Securing Oracle JET Web Application using Azure AD

Denuwan Himanga Hettiarachchi
4 min read · Nov 11, 2019

Hi Folks,

This post combines architectural concepts, security protocols, and technologies that we can use as standard best practices in Oracle JET web application development.

Before we jump into technical details, I want to make sure you have a clear picture of Oracle JET security concepts. In the Oracle JET documentation, the ‘Securing Applications’ section covers three different layers that we need to focus on from a security perspective:

  1. Oracle JET Components and Security/ Oracle JET Security and Developer Responsibilities.
  2. Oracle JET Secure Response Headers.
  3. Oracle JET Security Features.

The first two topics focus on the features and practices you should follow to prevent JavaScript security risks such as cross-site scripting (XSS) attacks, packet sniffing, and clickjacking. Oracle JET provides components that follow security best practices, and as developers we also have to follow their recommendations.

The ‘Oracle JET Security Features’ section describes what we need to focus on to protect server-side endpoints. Frameworks that run on the client side in particular have limitations and risks from a security point of view, but Oracle JET provides a built-in class that supports OAuth 2.0 to mitigate those limitations. The Oracle documentation describes the OAuth plugin like this:

You can use the OAuth plugin to manage access to client (end-user) private data. The Oracle JET API includes the OAuth class which provides the methods you can use to initialize the OAuth object, verify initialization, and calculate the authorization header based on client credentials or access token.

Up to now, I have tried to provide an architectural overview of Oracle JET security features. As a prerequisite, I expect you to have a basic idea of how OAuth 2.0 works. If you don’t, please go through at least the following topics:

  1. OAuth 2.0 Grant Types
  2. OAuth 2.0 Bearer Tokens
  3. JSON Web Token (JWT)

After acquiring all the prerequisite conceptual knowledge, we can now focus on Microsoft Azure Active Directory (Azure AD). Azure AD is Microsoft’s cloud-based identity and access management service, which helps organizations manage their employees’ sign-in activities and access to resources. The important point is that Azure AD provides standard libraries for various technologies, including Java and JavaScript, to integrate Azure AD features into your applications easily. The only challenge is that you have to follow the best practices and identify the correct steps to configure your application in the Azure AD portal.

To register your application in the Azure AD portal, follow the steps in the ‘Register your application with your AD tenant’ section of the ‘Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow’ Azure AD developer guide.

Note: After successfully registering your application, you need to get the Application ID (Step #07 in ‘Register your application with your AD tenant’) and the Tenant ID from the portal. Azure AD doesn’t allow unsecured (plain http) redirect URLs except for http://localhost:<port>. For the development period, you can use the Oracle JET web application’s default localhost endpoint.

Demo

For this demo, I’ll use an Oracle JET 7.0 frontend and a RESTful web service built on top of Spring Boot 2.2.0. The following diagram depicts the high-level architecture of the implementation.

High-Level Architecture Diagram

Oracle JET Web Application

  1. Import Node Package

As I mentioned earlier, Azure AD provides integration libraries for different technology platforms. For Oracle JET, we need the Active Directory Authentication Library (ADAL) for JavaScript, which we install with the Node Package Manager:

npm install adal-angular

If you are familiar with ‘Add Third-Party Tools or Libraries to Your Oracle JET Application’, you can simply import the installed node package into your project. To import the adal-angular node package, the following files in your Oracle JET project need to change:

azure-ad-jet\scripts\config\oraclejet-build.js
azure-ad-jet\src\js\path_mapping.json
azure-ad-jet\src\js\main.js

2. Authenticate and acquire a JSON Web Token

Now we need to get a JSON Web Token (JWT) to access the secured server-side RESTful endpoints. To acquire the JWT, we check the cached user details and call the acquire-token method to get the JWT from Azure AD. For future use, we store the acquired token in local storage. For that, we need to implement the following methods inside the appController.js file in your Oracle JET project.

azure-ad-jet\src\js\appController.js

3. Access secured RESTful web endpoints using the acquired JSON Web Token

Now we need to pass the acquired JSON Web Token as an Authorization header in each request. As a best practice, in my demo I’m using the Oracle JET Common Model:

The Oracle JET Common Model and Collection API provide a two-way data binding model using Knockout. Use the Model and Collection classes to build Create, Read, Update, Delete (CRUD) applications that integrate REST services or data from any web service that returns data in the form of JSON objects.

This departmentfactory.js factory is responsible for managing the CRUD operations provided by the department RESTful web endpoint. In line #5, I access the session storage and pass the acquired JWT as a bearer Authorization header.

azure-ad-jet\src\js\factories\departmentfactory.js
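The acquire-and-reuse logic behind steps 2 and 3, as an added example rather than the post's appController.js or departmentfactory.js gists: the storage key, the sample token and the acquireToken stand-in are assumptions, and the Oracle JET Common Model wiring is left out so the block runs in Node without a browser or ADAL.

```javascript
// Added example (not the post's own code): reuse a cached Azure AD JWT only
// while its "exp" claim is still in the future, otherwise acquire a fresh one,
// and build the bearer Authorization header for the department REST calls.
// Storage, clock and the acquire function are injected so this runs in Node.

const STORAGE_KEY = 'azureAdAccessToken'; // assumed key name, not from the post

// Decode the JWT payload without verifying the signature. The client only
// needs "exp" to decide whether to reuse the token; the server still has to
// validate signature, issuer and audience on every request.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Treat the token as expired a little early (skew) so it does not lapse
// between the client-side check and the server-side validation.
// An unparsable cached value is treated as expired and never reused.
function isExpired(jwt, nowSeconds, skewSeconds = 60) {
  try {
    const { exp } = decodePayload(jwt);
    return typeof exp !== 'number' || exp - skewSeconds <= nowSeconds;
  } catch (e) {
    return true;
  }
}

// acquireToken stands in for ADAL's AuthenticationContext.acquireToken;
// here it is a plain function returning the new token string.
function getAccessToken(storage, nowSeconds, acquireToken) {
  const cached = storage.getItem(STORAGE_KEY);
  if (cached && !isExpired(cached, nowSeconds)) return cached;
  const fresh = acquireToken();
  storage.setItem(STORAGE_KEY, fresh);
  return fresh;
}

// Header object the department factory adds to each REST request.
function authHeaders(token) {
  return { Authorization: 'Bearer ' + token };
}

// Constructed, unsigned sample token (the third segment is a placeholder).
function makeSampleJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' +
    enc({ aud: 'api://department-demo', exp }) + '.placeholder-signature';
}
```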

I hope you now have a clear idea of how to access a secured RESTful endpoint after executing the client-side authorization process inside an Oracle JET web application.

Happy Coding…

Denuwan Himanga Hettiarachchi

Blogger, Freelance Writer, and Tech Lead based in Colombo, SL.