All posts · VBCS Applications

VBCS Authentication and Session Management

How authentication works in VBCS applications — user sessions, token management, and integrating with Oracle IDCS for single sign-on.

Anurag Jangra · March 20, 2026 · 6 min read · ... views

How VBCS authentication works

VBCS applications authenticate using Oracle Identity Cloud Service (IDCS) or OCI IAM by default. When a user opens a VBCS app, they’re redirected to the identity provider login page, authenticate, and get redirected back with an access token. VBCS manages this token lifecycle transparently.

The user object in VBCS

After authentication, VBCS exposes user details via $application.user:

$application.user.login      // username
$application.user.email      // email address
$application.user.firstName  // first name
$application.user.lastName   // last name
$application.user.roles      // array of role strings
$application.user.locale     // user's preferred locale

Use these to personalise the UI, pre-populate forms, and enforce role-based access.

Session timeout handling

VBCS sessions expire based on the identity provider’s token lifetime (typically 8 hours). When a session expires mid-use, REST calls start returning 401 errors. Handle this gracefully:

  1. Add a global error handler action chain
  2. Check for 401 status in the failure path of REST calls
  3. If 401 detected, show a session-expired message and redirect to login
// In action chain error handler
if ($chain.results.callRestAction1.status === 401) {
  // Redirect to re-authenticate
  location.href = location.href; // forces IDCS redirect
}

Multi-role applications

For apps serving different user types (managers, employees, admins), check roles at both page entry and component visibility. Use $application.user.roles.includes('ROLE_NAME') in visibility expressions.

Create a helper page-level function that centralises role checking:

function hasRole(roleName) {
  return $page.variables.currentUserRoles.indexOf(roleName) > -1;
}

Pre-populate currentUserRoles in the page’s vbEnter lifecycle event.

Embedded vs standalone authentication

VBCS apps embedded inside Oracle Fusion (as extensions) inherit the Fusion user’s session — users don’t need to log in separately. Standalone VBCS apps require separate IDCS authentication.

For embedded apps, the Fusion session context includes the current user’s Fusion roles — use these for access control rather than managing separate IDCS roles.

Token forwarding to OIC

When a VBCS app calls an OIC integration endpoint, the call includes the user’s IDCS token in the Authorization header automatically when using Oracle Cloud Applications service connections. OIC validates the token against IDCS, ensuring the end-to-end authentication chain is intact.

Think Beyond the Implementation

Questions worth sitting with after reading this

01

Why is this architecture appropriate for this specific context — and where would it be the wrong choice?

02

What assumptions did we make that aren't stated explicitly? What happens if those assumptions are wrong?

03

What would break first if the requirements changed — volume doubled, a third system was added, or the deadline halved?

04

What alternatives did we reject, and why? Was the decision made on evidence — or habit?

AJ
Anurag Jangra
Oracle Cloud PaaS Consultant · OIC & VBCS Specialist

4.5+ years delivering enterprise Oracle Cloud integrations and VBCS applications across manufacturing, IT services, and financial sectors. OCI Certified — writes about real-world OIC, VBCS, SQL, and BI Publisher patterns from production experience.

Chat on WhatsApp