
Oracle BPM APIs: REST / Java

Moe_ADF_541
Moe_ADF_541 Member Posts: 241

Dear experts,

I've got a question about using the BPM APIs, either the Java API or the REST API.

In the Java as well as the REST API, it is required to specify the credentials of the user, either when making a REST call or when preparing the Java class that includes the API method call.

My question is, in a real-life application, how do I pass such information?

I highly doubt that they are hard-coded into the call. I have the following situation:

I am creating an application with a JavaScript front-end, say React JS, and I would like to use the BPM REST API to make significant calls such as getting the task list of a specific user.

To make that call, I would need to place the username and password in my API call header. However, I am looking for the best way to do this, as I am really not convinced about how to include explicit credentials in my service call, knowing that the parameters of these service calls, the said username and password, need to be dynamic and correspond to whoever is logged into the application.

I would greatly appreciate any hints on how this is done, as I have no clear idea how to achieve this.

Thanks in advance,

Regards,

Middleware version: 12.2.1.3


Answers

  • Martien van den Akker
    Martien van den Akker Member Posts: 2,776 Bronze Crown
    edited May 20, 2019 3:23AM

    Hi Moe,

    There are two constructs to do this.

    1. Normally you would do one call to the Authenticate API, which will deliver you a token. This logon is often done with a system username/password, so you don't need to store usernames/passwords for every user (you wouldn't know them). So you'll need a mechanism that keeps a safe copy of that system username/password. Since you use JavaScript this is a bit hard. I assume you have an authentication mechanism for your application in place. Now, given your application user is authenticated and authorized, you would use your own REST service built on top of the Java API. Then you can keep the system username/password on the server side. However, you should make sure that the connection is encrypted and that you can only call the REST service when authenticated.
       Instead of passing username/password every time you do the API call, you pass the WF Token.
    2. You use the on-behalf-of user to do the WF actions for a particular end-user. So in subsequent calls you only provide the end-user's username for the action.

    Often for a certain action (update a task, make it complete) we create custom services, based on the Java APIs, to prevent multiple roundtrips for certain end-user actions. This improves the performance.

    Regards,
    Martien

  • Moe_ADF_541
    Moe_ADF_541 Member Posts: 241
    edited May 20, 2019 4:11AM

    Hello Martien, and thank you for the prompt reply.

    Concerning the authentication, we are using Oracle Access Manager. So here I might ask, is the correct approach to use the OAM REST API to authenticate the user? And this means that I create the login screen and pass the credentials? If I understand correctly.

    I have also seen examples where, after login, the token is saved as a 'jwt' / JSON Web Token, so I might mention that later on when I have clear visibility on how to do this.

    2- Can you kindly elaborate more on the "on-behalf-of user" point? Does that mean I need to create a 'super' user, or an admin, that can make the call instead of the logged-in user? Thanks in advance

    kind regards,

  • Martien van den Akker
    Martien van den Akker Member Posts: 2,776 Bronze Crown
    edited May 20, 2019 5:39AM

    Hi Moe,

    Concerning the authentication, we are using Oracle Access Manager. So here I might ask, is the correct approach to use the OAM REST API to authenticate the user? And this means that I create the login screen and pass the credentials? If I understand correctly.

    I have also seen examples where, after login, the token is saved as a 'jwt' / JSON Web Token, so I might mention that later on when I have clear visibility on how to do this.

    I guess that will be OK. In my answer I did not relate to this part of the problem. I just state that you have a means to authenticate and authorize the end user of the application. Also I state that it is important that you make sure that your REST services cannot be invoked unless you're authenticated. So, if you use WebLogic for instance, then the REST service should be secured similarly to the JS application. Then, based on the assumption that you have an authentication/authorization mechanism in place and the REST service is secured, you can just have the system user/password registered on the server side. And then you can use the WF Token to call subsequent APIs for an on-behalf-of user. In this scenario the end-user does not need to authenticate to call the WF REST services.

    Regarding the On-Behalf-Of user: if each and every end-user needs to authenticate against BPM, for getting task lists, updating tasks etc., then you have a problem. You would need to have the end-user authenticate against BPM explicitly. Logon to the application (authentication) is normally done against a system external to your application. If I assume that your JS application is deployed to WebLogic, then you would have the authentication done through WebLogic, which can use an external Identity Provider through a (sequence of) authenticator(s), like Active Directory, or in your case OAM. But, after authentication of the user, the application can get the userid, but the password is only entered on the logon page of WebLogic or the IdP. So, you would need to either:

    • have the end-user enter their password a second time, and keep that password in memory during the session. Not so user-friendly and secure.
    • or have all the end-user passwords stored somewhere in your application, so you can look them up when you need to authenticate against BPM. Not so secure either, and end-users can't change their passwords so easily, because they're stored redundantly in two places that have to be in sync.
    • or you need to have all the BPM passwords of all the end-users be the same. No need to explain that it's not so secure either.

    For this reason you can have a system user, for which you only need to store the username/password in a secured way in your application. The end user just logs on to your application, and the application uses the system user to authenticate against BPM. In the on-behalf-of user the username of the logged-on user is provided.

    Hope this makes it clear.

    Regards,

    Martien
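The server-side construct Martien describes in his first two answers (system account kept on the server, WF token obtained once and reused, every call done on-behalf-of the logged-on user) as an added JavaScript example; this is not code from the thread, from Oracle or from the BPM REST API. The `/authenticate` and `/tasks` paths, the `X-On-Behalf-Of` header, the token response shape and the 10-minute token lifetime are placeholders for the real BPM contract, and `transport` is an injected HTTP function so the logic runs offline.

```javascript
// Added example, not from the thread. Server-side gateway in front of BPM: the
// system credentials never leave this process, and the "for whom" of every call
// comes from the caller's authenticated server-side session, not from the browser.
// Paths, header name, token shape and TTL below are placeholders, not Oracle's API.
const SYSTEM_USER = process.env.BPM_SYSTEM_USER || "placeholder-system-user";
const SYSTEM_PASSWORD = process.env.BPM_SYSTEM_PASSWORD || "placeholder-password";
const BPM_BASE = process.env.BPM_BASE_URL || "https://bpm.example.invalid";
const TOKEN_TTL_MS = 10 * 60 * 1000; // placeholder lifetime of the WF token

// Only plain account names are forwarded on-behalf-of; anything else is refused.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

// transport(request) -> Promise<{status, body}> is the HTTP client (e.g. a fetch
// wrapper); injecting it keeps the gateway testable without a BPM server.
function createBpmGateway(transport, now = Date.now) {
  let cached = null; // { token, expiresAt }

  // Authenticate once with the system account and reuse the WF token until it
  // expires; afterwards re-authenticate transparently.
  async function getSystemToken() {
    if (cached && cached.expiresAt > now()) return cached.token;
    const res = await transport({
      method: "POST",
      url: `${BPM_BASE}/authenticate`,
      body: { username: SYSTEM_USER, password: SYSTEM_PASSWORD },
    });
    if (res.status !== 200 || typeof res.body.token !== "string") {
      throw new Error("system authentication against BPM failed");
    }
    cached = { token: res.body.token, expiresAt: now() + TOKEN_TTL_MS };
    return cached.token;
  }

  // Task list for the logged-on user. The username comes from the session the
  // application established (OAM/WebLogic), never from the request body or query.
  async function getTaskListFor(session) {
    if (!session || !session.authenticated || typeof session.username !== "string" ||
        !USERNAME_RE.test(session.username)) {
      return { status: 401, body: { error: "not authenticated" } };
    }
    const token = await getSystemToken();
    const res = await transport({
      method: "GET",
      url: `${BPM_BASE}/tasks`,
      headers: { Authorization: `Bearer ${token}`, "X-On-Behalf-Of": session.username },
    });
    return { status: res.status, body: res.body };
  }
  return { getSystemToken, getTaskListFor };
}
```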

  • Moe_ADF_541
    Moe_ADF_541 Member Posts: 241
    edited May 21, 2019 12:59AM

    Hello Martien, and thanks again for the informative reply.

    I understand the explanation. However I have a couple of things to ask:

     Also I state that it is important that you make sure that your REST services cannot be invoked unless you're authenticated. So, if you use WebLogic for instance, then the REST service should be secured similarly to the JS application. Then, based on the assumption that you have an authentication/authorization mechanism in place and the REST service is secured, you can just have the system user/password registered on the server side. And then you can use the WF Token to call subsequent APIs for an on-behalf-of user. In this scenario the end-user does not need to authenticate to call the WF REST services.

    • Ideally, I will be using OUD as the LDAP identity store for my users, and OAM as the provider. In essence, the soa-infra server as well as my JS application will both be registered under the same Webgate / Oracle HTTP Server, so access to the REST APIs is by default governed by whether the user is authenticated or not, so I believe I have that covered.

    For this reason you can have a system user, for which you only need to store the username/password in a secured way in your application. The end user just logs on to your application, and the application uses the system user to authenticate against BPM.

    Thank you for explaining about the 'on-behalf-of' user concept. One thing though:

    In the on-behalf-of user the username of the logged-on user is provided.

    The thing is, for every "personalized" API call a user-specific payload is expected, so I'm not sure how an 'on-behalf-of' user will get the user-specific payload / tasks / etc.

    I might be asking the obvious but I'm completely new to this. Are there any resources on how this is implemented? I'd appreciate it very much if you can point out similar implementations.

    Thankful and appreciative,

    Regards,

  • Martien van den Akker
    Martien van den Akker Member Posts: 2,776 Bronze Crown
    edited May 21, 2019 3:16AM

    Hi Moe,

    ...well as my JS application will both be registered under the same Webgate / Oracle http server...

    OHS does not do authentication. OHS just does either reverse proxying to your WebLogic environment, or delivering static content, or both. So, if you make your JS application available through OHS as static content, then there's no authentication. You should put it in an EAR file under a context root that is secured. The same counts for the REST services. Maybe you meant that, but I just state it in trying to be clear.

    The thing is, for every "personalized" API call a user-specific payload is expected, so I'm not sure how an 'on-behalf-of' user will get the user-specific payload / tasks / etc.

    You use the on-behalf-of user to get the task list with tasks that are assigned to that user or the groups he/she belongs to. So the tasks you get in the list are "personalized" already. Then those tasks are to be handled. You might need to change the payload, or complete them. For those actions the on-behalf-of user is used as well. In short, in all those actions you need to provide "for whom" the system is doing things. The on-behalf-of user should have the authorization to do so.

    Regards,
    Martien

  • Moe_ADF_541
    Moe_ADF_541 Member Posts: 241
    edited May 21, 2019 7:05AM

    Hello Martien,

    1.

    ...well as my JS application will both be registered under the same Webgate / Oracle http server...

    OHS does not do authentication. OHS just does either reverse proxying to your WebLogic environment, or delivering static content, or both. So, if you make your JS application available through OHS as static content, then there's no authentication. You should put it in an EAR file under a context root that is secured. The same counts for the REST services. Maybe you meant that, but I just state it in trying to be clear.

    Yes, exactly what I meant. But thanks for the clarification.

    2.

    The thing is, for every "personalized" API call a user-specific payload is expected, so I'm not sure how an 'on-behalf-of' user will get the user-specific payload / tasks / etc.

    You use the on-behalf-of user to get the task list with tasks that are assigned to that user or the groups he/she belongs to. So the tasks you get in the list are "personalized" already. Then those tasks are to be handled. You might need to change the payload, or complete them. For those actions the on-behalf-of user is used as well. In short, in all those actions you need to provide "for whom" the system is doing things. The on-behalf-of user should have the authorization to do so.

    Understood.

    However, I got my hands on some findings. From the JS application, by designing my own login screen (as opposed to depending on the out-of-the-box OAM SSO login page) and by completing the login form (username, password), I will be authenticating against the OAM create access token API: https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.3/oroau/api-runtime-create-token.html

    With the token returned, I can use the encrypted credentials (a.k.a. the 'token') to make the subsequent calls. Still theoretical; I have yet to test this API.

    Any remarks on why I should / should not continue with this approach?

    Much Appreciated.

    Regards,

  • Martien van den Akker
    Martien van den Akker Member Posts: 2,776 Bronze Crown
    edited May 21, 2019 7:21AM

    I think this approach is perfectly fine. However, you should be able to extract the username of the authenticated user, to be able to provide it to the BPM api.

    And one other thing: the weblogic running BPM should have access to the same users and groups that are registered with OAM.

    You authenticate against OAM, then you need to extract the username somehow, maybe from a header or from the token (with SAML2 it's in the token for instance), then BPM needs to know of the same user and be able to query the groups it's in. These groups need to be mapped on BPM roles. So BPM needs to be able to determine via the groups which Roles the user has and to make up the list of tasks.

    Regards,

    Martien

  • Moe_ADF_541
    Moe_ADF_541 Member Posts: 241
    edited May 21, 2019 8:13AM

    Hello Martien,

    I think this approach is perfectly fine. However, you should be able to extract the username of the authenticated user, to be able to provide it to the BPM api.

    I believe there might be no need to propagate the user name, I was able to make the API 'get task list' as follows:

    [screenshot of the request: pastedImage_2.png, not reproduced]

    Using only the encrypted token. So for subsequent calls, I might just continue using this token, which I will save in some variable.

    And one other thing: the weblogic running BPM should have access to the same users and groups that are registered with OAM.

    You authenticate against OAM, then you need to extract the username somehow, maybe from a header or from the token (with SAML2 it's in the token for instance), then BPM needs to know of the same user and be able to query the groups it's in. These groups need to be mapped on BPM roles. So BPM needs to be able to determine via the groups which Roles the user has and to make up the list of tasks.

    Indeed, that is the case. OAM will secure all the Middleware components that we will be using, including BPM. But the thing that I really anticipate from the OAM REST API is that once a user is authenticated, SSO will be achieved, and once I open my workspace for example, I should already be authenticated.

    As for user groups, as mentioned before OUD is used as the LDAP, so OAM will be validating against this repository for user identities and groups, which are ideally mapped to BPM roles. Essentially, it is from OUD that we are mapping BPM roles.

    Thanks and Regards,

  • Martien van den Akker
    Martien van den Akker Member Posts: 2,776 Bronze Crown
    edited May 21, 2019 8:24AM

    I believe there might be no need to propagate the user name, I was able to make the API 'get task list' as follows:

    How do you tell the BPM API for which user (on-behalf-of) you're requesting the task list?

  • Moe_ADF_541
    Moe_ADF_541 Member Posts: 241
    edited May 21, 2019 8:34AM

    On login, a user token was generated; that's how I made the subsequent call, only using the token. I included neither the user name nor the password in the 'get task list' API.