If you're familiar with Oracle Cloud, this is probably not the first time you hear about Oracle Identity Cloud Service. For those who haven't yet registered a Free Tier Oracle Cloud account, here is a brief introduction.

Oracle Identity Cloud Service

Every Oracle Cloud account has an Identity Cloud Service (IDCS) instance associated with it. Why? Because IDCS is what handles identity management for your public or hybrid cloud deployments. For example, the PaaS services that were not built as second-generation, cloud-native services (Content and Experience, Oracle Streaming, etc.) are automatically registered in your IDCS instance as Applications. Go ahead and explore the functionality available directly from your cloud account.

Oracle IDCS is free of charge as long as you use it only within the scope of Oracle Cloud (this is called the Foundation tier), but it becomes a really capable solution once you start using it to its full potential. I will mention some features that I find really useful, but go ahead and check the documentation to understand how IDCS can secure your entire IT environment:

  • Let users authenticate securely to multiple applications with a single set of credentials (SSO)
  • Add MFA to your existing or new applications, whether they are on-premise systems or services offered by cloud providers such as Google, Salesforce, Workday, etc.
  • Tailor the relationships between your users, groups and their applications by configuring security policies
  • Gain visibility into user activity by running operational or historical reports
  • Federate IDCS with your existing Active Directory, keeping AD as the authoritative source

Support for Industry Standards

When you centralize identity management, compatibility with other systems matters. IDCS is built from the ground up on open standards: SCIM, REST, OAuth and OpenID Connect. Depending on what your application can do, you can consume these APIs directly to take advantage of the IDCS identity management capabilities.

Custom Python App using Django and IDCS SDK

It's fairly easy to get started with the IDCS API using the SDKs available for Node.js, Python, Ruby, Java and .NET. Oracle has released sample apps built on these SDKs; they can be downloaded from GitHub and used as a reference for your own projects.

This is exactly what I did for the event I'm going to attend, Moldova Cyber Week. Starting from the Python sample app, I changed it a bit and voilà! We have a hands-on lab covering how to securely deploy your app in Oracle Cloud and integrate it with IDCS using OAuth.

To get started, you need to be familiar with OAuth and have a basic understanding of how it works. Don't worry, you don't need to read the RFC; watching these two videos published by Oracle should be enough.

Once you know the basic terminology, pay attention to the Authorization Code grant type in the following video, as this is the grant our application uses: the browser is redirected to IDCS to log in, IDCS redirects it back to the app with a short-lived authorization code, and the app exchanges that code (together with its client secret) for tokens on the back channel, so the access token itself never travels through the browser.

With these things in mind, don't forget to check the official tutorial for the Python SDK as well. The configuration on the IDCS side is pretty straightforward: the end goal is to register the application (for which you need its public IP/DNS name) and obtain the Client ID and Client Secret, which we then configure in our application.

Edit the config file (config.json) and replace the following parameters: ClientId, ClientSecret, BaseUrl and redirectURL. The redirectURL must match the redirect URL registered in IDCS exactly, otherwise IDCS will not send the authorization code back to the app; the localhost value below is fine for local testing, while the deployed app behind the load balancer needs its public DNS name here and in the IDCS registration.

{
    "ClientId": "123456789abcdefghij",
    "ClientSecret": "abcde-12345-zyxvu-98765-qwerty",
    "BaseUrl": "https://idcs-abcd1234.identity.oraclecloud.com",
    "AudienceServiceUrl": "https://idcs-abcd1234.identity.oraclecloud.com",
    "scope": "urn:opc:idm:t.user.me openid",
    "TokenIssuer": "https://identity.oraclecloud.com/",
    "redirectURL": "http://localhost:8000/callback",
    "logoutSufix": "/oauth2/v1/userlogout",
    "LogLevel": "DEBUG",
    "ConsoleLog": "True"
}
config.json

We can check what's going on in the back-end by looking at the console. The HTTP GET requests you see first come from the Load Balancer: those are its health checks. Give it a second and you will also see the callback arriving and the access token being issued. Cool, isn't it? Keep in mind that the token only shows up in the console because config.json has LogLevel set to DEBUG and ConsoleLog enabled; a logged access token is a bearer credential that anyone with access to the logs can replay, so lower the log level before this app serves anything other than a lab.
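To make the Authorization Code grant described above concrete, here is the flow the Django app goes through, written out as plain Python. This is an added example, not the IDCS Python SDK's code nor the sample app from the lab: it only builds and checks the messages of the flow, and a Django view would call these functions from its login and /callback handlers. The configuration values are the fake ones from config.json above; the authorize and token endpoint paths (/oauth2/v1/authorize and /oauth2/v1/token) are assumed from the IDCS OAuth2 endpoint layout, since the page itself only shows the userlogout suffix. Signature verification of the id_token against the tenant's JWKS, which the SDK does for you, is not shown; only the issuer, audience and expiry claim checks are.

```python
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request

# Constructed config mirroring the shape of config.json above (fake values, not a real tenant).
CONFIG = {
    "ClientId": "123456789abcdefghij",
    "ClientSecret": "abcde-12345-zyxvu-98765-qwerty",
    "BaseUrl": "https://idcs-abcd1234.identity.oraclecloud.com",
    "AudienceServiceUrl": "https://idcs-abcd1234.identity.oraclecloud.com",
    "scope": "urn:opc:idm:t.user.me openid",
    "TokenIssuer": "https://identity.oraclecloud.com/",
    "redirectURL": "http://localhost:8000/callback",
}

# Assumed IDCS OAuth2 endpoint paths (the page only shows the userlogout suffix).
AUTHORIZE_PATH = "/oauth2/v1/authorize"
TOKEN_PATH = "/oauth2/v1/token"


def new_state():
    """Per-login CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(cfg, state):
    """Step 1: the URL the browser is redirected to so the user can log in at IDCS."""
    params = {
        "client_id": cfg["ClientId"],
        "response_type": "code",
        "scope": cfg["scope"],
        "redirect_uri": cfg["redirectURL"],
        "state": state,
    }
    return cfg["BaseUrl"] + AUTHORIZE_PATH + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: IDCS redirects to redirectURL?code=...&state=... .
    Reject the callback unless the state matches the one stored in the session,
    otherwise an attacker could log the victim into the attacker's account."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(cfg, code):
    """Step 3: the back-channel request that exchanges the code for tokens.
    The client authenticates with HTTP Basic (ClientId:ClientSecret), so a
    stolen code is useless without the secret, which never leaves the server."""
    creds = (cfg["ClientId"] + ":" + cfg["ClientSecret"]).encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirectURL"],
    }).encode()
    return cfg["BaseUrl"] + TOKEN_PATH, headers, body


def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def exchange_code(cfg, code, post=_http_post):
    """POST the token request and parse the JSON token response.
    `post` is injectable so the flow can be exercised offline in a test."""
    url, headers, body = build_token_request(cfg, code)
    return json.loads(post(url, headers, body))


def check_id_token_claims(claims, cfg, now=None):
    """Claim checks on the decoded id_token payload, after its signature has been
    verified (not shown). Issuer must equal TokenIssuer and the audience must
    include our ClientId, or the token was minted for someone else."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != cfg["TokenIssuer"]:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["ClientId"] not in aud:
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return True


if __name__ == "__main__":
    state = new_state()
    print("redirect the browser to:", build_authorize_url(CONFIG, state))
```

In the Django app the state lives in the session between the login view and the callback view; the callback view runs parse_callback, then exchange_code, and only after check_id_token_claims succeeds does it log the user in.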

Let's do it together

Don't worry if this is your first interaction with Oracle Cloud: deploying a highly available, secure architecture has never been easier! Follow this video tutorial and in under an hour you will get from zero to a fully deployed application. If you have any questions about the end-to-end cloud architecture (virtual network, compute, load balancer, etc.), feel free to drop a comment on Alex Serban's YouTube channel.

Register your Oracle Cloud Free Tier account and you will have the chance to follow this lab together with me this week, in Chisinau! I'm planning to edit this article after the event and publish all the sources, and maybe even a video recording, so you can follow it at home at your own pace.

Stay safe,

Alex