1.1 API Security
This topic describes about the API Security.
Oracle Banking Cash Management application provides an API Layer (also known as the Service API Layer) which is used by external consumers to access the Oracle Banking Cash Management functionality.
- OAuth with OAM (Oracle Access Manager)
- OAuth without OAM
- Oracle Banking Routing Hub
If the customer does not have OAM, they can use OAUTH without OAM or enterprise API Management layer should be implemented to protect the service API(s).
Register OAuth Clients with API Gateway
New Oath users can be registered with Oracle Banking Microservices Architecture using the below endpoint.
http://<hostname>:<port>/api-gateway/createOauthUsers
- Header: appId: SECSRV001
- Header: Content-Type: application/json
- Header: userId: <USERID>
- Header: Authorization: Bearer <<JWT Access Token>>
{
"UserList": [
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
},
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
}
]
}
Modify Token Expiry of Registered OAuth Client
Token expiry time can be updated using the below endpoint:
http://<hostname>:<port>/api-gateway/modifyvalidity
- Header: appId: SECSRV001
- Header: Content-Type: application/json
- Header: userId: <USERID>
- Header: Authorization: Bearer <<JWT Access Token>>
{"client_id":"<< clientId >>","validity":"<< Validity in seconds >>"}API Security with OAuth
OAuth with OAM
- API clients pass the client id & client secret and grant type as CLIENT
CREDENTIALS, to get the access token, using the below endpoint
/oauth2/rest/token. - API Clients will pass the access token in the Authorization Header as Bearer token in their subsequent calls to access the Service APIs.
- API Gateway validates the client access token on OAM Authorization server
- If valid, it passes the request on to the Svc APIs and gets the response.
- The client can choose to get a new token (refresh) before the expiry of the current token. In case the token expires, they will pass the client Id and client secret to get a new token.
OAuth without OAM
Figure 1-3 OAuth without OAM - Accessing svc flow
- API clients pass the client id & client secret in the body and other required
headers, to get the access token, using the below endpoint:
http://<>:<>/api-gateway/platojwtauth/ - API Clients will pass the access token in the Authorization Header as Bearer token in their subsequent calls to access the Service APIs.
- API Gateway validates the client access token on Authorization server.
- If valid, it passes the request on to the Svc APIs and gets the response.
- The client can choose to get a new token (refresh) before the expiry of the current token. In case the token expires, they will pass the client Id and client secret to get a new token.
- Also, an additional facility of increasing the token is provided.
Access APIs through Oracle Banking Routing Hub
If the external services (services in bank or consulting) need to access APIs in Oracle Banking Microservices Architecture modules, the services will first have to generate an access token using Oracle Banking Routing Hub endpoints and then use the token to authorize themselves to access the endpoints.
Refer to Authentication section under Implementation topic in Routing Hub Configuration User Guide for the further details.
Parent topic: Securing API Services