Oracle Analytics Cloud (OAC) Embedding — Public User Access — Part 2
Introduction
In the first part of this blog series, I described how to configure Oracle IDCS so that you could use the IDCS API to obtain tokens for authenticating embedded Oracle Analytics cloud canvases that may be incorporated into a webpage or web application. In this blog, I’ll describe how to use the Oracle Functions and API Gateway cloud services to automate the token generation and authentication.
This could be used to make embedded OAC canvases available on a website without the user needing to login, i.e., public user access.
Oracle Functions Service
In part one, I showed an example of the curl command used to obtain an authentication token from IDCS.
curl — request POST \
— url https://<IDCS-domain>.identity.oraclecloud.com/oauth2/v1/token \
— header ‘authorization: Basic <base64 encoded clientID:ClientSecret>’ \
— header ‘content-type: application/x-www-form-urlencoded;charset=UTF-8’ \
-d ‘grant_type=password&username=<username>&password=<password>&scope=<scope copied from resource section in IDCS confidential application>’
For public user access, we need to obtain this token using a script. There are many ways to call an API programatically, in this example, I’m going to discuss using JavaScript and Node.js.
One option is to install Node.js on your own server then create JavaScript code that calls the IDCS API and exposes the resulting token using another API. It’s important to call the IDCS API using code running on a secure sever since you don’t want to expose any sensitive information to the client.
An easier, more convenient way to set this up is to use the Oracle Functions service to run the JavaScript that calls the IDCS API then expose this function using the Oracle API Gateway service. The Functions service provides an easy to follow quick start guide to configuring your cloud environment, network settings, policies and creating a function. Another benefit of using this service is that you can do it all from within the Oracle Cloud console using the Cloud Shell.
The following is a sample of code that could be run using the Oracle Functions service to obtain a token from IDCS.
//
// This is SAMPLE CODE illustrating how to obtain a token from IDCS using Oracle Functions service
//const fdk=require(‘@fnproject/fdk’);
const fetch = require(‘node-fetch’);
fdk.handle(async function(){var url =’<URL TO IDCS INSTANCE>’;
var headers = {
“Content-Type”: “application/x-www-form-urlencoded;charset=UTF-8”,
“authorization”: “Basic <base64 encoded client ID:Client secret>”
}let details = {
“grant_type”: “password”,
“username”: “<username>”,
“password”: “<password>”,
“scope”: “<scope from IDCS confidential application>”
};let formBody = [];
for (let property in details) {
let encodedKey = encodeURIComponent(property);
let encodedValue = encodeURIComponent(details[property]);
formBody.push(encodedKey + “=” + encodedValue);
console.log(formBody);
}
formBody = formBody.join(“&”);
console.log(formBody);const response = await fetch(url, { method: ‘POST’, headers: headers, body: formBody})
const data = response.json()
return data;})
Oracle API Gateway
The API Gateway service provides an ideal way to create an API to your Oracle Function created earlier. Again, there is comprehensive documentation available that describes how to create and configure an API. This service also provides a way to configure cross origin domains, which are a key aspect of embedding content from Oracle Analytics.
There are also options for configuring authentication to the API (for a public use case you can choose to not have authentication) as well as rate limiting the access to the API (in terms of number of requests per second). It’s also possible to view metrics on the APIs you’ve created.
Using the Token for Embedded OAC Canvases
In part one, I showed sample HTML for how you could test the token for your embedded OAC canvases, taking this one step further, the sample below illustrates how you can call an API you’ve created using the API Gateway that invokes a function running on the Oracle Cloud service to obtain a token from IDCS.
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8">
<title>Oracle Analytics Embed Example Using a Token</title>
<meta id=”viewport” name=”viewport” content=”width=device-width, initial-scale=1, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no”/> <style>
.bitech-layout-component {
background: black;
}
body
{
background-color: black !important;
}
h1 {
color: white !important;
margin-left: 40px !important;
}
.bi_filterbar_padding_left{
position: unset !important;
}
</style> <script src=”https://<OAC Instance — tenancy>.analytics.ocp.oraclecloud.com/public/dv/v1/embedding/standalone/embedding.js” type=”application/javascript”>
</script>
</head>
<body>
<h1>Sales Analytics</h1> <div style=”border:1px solid black;position: absolute; width: calc(100% — 40px); height: calc(100% — 120px)” > <oracle-dv
project-path=”/@Catalog/shared/Embed/Dark_Theme_Embed”
active-page=”canvas”
active-tab-id=”1"
project-options=’{“bDisableMobileLayout”:false, “bShowFilterBar”:true}’>
</oracle-dv></div> <script>
// Get bearer token from an API (e.g. Oracle API Gateway)
//
var Url = ‘<URI to API Gateway service that gets a token from Oracle Functions service>’;
var token_request = new XMLHttpRequest();
token_request.open(“GET”, Url, false);
token_request.send(null);
{
if (token_request.status = 200) {
var idcs_token = JSON.parse(token_request.response).access_token;
requirejs([‘jquery’, ‘knockout’, ‘obitech-application/application’],
function($, ko, application) {
application.setSecurityConfig(“token”, {tokenAuthFunction:
function(){
return idcs_token;
}
});
ko.applyBindings();
}
);
} else {
console.log(‘error ${token_request.status} ${token_request.statusText}’)
}
}
</script> </body></html>
Summary
In this two -part blog series, I’ve described how you can create a setup that allows public user access to your Oracle Analytic Cloud canvases on your own website or web application. The main points are :
(1) Create an IDCS application to act as a proxy to your OAC instance. Ideally a separate OAC instance would be used for this use case. In addition, you’ll want to size this instance for the expected user load.
(2) Use this IDCS application to obtain an authentication token using the IDCS API. We recommend that you obtain a token using a minimally privileged user (e.g. a member of Consumer role) and that they only have access to data that you’re willing to be viewed publicly.
(3) Create a script that runs at the server level e.g. using the Oracle Functions service to obtain a token
(4) Expose this function using an API e.g. using the Oracle API Gateway service.
(5) Reference this API Gateway endpoint in your HTML that embeds the OAC canvases.