Oracle Identity Cloud Service: First REST API Call


Options



Before You Begin

Purpose

In this tutorial, you learn to perform your first REST API call to Oracle Identity Cloud Service.

Time to Complete

15 minutes.

Background

The REST APIs provide a way to integrate Oracle Identity Cloud Service with custom applications and clients that support REST (such as Java, C#, Go, Python, or Ruby apps), so they can:

  • Manage Oracle Identity Cloud Service Users, Groups, Applications, and Settings.
  • Perform Federated Single Sign-On (SSO), using OpenID Connect and OAuth 2.0
  • Perform Authorization requests with consent, using OAuth 2.0

In this tutorial, you perform your first calls to Oracle Identity Cloud Service using the REST APIs.

Tip: This tutorial serves as a foundation for other REST API tutorials.

What Do You Need?

  • Access to Oracle Identity Cloud Service with authorization to manage Applications (Identity Domain Administrator, Security Administrator, or Application Administrator).
  • A Linux machine with cURL utility available.
  • Tip: For this tutorial, we are using Oracle Linux 7.2. This tutorial can be executed on other Operating Systems with bash terminal (such as Red Hat, Ubuntu, or OSX), or in Windows (using a bash emulator such as git bash). The commands on different operating systems may present small variations.
  • It is also recommended that you are familiar with the REST architecture style.

Register a Client Application

In this task, you register an application in Oracle Identity Cloud Service. This step is mandatory for performing REST API requests to Identity Cloud Service. In an application, you can:

  • Determine what REST API requests the application will be authorized to perform.
  • Obtain credentials (client_id and client_secret) that the application can use to obtain an access token programmatically.
  • Obtain the application access token via User Interface to perform REST API calls for testing purposes.
  1. In the Identity Cloud Service console, expand the Navigation Drawer , click Applications, and then click Add.
  2. Click Trusted Application or Confidential Application.
  3. Tip: The UI provides information about each type of application supported by Oracle Identity Cloud Service.
  4. Enter the Application Details as follow and click Next.
  5. Table containing values for the app creation
    Attribute Value
    Name Client Application
    Description This client will manage Oracle Identity Cloud Service from outside using REST APIs
  6. In the Client pane, click Configure this application as a Client now.
  7. Select Client Credentials and JWT Assertion as Allowed Grant Types.
  8. Tip: The Allowed Grant Types determine how the application access token can be obtained. The grant types are compliant with the OAuth 2.0 standard.
  9. On the Client page, scroll down to the Grant the client access to Identity Cloud Service Admin APIs. section, and click Add.
    Application
    Description of this image
  10. In the Add App Role dialog box, select Identity Domain Administrator, and then click Add.
    Select Identity Domain Administraton as role.
    Description of this image
  11. Click Next.
  12. On the following panes, click Next until you reach the last page, and then click Finish.
  13. Copy the Client ID and the Client Secret to a text file, return to the UI, and then click Close.
  14. Application Added screen in Identity Cloud Service UI - Copying the client ID and Secret
    Description of this image
    Tip: The Client ID and Client Secret are equivalent to service credentials that your client application can use for obtaining access tokens programmatically in Oracle Identity Cloud Service.
  15. Click Activate, and then click Activate Application. A confirmation message appears.

Get an Access Token

In this task, you obtain an Access Token. The Access Token provides a session (with scope and expiration), that your client application can use to perform tasks in Oracle Identity Cloud Service via REST APIs.

Get an Access Token via REST API

In this task, you learn to obtain an Access Token via REST API .
For obtaining the token, you will use the client credentials (client_id and client_secret) obtained during the application registration.

  1. In a text editor, prepare the cURL command as follows:
  2. curl -k -X POST -u "CLIENT_ID:CLIENT_SECRET" -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "IDCS_URL/oauth2/v1/token" -o access_token.json
    Replace:
    • CLIENT_ID: with the Client Application's client id.
    • CLIENT_SECRET: with the Client Application's client secret.
    • IDCS_URL: with your Oracle Identity Cloud Service URL (for example, https://MYTENTANT.identity.oraclecloud.com).
  3. Verify the cURL command after replacing the values above and copy its content.
    curl -k -X POST -u "9a13d35c33794908a9c6cc5925d2effd:36574581-0194-4e1f-950b-4ca047e952d9 -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "https://MYTENTANT.identity.oraclecloud.com/oauth2/v1/token" -o access_token.json
  4. At a command prompt, enter the cURL command.
  5. curl command and output from the command line
    Description of this image
  6. Open the Access Token file (access_token.json) in a text editor.
    Tip: In this tutorial, we break the result into multiple lines to simplify reading it.
    {
      "access_token":"eyJ4NXQjUzI1NiI6Ijg1a3E1MFVBVmNSRDJOUTR6WVZMVDZXbndUZmVidjBhNGV2YUJGMjFqbU0iLCJ4NXQiOiJNMm1hRm0zVllsTUJPbjNHZXRWV0dasdfadfe32e23e2dwe923093i2ED2E23e3dwdFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIzOTk3MWY1NTM4N2IzZjhkYWRmZDVhYzIxZjdmNzgzYiIsInVzZXIudGVuYW50Lm5hbWUiOiJGUkVEMSIsInN1Yl9tYXBwaW5nYXR0ciI6InVzZXJOYW1lIiwiaXNzIjoiaHR0cHM6XC9cL2lkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwidG9rX3R5cGUiOiJBVCIsInVzZXJfdGVuYW50bmFtZSI6IkZSRUQxIiwiY2xpZW50X2lkIjoiMzk5NzFmNTUzODdiM2Y4ZGFkZmQ1YWMyMWY3Zjc4M2IiLCJhdWQiOiJodHRwOlwvXC9zbGMwNmZnZS51cy5vcmFjbGUuY29tOjg5OTAiLCJjbGllbnRBcHBSb2xlcyI6WyJHbG9iYWwgVmlld2VyIiwiQXV0aGVudGljYXRlZCBDbGllbnQiLCJJZGVudGl0eSBEb21haW4gQWRtaW5pc3RyYXRvciJdLCJzY29wZSI6InVybjpvcGM6aWRtOnQub2F1dGggdXJuOm9wYzppZG06dC5ncm91cHMubWVtYmVycyB1cm46b3BjOmlkbTp0LmFwcCB1cm46b3BjOmlkbTp0Lmdyb3VwcyB1cm46b3BjOmlkbTp0Lm5hbWVkYXBwYWRtaW4gdXJuOm9wYzppZG06dC5zZWN1cml0eS5jbGllbnQgdXJuOm9wYzppZG06dC51c2VyLmF1dGhlbnRpY2F0ZSB1cm46b3BjOmlkbTp0LmdyYW50cyB1cm46b3BjOmlkbTp0LmltYWdlcyB1cm46b3BjOmlkbTp0LmJ1bGsgdXJuOm9wYzppZG06dC5idWxrLnVzZXIgdXJuOm9wYzppZG06dC5qb2Iuc2VhcmNoIHVybjpvcGM6aWRtOnQuZGlhZ25vc3RpY3NfciB1cm46b3BjOmlkbTp0LmlkYnJpZGdlIHVybjpvcGM6aWRtOnQuaWRicmlkZ2UudXNlciB1cm46b3BjOmlkbTp0LnVzZXIubWUgdXJuOm9wYzppZG06Zy5hbGxfciB1cm46b3BjOmlkbTp0LnVzZXIuc2VjdXJpdHkgdXJuOm9wYzppZG06dC5qb2IgdXJuOm9wYzppZG06dC5zZXR0aW5ncyB1cm46b3BjOmlkbTp0LmF1ZGl0X3IgdXJuOm9wYzppZG06dC5qb2IuYXBwIHVybjpvcGM6aWRtOnQudXNlcnMgdXJuOm9wYzppZG06dC5yZXBvcnRzIHVybjpvcGM6aWRtOnQuam9iLmlkZW50aXR5IHVybjpvcGM6aWRtOnQuc2FtbCIsImNsaWVudF90ZW5hbnRuYW1lIjoiRlJFRDEiLCJleHAiOjE0NjM0NDIzMDksImlhdCI6MTQ2MzQzODcwOSwiY2xpZW50X25hbWUiOiJDbGllbnQgQXBwbGljYXRpb24iLCJ0ZW5hbnQiOiJGUkVEMSIsImp0aSI6ImRlODU4YTEyLTQ5NjktNDE4Mi05Zjg2LWQ1MjNlNTU3ODQzNyJ9.iGqw-btCbixzefAmTDELm4oYgy2qeGA26eBVDeRN-URYiphD_LNUNQHmDsIBColTqkT3MbP5QThmwpLk-sB8tN4nLjTaxyp62pm2V0hwpeJ6kZNAmM3YJC98Dp2TiE8rGGp9L9_w2jRJd9n5AFR6uiGZHyl7pisD5iHpa-YLZN4",
      "token_type":"Bearer",
      "expires_in":3600
    }
    The access_token.json:
    • Contains the Access Token request output in JSON format. The return contains the attributes access_token, token_type, and expires_in.
    • The access_token identifies your client access in Oracle Identity Cloud Service and will be used for subsequent REST API calls. This token is encoded following the JSON Web Token (JWT) standard.
    • Tip: To check the JWT token, you can copy the access_token and verify its value using: https://jwt.io/#debugger-io
    • The token_type identifies the Access Token as a Bearer token type. In future requests, you will use this token type to identify your token in the Authorization header of your request.
    • The expires_in identifies the validity period of the Access Token.
  7. Optionally, copy the access_token value and repeat the section Perform Your First REST API Call. You should be able to perform the same calls using the token obtained programmatically.

Perform Your First REST API Call

In this task, you perform your first a REST API call to Oracle Identity Cloud Service (get a list of Applications). The objective is to show you how the REST API calls are typically executed in Oracle Identity Cloud Service.

Tip: To learn more about the Application API, visit the Oracle Identity Cloud Service REST API documentation.

  1. In the text editor, prepare the cURL command as follows:
  2. curl -k -X GET -H "Authorization: Bearer ACCESS_TOKEN" "https://MYTENTANT.identity.oraclecloud.com/admin/v1/Apps?attributes=displayName" -o list_of_applications.json
  3. Replace the ACCESS_TOKEN with the access token you copied in the previous task.
  4. Replace the IDCS_URL with your Oracle Identity Cloud Service URL. (for example, https://MYTENTANT.identity.oraclecloud.com)
  5. Verify the cURL command after replacing the values above and copy its content.
  6. curl -k -X GET -H "Authorization: Bearer eyJ4NXQjUzI1NiI6Ijg1a3E1MFVBVmNSRDJOUTR6W.eyJzdWIiOiIzOTk3MWY1NTM4N2IzZjhkYWRmZDVhYzIxZjdmNzgzYiIsInVzZXIudGVuYW50Lm5hbWUiOiJGUkVEMSIsInN1Yl9tYXBwaW5nYXR0ciI6InVzZXJOYW1lIiwiaXNzIjoiaHR0cHM6XC.iGqw-btCbixzefAmTDELm4oYgy2qeGA26eBVDeRN-URYiphD_LNUNQHmDsIBColTqkT3MbP5QThmwpLk-sB8tN4nLjTaxyp62pm2V0hw-YLZN4" "https://MYTENTANT.identity.oraclecloud.com/admin/v1/Apps?attributes=displayName" -o list_of_applications.json
  7. At a command prompt, enter the cURL command.
  8. Open the list_of_applications.json file.
  9. Tip: We reduced the command output and broke it into multiple lines to simplify the reading.
    {
      "schemas": [ "urn:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 1,
      "Resources":[ { "displayName":"Client Application", "id":"39971f55387b3f8dadfd5ac21f7f783b" } ],
      "startIndex":1,
      "itemsPerPage":50
    }
    The list_of_applications.json contains a list of applications that exist in your Oracle Identity Cloud Service instance.

You've successfully executed your first REST API call.

Want to Learn More?

To learn more about the REST APIs, explore the following tutorials and documents:

To learn more about how to use the REST APIs for Federated SSO (using OpenID Connect plus OAuth 2.0), and Authorization scenarios (using OAuth 2.0), explore the following tutorials: