How VBCS authentication works
VBCS applications authenticate using Oracle Identity Cloud Service (IDCS) or OCI IAM by default. When a user opens a VBCS app, they’re redirected to the identity provider login page, authenticate, and get redirected back with an access token. VBCS manages this token lifecycle transparently.
The user object in VBCS
After authentication, VBCS exposes user details via $application.user:
$application.user.login // username
$application.user.email // email address
$application.user.firstName // first name
$application.user.lastName // last name
$application.user.roles // array of role strings
$application.user.locale // user's preferred locale
Use these to personalise the UI, pre-populate forms, and enforce role-based access.
Session timeout handling
VBCS sessions expire based on the identity provider’s token lifetime (typically 8 hours). When a session expires mid-use, REST calls start returning 401 errors. Handle this gracefully:
- Add a global error handler action chain
- Check for 401 status in the failure path of REST calls
- If 401 detected, show a session-expired message and redirect to login
// In action chain error handler
if ($chain.results.callRestAction1.status === 401) {
// Redirect to re-authenticate
location.href = location.href; // forces IDCS redirect
}
Multi-role applications
For apps serving different user types (managers, employees, admins), check roles at both page entry and component visibility. Use $application.user.roles.includes('ROLE_NAME') in visibility expressions.
Create a helper page-level function that centralises role checking:
function hasRole(roleName) {
return $page.variables.currentUserRoles.indexOf(roleName) > -1;
}
Pre-populate currentUserRoles in the page’s vbEnter lifecycle event.
Embedded vs standalone authentication
VBCS apps embedded inside Oracle Fusion (as extensions) inherit the Fusion user’s session — users don’t need to log in separately. Standalone VBCS apps require separate IDCS authentication.
For embedded apps, the Fusion session context includes the current user’s Fusion roles — use these for access control rather than managing separate IDCS roles.
Token forwarding to OIC
When a VBCS app calls an OIC integration endpoint, the call includes the user’s IDCS token in the Authorization header automatically when using Oracle Cloud Applications service connections. OIC validates the token against IDCS, ensuring the end-to-end authentication chain is intact.