Friday, August 12, 2022

How to limit the Access of IDCS OAuth App for an OIC instance

There are cases where we expose our OIC integrations as an API to third-party applications.

In such cases OAuth is more secure than Basic Auth as the authentication type.

In this post we will see how to give an OAuth app limited access to an OIC instance.

If we do not restrict the access, the app can invoke any integration in the instance, not only the ones it was created for.

We can follow the steps below to achieve this:

Log in to the IDCS admin console -> click on Menu -> click on Applications.


Now click on Add.


A dialog appears. Here select Confidential Application.


Provide a Name and click Next.


On the next screen select Configure this application as a client now.

Select the settings as shown below; the Client Credentials grant type must be allowed here, since that is the grant we use later from Postman:


Click on Next.

In the Resources section provide the Primary Audience and the Scope.

The scope we request when getting the access token is the concatenation primary audience + scope.

If the primary audience is only the common base URL of the REST endpoints, the app can call every integration in the instance. So we include part of the integration identifier in the primary audience as well.

A sample value for the primary audience looks like this:

https://abcd-efgh-ia.integration.ocp.oraclecloud.com:443/ic/api/integration/v1/flows/rest/POC_

Here we have appended POC_ at the end.

This allows the OAuth app to access only those integrations whose identifier starts with POC_. The match is a plain string prefix, so every integration whose identifier begins with POC_, intended or not, becomes reachable; keep the naming convention strict.


Now in the Scope we put the remaining part of the endpoint path: the rest of the integration identifier, the version and the resource:

REQUISITION_DETAILS_OUTBOUND/1.0/getRequisitionDetails


After this click Next. Select Skip for later for the Web Tier Policy.

In Authorization, tick the Enforce Grants as Authorization checkbox.


Click Finish.

An Application Added dialog appears containing the client ID and client secret. Note both down now; the secret is needed for the token request.

Our app configuration is done. We can activate the app.


After it is activated, we assign this app to an application role of the OIC instance.

We assign the "Service Invoker" role, since we want to give minimal access: just enough to invoke the integration.

For this go to Menu -> Oracle Cloud Services -> search for the OIC instance.


Click on Application Roles -> go to the Service Invoker role -> Assign menu -> Assign Applications.


Search for the OAuth app we created, select it and click OK.

Now this application holds the Service Invoker role on the OIC instance.

To test, create two or three integrations whose identifiers start with POC_ and one or two whose identifiers do not.

Now let us test from Postman.


Select Auth Type -> OAuth 2.0.

Click Get New Access Token.

Provide the details:

     Client ID        - xxxxxxxxxxxxxd4ea28xxxxxx6303113605
     Client Secret    - xxxx-5ffa-466d-xxxx-8fa07f682104
     Access Token URL - https://tenant-base-url/oauth2/v1/token
     Auth URL         - https://tenant-base-url/oauth2/v1/authorize
     Scope            - value of primary audience + scope
     Grant Type       - Client Credentials

With the Client Credentials grant only the Access Token URL is actually called; the Auth URL is not used for this grant.


After the token is generated -> select the token -> Use Token.

Send the request with the method the OIC integration expects; here it is GET.

The response is 200 OK, which means the call succeeded:


The endpoint above has POC_ at the start of its integration identifier, so the result is as expected.


Now let us take an integration whose identifier does not start with POC_.

If we send the same request against it, it should give a 401 Unauthorized error.
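The same test, scripted, as an added example that is not part of the original post or of Oracle's tooling. It builds the client-credentials token request the way Postman does (client ID and secret in a Basic header, grant_type and scope in the form body), composes the scope as primary audience + scope, and applies the prefix rule the post relies on to predict 200 or 401 for each endpoint. The IDCS tenant URL, OIC host, client credentials and integration identifiers are constructed placeholders; the live calls only run when real credentials are supplied through environment variables.

```python
"""Scripted version of the Postman test above.

Added example, not code from the original post or from Oracle. The tenant URL,
host name, client credentials and integration identifiers are constructed
placeholders (the post masks the real ones); replace them before running live.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not real values).
IDCS_BASE = "https://tenant-base-url"
OIC_HOST = "https://abcd-efgh-ia.integration.ocp.oraclecloud.com:443"
REST_BASE = OIC_HOST + "/ic/api/integration/v1/flows/rest/"
PRIMARY_AUDIENCE = REST_BASE + "POC_"
SCOPE = "REQUISITION_DETAILS_OUTBOUND/1.0/getRequisitionDetails"


def token_scope(audience: str, scope: str) -> str:
    """Scope value to request from IDCS: primary audience + scope, as configured."""
    return audience + scope


def token_request(idcs_base: str, client_id: str, client_secret: str,
                  scope: str) -> urllib.request.Request:
    """Build (but do not send) the client_credentials token request.

    Client id/secret go in an HTTP Basic header (RFC 6749 section 2.3.1);
    grant_type and scope go in the form-encoded body. Only the token endpoint
    is involved; the authorize endpoint is never called for this grant.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode()
    return urllib.request.Request(
        idcs_base + "/oauth2/v1/token", data=body, method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/x-www-form-urlencoded"})


def endpoint_url(identifier: str, version: str, resource: str) -> str:
    """REST endpoint of an OIC integration: rest base + identifier/version/resource."""
    return f"{REST_BASE}{identifier}/{version}/{resource}"


def is_under_audience(audience: str, url: str) -> bool:
    """Plain string-prefix check: the primary audience ends in POC_, so only
    endpoint URLs that start with it are in scope for this app."""
    return url.startswith(audience)


def expected_status(audience: str, url: str) -> int:
    """Outcome the post observes: 200 for an in-scope integration, 401 otherwise."""
    return 200 if is_under_audience(audience, url) else 401


def fetch_token(req: urllib.request.Request) -> str:
    """Send the token request and return the bearer token (network required)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_integration(url: str, token: str) -> int:
    """GET the integration with the bearer token and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 is the expected result for an out-of-scope integration


# Constructed test set: two POC_ integrations and one without the prefix.
TEST_ENDPOINTS = [
    endpoint_url("POC_REQUISITION_DETAILS_OUTBOUND", "1.0", "getRequisitionDetails"),
    endpoint_url("POC_ORDER_STATUS", "1.0", "getOrderStatus"),
    endpoint_url("INVOICE_OUTBOUND", "1.0", "getInvoices"),
]

if __name__ == "__main__":
    for url in TEST_ENDPOINTS:
        print(expected_status(PRIMARY_AUDIENCE, url), url)
    # Live run only when real credentials are supplied via the environment.
    if os.environ.get("OIC_CLIENT_ID") and os.environ.get("OIC_CLIENT_SECRET"):
        token = fetch_token(token_request(
            IDCS_BASE, os.environ["OIC_CLIENT_ID"], os.environ["OIC_CLIENT_SECRET"],
            token_scope(PRIMARY_AUDIENCE, SCOPE)))
        for url in TEST_ENDPOINTS:
            status = call_integration(url, token)
            print(status, "expected", expected_status(PRIMARY_AUDIENCE, url), url)
```

Note that with the values configured in this post the requested scope (primary audience + scope) is exactly the full URL of the POC_REQUISITION_DETAILS_OUTBOUND endpoint. Run the script with OIC_CLIENT_ID and OIC_CLIENT_SECRET set to compare the live status codes against the predicted ones; any integration whose live result differs from the prediction is worth a second look at its identifier and at the app's role assignment.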


This way we can restrict the access of the OAuth app and keep our other integrations safe.