1.1 API Security
The Oracle Banking Branch provides an API Layer (Service API Layer) for external users to access Oracle Banking Branch functionality. This topic covers the following options for securing and accessing that layer:
- OAuth with OAM (Oracle Access Manager)
- OAuth without OAM
- Oracle Banking Routing Hub
Note: If the customer does not have OAM, an enterprise API Management layer should be implemented to protect the service API(s).

Register OAuth Clients with API Gateway
New OAuth users can be registered with Oracle Banking Microservices Architecture using the endpoint below:
http://<hostname>:<port>/api-gateway/createOauthUsers
- Header: appId: SECSRV001
- Header: Content-Type: application/json
- Header: userId: <USERID>
- Header: Authorization: Bearer <<JWT Access Token>>
Body:
{
  "UserList": [
    {
      "clientId": "<< clientId >>",
      "clientSecret": "<< clientSecret >>",
      "validity": "<< Validity in seconds >>"
    },
    {
      "clientId": "<< clientId >>",
      "clientSecret": "<< clientSecret >>",
      "validity": "<< Validity in seconds >>"
    }
  ]
}
Modify Token Expiry of Registered OAuth Client
The token expiry time of a registered client can be updated using the endpoint below:
http://<hostname>:<port>/api-gateway/modifyvalidity
- Header: appId: SECSRV001
- Header: Content-Type: application/json
- Header: userId: <USERID>
- Header: Authorization: Bearer <<JWT Access Token>>
Body:
{"client_id":"<< clientId >>","validity":"<< Validity in seconds >>"}
API Security with OAuth
OAuth with OAM (Oracle Access Manager)
Figure 1-1 OAuth with OAM (Oracle Access Manager)
- API clients pass the client ID, the client secret, and the grant type CLIENT CREDENTIALS to obtain the access token from the endpoint below:
  /oauth2/rest/token
- API clients pass the access token in the Authorization header as a Bearer token in their subsequent calls to access the Service APIs.
- API Gateway validates the client access token against the OAM Authorization server.
- If the token is valid, API Gateway passes the request on to the SVC APIs and returns the response.
- The client can choose to get a new token (refresh) before the current token expires. If the token has already expired, the client passes the client ID and client secret again to get a new token.
OAuth without OAM
Figure 1-2 OAuth without OAM - Token Generation
Figure 1-3 OAuth without OAM - Accessing SVC
- API clients pass the client ID and client secret in the body, together with the other required headers, to obtain the access token from the endpoint below:
  http://<<hostname>>:<<port>>/api-gateway/platojwtauth/
- API clients pass the access token in the Authorization header as a Bearer token in their subsequent calls to access the Service APIs.
- API Gateway validates the client access token against the Authorization server.
- If the token is valid, API Gateway passes the request on to the SVC APIs and returns the response.
- The client can choose to get a new token (refresh) before the current token expires. If the token has already expired, the client passes the client ID and client secret again to get a new token.
- In addition, a facility for extending the validity of the token is provided (see Modify Token Expiry of Registered OAuth Client above).
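The token lifecycle described in the two flows above (obtain a token with client credentials, send it as a Bearer token, refresh before expiry, gateway rejects a stale token), as an added example that is not part of the Oracle documentation or product code. It assumes a JSON transport callable, the request field names clientId/clientSecret and the response fields access_token/expires_in, which the page does not specify; the in-memory FakeGateway only imitates the validate-then-forward behaviour described above so the example runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Optional
# Token endpoint quoted on the page (OAuth without OAM); host and port are placeholders.
TOKEN_URL = "http://<<hostname>>:<<port>>/api-gateway/platojwtauth/"
SVC_URL = "http://<<hostname>>:<<port>>/svc/echo"   # hypothetical service API behind the gateway

@dataclass
class GatewayClient:
    client_id: str
    client_secret: str
    send: Callable[[str, dict, dict], dict]   # assumed transport: (url, headers, body) -> JSON
    refresh_margin: int = 30                  # renew this many seconds before the token expires
    _token: Optional[str] = None
    _expires_at: float = 0.0
    def access_token(self, now: float) -> str:
        """Return the cached token, requesting a new one when it is about to expire."""
        if self._token is None or now + self.refresh_margin >= self._expires_at:
            # Field names clientId/clientSecret and access_token/expires_in are assumptions.
            resp = self.send(TOKEN_URL, {"Content-Type": "application/json"},
                             {"clientId": self.client_id, "clientSecret": self.client_secret})
            self._token, self._expires_at = resp["access_token"], now + int(resp["expires_in"])
        return self._token
    def call_service(self, url: str, body: dict, now: float) -> dict:
        # Subsequent calls carry the token as a Bearer token in the Authorization header.
        return self.send(url, {"Authorization": "Bearer " + self.access_token(now)}, body)

class FakeGateway:
    """Constructed stand-in for the API gateway: issues tokens, validates Bearer tokens, forwards."""
    def __init__(self, validity: int = 60):
        self.validity, self.issued, self.clock = validity, {}, 0.0   # token -> expiry on a fake clock
    def __call__(self, url: str, headers: dict, body: dict) -> dict:
        if url == TOKEN_URL:
            token = f"tok{len(self.issued) + 1}"
            self.issued[token] = self.clock + self.validity
            return {"access_token": token, "expires_in": self.validity}
        token = headers.get("Authorization", "")[len("Bearer "):]
        if self.issued.get(token, -1.0) <= self.clock:   # missing, unknown or expired: reject
            return {"status": 401}
        return {"status": 200, "echo": body}              # valid: forward to the service API

def demo() -> dict:
    """Fake-clock run: token reused, refreshed before expiry, and a stale token rejected."""
    gw = FakeGateway(validity=60)
    client = GatewayClient("<< clientId >>", "<< clientSecret >>", gw)
    statuses = []
    for t in (0, 10, 40, 70):
        gw.clock = t
        statuses.append(client.call_service(SVC_URL, {"t": t}, now=t)["status"])
    stale = gw(SVC_URL, {"Authorization": "Bearer tok1"}, {})["status"]   # tok1 expired at t=60
    return {"statuses": statuses, "tokens_issued": len(gw.issued), "stale_token_status": stale}
```

Three tokens are issued across the four calls: the second call reuses the first token, while the third and fourth fall inside the refresh margin and trigger a new token request before the old one expires.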
Access APIs through Oracle Banking Routing Hub
If the external services (services in bank or consulting) need to access APIs in Oracle Banking Microservices Architecture modules, the services will first have to generate an access token using Oracle Banking Routing Hub endpoints and then use the token to authorize themselves to access the endpoints.
Refer to the Authentication section under the Implementation topic in the Routing Hub Configuration User Guide for further details.