We left off in Part 1 using Oracle's Identity Console to generate a Confidential Application and assign it the rights needed to query the IDCS API. You then took the ClientId:ClientSecret string and base64-encoded it; that encoded value is used in this article.
In this article you will make a POST API call in PowerShell to authenticate and authorize, generating a bearer token that you can then use to call the AuditEvents API. These AuditEvents are the identity audit events, similar to AAD AuditLogs, where you see applications consented, directory syncs, users added, removed or updated, and permissions granted in IDCS.
To do this in PowerShell you have to set a few variables you collected in Part 1, including the FQDN of your IDCS instance and the base64-encoded ClientId:ClientSecret string:
```powershell
# variables to authenticate and generate OCI Access Token
$b64clientidsecret = "b64-ClientID:ClientSecret"
$IDCS = "idcs-uniqueguid.identity.oraclecloud.com"
$siguri = "https://" + $IDCS + "/oauth2/v1/token"
```
As you can see, you will be running the POST call against your IDCS instance on the oauth2/v1/token API endpoint.
Next you need to build the headers used to authenticate; Oracle's documentation specifies two headers.
```powershell
# Form the Header and Body Request to obtain OCI Access Token
$sigHeaders = @{
    'Authorization' = 'Basic ' + $b64clientidsecret
    'Content-Type'  = 'application/x-www-form-urlencoded;charset=UTF-8'
}
```
In the POST call you also need to send a string in the request body; Oracle specifies the client credentials grant together with the authorization scope urn:opc:idm:__myscopes__.
```powershell
$sigBody = "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
```
Now that you have the URL, headers, and body ready as variables in PowerShell, you can pass them to Invoke-RestMethod.
```powershell
$sig = (Invoke-RestMethod -Uri $siguri -Method POST -Headers $sigHeaders -Body $sigBody -Verbose).access_token
```
This creates a new variable called $sig and uses dot notation to pull back only the .access_token value from the response.
You can then pass this access_token value in the Authorization header of further IDCS API endpoint calls, such as the AuditEvents API.
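As an added example (not from the original article or the linked script), here is the same token request wrapped in a function that reads the client credentials from environment variables, builds the Basic credential at runtime rather than pasting a pre-encoded string, and returns the token with its expiry and a ready-made Bearer header. The function name, the environment variable names, and the expires_in field (a standard OAuth2 token response field) are assumptions.

```powershell
# Added example (not from the original article). Assumptions: function and
# environment variable names are hypothetical; expires_in is the standard
# OAuth2 response field that accompanies access_token.
function Get-IdcsAccessToken {
    param(
        [Parameter(Mandatory)] [string] $Idcs,          # e.g. idcs-<guid>.identity.oraclecloud.com
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    # Windows PowerShell 5.1 may default to an old TLS version; force TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Build the Basic credential at runtime so the secret never sits in the script file.
    $pair    = '{0}:{1}' -f $ClientId, $ClientSecret
    $b64     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $uri     = "https://$Idcs/oauth2/v1/token"
    $headers = @{
        'Authorization' = "Basic $b64"
        'Content-Type'  = 'application/x-www-form-urlencoded;charset=UTF-8'
    }
    $body = 'grant_type=client_credentials&scope=urn:opc:idm:__myscopes__'

    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $body
    }
    catch {
        # Report the failure without echoing the request headers, which carry the secret.
        throw "IDCS token request to $uri failed: $($_.Exception.Message)"
    }
    if (-not $resp.access_token) { throw 'IDCS response did not contain access_token' }

    # Return the token with its expiry so callers can refresh before it lapses.
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresAt   = (Get-Date).AddSeconds([int]$resp.expires_in)
        AuthHeader  = @{ 'Authorization' = "Bearer $($resp.access_token)" }
    }
}

# Usage: credentials come from the environment (or a vault), not from the script.
$token = Get-IdcsAccessToken -Idcs $env:IDCS_HOST `
                             -ClientId $env:IDCS_CLIENT_ID `
                             -ClientSecret $env:IDCS_CLIENT_SECRET
# $token.AuthHeader is the header hashtable to pass to later IDCS calls such as AuditEvents.
```

Checking $token.ExpiresAt before each later call lets a long-running collector re-run the token request only when needed.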
In the next article we will take a detour in the script to make sure you can work out the start time. This matters because it determines where to begin searching for results against the AuditEvents API, so that duplicate data is not ingested.
You can continue to follow along in Part 3.
As a reminder the complete script can be found here: https://github.com/swiftsolves-msft/PowerShell-Scripts/blob/master/Get-OIDCSAuditEvents.ps1
Sources:
https://docs.oracle.com/en/cloud/paas/identity-cloud/17.3.6/rest-api/OATOAuthClientWebApp.html