Different ways to consume Fusion SaaS API using OAuth authentication
More and more customers are asking for options to connect to Fusion using OAuth, as they want to move away from the Basic authentication mechanism.
In this blog let's discuss the different ways of setting up OAuth security for connecting to Fusion APIs.
Below is a high-level comparison between the different options, followed by the steps, as this blog is going to be lengthy.

Note — For Option 2 and Option 3, the domain details that you collect and the resource server and confidential application that you create will be in the Fusion domain, not the Default domain.

A) Get domain details.
Log in to OCI -> Identity and Security -> Domains -> Default Domain

Copy the domain URL, as it will be needed later to create the API calls that authorize and get the token.

B) Create resource server application
In default domain -> Integrated Application -> Add Application

Select
- Confidential Application — Launch workflow
- Provide app name -> Hit Next
- Select Configure this application as a resource server now
- Access token expiration (seconds) as 3600
- Check Allow token refresh
- Keep the Refresh token expiration (seconds) as 604800
- Enter the URL for the Fusion instance as below in Primary audience
https://XXXXXX.fa.ocs.oraclecloud.com:443
- Click on Add Scopes
Scope as /
Display Name - can be kept empty
Description can be given as All
Requires user consent should be checked.
- Click on next and finish the setup.
- Activate the application.

C) Create confidential application.
In default domain -> Integrated Application -> Add Application

Select
- Confidential Application — Launch workflow
- Provide app name -> Hit Next
- Select Configure this application as a client now
- Selection of Allowed grant types will vary based on the Option
For Option 1 and Option 2, under Allowed grant types check Authorization code and Refresh token
For Option 3, under Allowed grant types check Client Credentials and Refresh token
- Value for Redirect URL will vary based on the Option
For Option 1 and Option 2 set Redirect URL to the OIC callback URL (if you are creating the connection in OIC) or the Postman callback URL (if you want to test this in Postman). The OIC callback URL is of the form
https://XXXXXXXX.ocp.oraclecloud.com/icsapis/agent/oauth/callback
For Option 3 leave Redirect URL empty
- Set Client type as Confidential.
- In the Resources section click on Add Scope and add the resource application that was created in Step B, and also add the Fusion Application Cloud service resource.
- Click on next and finish the setup.
- Activate the application. Save the client id and the client secret as they will be needed while configuring the connections.
Screenshots for Option 1 and Option 2

Screenshots for Option 3


D) Create service account user in OCI.
For Option 1 and Option 2 we need to create a user in OCI for the service account. Let's say ERP_OIC_INTG is the username.
Note — This user should be assigned the Service Administrator role, as while configuring the OIC connection we need to log in to the OIC instance with the service account user and provide consent.
For Option 3 there is no need to create a service account user in OCI.
E) Create service account user in Fusion.
For Option 1 and Option 2 we need to create a user in Fusion with the same username. In this case it is ERP_OIC_INTG.
It is very important to assign the user the following roles:
a. Integration Specialist
b. SOAOperator
c. FND_MANAGE_CATALOG_SERVICE_PRIV
Follow the document below to assign roles to the user.
For Option 3 the username should match the client id of the confidential application created in Step C.
F) Upload certificates in Fusion.
In Option 2 and Option 3 the domain where the confidential application is created is the Fusion domain, so the token generated will be validated by Fusion SaaS without any extra steps. For Option 1, since the confidential application was created in the Default domain, we need to upload the certificates from the Default domain into Fusion: the token is issued by the Default domain, and when it is passed to Fusion, Fusion needs that domain's signing certificate to validate the token.
Execute the below API in Postman:
REST URL : https://XXXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk
REST Operation : GET
It returns keys in which there will be 2 x5c entries. The first one is the IDCS signing certificate and the other one is the CA certificate.
We need to raise an SR with Oracle and get the certificates uploaded in Fusion.
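To see what the SigningCert/jwk response looks like and pull out the two x5c entries in PEM form for the SR, here is an added example (not from the original post). The JWKS document and the certificate bytes in it are constructed placeholders; only the JSON shape matches the real endpoint.

```python
# Added example (not from the original post): turn the x5c entries returned by
# the IDCS /admin/v1/SigningCert/jwk endpoint into PEM certificates, so they
# can be attached to the SR for upload into Fusion. SAMPLE_JWKS is a
# constructed sample; real responses carry full DER certificates.
import base64
import json
import textwrap

# Constructed sample of the endpoint's JSON shape (RFC 7517 JWKS); the x5c
# values are placeholders, not real certificates.
SAMPLE_JWKS = json.dumps({
    "keys": [{
        "kty": "RSA",
        "kid": "SIGNING_KEY",
        "use": "sig",
        "alg": "RS256",
        "x5c": [
            base64.b64encode(b"constructed IDCS signing certificate DER").decode(),
            base64.b64encode(b"constructed CA certificate DER").decode(),
        ],
    }]
})


def x5c_to_pem(der_b64: str) -> str:
    """Wrap a base64 DER certificate (an x5c entry) as a PEM block."""
    # Validate that the entry is well-formed base64 before re-wrapping it.
    base64.b64decode(der_b64, validate=True)
    body = "\n".join(textwrap.wrap(der_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_signing_chain(jwks_json: str) -> dict:
    """Return {'idcs_signing': pem, 'ca': pem} from a JWKS document.

    The post states the first x5c entry is the IDCS signing certificate and
    the second is the CA certificate; x5c order (leaf first) matches RFC 7517.
    """
    keys = json.loads(jwks_json).get("keys", [])
    sig_keys = [k for k in keys if "x5c" in k and k.get("use", "sig") == "sig"]
    if not sig_keys:
        raise ValueError("no signing key with an x5c chain in JWKS")
    chain = sig_keys[0]["x5c"]
    if len(chain) < 2:
        raise ValueError("expected signing certificate and CA certificate in x5c")
    return {"idcs_signing": x5c_to_pem(chain[0]), "ca": x5c_to_pem(chain[1])}
```

Replace SAMPLE_JWKS with the body returned by the GET call and write each PEM string to its own file.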
G) Setups in OIC.
For Option 1 and Option 2, create a connection in OIC, for which we need to log in to OIC as the service account. In this case it is ERP_OIC_INTG.
It can be any adapter (ERP Cloud Adapter, REST Adapter, SOAP Adapter) and below are the parameters.
ERP Cloud Host: https://XXXXX.fa.ocs.oraclecloud.com
Client Id and Client Secret that we received from Step C.
Authorization Code URI: https://YYYYY/oauth2/v1/authorize
Access Token URI: https://YYYYY/oauth2/v1/token
YYYYY is the domain name that you received from Step A and it would be of the format
YYYYY.identity.oraclecloud.com:443
Scope
https://XXXXX.fa.ocs.oraclecloud.com:443/ offline_access
where XXXXX is from the Fusion URL.
For the SOAP Adapter, in Optional Security select Client Authentication as Send in header.
Once you enter all the details click on Provide Consent. This will open another window where it will prompt for login from the Fusion side. Log in with the Fusion user. It will authenticate and then you can close the window.
Go back to the connections page and then click on Test. If the roles are provided properly then the connection will be 100% successful.
For Option 3, below is the curl command to get the token from the Fusion domain:
curl --location 'https://idcs-XXXXX.identity.oraclecloud.com:443/oauth2/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--header 'Authorization: Basic ZZZZZZZZZ' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=https://YYYYYYY.fa.ocs.oraclecloud.com:443/'
where XXXXX is from the IDCS domain URL that we captured in Step A,
ZZZZZZZZZ is the Base64 encoded value of ClientID:ClientSecret,
and YYYYYYY is from the Fusion URL.
This will return an access_token in the below JSON format.
{
"access_token": "asdadasdsdasdasd",
"token_type": "Bearer",
"expires_in": 3600
}
This access_token value can be passed as the Bearer value in the Authorization header of the Fusion API call. OIC adapters can also be configured to use the client credentials approach.
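The same Option 3 token call written in Python with only the standard library, as an added example (not from the original post): it builds the exact request the curl command sends and parses the token JSON so the caller knows when to refresh. The domain, host and client credentials are placeholders to be replaced with the values from Steps A and C.

```python
# Added example (not from the original post): the Option 3 client-credentials
# token request from the curl command above, built in Python with the standard
# library only, plus a parser that tracks the token's expiry so the caller
# refreshes before expires_in runs out. Host names and credentials passed in
# are placeholders that must be replaced with real values.
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(idcs_domain: str, client_id: str, client_secret: str,
                        fusion_host: str) -> tuple:
    """Return (url, headers, body) mirroring the curl command in the post."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        "Authorization": f"Basic {basic}",
    }
    # The scope is the Fusion primary audience with the "/" scope appended.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": f"https://{fusion_host}:443/",
    })
    return f"https://{idcs_domain}:443/oauth2/v1/token", headers, body


def parse_token_response(raw: str, now: float) -> dict:
    """Validate the token JSON and compute an absolute expiry timestamp."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"token endpoint returned no access_token: {raw}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a Bearer token")
    return {
        "access_token": data["access_token"],
        # Refresh a minute early so in-flight calls do not hit a 401.
        "expires_at": now + int(data.get("expires_in", 3600)) - 60,
    }


def fetch_token(idcs_domain, client_id, client_secret, fusion_host) -> dict:
    """Perform the request and return the parsed token (network call)."""
    url, headers, body = build_token_request(idcs_domain, client_id,
                                             client_secret, fusion_host)
    req = urllib.request.Request(url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode(), time.time())
```

Send the returned access_token as "Authorization: Bearer <token>" on the Fusion API call, and call fetch_token again once time.time() passes expires_at.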
Conclusion:
Option 1 and Option 2 use the Authorization Code flow, which requires someone to manually provide consent as the service account user, and the approach needs redirect URLs. However, Option 2 is easier to implement than Option 1, as there is no need to upload additional certificates into Fusion.
Option 3 uses the Client Credentials flow and is used when there is no way to specify a redirect URL and external applications still need to call Fusion APIs.