Supporting secure API access in Oracle Fusion Cloud Applications

October 21, 2024 | 3 minute read
Miranda Jimenez
Product Marketing Manager
Roland Koenn
SaaS Cloud Security Outbound Product Manager

When it comes to accessing Oracle Fusion Cloud Applications APIs, choosing the right authentication method is key to safeguarding your data. You have three standards to choose from: Basic authentication over Transport Layer Security (TLS, still commonly referred to as SSL), Security Assertion Markup Language (SAML) 2.0 bearer tokens, or a JSON Web Token (JWT) in the HTTP header over TLS. Each method provides a different level of security, and basic authentication is generally considered the least secure option. For more details about SAML 2.0 and JWT and how to use them, see REST API for Oracle Fusion Cloud Financials.

Understanding the limitations of Basic Authentication

While basic authentication is simple to implement, it comes with significant security drawbacks that can't be ignored. The method sends the user name and password with every request, encoded in Base64. Base64 is an encoding, not encryption: anyone who can read the header can recover the password, so the credentials are only as safe as the TLS connection and every proxy, log file, and endpoint that sees the decrypted traffic. Managing passwords with basic authentication is also challenging because of issues with rotation, reuse, and enforcement of strong password policies. Given these weaknesses, we strongly discourage basic authentication and don't consider it an optimal choice for securing API access.

Best practices: Restricting API access

Given the security risks associated with basic authentication, implementing extra safeguards is crucial. One of the most effective measures is restricting access to Oracle Fusion Cloud Applications APIs based on known IP addresses. By setting up IP filtering, you can limit access to only trusted sources, which helps reduce the risk of unauthorized access. For a detailed guide on how to implement IP filtering, refer to the instructions.

However, in environments with increased security requirements, or where access from unknown IPs is common, IP filtering alone might not be enough. To strengthen your security posture further, consider disabling basic authentication for API access entirely, either for all IPs or selectively, based on CIDR blocks or countries. For example, this setup allows you to permit basic authentication only from your internal corporate network and block it from all other IPs. You can implement this measure through the WAF for SaaS service, which is included by default in every Fusion Applications environment.

Figure: Architecture diagram showing the web application firewall (WAF) for software as a service (SaaS) and a load balancer blocking malicious traffic to Fusion Applications.

Implementing basic authentication restrictions

To disable basic authentication, submit a service request to Oracle. When submitting the service request, specify the problem type as Fusion Application Security, which covers the security console, login, SSO, web application firewall (WAF), and cyber security. For detailed guidance on how to raise this service request, see this ticket from Oracle Support. This change doesn't impact regular users logging in through the user interface: WAF for software as a service (SaaS) specifically targets and blocks traffic using basic authentication for API access only.

Before rolling out this change in a production environment, we highly recommend testing it in a staging or test environment. Review all existing integrations to ensure that no legacy systems rely on basic authentication, because any that still do will stop working once it is blocked.
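The three points above (Base64 is decodable, basic authentication can be blocked selectively by CIDR while token-based calls and UI logins pass untouched, and integrations should be inventoried before the block goes live) can be shown together in a small model of the edge rule. This is an added illustration written for this post, not Oracle's WAF for SaaS configuration or any Fusion code; the allow-listed CIDRs, request paths, user names, and token strings are constructed assumptions.

```python
import base64
import ipaddress
from typing import Dict, List, Optional, Tuple

# Illustrative allow-list: Basic authentication is tolerated only from these
# ranges (assumed corporate egress ranges; not an Oracle WAF configuration).
ALLOWED_BASIC_AUTH_CIDRS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24")
]

Request = Tuple[str, str, Dict[str, str]]  # (client_ip, path, headers)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client sends."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header.

    Base64 is an encoding, not encryption: anything that sees the header
    after TLS termination (proxy, log, debugger) sees the password.
    """
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header; not usable Basic credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def auth_scheme(headers: Dict[str, str]) -> str:
    """Lower-cased scheme of the Authorization header, or 'none'."""
    value = headers.get("Authorization", "").strip()
    return value.split(" ", 1)[0].lower() if value else "none"


def evaluate_request(client_ip: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Apply the illustrative rule. 200 = forward to Fusion, 403 = block at the edge.

    Only the Basic scheme is inspected: UI sessions (cookies) and JWT/SAML
    bearer tokens pass this rule untouched. `path` is kept so the rule can be
    scoped to API paths later; it is not consulted here.
    """
    scheme = auth_scheme(headers)
    if scheme != "basic":
        return 200, f"pass: {scheme} is not subject to the Basic-auth restriction"
    if any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_BASIC_AUTH_CIDRS):
        return 200, "pass: Basic auth from an allow-listed CIDR"
    return 403, "block: Basic auth from outside the allow-listed CIDRs"


def basic_auth_inventory(requests: List[Request]) -> List[Tuple[str, str, int]]:
    """Pre-rollout review: (client_ip, user, verdict) for every Basic-auth call,
    so integrations that would break can be migrated before the rule goes live."""
    findings = []
    for client_ip, path, headers in requests:
        creds = parse_basic_credentials(headers.get("Authorization", ""))
        if creds is None:
            continue
        status, _ = evaluate_request(client_ip, path, headers)
        findings.append((client_ip, creds[0], status))
    return findings


# Constructed sample traffic (paths, IPs, users, passwords and tokens are made up).
SAMPLE_REQUESTS: List[Request] = [
    ("203.0.113.7", "/fscmRestApi/resources/latest/invoices",
     {"Authorization": basic_header("int.legacy", "Summer2024!")}),
    ("10.20.30.40", "/fscmRestApi/resources/latest/invoices",
     {"Authorization": basic_header("int.internal", "Winter2024!")}),
    ("203.0.113.7", "/fscmRestApi/resources/latest/invoices",
     {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.constructed.signature"}),
    ("198.51.100.9", "/fscmUI/faces/FuseWelcome",
     {"Cookie": "JSESSIONID=constructed"}),
]

if __name__ == "__main__":
    for ip, path, headers in SAMPLE_REQUESTS:
        status, reason = evaluate_request(ip, path, headers)
        print(f"{ip:<14} {auth_scheme(headers):<7} {status} {reason}")
    blocked = [f for f in basic_auth_inventory(SAMPLE_REQUESTS) if f[2] == 403]
    print("would be blocked after rollout:", blocked)
```

Running `basic_auth_inventory` over a capture of real API traffic in monitor mode, before asking Oracle to enable the block, gives the list of user accounts and source addresses that still depend on basic authentication; each one is an integration to migrate to JWT or SAML (or to move inside the allow-listed range) ahead of the change.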

Conclusion: A multilayered approach to API security

Blocking basic authentication is a key measure in boosting the security of your Fusion Applications APIs. However, it's just one part of a comprehensive security strategy that should also include IP restrictions and the use of secure authentication mechanisms, such as SAML 2.0 and JWT. Together, these measures create a more robust and resilient defense, helping safeguard your APIs from a wide range of potential threats.

By embracing a layered security approach, you can significantly reduce the risk of unauthorized access and protect sensitive data within your Oracle Fusion Cloud Applications. For more details on implementing these security measures, explore the following resources and the links provided throughout this post: 


Miranda Jimenez

Product Marketing Manager

Miranda Jimenez is a member of the Product Management team at Oracle SaaS Cloud Security where she focuses on the development of messaging strategy, content creation, product launches and other security marketing initiatives. 

Miranda is a technology enthusiast, which is why she has been attracted to pursue technology projects in her professional life in an effort to contribute to its democratization. 


Roland Koenn

SaaS Cloud Security Outbound Product Manager

Roland is a member of the SaaS Cloud Security Product Management team, focusing on SaaS cloud security products within Oracle SaaS Cloud. The team's mission is to engage, educate, and empower customers about the security controls and features embedded in Oracle’s SaaS offerings.

