OAuth2: Getting Started
In IDCS, the URL usually looks like: <tenant-id>.identity.
Step 1: IDCS client app configuration
Open your IDCS admin console, then go to "Applications":
https://<tenant-base-url>/ui/
Open your client-side application, or create a new (confidential) application by clicking on "+ Add":
1. In the "Details" tab, enter a Name for your app (free text) and check "Display in My Apps".
2. In the "Configuration" tab:

| Setting | Value |
|---|---|
| Register Client | ✓ |
| Allowed Grant Types | JWT Assertion |
| Redirect URL | (application URL where the user is redirected after authentication) |
| Client Type | Trusted |
| Certificate | (import the signing certificate that the client uses) |
| Allowed Operations | (none) |
| Token Issuance Policy | Specific |
| Resources | (none) |
| Grant the client access to... Admin APIs | (none) |

3. In the "Resources" tab:

| Setting | Value |
|---|---|
| Register Resources | ✓ |
| Primary Audience | https://<vbcs-base-url> |

4. Click on "Save".
5. Click on "Activate".
Step 2: IDCS ServiceManager server configuration
On the IDCS admin console, go to "Applications":
Open your client-side application, or create a new (confidential) application by clicking on "+ Add":
1. In the "Details" tab:

| Setting | Value |
|---|---|
| Name | ServiceManager |
| Application URL | http://<ServiceManager-host>/ |
| Display in My Apps | ✓ |

2. In the "Configuration" tab:

| Setting | Value |
|---|---|
| Register Client | ✓ |
| Allowed Grant Types | JWT Assertion |
| Client Type | Confidential |
| Allowed Operations | (none) |
| Token Issuance Policy | Specific |

3. In the "Resources" tab:

| Setting | Value |
|---|---|
| Register Resources | ✓ |
| Primary Audience | https://<ServiceManager-host>/ |

4. Click on "Save".
5. Click on "Activate".
Step 3: VBCS configuration
On the menu to the left, go to Service Connections > (click on your connection).
1. In the "Service" tab, set "Service Base URL" to:
http://<ServiceManager_
2. In the "Authentication" tab, set the following:

| Setting | Value |
|---|---|
| Define Authentication | ✓ |
| Authentication Mechanism | User Assertion OAuth 2.0 |
| Client Id | (client_id of client app*) |
| Secret | (client_secret of client app*) |
| Scope | `urn:opc:idm:__myscopes__` |

* Open the IDCS app configuration as described in Step 1 of this document to obtain the client_id and client_secret ("Configuration" tab > "General Information" section).
Step 4: ServiceManager System Properties
Refer to your OpenID configuration document to obtain the following settings:
https://<tenant-base-url>/.
The following properties must be set in Admin > System Properties:

| Property | Description |
|---|---|
| OAUTH2_JWKS | URL of the public signing keys. Usually defined by the jwks_uri property in the OpenID configuration document. |
| OAUTH2_ISSUER | Expected issuer. If the access_token has a different issuer, validation fails. Usually defined by the issuer property in the OpenID configuration document. |
| OAUTH2_AUDIENCE | Expected audience. If the access_token does not include this audience, validation fails. Usually the same as tenant-base-url. |
| OAUTH2_HIDDEN_CLAIMS | (optional) Comma-separated list of claim keys that should not be accessible from input parameters nor printed in the log. |

Example configuration for Oracle IDCS:

```
OAUTH2_JWKS = https://<tenant-base-url>/
OAUTH2_ISSUER = https://identity.oraclecloud.
OAUTH2_AUDIENCE = https://<tenant-base-url>
OAUTH2_HIDDEN_CLAIMS = scope,clientAppRoles,
```
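The checks the four properties describe, as an added Go example that is not ServiceManager's or Oracle's own code: it builds an RSA public key from a JWK's n and e, verifies an RS256 access_token with the key named by its kid, checks iss, aud (a bare string or, as IDCS usually issues it, an array) and exp, then removes the hidden claims before the claims are exposed. SignRS256 and newKey exist only to construct a sample token offline; in production the token comes from IDCS. The kid-indexed map, the JWK field names and all function names are assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// JWK holds the RSA members of one OAUTH2_JWKS entry; the caller indexes the fetched "keys" array by kid (assumed layout).
type JWK struct{ Kid, N, E string }
var b64 = base64.RawURLEncoding
func enc(v any) string    { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b }
func sum(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // only for the constructed sample
// SignRS256 only constructs a sample access_token for offline use; in production IDCS issues the token.
func SignRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	si := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(claims)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum(si))
	return si + "." + b64.EncodeToString(sig)
}
// Validate mirrors the OAUTH2_* properties: RS256 signature by kid (OAUTH2_JWKS), iss (OAUTH2_ISSUER), aud (OAUTH2_AUDIENCE), exp after now (unix seconds), then drops OAUTH2_HIDDEN_CLAIMS.
func Validate(tok string, keys map[string]JWK, issuer, audience, hidden string, now int64) (map[string]any, error) {
	p := strings.Split(tok, ".")
	hdr, claims := struct{ Alg, Kid string }{}, map[string]any{}
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &claims) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // pinning RS256 also rejects alg=none/HS256 downgrades
	}
	k, ok := keys[hdr.Kid]
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(p[0]+"."+p[1]), dec(p[2])) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	list, _ := claims["aud"].([]any) // IDCS usually issues aud as an array; a bare string is accepted too
	audOK := claims["aud"] == audience
	for _, a := range list {
		audOK = audOK || a == audience
	}
	if exp, _ := claims["exp"].(float64); claims["iss"] != issuer || !audOK || now >= int64(exp) {
		return nil, errors.New("iss, aud or exp check failed")
	}
	for _, c := range strings.Split(hidden, ",") { // hidden claims never reach ${oauth2.<claim_key>} or the log
		delete(claims, strings.TrimSpace(c))
	}
	return claims, nil
}
```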
Step 5: ServiceManager ServiceEditor
Open your service by clicking on it in the "Services" tab, and click on "Edit".
- In the "Advanced Details" section, select "Authentication Type" = "OAuth2".
- In the "Default Value" of the "Input Parameters" section, you may refer to claims from the OAuth2 access_token by:
  ${oauth2.<claim_key>}
  (<claim_key> is the name of the desired property inside the JWT access_token.)
If you are not sure which <claim_key> to use, save the service and run it once.
You should then see in 'Admin > View Log' a log line with the decoded JWT, consisting of claim keys and claim values.