Sunday, September 25, 2022

How to Configure JWT based API authentication for Oracle Fusion Application

Oracle Fusion REST and SOAP APIs are usually called with Basic Authentication.

Basic authentication sends the user's password on every request, so the password has to be stored on the calling side, rotated when it expires, and is exposed wherever the request gets logged.

To avoid this we can switch to JWT based authentication, where the caller proves possession of a private key instead of sending a password.

JWT stands for JSON Web Token.

It consists of 3 parts, each part separated by a dot (.).

The first part is the base64url-encoded header, the second part is the base64url-encoded payload (the claims) and the third part is the base64url-encoded signature computed over the first two parts.

Earlier, to achieve this we had to raise an SR with Oracle to do the configuration, but now Oracle has made it self service, which speeds up the setup and helps projects go live sooner.

Oracle provides a support document for this:

How to Use JSON Web Token (JWT) For Authorization With Fusion Cloud Application REST APIs and SOAP Web Services ? (Doc ID 2572018.1)

In this post we will see the above setups in detail.

There are different steps which we need to perform for this:

1). Generate an RSA key pair (RS256 is RSA signing with SHA-256, so the key has to be RSA)

2). Create a public certificate from this, which will be uploaded in Oracle Fusion

3). Create an API Authentication Provider in Oracle Fusion and upload the public certificate.

4). Get the x5t value: the base64 encoded SHA-1 fingerprint of the certificate

5). Create the JWT header and payload

Header: The header must contain the following fields.

 typ    - Type of the content being signed. Value must be set to JWT

 alg    - Algorithm used to sign the JWT. Value must be RS256 (RSASSA-PKCS1-v1_5 with SHA-256; it is a signature algorithm, not encryption, and it requires an RSA private key)

 x5t    - Base64 encoded SHA-1 fingerprint (thumbprint) of the public certificate
           NOTE: openssl prints the thumbprint as a hex string. The hex must be converted back to raw bytes and those bytes base64 encoded (see step 4); base64 encoding the hex text itself gives a wrong x5t. RFC 7515 defines x5t as base64url encoded; this walkthrough uses standard base64 (with / and = characters), as in the example value further down.

          

Payload: The payload must contain the following fields.

 iat    - Timestamp (seconds since the Unix epoch) when the assertion was issued
 exp    - Timestamp when this assertion expires. The token is a bearer credential, so keep the lifetime short (minutes, not years); anyone who captures the token can use it until then
 iss    - Who issued this assertion; must match the name of the API Authentication Provider created in Fusion (test.com in this post)
 sub    - FA username entitled for the REST endpoint (optional)
 prn    - FA username entitled for the REST endpoint; the call runs with this user's privileges

6). Generate the JWT token (manually from a website like jwt.io, or automatically from a program, for example Java with third party libraries, or PL/SQL). jwt.io is convenient for a throwaway test key; a private key that a real Fusion instance trusts should only ever be used by our own code, never pasted into a website.

7). Test this from Postman by passing the token as Bearer Token type Auth.

Let's see each step in detail:

1). Generate an RSA key pair

On macOS or Linux run this command in the terminal:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key

We can keep the passphrase empty and press enter.

An unencrypted private key keeps the walkthrough simple, but whoever holds this file can mint a valid token for any Fusion username, so for a real integration restrict its file permissions and keep it in a secrets store or vault.

This creates the key pair: jwtRS256.key (the private key, in PEM format because of -m PEM) and jwtRS256.key.pub (the public key, in OpenSSH format).

Now run the command below to export the public key in PEM format. It overwrites the OpenSSH-format jwtRS256.key.pub from the previous step, and PEM is the format jwt.io and openssl expect:

openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

2). Create a public certificate from this, which will be uploaded in Oracle Fusion

For this run the command below from the same folder where we have the keys:

openssl req -new -x509 -key jwtRS256.key -out publickey.cer -days 365

It will ask for details like country, province, city, organization and Common Name. Provide the details and press enter. Use the issuer name we will register in Fusion (test.com in this post) as the Common Name, so that the certificate and the provider carry the same name.

This creates a self-signed public certificate for us; we can change -days as required. Note the expiry date, since a new certificate has to be uploaded in Fusion before this one runs out.

3). Create an API Authentication Provider in Oracle Fusion and upload the public certificate.

Log in to the Fusion Application with a user that has the IT Security Manager role.

Go to Navigator->Tools->Security Console->API Authentication

Here click on "Create Oracle API Authentication Provider" to register a provider.

Click on Edit in the next window.

Give the name as test.com; this will be the issuer (iss) name in our token and it is the same name we provided as Common Name while creating the certificate. Check JWT and SAML. Click on Save and Close.

Now click on Inbound API Authentication Certificates.

Here we give the certificate a name and upload the public certificate (publickey.cer) which we created from the keys.

Click on Save after uploading.

The certificate is listed after upload, with a download option in case we need the uploaded certificate again later.

We are done with the Fusion Application side setup.

4). Get the x5t value (base64 encoded fingerprint of the certificate)

For this we first run the command below to get the fingerprint:

openssl x509 -sha1 -in publickey.cer -noout -fingerprint

This prints the SHA-1 fingerprint of the certificate as colon separated hex, in the form SHA1 Fingerprint=80:5A:7C:4E:55:85:FD:66:6D:49:6E:78:91:FE:B9:5C:65:1F:43:B9.

The x5t value is the base64 encoding of the raw 20 fingerprint bytes, not of the hex text, so we convert the hex back to bytes and then base64 encode them.

Run the command below with the fingerprint from the previous command:

echo "80:5A:7C:4E:55:85:FD:66:6D:49:6E:78:91:FE:B9:5C:65:1F:43:B9"|xxd -r -p | base64

xxd -r -p reads the hex pairs (the colons between them are ignored) and writes the raw bytes, which base64 then encodes. For the fingerprint above this gives gFp8TlWF/WZtSW54kf65XGUfQ7k=.

Copy the encoded value; we will use it in the next step.


5). Create JWT header and Payload

The header will be created as below:

{
  "typ": "JWT",
  "x5t": "gFp8TlWF/WZtSW54kf65XGUfQ7k=",
  "alg": "RS256"
}


The payload will be created as below:

{
  "iss": "test.com",
  "iat": 1663830199,
  "exp": 1993830559,
  "prn": "sumit_kumar",
  "sub":"sumit_kumar"
}

Here iat is 22 September 2022 and exp (1993830559) is in 2033. That is fine for a demo, but a token that stays valid for over ten years is a long lived password; for real use set exp a few minutes after iat and generate a fresh token for each run.


6). Generate the JWT token (manually from a website like jwt.io or automatically from a program, for example Java with third party libraries).

Here in our example we will use the jwt.io website to generate the token.

When we open the website it shows an example token: the encoded token on the left and the decoded header, payload and signature sections on the right.

Let us first change the algorithm to RS256. If we change alg directly in the header, the algorithm list updates automatically.

Now let us copy and paste the header and payload which we created.

If we observe, the token is not yet created. This is because for RS256 the site needs the private key to sign and the public key to verify; until both are provided it also says Invalid Signature.

Let us open the private key and public key which we created in the first step in any text editor, and copy and paste the key text into the respective fields of the Verify Signature section in jwt.io.

After we provide the keys we will see that the token is generated and the signature is verified.

We can observe the 3 parts of the token, each separated by a dot (.).

We have the token with us. Now we will use it as Bearer type auth in Postman to call the AP invoices endpoint.

NOTE:

We can generate the token by passing only the private key in the Verify Signature section; the public key is not mandatory and the generated token still works. jwt.io then shows Invalid Signature simply because it has nothing to verify against. Since the private key is being pasted into a browser page, do this only with the throwaway key from this walkthrough and never with a key that a production Fusion instance trusts.


7). Test this from Postman by passing the token as Bearer Token type Auth.

Open Postman, provide the AP invoices endpoint URL and select the method GET to list invoices.

Select the Authorization type as Bearer Token.

Copy the JWT token which we created on the jwt.io website and paste it in the Token field of Postman. Postman then sends it in the request as Authorization: Bearer <token>.

Click the Send button to send the request.

We get a successful response (HTTP 200) with the invoice data.


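The whole flow from step 1 to step 6, plus the signature check Fusion performs on its side, as an added shell example that is not part of the original post: it uses only openssl, so the private key never has to be pasted into jwt.io. File names (jwtRS256.key, jwtRS256.key.pub, publickey.cer), the issuer test.com and the user sumit_kumar are the post's sample values; setup_keys generates a throwaway key with openssl genpkey instead of ssh-keygen and answers the certificate prompts with -subj, and the helper names (b64url, x5t_from_cert, make_jwt, verify_jwt) are chosen here. x5t is kept as standard base64, matching the value computed in step 4.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1 to 6 with openssl
# only, so the private key never leaves the machine. File names, the issuer
# test.com and the user sumit_kumar are the post's sample values; the helper
# names are chosen here.
set -e

# base64url (RFC 7515 section 2): standard base64 with '+' -> '-', '/' -> '_'
# and the '=' padding removed. Used for all three parts of the token.
b64url() {
  openssl base64 -A | sed 'y#+/#-_#' | tr -d '='
}

# Inverse of b64url: restore the alphabet and the padding, then decode.
b64url_decode() {
  _s=$(sed 'y#-_#+/#')
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | openssl base64 -d -A
}

# Steps 1 and 2 without prompts: RSA private key, PEM public key and a
# self-signed certificate whose Common Name is the issuer name.
setup_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/jwtRS256.key" 2>/dev/null
  openssl rsa -in "$1/jwtRS256.key" -pubout -out "$1/jwtRS256.key.pub" 2>/dev/null
  openssl req -new -x509 -key "$1/jwtRS256.key" -subj "/CN=test.com" -days 365 \
    -out "$1/publickey.cer" 2>/dev/null
}

# Step 4 as the post does it: hex fingerprint -> raw bytes -> base64 (needs xxd).
x5t_from_fingerprint() {
  printf '%s' "$1" | tr -d ':' | xxd -r -p | openssl base64 -A
}

# Step 4 without the hex round trip: SHA-1 over the DER certificate, base64
# encoded. Same value as x5t_from_fingerprint for the same certificate.
x5t_from_cert() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | openssl base64 -A
}

# Steps 5 and 6: make_jwt KEY X5T ISS USER [TTL_SECONDS]
# RS256 is RSA PKCS#1 v1.5 over SHA-256, which is what "openssl dgst -sha256 -sign"
# produces; the signing input is base64url(header).base64url(payload).
make_jwt() {
  _key=$1; _x5t=$2; _iss=$3; _user=$4; _ttl=${5:-300}   # 5 minute lifetime by default
  _iat=$(date +%s); _exp=$((_iat + _ttl))
  _hdr=$(printf '{"typ":"JWT","x5t":"%s","alg":"RS256"}' "$_x5t" | b64url)
  _pl=$(printf '{"iss":"%s","iat":%s,"exp":%s,"prn":"%s","sub":"%s"}' \
        "$_iss" "$_iat" "$_exp" "$_user" "$_user" | b64url)
  _sig=$(printf '%s.%s' "$_hdr" "$_pl" | openssl dgst -sha256 -sign "$_key" -binary | b64url)
  printf '%s.%s.%s\n' "$_hdr" "$_pl" "$_sig"
}

# jwt_part TOKEN N: decoded header (N=1) or payload (N=2) of a token.
jwt_part() {
  printf '%s\n' "$1" | cut -d. -f"$2" | b64url_decode
}

# verify_jwt PUBKEY TOKEN: exit 0 if the RS256 signature over header.payload
# is valid for the PEM public key, 1 otherwise. This is the check Fusion makes
# with the uploaded certificate; a changed payload or a different key fails it.
verify_jwt() {
  _sigfile=$(mktemp)
  printf '%s' "${2##*.}" | b64url_decode > "$_sigfile"
  if printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$1" -signature "$_sigfile" >/dev/null 2>&1
  then _rc=0; else _rc=1; fi
  rm -f "$_sigfile"
  return $_rc
}

# Stand-alone run with throwaway key material in a temp directory.
WORK=$(mktemp -d)
setup_keys "$WORK"
X5T=$(x5t_from_cert "$WORK/publickey.cer")
TOKEN=$(make_jwt "$WORK/jwtRS256.key" "$X5T" test.com sumit_kumar)
echo "x5t:     $X5T"
echo "payload: $(jwt_part "$TOKEN" 2)"
echo "token:   $TOKEN"
verify_jwt "$WORK/jwtRS256.key.pub" "$TOKEN" && echo "signature OK"
```

make_jwt defaults exp to iat + 300 seconds; pass a different lifetime as the fifth argument. For step 7 from the shell instead of Postman, send the printed token as `curl -H "Authorization: Bearer $TOKEN"` followed by the invoices endpoint URL used in Postman. verify_jwt mirrors the Fusion side of the handshake: the signature is checked with the public key of the uploaded certificate, so a token signed with any other key, or whose payload was edited after signing, is rejected.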
If we want diagnostic logs, we can get them from Oracle Fusion.

On the same API Authentication page of the Oracle Fusion Security Console we have the "View Diagnostics Log" option.

Logging has to be enabled to see the logs, and for this access we need the diagnostics specific roles.

When it is enabled, this log gives details of all API calls to Oracle Fusion, so it is the first place to look when a token is rejected.

Let us see in our case.

We can click on the time of a log entry to see further details.

In the next post we will see how we can generate this JWT token from PL/SQL and how to use it in the authorization header of the OIC integration REST adapter.
