Tuesday Jun 10, 2014

JWT Token Security with Fusion Sales Cloud

When integrating Sales Cloud with a 3rd party application you often need to pass the user's identity to the 3rd party application so that

  • the 3rd party application knows who the user is, and
  • the 3rd party application can make web service callbacks to Sales Cloud as that user.

Until recently this wasn't easily possible without using SAML, and one workaround was to pass the username, potentially even the password, from Sales Cloud to the 3rd party application as URL parameters.

With Oracle Fusion R8 we now have a proper solution, called "JWT Token support". This is based on the industry JSON Web Token standard; for more information see here.

JWT support works by letting the user generate a short-lived token for a specific application. This token is then passed to the 3rd party application as a GET parameter. The 3rd party application can then present the token on its web service calls into Sales Cloud; those calls are executed as the user who generated the token in the first place. Alternatively, it can call a special HR web service (UserService-findSelfUserDetails()) with the token, and Fusion will respond with that user's details.



Some more details 

The following goes through the scenario where you want to embed a 3rd party application in a WebContent frame (iFrame) within the opportunity screen.

1. Define your application using the topology manager in setup and maintenance

2. From within the groovy script which defines the iFrame you wish to embed, write some code which looks like this:

// Look up the endpoint registered for the application in the topology manager (step 1)
def thirdpartyapplicationurl = oracle.topologyManager.client.deployedInfo.DeployedInfoProvider.getEndPoint("My3rdPartyApplication")
// Generate a short-lived JWT for the current user
def crmkey = (new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken())
// Build the launch URL; the parameter name must be exactly "jwt" (no embedded space).
// The leading "?" assumes the registered endpoint does not already carry a query string.
def url = thirdpartyapplicationurl + "?param1=" + OptyId + "&jwt=" + crmkey
return (url)



This snippet generates a URL which contains

  • the hostname/endpoint of the 3rd party application
  • two parameters:
    • the opportunity id, stored in parameter "param1"
    • the JWT token, stored in parameter "jwt"

3. From your 3rd party application you now have two options:

  • Execute a web service call by first setting the "Authorization" header to the value "Bearer <JWT token>" and then calling the web service of your choice. The call will be executed against Fusion Applications as the user who generated the token.
  • To find out "who you are", set the "Authorization" header to "Bearer <JWT token>" and then call findSelfUserDetails() in the UserDetailsService.
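The 3rd party side of this exchange, as an added example that is not from the original post or from Oracle: read the "jwt" parameter from the launch URL, decode the token and reject it if its expiry claim has passed, and build the Authorization header for the callback into Sales Cloud. The signing key, claim names, URL and user id are constructed for illustration only; the decode does not verify the signature, since Fusion verifies it when the token is presented.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed key used only to build a sample HS256 token so this runs offline.
# A real token is issued and signed by Fusion; the 3rd party app never holds the key.
DEMO_KEY = b"example-only-signing-key"


def _b64url_decode(part):
    part += "=" * (-len(part) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(part)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_token(sub, exp, key=DEMO_KEY):
    """Build a constructed HS256 JWT with a subject and expiry (seconds since epoch)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def token_from_url(url):
    """Extract the 'jwt' parameter as appended by the Sales Cloud groovy script."""
    values = parse_qs(urlsplit(url).query).get("jwt")
    return values[0] if values else None


def inspect_token(token, now=None):
    """Decode header and payload (no signature check) and refuse an expired token,
    so the app fails fast instead of making a callback that Fusion will reject."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        raise ValueError("JWT expired; relaunch the application from Sales Cloud")
    return header, payload


def callback_headers(token):
    """Header for a web service call back into Sales Cloud as the token's user."""
    return {"Authorization": f"Bearer {token}"}
```

Because the token travels as a GET parameter, keep it out of request logs and referrers on the 3rd party side and use it only in the Authorization header of the callback.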

For more information 


About

Architect & Technology Evangelist - if it's middleware or PaaS/SaaS integration then I'm interested

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
