
An Oracle blog about Adapters

  • April 22, 2017

Integrate ICS with a third party OAuth Protected REST service using the generic REST adapter – Part 3

In the first part of the series, we gave a brief introduction to OAuth and the more flexible custom security policies available within ICS, which are particularly useful when integrating with OAuth-protected RESTful services. We also took a closer look at the OAuth Custom Two Legged security policy for obtaining an access token from an authorization server. The second part of the series takes a closer look at the OAuth Custom Three Legged security policy.

In this part, we will look at some recommended OAuth custom security configurations. These configurations are not guaranteed to work and are only suggestions. Users are advised to consult the latest OAuth provider documentation. Any field that is missing is assumed to have its default value.


Custom 2-legged Security Policies

Pre-requisites: Twitter supports OAuth 2 Client Credentials and OAuth 1.0a. The generic REST adapter only supports OAuth 2. Users are advised to use the Twitter adapter for OAuth 1.0a.

Client application can be registered at https://apps.twitter.com/ for obtaining clientID/clientSecret.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Basic {base64#[YOUR_CLIENT_ID]:[YOUR_CLIENT_SECRET]}' -d 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'

Access Token Usage:
-H Authorization: Bearer ${access_token}

Pre-requisites: Client application can be registered at https://dev.telstra.com/user/me/apps for obtaining clientID/clientSecret. Please select the appropriate scope; we are using SMS as the default.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=client_credentials&scope=SMS' "https://api.telstra.com/v1/oauth/token"

Access Token Usage:
-H Authorization: Bearer ${access_token}

Pre-requisites: Log in to the commerce app to obtain a JWT token. This token is required to obtain/refresh an access token. Commerce supports both client credentials and resource owner password credentials.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer [commerce-jwt-token]" -d "grant_type=client_credentials" http://<comm-uri>:<port>/ccadmin/v1/login

Refresh Token Request:
-X POST '<host>:<port>/ccadmin/v1/refresh' --header 'Authorization: Bearer <jwt-token>' --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --data "grant_type=client_credentials"

Access Token Usage:
-H Authorization: Bearer ${access_token}

 

OAuth Flow Type: Resource Owner Password Credentials

Access Token Request:
-X POST 'https://<host>:<port>/ccadminui/v1/refresh' --header 'Authorization: Bearer [base64#clientID:clientSecret]' --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --data "grant_type=password&username=[commerce-username]&password=[commerce-password]"

Access Token Usage:
-H Authorization: Bearer ${access_token}

 

Pre-requisites: Please consult Oracle Marketing Cloud to register the client application for obtaining client application credentials. Please use the appropriate scope value.

OAuth Flow Type: Resource Owner Password Credentials

Access Token Request:
-X POST -H "Authorization: Basic {base64#[eloqua_client_id]:[eloqua_client_secret]}" -H "Content-Type: application/json" -d '{"grant_type": "password", "scope": "full", "username": "[eloqua-resource-owner]", "password": "[eloqua-resource-owner-password]"}' "https://login.eloqua.com/auth/oauth2/token"

Access Token Usage:
-H Authorization: Bearer ${access_token}

 

Pre-requisites: Please consult the Sugar-crm documentation to register the client application for obtaining client application credentials. Please use the appropriate scope value.

OAuth Flow Type: Resource Owner Password Credentials

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[sugar_crm_client_id]&grant_type=password&username=[sugar_username]&password=[sugar_password]' https://orbithomes.sugarondemand.com/rest/v10/oauth2/token

Access Token Usage:
-H Oauth-token: ${access_token}

 

Pre-requisites: Please consult the Akana documentation to register the client application for obtaining client application credentials. Please use the appropriate scope value.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST https://<akana-auth-uri>?grant_type=client_credentials&client_id=[your_client_id]&client_secret=[your_client_secret]&scope=api

Access Token Usage:
-H Authorization: Bearer ${access_token}

 

Pre-requisites: Please consult the Azure documentation to register the client application for obtaining client application credentials. Please use the appropriate scope value.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[YOUR_CLIENT_ID]&scope=[YOUR_SCOPE]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=client_credentials' 'https://login.microsoftonline.com/common/oauth2/v2.0/token'

   

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds

Pre-requisites: Please consult the PLEX documentation.

OAuth Flow Type: Client Credentials

Access Token Request:
-X POST 'https://api.plex.com/oauth2/v1/token?subscription-key=[YOUR_SUBSCRIPTION_KEY]' -H 'content-type: application/x-www-form-urlencoded' -d 'client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_SECRET]&grant_type=client_credentials&resource=http%3A%2F%2Fapi.plex.com'
   

 

Custom 3-legged security policies

 

Pre-requisites: Client application can be registered at https://api.imgur.com/oauth2/addclient to obtain the client ID and client secret. Please specify the ICS callback URL in the imgur client registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://api.imgur.com/oauth2/authorize?client_id=[YOUR_CLIENT_ID]&response_type=code

Access Token Request:
-X POST 'https://api.imgur.com/oauth2/token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&code=${auth_code}'

Refresh Token Request:
-X POST 'https://api.imgur.com/oauth2/token?refresh_token=${refresh_token}&client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=refresh_token'

Access Token Usage:
-H Authorization: Bearer ${access_token}

 

Pre-requisites: Client application can be registered at https://console.developers.google.com to obtain the client ID and client secret. Please specify the ICS callback URL during Google client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}&scope=https://www.googleapis.com/auth/analytics.readonly

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' 'https://www.googleapis.com/oauth2/v4/token?code=${auth_code}&client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}'

 

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://public-api.wordpress.com/oauth2/authorize?client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}&response_type=code&scope=global

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}&client_id=[YOUR_CLIENT_ID]&code=${auth_code}' 'https://public-api.wordpress.com/oauth2/token'

 



Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://bitly.com/oauth/authorize?client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: application/json' -d 'client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}&client_id=[YOUR_CLIENT_ID]&code=${auth_code}' 'https://api-ssl.bitly.com/oauth/access_token'


Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://foursquare.com/oauth2/authenticate?client_id=[YOUR_CLIENT_ID]&response_type=code&redirect_uri=${redirect_uri}

Access Token Request:
-X GET 'https://foursquare.com/oauth2/access_token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}&code=${auth_code}'


Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

OAuth Flow Type: Authorization

Authorization Request:
https://www.eventbrite.com/oauth/authorize?response_type=code&client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_secret=[YOUR_CLIENT_SECRET]&client_id=[YOUR_CLIENT_ID]&grant_type=authorization_code&code=${auth_code}' 'https://www.eventbrite.com/oauth/token'

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at https://www.instagram.com/developer/register/

OAuth Flow Type: Authorization

Authorization Request:
https://api.instagram.com/oauth/authorize/?client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}&response_type=code

Access Token Request:
-X POST https://api.instagram.com/oauth/access_token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}&code=${auth_code}

Access Token Usage:
?access_token=${access_token}

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at https://console.developers.google.com/iam-admin/projects

OAuth Flow Type: Authorization

Authorization Request:
https://accounts.google.com/o/oauth2/auth?redirect_uri=${redirect_uri}&response_type=code&client_id=[YOUR_CLIENT_ID]&scope=https://www.googleapis.com/auth/blogger&approval_prompt=force&access_type=offline

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'false' 'https://www.googleapis.com/oauth2/v3/token?code=${auth_code}&client_secret=[YOUR_CLIENT_SECRET]&client_id=[YOUR_CLIENT_ID]'

Refresh Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'false' 'https://www.googleapis.com/oauth2/v3/token?client_secret=[YOUR_CLIENT_SECRET]&grant_type=refresh_token&refresh_token=${refresh_token}&client_id=[YOUR_CLIENT_ID]'

 

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at http://soundcloud.com/you/apps/new

OAuth Flow Type: Authorization

Authorization Request:
https://soundcloud.com/connect?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&redirect_uri=${redirect_uri}&response_type=code

Access Token Request:
-X POST 'https://api.soundcloud.com/oauth2/token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&redirect_uri=${redirect_uri}&code=${auth_code}&grant_type=authorization_code'

Refresh Token Request:
-X POST 'https://api.soundcloud.com/oauth2/token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&redirect_uri=${redirect_uri}&grant_type=refresh_token&refresh_token=${refresh_token}'

 

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at https://developer.uber.com/dashboard

OAuth Flow Type: Authorization

Authorization Request:
https://login.uber.com/oauth/v2/authorize?client_id=[YOUR_CLIENT_ID]&response_type=code&scope=profile&redirect_uri=${redirect_uri}

Access Token Request:
-X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'code=${auth_code}&client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}' https://login.uber.com/oauth/v2/token

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at https://console.developers.google.com

OAuth Flow Type: Authorization

Authorization Request:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}&scope=https://www.googleapis.com/auth/calendar&access_type=offline&approval_prompt=force

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'false' 'https://www.googleapis.com/oauth2/v4/token?code=${auth_code}&client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&redirect_uri=${redirect_uri}&grant_type=authorization_code'

Refresh Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'false' 'https://www.googleapis.com/oauth2/v4/token?refresh_token=${refresh_token}&client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=refresh_token'

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

Client application registration can be done at https://www.linkedin.com/developer/apps/

OAuth Flow Type: Authorization

Authorization Request:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&redirect_uri=https%3A%2F%2F<host-name>%3A<port>%2Ficsapis%2Fagent%2Foauth%2Fcallback&client_id=[YOUR_CLIENT_ID]&scope=r_basicprofile

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=https%3A%2F%2F<host-name>%3A<port>%2Ficsapis%2Fagent%2Foauth%2Fcallback&client_id=[YOUR_CLIENT_ID]&code=${auth_code}' "https://www.linkedin.com/uas/oauth2/accessToken"

LinkedIn expects the redirect URI to be URL-encoded before it is passed as part of the request. For this reason, users cannot use ${redirect_uri} and should pass the absolute encoded value of the redirect URI.


Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

The first step is to create a Facebook client application. Please use the following document for reference: https://docs.oracle.com/en/cloud/paas/integration-cloud-service/icsfb/prerequisites-creating-connection.html

OAuth Flow Type: Authorization

Authorization Request:
https://www.facebook.com/v2.10/dialog/oauth?client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}

Access Token Request:
-X GET https://graph.facebook.com/v2.10/oauth/access_token?client_id=[YOUR_CLIENT_ID]&redirect_uri=${redirect_uri}&client_secret=[YOUR_CLIENT_SECRET]&code=${auth_code}

@ref: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
 

Microsoft Email/Calendar

Pre-requisites: Please specify the ICS callback URL during client application registration as https://<ics-host>:<port>/icsapis/agent/oauth/callback

The first step is to create a client application in the Microsoft developer console. Please use the following document for reference. 

OAuth Flow Type: Authorization

Authorization Request:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[YOUR_CLIENT_ID]&scope=https://outlook.office.com/Mail.ReadWrite offline_access&response_type=code&redirect_uri=${redirect_uri}

Access Token Request:
-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&code=${auth_code}&redirect_uri=${redirect_uri}&grant_type=authorization_code' "https://login.microsoftonline.com/common/oauth2/v2.0/token"

@ref: https://apps.dev.microsoft.com
 

OAuth Flow Type: Client Credentials

Pre-requisites: Register the client application and obtain a client ID and secret. @ref: https://developer.ebay.com/api-docs/static/oauth-credentials.html

REST Adapter Security Policy: Create a REST connection and select the 'Custom Two Legged' security policy.

Access Token Request:
-X POST https://api.sandbox.ebay.com/identity/v1/oauth2/token -H 'Authorization: Basic base64([YOUR_CLIENT_ID]:[YOUR_CLIENT_SECRET])' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&scope=[YOUR_SCOPE]'


OAuth Flow Type: Code authorization flow

Pre-requisites: Register the client application and obtain a client ID and secret. @ref: https://developer.ebay.com/api-docs/static/oauth-credentials.html
Get a token via eBay for your application:

Retrieve: RuName (eBay Redirect URL name)

Register the ICS callback URL in the property named "Your auth accepted URL" as follows:
https://<ics-host>:<port>/icsapis/agent/oauth/callback

This is the URL where eBay will send the auth_code.

REST Adapter Security Policy: Create a REST connection and select the 'Custom Three Legged' security policy.

Authorization Request:
https://signin.sandbox.ebay.com/authorize?client_id=[YOUR_CLIENT_ID]&redirect_uri=[RuName (eBay Redirect URL name)]&response_type=code&scope=[YOUR_SCOPE]

Access Token Request:
-X POST -H 'Authorization: Basic base64([YOUR_CLIENT_ID]:[YOUR_CLIENT_SECRET])' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=${auth_code}&redirect_uri=[RuName (eBay Redirect URL name)]' https://api.sandbox.ebay.com/identity/v1/oauth2/token

 

Yammer

Authorization Request:
https://www.yammer.com/oauth2/authorize?client_id=[YOUR_CLIENT_ID]&response_type=code&redirect_uri=${redirect_uri}

Access Token Request:
-X POST -H "Accept: application/json" -H "content-type: application/x-www-form-urlencoded" https://www.yammer.com/oauth2/access_token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&code=${auth_code}&grant_type=authorization_code

$access_token: token


In this part of the series, we saw sample OAuth configurations for some OAuth-protected services. This is an evolving list and we may add more providers here. Going forward, this configuration may not be required, as we are including built-in support for many of these. Please let us know if any of this information is not up to date.

For more details on the options discussed for the various providers, revisit the first part of the series, which gives a brief introduction to OAuth and the more flexible custom security policies available within ICS, which are particularly useful when integrating with OAuth-protected RESTful services. It also provides an overview of the OAuth Custom Two Legged security policy for obtaining an access token from an authorization server. The second part of the series takes a closer look at the OAuth Custom Three Legged security policy.
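Because these templates are suggestions to be checked against each provider's current documentation, it helps to review one mechanically before pasting it into a connection. The following is an added example, not code from the original post or from ICS: it parses the curl-style notation used on this page and flags a secret carried in the URL (RFC 6749 section 2.3.1), a token request that is not a POST (section 3.2), a cleartext http:// endpoint, and unbalanced quotes. The function names and finding codes are assumptions of this sketch; the sample templates are copied from the sections above, except the last, which is constructed.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

# Parameters that authenticate the client or user. In a URL they are copied
# into browser history, proxy logs and server access logs (RFC 6749 s. 2.3.1).
SECRET_PARAMS = ("client_secret", "password", "refresh_token")


def parse_template(template):
    """Split a curl-style request template into (method, body, url)."""
    method, body, url = None, "", None
    args = iter(shlex.split(template))  # ValueError on unbalanced quotes
    for arg in args:
        if arg in ("-X", "--request"):
            method = next(args, "").upper()
        elif arg in ("-H", "--header"):
            next(args, None)  # consume the header value; not inspected here
        elif arg in ("-d", "--data"):
            body = next(args, "")
        elif url is None and arg.startswith(("http://", "https://")):
            url = arg
    return method or ("POST" if body else "GET"), body, url


def lint_template(template, kind="token"):
    """Return sorted finding codes; kind is "token" or "authorize"."""
    try:
        method, _body, url = parse_template(template)
    except ValueError:
        return ["unbalanced-quotes"]
    if url is None:
        return ["no-url"]
    parts = urlsplit(url)
    findings = set()
    if parts.scheme != "https":
        findings.add("cleartext-http")
    if any(name in parse_qs(parts.query) for name in SECRET_PARAMS):
        findings.add("secret-in-url")
    if kind == "token" and method != "POST":
        findings.add("token-request-not-post")  # RFC 6749 section 3.2
    return sorted(findings)


# Templates copied from the sections above; the last one is constructed.
SAMPLES = {
    "telstra_token": ("token", '''-X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=client_credentials&scope=SMS' "https://api.telstra.com/v1/oauth/token"'''),
    "imgur_token": ("token", """-X POST 'https://api.imgur.com/oauth2/token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&code=${auth_code}'"""),
    "foursquare_token": ("token", """-X GET 'https://foursquare.com/oauth2/access_token?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&grant_type=authorization_code&redirect_uri=${redirect_uri}&code=${auth_code}'"""),
    "commerce_login": ("token", '''-X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer [commerce-jwt-token]" -d "grant_type=client_credentials" http://<comm-uri>:<port>/ccadmin/v1/login'''),
    "soundcloud_authorize": ("authorize", "https://soundcloud.com/connect?client_id=[YOUR_CLIENT_ID]&client_secret=[YOUR_CLIENT_SECRET]&redirect_uri=${redirect_uri}&response_type=code"),
    "constructed_broken": ("token", "-X POST -d 'grant_type=client_credentials https://auth.example.com/token"),
}


def lint_all(samples=SAMPLES):
    """Lint every sample and return {name: [finding codes]}."""
    return {name: lint_template(t, kind) for name, (kind, t) in samples.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"{name:22} {', '.join(findings) or 'ok'}")
```

A finding is a prompt to check the provider's documentation for a form-body or Authorization-header variant of the same request, not proof that the template is rejected.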

Participate

If you have an API which is not covered, then please feel free to add it in the comments. We will promote this configuration as part of the product in due course and will advertise connectivity with your API as part of Oracle documentation.

Join the discussion

Comments ( 11 )
  • Chris Thursday, September 28, 2017
    Can you provide an example OAUTH Custom security
    configuration for facebook?
  • anuj Tuesday, October 3, 2017
    Hi Chris,
    Updated facebook details in the blog.

    regards,
    anuj
  • Steve Thursday, September 27, 2018
    Hi Chris -

    Any experience with authorising against SharePoint online to enable files to be pushed to and retrieved from sites?
  • Praveen Challa Thursday, November 8, 2018
    Hi Chris,

    Can you please provide an example of OAUTH for BOX: https://developer.box.com/docs

    Thanks & Regards,
    Praveen.
  • Praveen Challa Thursday, November 8, 2018
    Hi Chris,

    Can you please provide an example of BOX authentication (3 legged) : https://developer.box.com/docs
  • Budhaditya Monday, February 18, 2019
    Hi Chris,

    Please provide an example for OraDocs (Oracle Documents Cloud Service)
  • Laxman Tuesday, August 20, 2019
    Hi Anuj,
    We are getting the following error message when we try to connect to Salesforce REST API using "OAuth Resource Owner Password Credentials". Please check and guide us to fix the issue.

    Unable to test connection "TESTOAUTHSFDCAPICONN". [Cause: CASDK-0004]
    CASDK-0004 : Failed to authenticate against the application with the credentials provided
    Cannot request OAuth access token.
    POST https://test.salesforce.com/services/oauth2/token returned a response status of 400 Bad Request
  • Sunder Iyer Tuesday, October 15, 2019
    I have a requirement to use OAuth2.0 where the JWT generation uses RS256 (RSA Signature with SHA-256) with a public/private key pair. I don't think this is an option available within the Oracle Integration Cloud REST adapter security config options.
  • Anuj Tuesday, October 15, 2019
    Hi Sunder,
    It is currently not supported out of the box. One of the options is to write a custom adapter. Can you please share the API details and more information about the OAuth flow?
  • Nate Schmolze Monday, November 18, 2019
    Having trouble connecting to Salesforce through the REST adapter. We're trying to work around a seeming bug in the Salesforce adapter that interprets platform event publishing success as an error. Also, it would be nice to have access to custom REST resources, whereas the Salesforce adapter uses SOAP.
  • DURGA CHARAN Monday, April 6, 2020
    Dear,

    We are trying to use a REST API but getting error always.
    CASDK-0004: Failed to authenticate against the application with the credentials provided; Cannot request OAuth access token.; POST https://api.ibanity.com/isabel-connect/oauth2/token returned a response status of 400 Bad Request

    Below is the documentation. Could you help to formulate the expression for same.

    https://documentation.ibanity.com/isabel-connect/api#create-refresh-token

    Thank You.