1 Reply Latest reply on May 15, 2020 4:35 PM by Leandroide

    ORDS with External JWT Token Authorisation

    pmckenna

      Hi

      I am hoping someone can enlighten me on how to deal with a proposed architecture I have been handed. Apologies in advance that I do not have a detailed understanding of this area.

      The theory is that ORDS running on Tomcat will receive HTTP requests containing JWT tokens generated by an authentication layer above us (Cognito). These will contain details of the roles etc. the requesting user has, and the services will need to check that these are sufficient to access the requested service and also restrict the data returned based on the user's rights. There will be a definition within the database of what roles are associated with each service and dataset.

      I see that ORDS supports OAuth2, which is similar, but from what I can tell that is a bit different, with the token being generated based on an ORDS authentication process.

      I know that I can parse the JSON contained in the JWT token within PL/SQL, but how do I get the JWT body?

      Ideally I would like to have some kind of transparent handling of the token such that the JSON elements are available to ORDS service handlers as variables.

      I guess I could build a Java handler to interrogate the token before passing it on to the ORDS service, but I'd really like to keep things simple.

      Thanks in advance

        • 1. Re: ORDS with External JWT Token Authorisation
          Leandroide

          Hi man/woman! I had to modify our Authentication Server and inject the ORDS access token, according to each CLIENT, as a custom claim in our custom JWT token.

          Then, depending on the target:

          - api.yourcompany.com/java-helidon-or-spring-based-resource -> will receive and parse entire JWT

          - api.yourcompany.com/ords/schema_alias/module/template -> will receive and parse the ORDS access token.

          {
              "access_token": "TheUniqueGeneratedStringByORDS",
              "token_type": "bearer",
              "expires_in": 3600
          }

          Hope this helps, it was the fastest and easiest integration solution I found.

          1 person found this helpful
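The original question asks how a PL/SQL handler can get at the JWT body at all. The following is an added example, not code from this thread or from ORDS itself: a small package that strips the `Bearer` scheme from the Authorization header value, base64url-decodes the middle (payload) segment of the compact JWT, and reads the `exp` and `cognito:groups` claims from it with `JSON_VALUE`/`JSON_TABLE`, followed by a handler block that refuses the request with 403 unless the caller is in the group the service requires. Everything it assumes is marked in the code: that the header reaches the handler as the bind `:auth_header` (declared with `ORDS.DEFINE_PARAMETER` using `p_source_type => 'HEADER'`, which should be checked against your ORDS version), that the issuer emits group membership under the Cognito claim name `cognito:groups`, and that the group name `orders_readers` is a constructed placeholder. The important caveat is that decoding a JWT is not verifying it: the signature, issuer and audience must already have been validated by the authentication layer in front of ORDS, as the question's architecture proposes, or the decoded claims cannot be trusted for authorisation.

```plsql
-- Added example, not code from the thread. It assumes the token's signature,
-- issuer and audience have already been verified by the layer in front of
-- ORDS; this package only decodes and reads claims, it does not verify them.
CREATE OR REPLACE PACKAGE jwt_claims AS
  FUNCTION payload    (p_authorization IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION is_expired (p_payload IN VARCHAR2) RETURN BOOLEAN;
  FUNCTION has_group  (p_payload IN VARCHAR2, p_group IN VARCHAR2) RETURN BOOLEAN;
END jwt_claims;
/

CREATE OR REPLACE PACKAGE BODY jwt_claims AS

  -- Return the decoded JSON payload of a "Bearer <jwt>" header value, or NULL
  -- if the header is missing or not in compact form (header.payload.signature).
  FUNCTION payload (p_authorization IN VARCHAR2) RETURN VARCHAR2 IS
    l_token VARCHAR2(32767);
    l_seg   VARCHAR2(32767);
    l_dot1  PLS_INTEGER;
    l_dot2  PLS_INTEGER;
  BEGIN
    IF p_authorization IS NULL
       OR LOWER(SUBSTR(p_authorization, 1, 7)) <> 'bearer ' THEN
      RETURN NULL;
    END IF;
    l_token := TRIM(SUBSTR(p_authorization, 8));

    -- the payload is the text between the first and second '.'
    l_dot1 := INSTR(l_token, '.', 1, 1);
    l_dot2 := INSTR(l_token, '.', 1, 2);
    IF l_dot1 = 0 OR l_dot2 = 0 THEN
      RETURN NULL;
    END IF;
    l_seg := SUBSTR(l_token, l_dot1 + 1, l_dot2 - l_dot1 - 1);

    -- JWT segments are base64url without padding: swap the two alphabet
    -- characters back and restore '=' padding so UTL_ENCODE accepts it
    l_seg := TRANSLATE(l_seg, '-_', '+/');
    l_seg := RPAD(l_seg, LENGTH(l_seg) + MOD(4 - MOD(LENGTH(l_seg), 4), 4), '=');

    RETURN UTL_RAW.CAST_TO_VARCHAR2(
             UTL_ENCODE.BASE64_DECODE(UTL_RAW.CAST_TO_RAW(l_seg)));
  END payload;

  -- "exp" is seconds since the Unix epoch (UTC); a missing exp counts as expired
  FUNCTION is_expired (p_payload IN VARCHAR2) RETURN BOOLEAN IS
    l_exp NUMBER := JSON_VALUE(p_payload, '$.exp' RETURNING NUMBER);
    l_now NUMBER := (CAST(SYS_EXTRACT_UTC(SYSTIMESTAMP) AS DATE)
                     - DATE '1970-01-01') * 86400;
  BEGIN
    RETURN l_exp IS NULL OR l_now >= l_exp;
  END is_expired;

  -- Cognito carries group membership in the "cognito:groups" array claim;
  -- the claim name is an assumption here and must match what your issuer emits.
  FUNCTION has_group (p_payload IN VARCHAR2, p_group IN VARCHAR2) RETURN BOOLEAN IS
    l_count PLS_INTEGER;
  BEGIN
    SELECT COUNT(*)
      INTO l_count
      FROM JSON_TABLE(p_payload, '$."cognito:groups"[*]'
             COLUMNS (grp VARCHAR2(256) PATH '$'))
     WHERE grp = p_group;
    RETURN l_count > 0;
  END has_group;

END jwt_claims;
/

-- Handler body (plsql/block) for the protected template. It assumes the
-- Authorization header was declared as an IN parameter bound to :auth_header,
-- e.g. ORDS.DEFINE_PARAMETER(..., p_name => 'Authorization',
--   p_bind_variable_name => 'auth_header', p_source_type => 'HEADER',
--   p_param_type => 'STRING', p_access_method => 'IN')   -- assumed signature
-- 'orders_readers' is a constructed placeholder for the role the service needs.
DECLARE
  l_payload VARCHAR2(32767) := jwt_claims.payload(:auth_header);
  l_subject VARCHAR2(256);
BEGIN
  IF l_payload IS NULL
     OR jwt_claims.is_expired(l_payload)
     OR NOT jwt_claims.has_group(l_payload, 'orders_readers') THEN
    :status_code := 403;   -- authenticated upstream, but not allowed here
    RETURN;
  END IF;
  -- authorised: "sub" is the stable subject id to restrict returned rows by
  l_subject := JSON_VALUE(l_payload, '$.sub');
  :status_code := 200;
END;
```

The role-to-service mapping the question describes as living in the database would replace the hard-coded group name with a lookup keyed by the module and template being served, and the `sub` (or the custom claim Leandroide describes) is what a query handler would bind into its `WHERE` clause to restrict rows. Because nothing in PL/SQL here checks the signature, the handler must only ever be reachable through the layer that does.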