JWT Token Security with Fusion Sales Cloud
- by asantaga
When integrating Sales Cloud with a 3rd party application you often need to pass the user's identity to the 3rd party application so that:
The 3rd party application knows who the user is.
The 3rd party application is able to do web service callbacks to Sales Cloud as that user.
Until recently, without using SAML, this wasn't easily possible, and one workaround was to pass the username, potentially even the password, from Sales Cloud to the 3rd party application using URL parameters.
With Oracle Fusion R8 we now have a proper solution, called "JWT Token support". This is based on the industry JSON Web Token standard; for more information see here
JWT works by allowing the user to generate a token (which lasts a short period of time) for a specific application. This token is then passed to the 3rd party application as a GET parameter. The 3rd party application can then call into Sales Cloud and use this token for all web service calls; the calls will be executed as the user who generated the token in the first place. Alternatively, it can call a special HR web service (UserService-findSelfUserDetails()) with the token and Fusion will respond with the user's details.
Some more details
The following walks through a scenario in which you want to embed a 3rd party application within a WebContent frame (iFrame) within the opportunity screen.
1. Define your application using the topology manager in setup and maintenance
See this documentation link on topology manager
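2. From within the Groovy script which defines the iFrame you wish to embed, write some code which looks like this:
// Look up the endpoint registered for the application in topology manager
def thirdpartyapplicationurl = oracle.topologyManager.client.deployedInfo.DeployedInfoProvider.getEndPoint("My3rdPartyApplication")
// Generate the JWT token for the current user
def crmkey = (new oracle.apps.fnd.applcore.common.SecuredTokenBean().getTrustToken())
// "param1=" is appended directly, so the registered endpoint must already end in "?" (or "&")
def url = thirdpartyapplicationurl + "param1=" + OptyId + "&jwt=" + crmkey
return (url)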
This snippet generates a URL which contains:
The hostname/endpoint of the 3rd party application
Two parameters:
The opportunity ID, stored in parameter "param1"
The JWT token, stored in parameter "jwt"
3. From your 3rd party application you now have two options:
Execute a web service call by first setting the header parameter "Authentication" to the JWT token. The web service call will be executed against Fusion Applications "as" the user who executed the process.
To find out "who you are", set the header parameter "Authentication" to the JWT token and execute the special web service call findSelfUserDetails(), in the UserDetailsService.
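The receiving side of the flow above, as an added example that is not from the original post or from Oracle's samples: a 3rd party application (assumed here to be written in Python) takes param1 and jwt from the launch URL, reads the token's expiry without verifying its signature, redacts the token before the URL is logged, and builds the callback header. The host name, sample token, the `sub` and `exp` claim contents and all function names are assumptions; the header name is the one this post gives.

```python
import base64, json, time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data: claim names/values are assumptions, signature is a dummy.
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                       _b64url({"sub": "jane.doe", "exp": 1700000600}),
                       "c2lnbmF0dXJl"])
SAMPLE_URL = "https://thirdparty.example.com/app?param1=300100012345&jwt=" + SAMPLE_JWT

def parse_launch_url(url):
    """Return (opportunity_id, jwt) from the URL the Groovy snippet builds."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "param1" not in params or "jwt" not in params:
        raise ValueError("launch URL is missing param1 or jwt")
    return params["param1"], params["jwt"]

def unverified_claims(token):
    """Decode the payload segment only; the signature is NOT verified here.
    Treat the result as a hint: per the post, findSelfUserDetails() is how
    the application learns who the user is."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def is_expired(token, now=None):
    """True if the 'exp' claim (assumed present) is missing or in the past."""
    exp = unverified_claims(token).get("exp")
    now = time.time() if now is None else now
    return exp is None or now >= exp

def redact_for_log(url):
    """URLs are routinely written to access logs, so scrub the token first."""
    s = urlsplit(url)
    query = [(k, "REDACTED" if k == "jwt" else v) for k, v in parse_qsl(s.query)]
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(query), s.fragment))

def callback_headers(token, header_name="Authentication"):
    """Header for the web service callback; the name is the one the post states."""
    return {header_name: token}
```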
For more information
Oracle Sales Cloud Documentation, specific chapter on JWT Token
OTN samples, specifically the Rich UI With JWT Token Sample
Oracle Fusion Applications General Documentation