JWT Token Security with Fusion Sales Cloud
By Asantaga-Oracle on Jun 10, 2014
When integrating SalesCloud with a 3rd party application you often need to pass the user's identity to the 3rd party application so that
- The 3rd party application knows who the user is
- The 3rd party application can make WebService callbacks to Sales Cloud as that user.
Until recently, without using SAML, this wasn't easily possible; one workaround was to pass the username, potentially even the password, from Sales Cloud to the 3rd party application using URL parameters.
With Oracle Fusion R8 we now have a proper solution, called "JWT Token support". This is based on the industry JSON Web Token standard; for more information see here.
JWT works by letting the user generate a token (valid for a short period of time) for a specific application. This token is then passed to the 3rd party application as a GET parameter. The 3rd party application can then call into SalesCloud using this token for all webservice calls; the calls are executed as the user who generated the token in the first place. Alternatively it can call a special HR WebService (UserService-findSelfUserDetails()) with the token, and Fusion will respond with the user's details.
Some more details
The following will go through the scenario that you want to embed a 3rd party application within a WebContent frame (iFrame) within the opportunity screen.
1. Define your application using the topology manager in setup and maintenance
- See this documentation link on topology manager
2. From within your groovy script which defines the iFrame you wish to embed, write some code which looks like this :
def thirdpartyapplicationurl = oracle.topologyManager.client.deployedInfo.DeployedInfoProvider.getEndPoint("My3rdPartyApplication")
This snippet generates a URL which contains
- The Hostname/endpoint of the 3rd party application
- Two Parameters
- The opportunityId stored in parameter "param1"
- The JWT Token stored in parameter "jwt"
3. From your 3rd Party Application you now have two options
- Execute a webservice call by first setting the header parameter "Authorization" to the value "Bearer <JWT token>" and then calling your webservice of choice. The webservice call will be executed against Fusion Applications as the user who generated the token.
- To find out "who you are", set the header parameter "Authorization" to the value "Bearer <JWT Token>" and then execute the webservice call findSelfUserDetails() in the UserDetailsService.
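As an added example (not code from the original post or from Oracle), here is what the receiving side of this exchange looks like in a 3rd party application: it takes "param1" and "jwt" off the landing URL, checks that the token is well formed and not yet expired, and builds the "Authorization: Bearer" header for the call back into Sales Cloud. The sample URL and token are constructed for the demo; the token's claims are read only for the expiry check and are not trusted for identity, which the application should obtain from Fusion via findSelfUserDetails().

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(exp: int) -> str:
    # Constructed token for the demo only: the signature segment is a placeholder,
    # since only Fusion holds the key that signs real JWT tokens.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "demo.user", "exp": exp}).encode())
    return f"{header}.{payload}.placeholdersig"


def extract_params(landing_url: str) -> Tuple[str, str]:
    """Pull the opportunity id ("param1") and the token ("jwt") out of the GET URL."""
    query = parse_qs(urlparse(landing_url).query)
    return query["param1"][0], query["jwt"][0]


def token_is_usable(token: str, now: Optional[int] = None) -> bool:
    """Structural and expiry check only: claims are decoded, not verified, so they
    must never be used to decide who the user is or what they may do."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64 or bad JSON
        return False
    exp = claims.get("exp")
    current = now if now is not None else int(time.time())
    return isinstance(exp, int) and exp > current


def callback_headers(token: str) -> Dict[str, str]:
    """Headers for the web service call back into Sales Cloud: the token travels
    as a Bearer credential, not as a URL parameter again."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def redact(token: str) -> str:
    """What to write to the application log instead of the raw token."""
    return token[:8] + "...[redacted]"
```

The Bearer header form is the one the post describes for both the ordinary web service calls and the findSelfUserDetails() lookup; a token that fails token_is_usable() should simply be rejected rather than retried.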
For more information
- Oracle Sales Cloud Documentation, specific chapter on JWT Token
- OTN samples, specifically the Rich UI With JWT Token Sample
- Oracle Fusion Applications General Documentation