  • Monday, October 27, 2014

Using JWT To Secure Your Cloud Application Integrations

By: Richard Bingham | Senior Development Manager

What is a JWT token?

A JSON Web Token (JWT - sometimes pronounced "jot") is a parameter that is generated by one application and is passed to other integrated applications via a URL. In Fusion Applications it is used to hold the username for the current session. The external application can then use this value to display appropriate data or to take context-sensitive actions such as callbacks, preventing the need for repeated authentication or exposing dummy credentials. To be clear, the purpose is to share information between integrated systems; JWT is not a user authentication process.

What's Inside The Token?

JWT token text contains a set of claims. These are a combination of standard and user-defined unique name:value pair fields. The target system parses the token as a JSON document and takes the appropriate actions. In Fusion Applications JWT tokens we include three mandatory fields along with a single optional field (prn) where we put the username. The fields included are:

  • iat - issued at time (UTC unix)
  • exp - expiration time (UTC unix)
  • iss - issuer of the claim
  • prn - primary subject of the claim

Since JWT is an extensible open standard, you could extend the claims in the token using custom Expression Language and/or Groovy code; however, the supported intention is to share only the current username.

What Does It Look Like?

In this example, a Fusion Sales Cloud dashboard page has the 'Click Here' hyperlink added using Page Composer. This link has been configured using a JWT token so the target system will know the current user and display the appropriate data. The status bar region at the bottom shows the encoded, signed token string after the id_token URL parameter.

The configuration here allows you to select your existing 3rd Party Application as the base for the hyperlink (defined in Setup and Maintenance), here with the name "IDSystem". You then provide the remainder of the endpoint URL ("/oauth2/v1/tokeninfo"), and finally the token name (id_token).

The result, given here, is put into Expression Language since it includes calls that build the final link at runtime (shown on one line):

#{EndPointProvider.externalEndpointByModuleShortName['IDSystem']}/oauth2/v1/tokeninfo?id_token=#{applCoreSecuredToken.trustToken}

If you take the token text created at run-time and decode it (for example with an online JWT decoder), you'll see the claims output as described above. The generated JWT token is base64 encoded and also signed (MACed) using a standard algorithm and a common shared secret.
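As an added illustration (not code from this post or from Fusion Applications), the following Python shows what the receiving application should do with such a token: split the three base64url segments, check the header algorithm, verify the HMAC-SHA256 signature over the first two segments with the shared secret, and only then trust the iat/exp/iss/prn claims. The shared secret, issuer string and username are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; the real shared secret lives in the integrated systems.
SHARED_SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(prn: str, issuer: str, secret: bytes, now: int, ttl: int = 4 * 3600) -> str:
    """Build an HS256 JWT carrying the four claims described in the post."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iat": now, "exp": now + ttl, "iss": issuer, "prn": prn}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_token(token: str, secret: bytes, expected_iss: str, now: int) -> dict:
    """Return the claims if the token is well-formed, correctly signed, from the
    expected issuer and unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    # Accept only the MAC algorithm the shared secret is meant for; never "none".
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The prn claim is only safe to act on after verify_token has returned; decoding the payload segment alone proves nothing about who minted it.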

User Interface Use-Cases

Firstly let's consider the use-cases related to the user interface, where we'd want to maintain the user's own context as they navigate between different systems. To support this you can include JWT token generation as part of creating the following page customizations:

  • Creating new global Navigator menu items via Manage Menu Customizations task in setup and maintenance.
  • Adding hyperlinks to pages and dashboards via the Add Content option in Page Composer.
  • Adding a link to an Image component
  • Adding a webpage (iframe) region using Page Composer. Commonly used in creating hybrid pages with a mashup of source system information.
  • In addition, in Application Composer you could add Groovy to a link or button created in the "Actions and Links" feature (see below).

Backend Use-Cases

As mentioned above, a token could be used as part of enabling an integrated system to make callbacks with appropriate data. For example, an external system might want to use web services to get a list of records associated with your Fusion Applications user; taking the username from the JWT token allows the external system to build the request payload data.

Obviously the JWT token lasts the lifetime of the user session (4 hour default) and does not replace existing WS security policies, as per the guide documentation.

The following diagram is taken from the documents accompanying the OTN Sample Code for Sales Cloud Integration, as found in the project zip entitled "Rich UI with Data Visualization Components and JWT UserToken validation extending Oracle Sales Cloud - 1.0.1".

It illustrates how the Sales Cloud user interface passes the JWT token in the URL as an HTTP request and the sample ADF application performs validation and then reuses the token to perform a secured web service call back to Sales Cloud.

How To Get A Token?

For User Interface implementations the following video illustrates the points where you can configure a JWT token.


In addition, this could be done using an Expression Language statement directly as given above, or if you are an Oracle Sales Cloud customer then you could use Groovy inside Application Composer, passing the result in the final URL string.

def JWTtoken = (new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken())

Alternatively, the JWT token can be added to the header section of a SOAP request payload, under the key Authorization with the value Bearer <Your JWT Token> (NB - there is a space after the word Bearer). Here is an example using the HCM finSelfUserDetails operation.


Comments ( 4 )
  • guest Wednesday, December 10, 2014

    Nice overview of what JWT means for Oracle SaaS Cloud. Thanks for putting the reference links together.


  • guest Saturday, April 9, 2016

    When you download the sample it's good to know that you may have to change weblogic.xml.

    I changed the first line to

    <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.5/weblogic-web-app.xsd" xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

    Because it contained references to bea.

    And I removed <specification-version>2.0</specification-version>.

    Now I can deploy the app for testing!


  • Micha Gruler Tuesday, December 19, 2017
    Hi Richard,

    this functionality has been around for quite a while, but ever since it came out, I missed the option to open a hyperlink in the current browser window in full screen.
    The Page Integration Wizard opens the page within a subpage. The direct link from the Structure Menu opens the link in a new tab. But how to change the current page to show a link?

    Do you know if this is possible, and if not, if there are any plans on allowing it in the future?

    Thanks

    Micha
  • Richard Friday, January 12, 2018
    Hi Micha
    I suspect the enforcement to keep the current page open is to reduce the likelihood of browser back button use, which can disrupt the page session context data.
    If you have suitable business/usability needs then I'd recommend logging it with our Support team as an enhancement request upon which a review can be done.
    Kind regards
    Richard