Thursday, September 4, 2025

OIC - SAS Token Generation for Azure Event Hub REST API Authorization in OIC

📌 Use Case

When calling Azure Event Hub REST APIs from Oracle Integration Cloud (OIC), authentication requires a Shared Access Signature (SAS) token.

  • SAS token = authorization key generated using HMAC SHA256 hashing.
  • OIC does not provide native functions to generate this.
  • Solution → Create a custom JavaScript library to build SAS token dynamically and inject it into OIC REST calls.

SAS key vs SAS Token:

An SAS Key (Shared Access Signature Key) is a security credential used in Microsoft Azure to grant limited, time-bound access to resources like Event Hubs, Blob Storage, Queues, Service Bus, etc.

🔑 How it works:

  • When you create an Azure resource (like an Event Hub namespace), Azure generates Access Keys for it.
  • These are usually two keys: Primary Key and Secondary Key.
  • Using one of these keys, you (or your code) can generate an SAS Token.
  • The SAS Token contains:
    • Resource URI (what you want to access)
    • Expiry time (when the token becomes invalid)
    • Signature (HMAC-SHA256 signed using the SAS Key)

👉 The SAS Key is the secret you store securely, and from it you generate SAS Tokens that your app or OIC flow uses in the Authorization header.

⚠️ Important:

  • Never expose the SAS Key directly in your apps or clients.
  • Always generate SAS Tokens from it and use those instead.
Solution - FLow diagram:


⚙️ Solution Steps

1. Build the OIC Custom Library

  • Download CryptoJS v3.1.2 from GitHub → CryptoJS v3.1.2.
  • Copy content from:
    • rollups/hmac-sha256.js
    • components/enc-base64.js
  • Append the following function at the bottom:
function createSharedAccessTokenUpd(uri, saName, saKey) {
    if (!uri || !saName || !saKey) {
        throw new Error("Missing required parameter");
    }

    var encoded = encodeURIComponent(uri);
    var now = new Date();
    var week = 60 * 60 * 24 * 7; // 1 week in seconds
    var ttl = Math.round(now.getTime() / 1000) + week;
    var signature = encoded + '\n' + ttl;

    var hash = CryptoJS.HmacSHA256(signature, saKey);
    var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);

    var sasToken = "SharedAccessSignature sr=" + encoded +
                   "&sig=" + encodeURIComponent(hashInBase64) +
                   "&se=" + ttl +
                   "&skn=" + saName;

    return sasToken;
}
  • Save file as OICHmacSHA256.js.
  • Upload it into OIC Libraries.



2. Generate SAS Token inside OIC Mapping

  • In the integration, open your mapping canvas for the REST call.
  • For the Authorization header, call the custom JS function:
createSharedAccessTokenUpd(
  "https://<your-namespace>.servicebus.windows.net",
  "DefaultFullSharedAccessSignature",
  "<your-shared-access-key>"
)

Here, the function dynamically generates the SAS token and places it in the Authorization header.


3. Mapping in the Integration XML

In the integration file, OIC internally translates this mapping into XSLT/XML. Example:

<ns25:StandardHttpHeaders>
  <ns25:Authorization>
    <xsl:value-of select="ora:js: createSharedAccessTokenUpd(
      &quot;https://test-ns.servicebus.windows.net&quot;,
      &quot;DefaultFullSharedAccessSignature&quot;,
      &quot;wjoLBJ...= &quot; )"/>
  </ns25:Authorization>
</ns25:StandardHttpHeaders>

This ensures every REST call to Azure Event Hub uses the correct SAS token dynamically generated at runtime.


Summary

  • Built a custom OIC library with CryptoJS HMAC-SHA256 + Base64.
  • Added SAS token generator function (createSharedAccessTokenUpd).
  • Called the function in OIC mapping → populated the Authorization header.
  • Verified via XSLT/XML that the SAS token gets injected into the REST API call.

This approach ensures secure and reusable Azure Event Hub connectivity from OIC.



No comments:

Post a Comment

Featured Post

OIC - SAS Token Generation for Azure Event Hub REST API Authorization in OIC

📌 Use Case When calling Azure Event Hub REST APIs from Oracle Integration Cloud (OIC), authentication requires a Shared Access Signature ...