Friday, October 20, 2023

#992 OIC3 VB invoking Process Automation with Identity Propagation

This simple example is for those who need to invoke Process from VB with identity propagation. This is a common requirement when the person is a registered user of both apps, i.e. the prerequisite for our VB user is that they are also a valid Process user. Ergo, the VB user needs to be added to the target OPA process, with at least the use permission. You do this in the Process Workspace --> Administration --> Roles.

Communication is over a VB Service connection, more about that later.

My VB app is simple, so is the Process -  

The Process message payload is as follows - 

Process Automation is part of OIC3, however, you do enable it separately. 

Once enabled, the instance is visible here - 

Now that we have the basics, the VB and Process apps, the next step is to create the confidential application in IDCS; this will provide us with the token that will be used when Visual Builder invokes OPA.

Step 1 - Create a confidential app in IDCS

Give the app a name - 

Click Next to add the details -

Check the following Grant Types -

  • JWT Assertion - will be used by VB
  • Refresh Token
  • Authorization Code - will be used by my Postman sanity test

I like testing things out in Postman first.

shown and set redirect url to https://my

We now need to specify the scopes - essentially setting the access level(s). 

I add the scopes for OIC (Integration) and Process. These can be easily added - 

Here I add the scope for OIC (Integration) - 

Now for Process - 

Note the 2 scopes here - one for process, the other for decisions. Let's include both.

The result - 

Press Next on the following screens, then press Finish. Your client id and secret are displayed.

Copy these, as you will need them later. 

Step 2 - Postman Sanity Test & Visual Builder setup

Visual Builder will communicate with OPA via a Service Connection. 

You will need the following data to define the connection - 

  • Your IDCS URL
  • Client Id / Secret
  • Sample Request Payload for your Process invoke
  • The OPA REST API to invoke

Let's start with the OPA REST API - 

The docs are available here.

As you can see we're going to use /process/api/v1/instances -

The payload will be the order data our process expects, along with the following - 

Let's test in Postman -

The Authorization setup is as follows - 

Grant Type - set to Authorization Code 

Callback URL - set to the OIC callback url, used when defining the IDCS confidential app.

Auth URL - Set to https://yourIDCS/oauth2/v1/authorize

Access Token URL - Set to https://yourIDCS/oauth2/v1/token

Client Id / Secret - set to those from your IDCS confidential app

Scope - set to https://yourOPA/process

The payload is as follows - 

Finally, the api - 


I now get a new access token - 

Now Send the request and check the response - it includes the following - 

Looks good, so now back to our VB app - let's add the Service Connection

Select - Define by Endpoint.

Click Next -

Then click on Server

Under Security - select User Assertion -

Add your client id and secret -

Set Scope to the process scope from the IDCS confidential app, the one you used in Postman.

Set Connection Type as shown - 

Click on the Request Tab, then select Body - add the payload you used in Postman. Click the Save Request button.

Add /instances to the URL and click Send Request -

Looks good!
You can now click Save as Example Response - then click Create to save the service connection.
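
To make the User Assertion setting concrete, here is an added example (not code from this post, VB or Oracle) of the JWT Assertion token request in its RFC 7523 form, plus a check that the returned access token carries the user's identity rather than the app's. The function names, the `idcs.example` / `opa.example` hosts, the client id and the claim names `sub`, `client_id`, `scope` and `exp` are assumptions; the token is constructed and its signature is not verified.

```javascript
// Added example. Hosts, ids and claim names are constructed; no tenant is contacted.
const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
const b64url = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Token request for the JWT Assertion grant (RFC 7523): the confidential app
// authenticates with its id/secret and presents the signed-in user's assertion.
function buildAssertionTokenRequest(idcsUrl, clientId, clientSecret, userAssertion, scope) {
  return {
    url: idcsUrl.replace(/\/+$/, '') + '/oauth2/v1/token',
    headers: {
      Authorization: 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64'),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: JWT_BEARER, assertion: userAssertion, scope }).toString(),
  };
}

// Decode the payload for inspection only; this does NOT verify the signature.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Returns a list of reasons the token does not carry the user's identity.
function checkPropagation(token, expectedUser, requiredScope, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(token);
  const problems = [];
  if (c.sub !== expectedUser) problems.push(`sub is "${c.sub}", expected "${expectedUser}"`);
  if (c.sub === c.client_id) problems.push('sub equals client_id: token represents the app');
  if (!String(c.scope || '').split(' ').includes(requiredScope)) problems.push('required scope missing');
  if (typeof c.exp !== 'number' || c.exp <= nowSec) problems.push('expired or no exp');
  return problems;
}

// Constructed sample token with a placeholder signature.
function sampleToken(claims) {
  return [b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })), b64url(JSON.stringify(claims)), 'sig'].join('.');
}

const demo = sampleToken({ sub: 'jane.doe@example.com', client_id: 'vb-opa-client',
  scope: 'https://opa.example/process', exp: 2000000000 });
console.log(checkPropagation(demo, 'jane.doe@example.com', 'https://opa.example/process', 1700000000));
```

An empty list means the token names the expected user, includes the process scope and has not expired; a `sub` equal to the client id means the call reaches OPA as the application, so task assignment and role checks no longer reflect the VB user.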

Let's check out the task in the Process Workspace - 

Just before we look at invoking this from the VB application, let's talk about Backends.

I could create a backend entry for OPA, this would include the server data - base url / security settings etc. Multiple service connections could then leverage this, saving me having to enter the server information for each connection.

Now to invoking the OPA api from the VB form - 

I will augment the Save functionality to include the OPA invoke.

I'll add it to the "success" path - 

I use the VB Call REST action and then configure it to invoke the OPA api

- make sure to add this step before the page initialisation step in the action chain  - 

Map the Request fields -

Copy the example request to the body -

You can leave the first 3 fields hardcoded - but the order payload fields need to be set to the values from the VB page - 

You can set the values as follows - 

Test - by adding a new order - 

Working fine! 

Just for your troubleshooting - What response do I get if the VB user is not an OPA user?

I now add this user to OPA, as a generic user -

I now retry the send from the VB service connection - 

Summa Summarum

Invoking OPA from VB is easy. It doesn't matter whether VB is enabled within OIC or is provisioned standalone, it's the same modus operandi.
