OIC - SAS Token Generation for Azure Event Hub REST API Authorization in OIC

📌 Use Case

When calling Azure Event Hub REST APIs from Oracle Integration Cloud (OIC), authentication requires a Shared Access Signature (SAS) token.

• SAS token = authorization key generated using HMAC SHA256 hashing.
• OIC does not provide native functions to generate this.
• Solution → Create a custom JavaScript library to build SAS token dynamically and inject it into OIC REST calls.

SAS key vs SAS Token:

An SAS Key (Shared Access Signature Key) is a security credential used in Microsoft Azure to grant limited, time-bound access to resources like Event Hubs, Blob Storage, Queues, Service Bus, etc.

🔑 How it works:

• When you create an Azure resource (like an Event Hub namespace), Azure generates Access Keys for it.
• These are usually two keys: Primary Key and Secondary Key.
• Using one of these keys, you (or your code) can generate an SAS Token.
• The SAS Token contains:
  • Resource URI (what you want to access)
  • Expiry time (when the token becomes invalid)
  • Signature (HMAC-SHA256 signed using the SAS Key)

👉 The SAS Key is the secret you store securely, and from it you generate SAS Tokens that your app or OIC flow uses in the Authorization header.

⚠️ Important:

• Never expose the SAS Key directly in your apps or clients.
• Always generate SAS Tokens from it and use those instead.

Solution - FLow diagram:

---

⚙️ Solution Steps

1. Build the OIC Custom Library

• Download CryptoJS v3.1.2 from GitHub → CryptoJS v3.1.2.
• Copy content from:
  • rollups/hmac-sha256.js
  • components/enc-base64.js
• Append the following function at the bottom:

function createSharedAccessTokenUpd(uri, saName, saKey) {
    if (!uri || !saName || !saKey) {
        throw new Error("Missing required parameter");
    }

    var encoded = encodeURIComponent(uri);
    var now = new Date();
    var week = 60 * 60 * 24 * 7; // 1 week in seconds
    var ttl = Math.round(now.getTime() / 1000) + week;
    var signature = encoded + '\n' + ttl;

    var hash = CryptoJS.HmacSHA256(signature, saKey);
    var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);

    var sasToken = "SharedAccessSignature sr=" + encoded +
                   "&sig=" + encodeURIComponent(hashInBase64) +
                   "&se=" + ttl +
                   "&skn=" + saName;

    return sasToken;
}

• Save file as OICHmacSHA256.js.
• Upload it into OIC Libraries.

---

2. Generate SAS Token inside OIC Mapping

• In the integration, open your mapping canvas for the REST call.
• For the Authorization header, call the custom JS function:

createSharedAccessTokenUpd(
  "https://<your-namespace>.servicebus.windows.net",
  "DefaultFullSharedAccessSignature",
  "<your-shared-access-key>"
)

Here, the function dynamically generates the SAS token and places it in the Authorization header.

---

3. Mapping in the Integration XML

In the integration file, OIC internally translates this mapping into XSLT/XML. Example:

<ns25:StandardHttpHeaders>
  <ns25:Authorization>
    <xsl:value-of select="ora:js: createSharedAccessTokenUpd(
      &quot;https://test-ns.servicebus.windows.net&quot;,
      &quot;DefaultFullSharedAccessSignature&quot;,
      &quot;wjoLBJ...= &quot; )"/>
  </ns25:Authorization>
</ns25:StandardHttpHeaders>

This ensures every REST call to Azure Event Hub uses the correct SAS token dynamically generated at runtime.

---

✅ Summary

• Built a custom OIC library with CryptoJS HMAC-SHA256 + Base64.
• Added SAS token generator function (createSharedAccessTokenUpd).
• Called the function in OIC mapping → populated the Authorization header.
• Verified via XSLT/XML that the SAS token gets injected into the REST API call.

This approach ensures secure and reusable Azure Event Hub connectivity from OIC.

---