REST API client such as Postman. For instructions on calling REST APIs using the cURL command or REST API clients, refer to Quick Start in REST API for Oracle CX Industries Framework. For anything beyond testing, you must add a separate confidential application for every external application that sends requests to your communications application, so that each integration has its own credentials that can be rotated or revoked independently.

You must be an administrator to perform this task. Here's how you can create a confidential application:
  1. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. On the Applications page, click Add.

    The Add Application page appears.

  3. From the list of application types, select Confidential Application.
  4. On the App Details page, enter a name and a description for your application.
  5. At the top of the Add Confidential Application wizard's Details page, click Next.

    A confirmation message indicates that the application has been added in a deactivated state.

  6. On the Add Confidential Application wizard's Client page, click Configure this application as a client now, and enter this information in the Authorization section:
    • Allowed Grant Types: Select Client Credentials, JWT Assertion, Refresh Token, and Authorization Code, or only the subset that your external application actually uses. A server-to-server integration typically needs Client Credentials alone.

      Note:

      To generate refresh tokens, you must select Refresh Token.
    • Allow non-HTTPS URLs: Select this option only if your redirect URL doesn't use HTTPS, for example during local testing. Leave it cleared in production, because an authorization code returned to a plain-HTTP redirect URL travels in cleartext.
    • Redirect URL: Enter the callback URL of the external application. Oracle Identity Cloud Service sends responses to authorization requests, that is, the authorization code or token, only to this registered URL.
    • Post Logout Redirect URL: Enter the URL to which the user is redirected after logging out of the application.
  7. In the Token Issuance Policy section, under Authorized Resources, select Specific.
  8. In the Resources section, click Add Scope and follow these steps:
    1. Search for the DX4C_FABRIC_<Customer_ID> application predefined in Oracle Identity Cloud Service.
    2. Click the arrow to the right of the application name.
    3. Select the scope that ends with all. The scope looks like this: urn:opc:resource:consumer::all. Select additional scopes only if the external application needs them; the scopes granted here are the upper bound of what any token issued to this client can do.
    4. Click Add.
  9. In the Grant the client access to Identity Cloud Service Admin APIs section, click Add and follow these steps:
    1. Select Authenticator Client.
    2. Click Add and then click Next.
  10. In the Expose APIs to Other Applications section, leave the default Skip for later and click Next.
  11. In the Web Tier Policy section, leave the default Skip for later and click Next.
  12. On the Add Confidential Application wizard's Authorization page, click Finish.

    The Application Added page appears.

  13. Make note of the client ID and client secret. You must embed these in the external application to access your communication application's REST APIs. Treat the client secret like a password: keep it in the external application's secret store, not in source control.
  14. On the Details page for your new application, select Activate and confirm the activation.
  15. Embed the following in the external application that accesses your communication application's REST APIs:
    • The Oracle Identity Cloud Service URLs for generating authorization codes and requesting OAuth access tokens. For example:

      https://<idcs_hostname>/oauth2/v1/authorize

      https://<idcs_hostname>/oauth2/v1/token

      where <idcs_hostname> is the host name of your Oracle Identity Cloud Service instance.

    • The redirect URL to send authorization codes and access tokens.
    • The client ID and client secret generated by the confidential application.
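The following is an added example, not code from the Oracle documentation or from the product, of how the external application uses the values from steps 13 and 15: it builds the authorize URL with a random state value, checks that state when Oracle Identity Cloud Service redirects back, and builds the request that trades the authorization code for tokens with the client credentials in a Basic header. The host, client ID, client secret, redirect URL and the callback query string are placeholders or constructed inputs; the as_curl helper renders the same request as a cURL command for trying it by hand.

```python
# Added example (not from the Oracle documentation): the authorization code
# flow against the IDCS endpoints above, driven from the external application.
# Host, client ID, client secret and redirect URL are placeholders that you
# replace with the values from steps 13 and 15.
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDCS_HOST = "idcs-example.identity.oraclecloud.com"        # assumed tenant host
CLIENT_ID = "0123456789abcdef"                               # from step 13
CLIENT_SECRET = "replace-with-the-generated-client-secret"   # from step 13
REDIRECT_URL = "https://external.example.com/oauth/callback" # registered in step 6
SCOPE = "urn:opc:resource:consumer::all"                     # granted in step 8

AUTHORIZE_URL = f"https://{IDCS_HOST}/oauth2/v1/authorize"
TOKEN_URL = f"https://{IDCS_HOST}/oauth2/v1/token"


def is_https_redirect(url):
    """True only for an https:// callback. Authorization codes are returned
    to this URL, so a plain-http callback exposes them in transit."""
    return urlparse(url).scheme == "https"


def new_state():
    """Unguessable per-login value that ties the callback to our request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, redirect_url=REDIRECT_URL, scope=SCOPE):
    """URL the external application sends the user to (step 15, first bullet)."""
    if not is_https_redirect(redirect_url):
        raise ValueError("redirect URL must use https")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_url,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_matches(received, expected):
    """Constant-time comparison; a missing state never matches."""
    if received is None or expected is None:
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


def extract_code(callback_url, expected_state):
    """Parse the redirect back from IDCS; trust the code only if 'state'
    matches what we generated, otherwise the callback may be forged (CSRF)."""
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [None])[0]
    if not state_matches(received_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def basic_auth_header(client_id, client_secret):
    """client_id:client_secret, Base64-encoded, as the token endpoint expects."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_code_exchange(code, redirect_url=REDIRECT_URL):
    """POST that trades the authorization code for tokens. The client
    credentials travel in the Authorization header, never in a query string."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_url,
        }),
    }


def as_curl(request):
    """Same request as a cURL command line, for testing by hand."""
    parts = ["curl", "-X", request["method"], f"'{request['url']}'"]
    for name, value in request["headers"].items():
        parts += ["-H", f"'{name}: {value}'"]
    parts += ["--data", f"'{request['body']}'"]
    return " ".join(parts)


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Constructed callback, in the shape IDCS redirects the browser to after login.
    callback = f"{REDIRECT_URL}?code=AQIDBAU&state={state}"
    print(as_curl(build_code_exchange(extract_code(callback, state))))
```

The state value must be stored server-side (or in a signed cookie) between the two steps; a callback whose state doesn't match is rejected before the code is ever sent to the token endpoint, and the redirect URL in the code exchange must be the same one registered in step 6.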

How to Access External Applications Using OAuth

If your external application is secured by an identity provider such as Oracle Identity Cloud Service, use the OAuth protocol so that your communications application can securely access the external server application.

To access your external application, you must do the following:
  • Specify the OIDC client credentials when you integrate your external application with your communications application. When you set up the connection descriptor, specify these details of the OIDC client application that secures your external application:
    • Client ID
    • Client Secret
    • OAuth Scope to access your application
    • Identity URI (the token endpoint) from which the access token is requested

      For more information, see the Integrate External Applications chapter within this guide.

  • If your identity provider is Oracle Identity Cloud Service, add your OIDC client application as a trusted application in Oracle Identity Cloud Service.
  • Register your communications application's signing certificate in the OIDC client of your external application. To get the signing certificate for your communications application, create a service request on My Oracle Support at https://support.oracle.com.
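The following is an added example, not code from the Oracle documentation or from the product, of what the communications application does with the four connection descriptor values listed above: it sends a client credentials request to the identity URI with the secret in a Basic header, validates the token response, and caches the access token until shortly before it expires so that each REST call carries a valid Bearer header. The descriptor field names, the scope string, the host and the sample token response are constructed placeholders, not the product's actual schema or output.

```python
# Added example (not from the Oracle documentation): client credentials grant
# driven by the connection descriptor fields above, with the access token
# cached until shortly before expiry. Field names and values are placeholders.
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed connection descriptor (assumed field names, not the product's schema).
DESCRIPTOR = {
    "client_id": "ext-app-client-id",                    # placeholder
    "client_secret": "ext-app-client-secret",            # placeholder
    "scope": "https://external.example.com/api/.all",    # assumed scope string
    "identity_uri": "https://idcs-example.identity.oraclecloud.com/oauth2/v1/token",
}

REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched


def basic_auth_header(client_id, client_secret):
    """client_id:client_secret, Base64-encoded, for the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_client_credentials_request(descriptor):
    """Token request to the identity URI; the secret goes in the header only."""
    return {
        "url": descriptor["identity_uri"],
        "headers": {
            "Authorization": basic_auth_header(descriptor["client_id"],
                                               descriptor["client_secret"]),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": descriptor["scope"]}),
    }


def parse_token_response(text, now):
    """Validate the JSON token response and compute an absolute expiry time."""
    data = json.loads(text)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    token = data.get("access_token")
    if not token:
        raise ValueError("token response carries no access_token")
    return token, now + int(data.get("expires_in", 0))


class TokenCache:
    """Holds one access token per descriptor and knows when to replace it."""

    def __init__(self, descriptor):
        self.descriptor = descriptor
        self.token = None
        self.expires_at = 0

    def store(self, response_text, now):
        self.token, self.expires_at = parse_token_response(response_text, now)
        return self.token

    def needs_refresh(self, now):
        return self.token is None or now >= self.expires_at - REFRESH_MARGIN

    def bearer_header(self, now):
        """Value for the Authorization header of a REST call to the external app."""
        if self.needs_refresh(now):
            raise RuntimeError("token missing or about to expire; fetch a new one first")
        return f"Bearer {self.token}"

    def fetch(self, now=None):
        """Live token request; only meaningful against a real identity provider."""
        now = time.time() if now is None else now
        req = build_client_credentials_request(self.descriptor)
        http = Request(req["url"], data=req["body"].encode("ascii"),
                       headers=req["headers"], method="POST")
        with urlopen(http, timeout=10) as resp:
            return self.store(resp.read().decode("utf-8"), now)


# Constructed token response in the shape a token endpoint returns (sample only).
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJhbGciOiJSUzI1NiJ9.sample.sig",
                              "token_type": "Bearer", "expires_in": 3600})

if __name__ == "__main__":
    cache = TokenCache(DESCRIPTOR)
    cache.store(SAMPLE_RESPONSE, now=time.time())
    print(cache.bearer_header(now=time.time()))
```

Refreshing a minute early avoids sending a request with a token that expires in flight; a real client should also serialize concurrent refreshes so that a burst of REST calls doesn't produce a burst of token requests.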

How to Set Up Basic Authentication

You can also use basic authentication to secure access from external applications.

Basic authentication doesn't require any configuration in Oracle Identity Cloud Service. You can use any user account created for your application to access REST APIs; prefer a dedicated integration account that holds only the privileges the external application needs. You must provide the account credentials (user name and password) when you integrate the external application with your application. For more information, see the Integrate External Applications chapter in this guide.

For basic authentication, the external application passes the account credentials in the Authorization header of the HTTP request: the user name and password are joined with a colon and Base64-encoded into a basic authentication header, and the sign-in URL is called with that header so that the authentication service can validate it. On successful authentication, the external application can access your application's REST APIs. Base64 is an encoding, not encryption, so the header must only ever be sent over HTTPS.