How to Set Up JWT Authentication for Oracle Analytics Application

Modified on Wed, 29 Apr at 9:37 AM

This article walks you through the complete JWT (JSON Web Token) authentication setup for Oracle Analytics. Once configured, BI Connector can authenticate automatically to Oracle Analytics without requiring MFA (Multi-Factor Authentication) prompts.

The setup involves two steps:

  1. Generate an X.509 key pair using OpenSSL
  2. Register an OAuth Confidential Application in Oracle Identity Cloud Service (IDCS)

One-time setup: Once completed, BI Connector authenticates automatically without any manual intervention.

Step 1: Generate X.509 Key Pair Using OpenSSL

First, you need a private key and a public certificate. The private key signs your JWT tokens, while the public certificate gets uploaded to Oracle so it can verify those tokens.

We use OpenSSL for this. It is an open-source toolkit widely used for creating and managing SSL/TLS certificates and encryption keys. Make sure OpenSSL is installed on your system before continuing.

1.1 Create a working directory

mkdir oauth-keys
cd oauth-keys

1.2 Generate a 2048-bit RSA private key

openssl genrsa -out private_key.pem 2048

1.3 Generate the public certificate (valid for 365 days)

openssl req -new -x509 -key private_key.pem -out public_cert.pem -days 365

OpenSSL will prompt you to enter certificate details. Fill in your organization information. For the Common Name, use your Oracle Analytics instance URL (for example, your-instance.analytics.ocp.oraclecloud.com).

At this point, you should have two files:

  • private_key.pem — Keep this secret. It signs your JWT tokens.
  • public_cert.pem — This gets uploaded to Oracle Analytics for verification.

1.4 Generate the certificate fingerprint (x5t)

Now we need the certificate fingerprint. This value, called x5t, goes into the JWT header so that Oracle knows which uploaded certificate to verify the token signature against.

Run the following command to generate the SHA-1 fingerprint:

openssl x509 -sha1 -in public_cert.pem -noout -fingerprint

You will get output like:

SHA1 Fingerprint=74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88

Copy the fingerprint value after the = sign and convert it to Base64 using one of the following commands:

If you are using Command Prompt or PowerShell:

powershell -command "$hex='74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88'.Replace(':',''); $bytes = for ($i=0; $i -lt $hex.Length; $i+=2) {[Convert]::ToByte($hex.Substring($i,2),16)}; [Convert]::ToBase64String($bytes)"

If you are using Git Bash:

echo "74:88:BB:C2:5A:EE:18:8B:38:86:E9:FA:FA:55:D8:70:E4:5D:A9:88" | tr -d ':' | xxd -r -p | base64

Important: Save this Base64 value. This is your Token Fingerprint (x5t), and you will need it when configuring BI Connector.
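As an added example (not part of this article and not BI Connector's own tooling), the following Python script reproduces step 1.4 without the copy-and-paste: it derives the OpenSSL fingerprint from the certificate itself (the fingerprint is the SHA-1 of the certificate's DER bytes), converts an OpenSSL fingerprint line to the Base64 Token Fingerprint, rejects a fingerprint of the wrong length (for example a SHA-256 fingerprint pasted by mistake), and also shows the base64url spelling of x5t that RFC 7515 defines for the JWT header, should a consumer expect that form. The certificate it parses by default is a constructed stand-in, not a real certificate; pass your own public_cert.pem on the command line.

```python
import base64
import hashlib
import re
import sys

# Constructed stand-in for public_cert.pem: 64 arbitrary bytes wrapped in PEM
# armour. It is NOT a real certificate; it only exercises the parse-and-hash path.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and Base64-decode the body to the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def openssl_fingerprint(der: bytes) -> str:
    """The value `openssl x509 -sha1 -fingerprint` prints: SHA-1 of the DER
    encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def x5t_from_fingerprint(fingerprint: str) -> str:
    """Convert an OpenSSL fingerprint (with or without the 'SHA1 Fingerprint='
    prefix) to the Base64 Token Fingerprint used in step 1.4."""
    hex_part = fingerprint.split("=")[-1].strip().replace(":", "")
    raw = bytes.fromhex(hex_part)
    if len(raw) != 20:  # SHA-1 is 20 bytes; a SHA-256 fingerprint would be 32
        raise ValueError(f"expected a 20-byte SHA-1 fingerprint, got {len(raw)} bytes")
    return base64.b64encode(raw).decode()

def x5t_from_pem(pem: str) -> str:
    """End-to-end: PEM certificate -> x5t, with no manual copying."""
    return x5t_from_fingerprint(openssl_fingerprint(pem_to_der(pem)))

def to_base64url(x5t_b64: str) -> str:
    """RFC 7515 defines the JWT 'x5t' header value as base64url without padding."""
    return x5t_b64.rstrip("=").replace("+", "-").replace("/", "_")

if __name__ == "__main__":
    # Usage: python x5t.py public_cert.pem  (falls back to the constructed sample)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("Fingerprint:     ", openssl_fingerprint(pem_to_der(pem)))
    print("x5t (Base64):    ", x5t_from_pem(pem))
    print("x5t (base64url): ", to_base64url(x5t_from_pem(pem)))
```

Running it against the article's example fingerprint yields dIi7wlruGIs4hun6+lXYcORdqYg=, which you can compare with the output of the PowerShell or Git Bash command above.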

Step 2: Register OAuth Confidential Application in Oracle Identity Cloud Service (IDCS)

This is where you create the OAuth Confidential Application. After this step, you will have a Client ID and Client Secret for your BI Connector integration.

Prerequisite: Your Oracle Analytics environment must be integrated with Oracle Cloud Infrastructure (OCI) / IDCS. If OAC uses a federated SSO provider outside of IDCS, JWT authentication may not work.

2.1 Create the Application

  1. Log in to Oracle Identity Cloud Service (IDCS) with administrator credentials.
  2. Navigate to Identity & Security → Domains.
  3. Select your identity domain and go to Integrated Applications.
  4. Click Add Application.
  5. Select Confidential Application and click Launch Workflow.
  6. Enter a Name (for example, MyApp_OAuth_Client).
  7. Enter a Description (for example, OAuth client for API integration using JWT assertion).

2.2 Configure OAuth Settings

Resource Server Configuration:

  • Keep "No Resource Server Configuration" selected.

Client Configuration:

  1. Select "Configure this application as a client now".
  2. Grant Types: Check Resource Owner and JWT Assertion.
  3. Client Type: Select Trusted.
  4. Upload Public Certificate: Upload your public_cert.pem and give it an alias (for example, MyApp_JWT_Cert_2024).
  5. Allowed Operations: Check Introspect and On behalf of.
  6. Client IP Address: Set to Anywhere.
  7. Authorized Resources: Check All.
  8. Add Resource: Add the required Scope (for example, urn:opc:resource:consumer::all).

2.3 Submit and Copy Credentials

  1. Click Submit.
  2. A dialog will show the auto-generated Client ID, Client Secret, and all other details.
  3. Copy and save them securely.

Also note down the following from the application details:

  • Key Alias (Certificate alias you provided)
  • Scope

Important: Make sure the application status is set to Active.

Credentials Summary

After completing both steps, securely store the following values. You will need them when configuring BI Connector:

Value                      Where It Comes From
Client ID                  Integrated Application → OAuth Configuration
Client Secret              Integrated Application → OAuth Configuration
Username                   Oracle Analytics username for BI Connector
Scope                      Integrated Application → OAuth Configuration
Key Alias                  Integrated Application → OAuth Configuration
Private Key                Generated in Step 1 (private_key.pem)
Token Fingerprint (x5t)    Base64-encoded SHA-1 fingerprint from Step 1
Identity Domain URL        Your Identity Domain URL (e.g., https://idcs-xxxxx.identity.oraclecloud.com)

Where to find the Domain URL: Log in to Oracle Identity Cloud Service (IDCS), navigate to Identity & Security → Domains, and select your identity domain. The Domain URL is listed on the domain details page.

Tips and Best Practices

  • Track certificate expiry: The public certificate has a validity period (365 days in our example). Set a reminder to rotate it before it expires. Otherwise, BI Connector integration will stop working.
  • IDCS integration is required: The JWT setup must be done within Oracle Cloud Infrastructure (OCI) / IDCS. If the Oracle Analytics environment uses a federated SSO provider outside of IDCS, JWT authentication may not work.
  • Keep credentials secure: Store the Client ID, Client Secret, and Private Key in a secure location. Do not share them over email or other unencrypted channels.