Thursday, 2 July 2020

OIC - Create Non Expiry Service Accounts


One of the common and important requirements in an OIC implementation is a service account, used for basic authentication from integrations and external clients, whose credentials never expire.

It can be achieved using one of the following options.

  1. Create a user account in IDCS and change the custom password policy so that passwords never expire. The policy applies to every user in the identity domain, so this weakens password hygiene for all of them and is a security issue.
  2. Create the service account in IDCS as an application client instead. Configure a confidential application whose client ID follows the pattern XXXX_BASICAUTH and assign that client to the OIC application role.
    • Application client credentials are not governed by the user password policy, so they do not expire and the requirement is met without touching the policy for human users. The client secret is still a long-lived credential: keep it in a vault, grant the client only the OIC role it needs, and rotate it on a schedule you control.
Follow the steps below to configure the application client.

1. Client application to get the OAuth token.
  • Create a new confidential application to obtain the access token, or reuse an existing one.
  • Log in to the IDCS console.
  • Go to Applications.
  • Select Create Confidential Application.
  • Give it a name, for example Token.
  • Select Register as a Client.
  • Select the Client Credentials and JWT Assertion options under Allowed Grant Types.
  • Under the Grant the client access section, select:
    • Identity Domain Administrator
    • Me
  • Finish and note down the client ID and secret.
  • Identity Domain Administrator can manage every user, group and application in the domain, so this client is as sensitive as an administrator account: keep its secret out of source control and deactivate or delete the application once the service account has been created.

2. Steps to create the service account using the REST API and the token.
  • Create a new confidential application which will be used as the service account.
  • Use the REST API to create this client application.
  • The API lets you set the client ID yourself; the console does not offer this option.
  • Give the client ID as XXXX_BASICAUTH.
  • It is mandatory to follow the above naming convention: XXXX can be anything, but the ID must end with _BASICAUTH.
  • Invoke the following REST API using the access token:
  • https://idcs-XXXXX.identity.oraclecloud.com/admin/v1/Apps
    • To get the token, invoke the IDCS token endpoint:
    • https://idcs-XXXXXXXX.identity.oraclecloud.com/oauth2/v1/token
    • Scope: urn:opc:idm:__myscopes__
    • Grant type: client credentials
    • Client ID and secret from the application created in step 1.
  • Use the token returned by that call to invoke the Apps API with the payload below.
  • This will create a new application with client ID XXXX_BASICAUTH.
  • Add this client to the OIC application roles in IDCS.

Payload for creating the client application. Note that name (JCSOIC_BASICAUTH) is the client ID and must carry the _BASICAUTH suffix; displayName (JCSOIC_CLIENT) is only the label shown in the console.
{
"active": true,
"allUrlSchemesAllowed": false,
"allowAccessControl": false,
"allowedGrants":
["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"attrRenderingMetadata":
[{
"name": "aliasApps",
"visible": false
}],
"basedOnTemplate":
{ "value": "CustomWebAppTemplateId" },
"clientType": "confidential",
"displayName": "JCSOIC_CLIENT",
"editableAttributes": [ { "name": "allowedGrants" },
{ "name": "protectableSecondaryAudiences" },
{ "name": "asOPCService" },
{ "name":"accessTokenExpiry" },
{ "name": "linkingCallbackUrl" },
{ "name": "isOAuthResource" },
{ "name": "appIcon" },
{ "name": "clientType" },
{ "name": "refreshTokenExpiry" },
{ "name": "trustScope" },
{ "name": "landingPageUrl" },
{ "name": "audience" },
{ "name": "samlServiceProvider" },
{ "name": "isLoginTarget" },
{ "name": "redirectUris" },
{ "name": "allowedScopes" },
{ "name": "tags" },
{ "name": "logoutUri" },
{ "name": "allowedOperations" },
{ "name": "termsOfUse" },
{ "name": "serviceParams" },
{ "name": "certificates" },
{ "name": "aliasApps" },
{ "name": "schemas" },
{ "name": "isWebTierPolicy" },
{ "name": "trustPolicies" },
{ "name": "logoutPageUrl" },
{ "name": "secondaryAudiences" },
{ "name": "displayName" },
{ "name": "serviceTypeURN" },
{ "name": "icon" },
{ "name": "description" },
{ "name": "isOAuthClient" },
{ "name": "allowedTags" },
{ "name": "showInMyApps" },
{ "name": "isObligationCapable" },
{ "name": "isMobileTarget" },
{ "name": "allowOffline" },
{ "name": "idpPolicy" },
{ "name": "appSignonPolicy" },
{ "name": "postLogoutRedirectUris" },
{ "name": "isFormFill" },
{ "name": "loginMechanism" },
{ "name": "serviceTypeVersion" },
{ "name": "errorPageUrl" },
{ "name": "signonPolicy" },
{ "name": "identityProviders" },
{ "name": "isSamlServiceProvider" },
{ "name": "appThumbnail" },
{ "name": "loginPageUrl" },
{ "name": "scopes" },
{ "name": "allowAccessControl" },
{ "name": "isKerberosRealm" },
{ "name": "allUrlSchemesAllowed" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion"},
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:assertionConsumerUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdUserstoreAttribute" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutResponseUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:succinctId" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutRequestUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionCertificate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signingCertificate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },
{"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },
{"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:connected" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" },
{ "name": "active" },
{ "name": "grantedAppRoles" },
{ "name": "userRoles" },
{ "name": "adminRoles" },
{ "name": "clientSecret" }
],
"infrastructure": false,
"isAliasApp": false,
"isManagedApp": false,
"isMobileTarget": false,
"isOAuthClient": true,
"isOAuthResource": false,
"isOPCService": false,
"isSamlServiceProvider": false,
"isUnmanagedApp": false,
"isWebTierPolicy": false,
"loginMechanism": "OIDC",
"migrated": false,
"name": "JCSOIC_BASICAUTH",
"showInMyApps": false,
"trustScope": "Explicit",
"urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App":
{ "requestable": false },
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App",
"urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App"]
}
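The two REST calls described in step 2 (mint a token with the client_credentials grant, then POST the new application to /admin/v1/Apps) as an added Python script. This is example code written for this page, not the post's own tooling or an Oracle SDK: the tenant URL, client IDs and secrets are placeholders read from environment variables, and the payload is trimmed to the attributes from the payload above that define the client (an assumption; send the full payload above if your tenancy rejects the short one). It refuses to create a client whose ID does not end in _BASICAUTH, which is the naming rule the post calls mandatory.

```python
"""Added example, not from the original post: the two IDCS calls described
above, done from a script.  Step one mints an access token with the
client_credentials grant using the 'Token' confidential application; step two
POSTs a new confidential application to /admin/v1/Apps with a caller-chosen
client ID that must end in _BASICAUTH.  Tenant URL, client IDs and secrets are
placeholders read from the environment; nothing here is a real credential."""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"
APPS_PATH = "/admin/v1/Apps"
SCOPE = "urn:opc:idm:__myscopes__"
BASICAUTH_SUFFIX = "_BASICAUTH"


def build_token_request(idcs_url, client_id, client_secret):
    """Return (url, headers, body) for the client_credentials token call.
    The token app's client ID and secret travel in an HTTP Basic header;
    grant_type and scope travel in the form-encoded body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return idcs_url.rstrip("/") + TOKEN_PATH, headers, body.encode()


def build_app_payload(client_id, display_name=None):
    """App payload trimmed to the attributes that define the client (assumption:
    the rendering/editable metadata in the full payload above can be omitted).
    `name` is the client ID, which the console never lets you choose, so the
    _BASICAUTH naming rule is enforced here before anything is sent."""
    if not client_id.endswith(BASICAUTH_SUFFIX) or client_id == BASICAUTH_SUFFIX:
        raise ValueError(f"client ID must be <prefix>{BASICAUTH_SUFFIX}, got {client_id!r}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"],
        "name": client_id,
        "displayName": display_name or client_id,
        "active": True,
        "clientType": "confidential",
        "isOAuthClient": True,
        "allowedGrants": [
            "client_credentials",
            "urn:ietf:params:oauth:grant-type:jwt-bearer",
        ],
        "basedOnTemplate": {"value": "CustomWebAppTemplateId"},
        "trustScope": "Explicit",
        "showInMyApps": False,
    }


def build_app_request(idcs_url, access_token, payload):
    """Return (url, headers, body) for the POST /admin/v1/Apps call."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/scim+json",
    }
    return idcs_url.rstrip("/") + APPS_PATH, headers, json.dumps(payload).encode()


def post_json(url, headers, body):
    """Send a POST and decode the JSON reply; urlopen raises on non-2xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def create_basicauth_client(idcs_url, token_client_id, token_client_secret, new_client_id):
    """Token call, then Apps call.  Returns the new app's id, its client ID
    (name) and the generated clientSecret from the creation response; that
    secret is the service account's password, so store it in a vault."""
    url, headers, body = build_token_request(idcs_url, token_client_id, token_client_secret)
    access_token = post_json(url, headers, body)["access_token"]
    url, headers, body = build_app_request(idcs_url, access_token, build_app_payload(new_client_id))
    app = post_json(url, headers, body)
    return app["id"], app["name"], app.get("clientSecret")


if __name__ == "__main__":
    # Set IDCS_URL (https://idcs-XXXXX.identity.oraclecloud.com), IDCS_CLIENT_ID,
    # IDCS_CLIENT_SECRET and NEW_CLIENT_ID to run against a real tenancy.
    idcs_url = os.environ.get("IDCS_URL")
    if idcs_url:
        app_id, name, secret = create_basicauth_client(
            idcs_url,
            os.environ["IDCS_CLIENT_ID"],
            os.environ["IDCS_CLIENT_SECRET"],
            os.environ.get("NEW_CLIENT_ID", "EXAMPLE_BASICAUTH"),
        )
        # Printed here only for demonstration; in practice write it to a vault.
        print(f"created app {app_id} with client ID {name}; client secret: {secret}")
```

After the script returns, the remaining step is still the console one from the post: add the new client to the OIC application role in IDCS. The request builders are separate from the network call so the exact headers and bodies can be inspected (or unit-tested) before an Identity Domain Administrator token is ever minted.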
