Thursday, December 6, 2018

Authenticate Non-Fusion Application via the Oracle Fusion Cloud


Hi Folks,

Today I’ll explain how to implement an authentication mechanism for a Non-Fusion application through Oracle Fusion Cloud. Basically my business flow is: the user should log into Oracle Fusion Cloud first and then access the Non-Fusion application through an external URL available in the Fusion Springboard or Navigator.

The following diagram depicts the authentication flow. I’ll explain each process flow so the authentication process is easy to understand.

Authentication Flow

Fusion user to Application Session Bean

First, the user should log into Oracle Fusion Cloud. Then the user clicks the icon on the Oracle Fusion Springboard/Navigator. Oracle Fusion provides a JWT (JSON Web Token) to identify the logged-in user uniquely, so we should implement a mechanism to pass the generated JWT as a URL parameter to the Non-Oracle application. To generate the JWT, we can use a simple expression language like this.

https://<Non-Fusion Application URL>?jwtparam= #{applCoreSecuredToken.trustToken}  

JSON Web Token validation 
   
This step is a bit tricky, because we need a mechanism to avoid misuse of the JWT. Each time the user clicks the URL, Oracle generates a JWT on demand. This token has a 4-hour lifetime, and within this period the user can use the generated JWT multiple times. To avoid that, we can implement validation that only allows a fresh JWT each time by looking at the JWT's generation time.
To get the JWT generation time, you can simply decode the JWT header using a standard library provided by the jwt.io web site. Here’s the implementation of the validation method.



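As an added illustration of the freshness check described above (this is example code written for this post, not the author's own validation method), the following Python decodes the JWT segments without any third-party library, reads the issued-at (`iat`) claim, which per RFC 7519 lives in the payload segment rather than the header, and rejects tokens that are older than a short window, already expired, or already seen. The sample token, the 60-second window and the in-memory `seen` set are constructed assumptions; the real Fusion token is signed, so this check only complements the SOAP lookup in the next section and never replaces it.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(iat: int, exp: int, subject: str = "jdoe") -> str:
    """Constructed, unsigned sample token for offline demonstration only.
    A real Fusion trust token carries a signature in the third segment."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"sub": subject, "iat": iat, "exp": exp}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     ""])


def decode_jwt_segments(token: str):
    """Return (header, claims) as dicts. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")

    def decode(segment: str):
        padding = "=" * (-len(segment) % 4)          # restore stripped padding
        return json.loads(base64.urlsafe_b64decode(segment + padding))

    return decode(parts[0]), decode(parts[1])


MAX_TOKEN_AGE_SECONDS = 60   # assumed window; far shorter than the 4-hour lifetime
CLOCK_SKEW_SECONDS = 30      # tolerance for clock drift between Fusion and us
_seen_tokens = set()         # process-local replay cache (use a shared store in production)


def validate_token_freshness(token: str, now=None,
                             max_age: int = MAX_TOKEN_AGE_SECONDS,
                             seen=_seen_tokens):
    """Return (ok, reason). Accepts a token only if it was issued recently,
    has not expired, and has not been presented to this application before."""
    now = time.time() if now is None else now
    try:
        _header, claims = decode_jwt_segments(token)
    except ValueError as exc:                       # includes JSON and base64 errors
        return False, f"cannot decode token: {exc}"

    iat = claims.get("iat")
    exp = claims.get("exp")
    if not isinstance(iat, (int, float)):
        return False, "missing iat claim"
    if iat > now + CLOCK_SKEW_SECONDS:
        return False, "token issued in the future"
    if now - iat > max_age:
        return False, f"token older than {max_age} seconds"
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    if token in seen:
        return False, "token already used"

    seen.add(token)
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    fresh = make_sample_token(iat=now - 5, exp=now + 4 * 3600)
    print(validate_token_freshness(fresh, now=now))   # first use: accepted
    print(validate_token_freshness(fresh, now=now))   # replay: rejected
```

Because the token travels as a URL query parameter, it can end up in browser history, proxy logs and Referer headers, which is exactly why a short freshness window plus a single-use cache is worth having even though the token itself stays valid for four hours.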
Validate the Logged User

Now we have the Oracle-generated JWT, but we are unable to verify its signature and decode the logged-in user's details directly. So we need to use a SOAP service to get the logged-in user details. In the hcmService/UserDetailsServiceV2 request we can pass the JWT in the Authorization header along with the Bearer keyword.

In the flow above, I used an internal user-details database to verify against the Fusion result, but it's not mandatory.

Happy Coding,

Regards,
Denuwan Himanga Hettiarachchi