3-Legged OAuth flow to invoke Fusion Apps Rest Endpoints

Amit Gokhru
Oracle Developers
Published in
4 min readJan 16, 2018


This is fifth blog in the series of blogs that I am writing to explain identity integration of Oracle Fusion Application with PaaS services using Identity Cloud Service to achieve single-sign-on between services. Here is list of blogs in this series

  1. Understanding the Integration Architecture — Fusion Application with Platform services
  2. Enable Federation with Fusion Apps as Identity Provider
  3. Enable Federation with Identity Cloud Service as Identity Provider
  4. Setting up users and roles synchronization between Fusion Apps and Identity Cloud Service
  5. 3-legged OAuth flow to invoke Fusion Apps rest endpoints.

In this blog I will explain how we can leverage 3 legged OAuth which is a new functionality enabled by IDCS integration with Fusion Application.

Please note that federation and sync setup as described in #2, #3 and #4 are prerequisite for this.

Some of the important use-cases which required this are -

  1. Custom applications displaying Fusion data with user login and consent.
  2. Third Party applications fetching user’s Fusion data with consent.

Here is the application architecture for such application which leverage 3-legged OAuth

Application flow is as follows -

  1. User access the area in the web application which require access to his Fusion Application’s data.
  2. Custom application redirect user to IDCS for authentication.
  3. IDCS display login page, user login with his credential and provide his consent to allow application to access his data.
  4. IDCS return back to the application with AUTH CODE
  5. Application request the access token from IDCS submitting auth-code, client-id and client-secret
  6. IDCS return the access-token
  7. Application invoke the Fusion Application’s Rest endpoint.
  8. Fusion Application validates the access-token and return the user data to application.

Let us see how we can implement the above flow -

  1. Configure the OAuth Resource for Fusion Application Rest endpoint if not already available
  • Login to IDCS admin console > click “Applications” tab > “Add”
  • In the application wizard, select “Trusted Application”
  • On the “App Details” page, provide application name and description and click Next
  • Skip the client configuration and click “Next”
  • Select the radio button “Configure the application as resource server now” to configure Fusion Application API path as OAuth resources

— Provide “Primary Audience” = Host of FA endpoint

— Click “Add” on “Allowed Scope” to add allowed scope on the primary and secondary Audience

  • Review Audience and Allowed Scope and click Next. You can add specific API as scope and then request access-token for those allowed-scope. When you add “/” as allowed scope, make sure the use “audience” + “/” as scope when requesting access-tokens.
  • click Finish
  • Activate the application

2. Configure the Oauth Client for your custom application

  • Login to IDCS admin console > click “Applications” tab > “Add”
  • In the application wizard, select “Trusted Application”
  • On the “App Details” page, provide application name and description and click Next
  • Select “Configure Application as Client Now”

— Select “Authorization Code” and “Refresh Token” as Allowed Grant Types

— Provide your application URL to redirect after user login in “Redirect URL”

— Provide your application logout URL in “Logout URL”

— Provide your post logout URL in “Post Logout Redirect URL”

— Add API from FA resource in “Allowed Scopes”

  • Click Finish
  • Note down the client-id and client-secret
  • Activate the application

3. Application configuration — Redirect user to IDCS endpoint which he access the private content as

https://<IDCS HOST>/oauth2/v1/authorize?client_id=<CLIENT - ID>&response_type=code&redirect_uri=<REDIRECT URL AS CONFIGURED IN CLIENT>&scope=<SCOPE AS CONFIGURED IN CLIENT ALLOWED SCOPE>

4. After successful authentication, IDCS will redirect back to the application as per given REDIRECT URL with AUTH-CODE in request parameter. Get the auth-code from request (JAVA code)

String code = httpReq.getParameter("code");
if (code == null || code.length() == 0) {
LOGGER.log(Level.SEVERE, "Invalid Code");
String authCode;
try {
authCode= URLEncoder.encode(code, "UTF8");
} catch (Exception e) {
LOGGER.log("Exception occurred!!")

5. Get the access token from auth code by submitting the auth-code, client-id and client-secret on IDCS token endpoint (JAVA Code)

String IDCSTokenURL = "https://<IDCS HOST>/oauth2/v1/token";
String postBody = "grant_type=authorization_code"+"&code="+authCode;
Response httpResponse;Map<String, String> requestOptions = new HashMap<>();
requestOptions.put("Accept", "*/*");
String authzHdrVal = "<CLIENT-ID>" + ":" + "<CLIENT-SECRET>";
requestOptions.put("Authorization", "Basic " + DatatypeConverter.printBase64Binary(authzHdrVal.getBytes("UTF-8")));
httpResponse = execHttpRequest(IDCSTokenURL , "POST", requestOptions, postBody);String result = httpResponse.getResponseBodyAsString("UTF-8");
JSONObject json = new JSONObject(result);
IDCSAccessToken = json.getString("access_token");

6. Invoke the Fusion Application’s REST endpoint with the access token (JAVA Code)

Client client = null;
WebResource resource = null;
ClientConfig cc = new DefaultClientConfig();
client = Client.create(cc);
String fusionAPIURL = new String(<FA API URL>);
resource = client.resource(url);
ClientResponse clientResponse= null;
clientResponse= resource.header("user.tenant.name", "<FA tenant name>").header("Authorization", "Bearer " + accessToken).accept("application/json").get(ClientResponse.class);

7. Once you have the data from Fusion, your application can display that in the application UI as required.

This concludes our implementation of 3-legged OAuth which enable run-time user authentication and consent to third party application to access user’s fusion data.

The views expressed in this post are my own and do not necessarily reflect the views of Oracle.