Auth Security Token

WebbinRoot edited this page Mar 9, 2026 · 1 revision

Auth: Security Token (Session)

Overview

Security Token (Session) auth is best for short-lived user credentials created through OCI CLI session workflows.

  • If you come from AWS, this is similar to temporary STS-style credentials.
  • If you come from GCP, this is similar to short-lived session credentials for a user context.

These credentials are stored on the local filesystem and include both a session token and a private key.

This page will:

  • Show how to generate session credentials with OCI CLI.
  • Show where the token and key files are stored locally.
  • Show how to map those values into the OCISigner profile.
  • Demonstrate Test Credentials and normal request signing.

Setup and Retrieve Credentials

  1. Make sure OCI CLI is installed, then run oci session authenticate.
oci session authenticate

Example interactive output (truncated):

Enter a region by index or name: 71 # for us-phoenix-1
Please switch to newly opened browser window to log in!
https://login.us-phoenix-1.oraclecloud.com/v1/oauth2/authorize?action=login&client_id=iaas_console&response_type=token+id_token&nonce=25e2753c-[TRUNCATED]&scope=openid&public_key=eyJrdHki[TRUNCATED]&redirect_uri=http%3A%2F%2Flocalhost%3A8181
Completed browser authentication process!
Enter the name of the profile you would like to create: TEST123
Config written to: /home/kali/.oci/config
  2. Complete the browser sign-in flow shown by OCI CLI.

Session picker

Figure 1. Choose to sign in with a fresh profile.

Domain selection

Figure 2. Identity domain selection during sign-in.

Credential entry

Figure 3. User credential prompt for the selected domain.

Local callback success

Figure 4. Local callback page indicating authorization completed.

  3. Collect values from the generated OCI config and session files.

On local systems, OCI CLI typically writes:

  • Profile entry: ~/.oci/config
  • Session token and key: ~/.oci/sessions/<SESSION_NAME>/...

cat ~/.oci/config
[TEST123]
fingerprint=c2:21:b5:58:c3:c3:53:7e:bf:72:5c:f0:e8:ce:e4:da
key_file=/home/kali/.oci/sessions/TEST123/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaagmctwyv2ud4mg6wnlanjpigtzeqid4cfe7dwtn2dzjon2snxfsaa
region=us-phoenix-1
security_token_file=/home/kali/.oci/sessions/TEST123/token

cat /home/kali/.oci/sessions/TEST123/oci_api_key.pem
-----BEGIN PRIVATE KEY-----
[REDACTED]
-----END PRIVATE KEY-----

cat /home/kali/.oci/sessions/TEST123/token
eyJraWQi...[REDACTED]...nZ48[REDACTED]

Plug Into OCISigner

  1. Choose Auth Type = Security Token (Session).
  2. Populate fields from your session profile.

For Session Token, you can provide either:

  • token file path, or
  • raw JWT token value

Token metadata (created/expiry) is parsed when you click Save.

Profile with session token values

Figure 5. Security Token profile with filepath for session token.

Token field and Save action

Figure 6. Token timestamps shown post-save.

Token timestamps after save

Figure 7. Security Token profile with raw token for session token. Masked feature enabled.

Token timestamps and signing mode

Figure 8. Token timestamps shown post-save.

Field Reference

| Field | Required | Source |
|---|---|---|
| Region | Recommended | region (required for namespace probe via Test Credentials) |
| Tenancy OCID | Yes | tenancy |
| Fingerprint | Yes | fingerprint |
| Private Key File | Yes | key_file |
| Key Passphrase | Optional | only if private key is encrypted |
| Session Token | Yes | security_token_file path or raw token value |

Run Test Credentials

  1. Click Test Credentials in the profile.
  2. OCISigner sends a signed probe request to the namespace endpoint and logs the result.
  3. Review status and signed request details in Logger.

Test Credentials button in profile

Figure 9. Test Credentials action in the Security Token profile.

Test result summary

Figure 10. Test Credentials result summary (HTTP status).

Logger entry for test request

Figure 11. Logger entry for the signed credential test request.

Sign a Request

  1. Confirm signing is enabled and the active profile is set correctly.

Signing enabled and active profile

Figure 12. Global signing and profile selection before sending traffic.

  2. Send a request from Repeater or via Proxy.

Request before signing

Figure 13. Repeater request before signature is applied.

  3. Confirm signature headers are added in Logger. Note that the "keyId" portion of the signature header is the full session JWT token from our local filesystem.

Signed request in logger

Figure 14. Signed request visible in Logger.

Notes

  • In SDK mode, Session Token must point to an existing token file path.
  • Session tokens do not auto-refresh. When a token expires, re-run oci session authenticate and choose the same profile name at the final prompt.
  • You need both the session token and the associated private key to sign requests.
  • If you prefer using ~/.oci/config directly, see Auth: Config Profile.
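
A pre-flight check for a session profile before loading it into OCISigner, as an added example (not part of OCISigner or OCI CLI): it reads the profile from the config file, reports the token's created/expiry times, and flags a token or key file that other local users can access. It assumes the token carries the standard JWT iat/exp claims; jwt_claims, audit_profile and build_sample are names invented here, and the sample profile, key and token are constructed.

```python
import base64, configparser, json, os, stat, tempfile, time

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (metadata only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(body))

def audit_profile(config_path, profile, now=None):
    """Return expiry and file-permission findings for one session profile."""
    now = time.time() if now is None else now
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path)
    section, findings = cfg[profile], {}
    for field in ("key_file", "security_token_file"):
        path = os.path.expanduser(section[field])
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Token and key together are enough to sign, so neither should be shared.
        findings[field + "_group_or_world_access"] = bool(mode & 0o077)
    with open(os.path.expanduser(section["security_token_file"])) as fh:
        claims = jwt_claims(fh.read())
    findings["created"] = claims.get("iat")   # assumed standard claim
    findings["expires"] = claims.get("exp")   # assumed standard claim
    # Treat a token without an expiry claim as unusable rather than as valid.
    findings["expired"] = claims.get("exp") is None or claims["exp"] <= now
    return findings

def build_sample(directory, iat, exp):
    """Write a constructed profile, placeholder key and unsigned token for the demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = ".".join([b64({"alg": "RS256"}), b64({"iat": iat, "exp": exp}), "c2ln"])
    key = os.path.join(directory, "oci_api_key.pem")
    tok = os.path.join(directory, "token")
    for path, body, mode in ((key, "PLACEHOLDER KEY\n", 0o600), (tok, token, 0o644)):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    config = os.path.join(directory, "config")
    with open(config, "w") as fh:
        fh.write(f"[TEST123]\nregion=us-phoenix-1\nkey_file={key}\nsecurity_token_file={tok}\n")
    return config

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit_profile(build_sample(d, 1000, 4600), "TEST123", now=2000))
```

For a real profile, call audit_profile(os.path.expanduser("~/.oci/config"), "TEST123") and re-authenticate when expired is True.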
