One of the common and important requirements in OIC implementation is to configure a service account or a basic authentication account which will never expire.
It can be achieved using following options.
- Create an account in IDCS and Update the Custom Password policy to set the expiry as none. This will impact all the users and it will be a security issue.
- Create a Service account in IDCS using Application Client configuration. Configure a confidential application with a specific name like XXXX_BASICAUTH as a client id and assign this client to OIC role.
- Application accounts are not going to expire and it will solve the issue.
1. Client Application to get the OAUTH Token.
- Create a new confidential application to get the Authentication token or use an existing application.
- Login to IDCS console
- Got to Applications
- Select Create Confidential Application
- Give a name - Token
- Select Register as a Client
- Select Client Credentials and JWT Assertions options under allowed grants.
- Under - Grant the client access section.
- SELECT
- Identity Domain Administrator
- Me
- Finish and note down the client id and secret.
2. Steps to Create a Service Account using REST API and Token.
- Create a new confidential application which will be used as a Service Account.
- Use a REST API to create a Client Application.
- This will allow us to provide required Client ID. Console will not provide this option.
- Give Client ID as XXXX_BASICAUTH
- It is mandatory to follow above naming convention. XXXX can be anything and it should have _BASICAUTH
- Invoke following rest API using Authentication Token.
- https://idcs-XXXXX.identity.oraclecloud.com/admin/v1/Apps
- Invoke IDCS to get the token
- https://idcs-XXXXXXXX.identity.oraclecloud.com/oauth2/v1/token
- SCOPE : urn:opc:idm:__myscopes__
- Grant Type : Client Credentials
- Client Id and Secret from Above application.
- Use the Token Generated from the above steps and invoke the API.
- This will create a new application with Client ID as XXXX_BASICAUTH
- Add this client to OIC application roles in IDCS.
PAYLOAD for Creating Client Application
{
"active": true,
"allUrlSchemesAllowed": false,
"allowAccessControl": false,
"allowedGrants":
["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"attrRenderingMetadata":
[{
"name": "aliasApps",
"visible": false
}],
"basedOnTemplate":
{ "value": "CustomWebAppTemplateId" },
"clientType": "confidential",
"displayName": "JCSOIC_CLIENT",
"editableAttributes": [ { "name": "allowedGrants" },
{ "name": "protectableSecondaryAudiences" },
{ "name": "asOPCService" },
{ "name":"accessTokenExpiry" },
{ "name": "linkingCallbackUrl" },
{ "name": "isOAuthResource" },
{ "name": "appIcon" },
{ "name": "clientType" },
{ "name": "refreshTokenExpiry" },
{ "name": "trustScope" },
{ "name": "landingPageUrl" },
{ "name": "audience" },
{ "name": "samlServiceProvider" },
{ "name": "isLoginTarget" },
{ "name": "redirectUris" },
{ "name": "allowedScopes" },
{ "name": "tags" },
{ "name": "logoutUri" },
{ "name": "allowedOperations" },
{ "name": "termsOfUse" },
{ "name": "serviceParams" },
{ "name": "certificates" },
{ "name": "aliasApps" },
{ "name": "schemas" },
{ "name": "isWebTierPolicy" },
{ "name": "trustPolicies" },
{ "name": "logoutPageUrl" },
{ "name": "secondaryAudiences" },
{ "name": "displayName" },
{ "name": "serviceTypeURN" },
{ "name": "icon" },
{ "name": "description" },
{ "name": "isOAuthClient" },
{ "name": "allowedTags" },
{ "name": "showInMyApps" },
{ "name": "isObligationCapable" },
{ "name": "isMobileTarget" },
{ "name": "allowOffline" },
{ "name": "idpPolicy" },
{ "name": "appSignonPolicy" },
{ "name": "postLogoutRedirectUris" },
{ "name": "isFormFill" },
{ "name": "loginMechanism" },
{ "name": "serviceTypeVersion" },
{ "name": "errorPageUrl" },
{ "name": "signonPolicy" },
{ "name": "identityProviders" },
{ "name": "isSamlServiceProvider" },
{ "name": "appThumbnail" },
{ "name": "loginPageUrl" },
{ "name": "scopes" },
{ "name": "allowAccessControl" },
{ "name": "isKerberosRealm" },
{ "name": "allUrlSchemesAllowed" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion"},
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:assertionConsumerUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdUserstoreAttribute" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutResponseUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:succinctId" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutRequestUrl" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionCertificate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signingCertificate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },
{"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },
{"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:connected" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" }, {
"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate"
}, { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" }, { "name":
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" }, { "name":
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" }, { "name":
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },
{ "name":
"urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" }, { "name":
"urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" }, { "name": "active" },
{ "name": "grantedAppRoles" }, { "name": "userRoles" }, { "name": "adminRoles" }, { "name": "clientSecret" }
], "infrastructure": false, "isAliasApp": false, "isManagedApp": false, "isMobileTarget": false, "isOAuthClient":
true, "isOAuthResource": false, "isOPCService": false, "isSamlServiceProvider": false, "isUnmanagedApp": false,
"isWebTierPolicy": false, "loginMechanism": "OIDC", "migrated": false, "name": "JCSOIC_BASICAUTH",
"showInMyApps": false, "trustScope": "Explicit", "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App":
{ "requestable": false },
"schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App",
"urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App"]
}
No comments:
Post a Comment