Business Challenge
Oracle Fusion Applications developers and business analysts often need to test REST APIs against environments where they lack direct user/password access, especially when company Single Sign-On (SSO) is enforced. Traditional authentication methods in tools like Postman require credentials, which may not be available or practical in such secured setups. This limitation can hinder rapid testing and development workflows.
Our Solution
To overcome this, leverage your existing browser session in Oracle Fusion to extract a JWT (JSON Web Token) and use it as a Bearer Token in Postman. This approach authenticates API calls seamlessly without needing separate login credentials.
The process involves running a simple JavaScript code snippet in the Chrome Developer Console while logged into the Oracle Fusion environment. The code fetches an anti-CSRF token and then relays it to obtain the JWT access token, which you can copy and paste into Postman.
High Level Implementation Details
- Log in to your Oracle Fusion environment via Chrome browser.
- Open the Developer Console (F12 or right-click > Inspect > Console tab).
- Paste and run the provided JavaScript code to retrieve the JWT token.
- In Postman, set the authentication type to Bearer Token and input the copied token.
- Test your REST API endpoints as needed.
Detailed Implementation Details
Step 1: Extract JWT Token from Browser Session
While logged into Oracle Fusion, open the Chrome Developer Console and execute the following code:
// Fetch the anti-CSRF token tied to the current browser session
const anticsrfResponse = await fetch('/fscmRestApi/anticsrf', {
  method: 'GET',
  mode: 'cors',
  cache: 'no-cache',
  credentials: 'same-origin',
});
const anticsrf = await anticsrfResponse.json();

// Use the anti-CSRF token to fetch the JWT token
const tokenrelayResponse = await fetch('/fscmRestApi/tokenrelay', {
  method: 'GET',
  mode: 'cors',
  cache: 'no-cache',
  credentials: 'same-origin',
  headers: { "X-XSRF-TOKEN": anticsrf['xsrftoken'] },
});
const accessToken = await tokenrelayResponse.json();

// Print the JWT (top-level await is supported in the Chrome console)
console.log(accessToken.access_token);

This will output the JWT token in the console. Copy it for use in Postman.
Step 2: Configure Postman for Bearer Token Authentication
- Create a new request in Postman for your desired Oracle Fusion REST API endpoint (e.g., https://your-fusion-instance/fscmRestApi/resources/latest/…).
- Under the Authorization tab, select Bearer Token as the type.
- Paste the copied JWT token into the Token field.
- Send the request — it should authenticate using your browser session’s token.
Note: The token has a limited lifespan (typically 30-60 minutes), so regenerate it as needed by rerunning the code.
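Rather than guessing how much of that lifetime is left, you can read the token's exp claim directly. The following is an added example, not part of the original article or an Oracle API; the sample token it builds is constructed for offline testing and its claims and signature are placeholders.

```javascript
// Inspect a JWT's payload to see how long the token from /fscmRestApi/tokenrelay
// remains valid. This reads the payload WITHOUT verifying the signature, which is
// fine for a lifetime check but never a basis for trusting the claims.

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore the '=' padding atob expects
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return atob(b64);
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected header.payload.signature)');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds until the "exp" claim (a Unix timestamp) passes; negative once expired.
function secondsUntilExpiry(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp !== 'number') {
    throw new Error('token carries no "exp" claim');
  }
  return payload.exp - nowSeconds;
}

// Constructed sample token: a real tokenrelay response carries a genuine
// signature and issuer; the header, claims and signature here are placeholders.
function makeSampleToken(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const sampleToken = makeSampleToken({ sub: 'example.user', iat: 1700000000, exp: 1700003600 });
const remaining = secondsUntilExpiry(sampleToken, 1700000000);
console.log(`token valid for another ${Math.floor(remaining / 60)} minutes`);
```

In the Chrome console, pass accessToken.access_token from the snippet above to secondsUntilExpiry() to see the real remaining lifetime before pasting the token into Postman.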
Advantages of This Pattern
- No Credentials Required: Ideal for SSO-protected environments where sharing passwords is restricted.
- Quick and Secure: Uses your active session without exposing sensitive data.
- Developer-Friendly: Enables seamless API testing in Postman for rapid iteration.
- Compatible with Oracle Fusion: Leverages built-in endpoints like /anticsrf and /tokenrelay.
Outcome
This method empowers developers and analysts to test Oracle Fusion REST APIs efficiently, bypassing credential barriers while maintaining security. It streamlines workflows and ensures compatibility with SSO setups.
CID Software Solutions is here to help you overcome Fusion limitations with elegant, supportable solutions. If you have questions or need assistance implementing this or other customizations, feel free to contact us.