JWT Token Security with Fusion Sales Cloud

When integrating SalesCloud with a 3rd party application you often need to pass the users identity to the 3rd party application so that 

  • The 3rd party application knows who the user is
  • The 3rd party application needs to be able to do WebService callbacks to Sales Cloud as that user. 

Until recently without using SAML, this wasn't easily possible and one workaround was to pass the username, potentially even the password, from Sales Cloud to the 3rd party application using URL parameters..

With Oracle Fusion R8 we now have a proper solution and that is called "JWT Token support". This is based on the industry JSON Web Token standard , for more information see here

JWT Works by allowing the user the ability to generate a token (lasts a short period of time) for a specific application. This token is then passed to the 3rd party application as a GET parameter.  The 3rd party application can then call into SalesCloud and use this token for all webservice calls, the calls will be executed as the user who generated the token in the first place, or they can call a special HR WebService (UserService-findSelfUserDetails() ) with the token and Fusion will respond with the users details.

Some more details 

The following will go through the scenario that you want to embed a 3rd party application within a WebContent frame (iFrame) within the opportunity screen. 

1. Define your application using the topology manager in setup and maintenance

2. From within your groovy script which defines the iFrame you wish to embed, write some code which looks like this :

def thirdpartyapplicationurl = oracle.topologyManager.client.deployedInfo.DeployedInfoProvider.getEndPoint("My3rdPartyApplication" )
def crmkey= (new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken())
def url = thirdpartyapplicationurl +"param1="+OptyId+"&jwt ="+crmkey
return (url) 

This snippet generates a URL which contains

  • The Hostname/endpoint of the 3rd party application
  • Two Parameters
    • The opportunityId stored in parameter "param1"
    • The JWT Token store in  parameter "jwt"

3. From your 3rd Party Application you now have two options

  • Execute a webservice call by first setting the header parameter "Authorization" to the value "Bearer <JWT token>" then calling your webservice of choice. The webservice call will be executed against Fusion Applications "As" the user who execute the process
  • To find out "Who you are" , set the header parameter "Authorization" value to "Bearer <JWT Token>" and then execute the  webservice call findSelfUserDetails(), in the UserDetailsService

For more information 


What to do if jwt token returns Unauthorized error?

Posted by guest on August 08, 2014 at 06:38 PM BST #

but providing your going back to the same Sales Cloud instance then all should be ok...So Im thinking coding error..?

Posted by angelo santagata on August 11, 2014 at 11:07 AM BST #

I was testing the token through soap UI. And I am going back to the same Sales Cloud instance. Still It is giving the Unauthorized error.

Posted by guest on August 11, 2014 at 11:48 AM BST #


i am trying to run one of the sample,

Rich UI with Data Visualization Components and JWT UserToken validation extending Oracle Sales Cloud– 1.0.1

I made the changes in the config file and provided my own URLs but i am getting following error:

com.sun.xml.ws.client.ClientTransportAccessException: The server sent HTTP status code 401: Unauthorized: https://hcm-aufsn4x0XXX.oracleoutsourcing.com/hcmPeopleRolesV2/UserDetailsService

Please help me on this.

Thanks & Regards

Posted by apoorv Jain on August 19, 2014 at 03:43 PM BST #

Hi there,

Ive done some R&D and it might be that you SalesCloud instance doesnt have JWT token enabled.. apparently depending on circumstances it might not be enabled. Best approach is to log a service ticket with support and get them to check.

Posted by angelo santagata on August 22, 2014 at 09:52 AM BST #


I have raised the request let them get back to me, in the meanwhile just tell me when i integrated it with my sales cloud, i am getting the JWT token for example:


so in case if it is not enabled then i should get this right?

Posted by apoorv Jain on August 22, 2014 at 12:37 PM BST #


Afraid not, that simply means your generating the token, the other part (OWSM based) needs to detect and action the token....

please send me the sr# by email so I can examine it

Posted by angelo santagata on August 22, 2014 at 02:09 PM BST #

Post a Comment:
  • HTML Syntax: NOT allowed

Architect & Technology Evangelist - If its middleware,PaaS/SaaS integration then I'm interested

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.


« April 2015