How to Set Up JWT Authentication for Oracle Fusion Cloud Applications

Modified on Thu, 12 Mar at 5:44 AM

This article walks you through the complete JWT (JSON Web Token) authentication setup for Oracle Fusion Cloud Applications.

The setup involves three steps:

  1. Generate an X.509 key pair using OpenSSL
  2. Configure the API Authentication Provider in Oracle Fusion Security Console
  3. Register an OAuth Confidential Application in OCI Identity Domain

Note: This is a one-time setup. Once done, you won't need to repeat these steps again.

Step 1: Generate X.509 Key Pair Using OpenSSL

You need a private key and a public certificate. The private key signs your JWT tokens, while the public certificate gets uploaded to the Oracle Fusion Security Console and the OAuth Confidential Application in Oracle Cloud Infrastructure (OCI) Identity Domain for token verification.

We use OpenSSL for this. It is an open-source toolkit widely used for creating and managing SSL/TLS certificates and encryption keys. Make sure OpenSSL is installed on your system before continuing.

Note: The OAuth Confidential Application requires an X.509 certificate. SSH keys are not supported.

1.1 Create and open a working directory 

mkdir oauth-keys 

cd oauth-keys

1.2 Generate a 2048-bit RSA private key

openssl genrsa -out private_key.pem 2048

1.3 Generate the public certificate (valid for 365 days)

openssl req -new -x509 -key private_key.pem -out public_cert.pem -days 365

OpenSSL will prompt you to enter certificate details. Fill in your organization information.

At this point, you should have two files:

  • private_key.pem — Keep this secret. It signs your JWT tokens.
  • public_cert.pem — Upload to Oracle Fusion Security Console and OCI Identity Domain for verification.

1.4 Generate the certificate fingerprint (x5t)

The fingerprint value (called x5t) goes into the JWT header so Oracle knows which certificate to verify against.

Run the following command to generate the SHA-1 fingerprint:

openssl x509 -sha1 -in public_cert.pem -noout -fingerprint

You will get output like:

SHA1 Fingerprint=74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88

Copy the fingerprint value after the = sign and convert it to Base64 using one of the following commands:

Note: The fingerprint shown above is a sample value. Replace it with the actual fingerprint generated from your certificate.

If you are using Command Prompt or PowerShell:

powershell -command "$hex='74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88'.Replace(':',''); $bytes = for ($i=0; $i -lt $hex.Length; $i+=2) {[Convert]::ToByte($hex.Substring($i,2),16)}; [Convert]::ToBase64String($bytes)"

If you are using Git Bash:

echo "74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88" | tr -d ':' | xxd -r -p | base64

Important: Save this Base64 value. This is your Token Fingerprint (x5t), and you will need it when configuring BI Connector.
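
The script below is an added example, not part of the original article or of Oracle's or BI Connector's tooling. It derives the x5t value directly from public_cert.pem instead of copying a fingerprint by hand, confirms that private_key.pem belongs to that certificate, and warns when the certificate is close to expiry. The function names and the 30-day threshold are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the article). File names follow Step 1;
# function names and the 30-day expiry threshold are assumptions.

# Convert an "openssl x509 -fingerprint" line (or bare hex) to standard
# Base64, as the article's commands do. Rejects anything but 20 bytes of hex.
fp_to_x5t() {
    hex=$(printf '%s' "${1##*=}" | tr -d ': \r\n')
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#hex}" -eq 40 ] || return 1
    while [ -n "$hex" ]; do
        rest=${hex#??}; byte=${hex%"$rest"}
        printf "\\$(printf '%03o' "0x$byte")"
        hex=$rest
    done | base64
}

# RFC 7515 defines the x5t header as base64url without padding; use this
# form only if the JWT library you use expects it.
to_base64url() { printf '%s' "$1" | tr '+/' '-_' | tr -d '='; }

# Same value computed straight from the certificate: SHA-1 over its DER form.
cert_x5t() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | base64
}

# True only if the private key and the certificate hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pre-upload check: restrict key permissions, verify the pair, warn on
# near expiry, and print the x5t only if both derivations agree.
check_jwt_keys() {
    key=${1:-private_key.pem}; cert=${2:-public_cert.pem}
    chmod 600 "$key" || return 1
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
        echo "warning: certificate expires within 30 days" >&2
    x5t=$(cert_x5t "$cert")
    fp=$(openssl x509 -sha1 -in "$cert" -noout -fingerprint) || return 1
    [ -n "$x5t" ] && [ "$x5t" = "$(fp_to_x5t "$fp")" ] || return 1
    echo "$x5t"
}

# Run the check when invoked from the oauth-keys directory.
if [ -f private_key.pem ] && [ -f public_cert.pem ]; then check_jwt_keys; fi
```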

Step 2: Configure API Authentication Provider in Oracle Fusion Security Console

This step tells Oracle Fusion to trust tokens signed by your private key.

2.1 Create the Authentication Provider

  1. Log in to Oracle Fusion as a user with the Security Manager role.
  2. Navigate to Navigator → Tools → Security Console.
  3. Click API Authentication.
  4. Click Create Oracle API Authentication Provider.
  5. Click Edit.
  6. Set Trusted Issuer to a name that identifies your application.
  7. Set Token Type to JWT.
  8. Click Save and Close.


2.2 Upload the Public Certificate

  1. From the left-hand menu, select Inbound API Authentication Public Certificates.
  2. Click Add.
  3. Set Certificate Alias to a friendly name (for example, ORA_ASE_JWT_MYCOMPANY).
  4. For Certificate File, browse and select your public_cert.pem.
  5. Click Done.


Verify that the Trusted Issuer is listed and Token Type shows JWT.

Step 3: Register OAuth Confidential Application in OCI Identity Domain

In this step, you create the OAuth Confidential Application. After this step, you will have a Client ID, Client Secret, Scope, and Key Alias for your BI Connector integration.

3.1 Create the Application

  1. Log in to your OCI Identity Domain with administrator credentials.
  2. Navigate to Identity & Security → Domains.
  3. Select your identity domain and go to Integrated Applications.
  4. Click Add Application.
  5. Select Confidential Application and click Launch Workflow.
  6. Enter a Name (for example, BIC_OAuth_Client).
  7. Enter a Description (for example, OAuth client for API integration using JWT assertion).
  8. Click Submit.

3.2 Configure OAuth Settings

Go to the OAuth configuration tab and click "Edit OAuth configuration".

Resource Server Configuration:

  • Keep "No Resource Server Configuration" selected.

Client Configuration:

  1. Select "Configure this application as a client now".
  2. Grant Types: Check Resource Owner and JWT Assertion.
  3. Client Type: Select Trusted. 
  4. Upload Public Certificate: Upload your public_cert.pem and give it an alias (for example, MyApp_JWT_Cert_2024).
  5. Allowed Operations: Check Introspect and On behalf of.
  6. Client IP Address: Set to Anywhere.
  7. Authorized Resources: Check All.
  8. Add Resource: Click the Add Scope button and add the required scope (for example, urn:opc:resource:consumer::all).

3.3 Submit and Copy Credentials

  1. Click Submit.
  2. The Client ID, Client Secret, and other configuration details will now be visible on the OAuth configuration page.
  3. Copy and save them securely.

Important: Make sure the application status is set to Active.

Credentials Summary

After completing all three steps, securely store the following values. You will need them when configuring BI Connector:

Value                     Where It Comes From
Client ID                 Integrated Application → OAuth Configuration
Client Secret             Integrated Application → OAuth Configuration
Username                  Oracle Fusion Cloud username for BI Connector
Scope                     Integrated Application → OAuth Configuration
Key Alias                 Integrated Application → OAuth Configuration
Private Key               Generated in Step 1 (private_key.pem)
Token Fingerprint (x5t)   Base64-encoded SHA-1 fingerprint from Step 1
Identity Domain URL       Your Identity Domain URL (e.g., https://idcs-xxxxx.identity.oraclecloud.com)

Where to find the Domain URL: Log in to OCI Identity Domain, navigate to Identity & Security → Domains, and select your identity domain. The Domain URL is listed on the domain details page.