Add a Mobile Application

You can use Oracle Identity Cloud Service to add a mobile application. Mobile applications are OAuth 2.0 public clients: because they run on devices that users control, they cannot keep a client secret confidential, so Oracle Identity Cloud Service does not issue one to them.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. Click Add.
  3. In the Add Application page, click Mobile Application.
  4. In the App Details section of the Add Mobile Application page, use the following table to configure the application details.
    Option Description
    Name

    Enter a name for the mobile application. You can enter up to 125 characters.

    For applications with lengthy names, the application name appears truncated in the My Apps page. Consider keeping your application names as short as possible.

    Description

    Enter a description of the mobile application. You can enter up to 250 characters.

    Application Icon

    Click Upload to add an icon that represents the application. This icon appears next to the name of the application on the My Apps page and the Applications page.

    Custom Login URL

    In the Custom Login URL field, specify a custom login URL. However, if you are using a default login page provided by Oracle Identity Cloud Service, then leave this field blank.

    Custom Logout URL

    In the Custom Logout URL field, specify a custom logout URL. If you are using the default pages provided by Oracle Identity Cloud Service, then leave this field blank.

    Custom Error URL

    This is an optional field. Enter the error page URL to which the user is redirected in case of a failure. If not specified, the tenant-specific error page URL is used. If neither error URL is configured, the user is redirected to the Oracle Identity Cloud Service error page (/ui/v1/error).

    When a user signs in to Oracle Identity Cloud Service with social authentication (for example, Google or Facebook), the callback URL must be configured in the Custom Error URL field. Social providers need this callback URL to return the response to Oracle Identity Cloud Service after social authentication. The callback URL is used to verify whether the user exists (in the case of a first-time social login) and to display an error if the social authentication has failed.

    Linking callback URL

    This is an optional field. Enter the URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete.

    When you build a custom app with the Oracle Identity Cloud Service SDK and integrate it with Oracle Identity Cloud Service Social Login, the custom app must provide this Linking callback URL so that the user can be redirected to it once the link between the social provider account and the Oracle Identity Cloud Service user is complete.

    Tags

    Click Add Tag to add tags to your mobile applications to organize and identify them. See Adding Tags to an Application.

    Display in My Apps

    Select the check box if you want the mobile application to be listed for users on their My Apps pages. In this case, you must also configure the application as a resource server.

    When you select the Display in My Apps check box in applications, the app is then visible in the My Apps page, but selecting this check box doesn’t enable or disable SSO to the app.

    The flag to enable or disable SSO comes from the app template. Use the Oracle Identity Cloud Service REST APIs to update this flag. You cannot set the SSO flag from the UI. See REST API for Oracle Identity Cloud Service.

    User can request access

    Select the check box if you want end users to be able to request access to the app from their My Apps page by clicking Add Access. If self service is not enabled, users won’t see the Add Access button.

  5. Click Next. A message confirms that the application has been added in deactivated state.
  6. In the Authorization and Accessing APIs from Other Application sections of the Add Mobile Application page, use the following table to configure application details.
    Option Description
    Allowed Grant Types
    Select the check box for each grant type that this application is allowed to use when requesting tokens from the authorization server.
    • Select the Refresh Token grant type when you want the authorization server to supply a refresh token that the application can later present to obtain a new access token. Refresh tokens are used when the current access token becomes invalid or expires, without requiring the resource owner to reauthenticate. Because a refresh token is a long-lived credential, store it in the platform's protected credential storage rather than in ordinary application files or preferences.
    • Select the Authorization Code check box when you want to obtain an authorization code by using an authorization server as an intermediary between the client application and resource owner.

      An authorization code is returned to the client through a browser redirect after the resource owner gives consent to the authorization server. The client then exchanges the authorization code for an access (and often a refresh) token. Resource owner credentials are never exposed to the client.

    • Select the Implicit check box if the application can't keep client credentials confidential for use in authenticating with the authorization server.

      An access token is returned to the client through a browser redirect in response to the resource owner authorization request (rather than an intermediate authorization code). Because the token travels in the redirect URL itself, it is exposed to browser history and to any page that receives the redirect; the OAuth 2.0 Security Best Current Practice recommends the Authorization Code grant for public clients instead, and that grant covers the same case.

    • Select the Device Code grant type if the client cannot receive requests from the OAuth authorization server, for example because it cannot act as an HTTP server, as is the case for game consoles, streaming media players, digital picture frames, and similar devices.

      In this flow, the client obtains a user code, a device code, and a verification URL. The user opens the verification URL in a separate browser and enters the user code to approve the access request. Only then can the client obtain the access token by presenting the device code.

    Allow non-HTTPS URLs

    Select this check box if you want to use HTTP URLs for the Redirect URL, Logout URL, or Post Logout Redirect URL fields. For example, if you are sending requests internally, want a non-encrypted communication, or want to be backward-compatible with OAuth 1.0, then you can use an HTTP URL.

    Also, select this check box when you are developing or testing your application and you may not have configured SSL. This option is provided as a convenience and is not recommended for production deployments.

    Redirect URL

    Enter the application URL to which the user is redirected after authentication. The authorization code (or, with the Implicit grant, the access token) is delivered to this URL, so register exactly the URL the application handles and nothing broader.

    Logout URL

    Enter the URL where the user is redirected after logging out of the application.

    Post Logout Redirect URL

    Enter the URL to which Oracle Identity Cloud Service redirects the user after the logout has completed.

    Allowed Operations
    • Select the Introspect check box if you want to allow your application access to the token introspection endpoint.

    • Select the On behalf Of check box if you want a client application to be able to access endpoints to which the user has access, even if the client application by itself would not normally have access; the access privileges are then derived from the user's privileges alone.

    Bypass Consent

    If enabled, this attribute overrides the Require Consent attribute for all the scopes configured for the application, so that no scope requires consent.

    Resources

    If you want your application to access APIs from other applications, then click Add Scope in the Token Issuance Policy section of the Add Mobile Application page. Then, in the Add Scope window, select the applications that your application will reference.

    Grant the client access to Identity Cloud Service Admin APIs

    Click Add to enable your mobile application to access Oracle Identity Cloud Service APIs.

    In the Add App Role window, select the application roles that you want to assign to this application. This enables your application to access the REST APIs that each of the assigned application roles can access.

    For example, select Identity Domain Administrator from the list. All REST API tasks available to the identity domain administrator become accessible to your application. Assign the least privileged role that covers the APIs the application actually calls; a role as broad as Identity Domain Administrator is rarely appropriate for a client whose Client ID is embedded in an app on devices you do not control.

    You can delete the application roles by clicking the x icon for the row of the required application role.

    Note:

    You can’t delete protected application roles.

    See Apps/App Roles endpoint for a complete list of which endpoints each application role can access.

  7. Click Next.
  8. If you want Oracle Identity Cloud Service to control access to the application based on grants to users and groups, select the Enforce Grants as Authorization check box. With the check box selected, only users who have been assigned or granted access can use the application. If the check box is not selected, any authenticated user has access to the application regardless of assignment status.
  9. Click Finish. A message confirms that the application has been added in deactivated state. To activate your application see Activating Applications.
  10. Note the Client ID that appears in the Application Added window. This information also appears on the Configuration tab in the Details section for the application. To integrate with your application, use this ID as part of your connection settings. Because a mobile application runs on a mobile device, Oracle Identity Cloud Service does not generate a Client Secret for this type of application. The Client ID identifies the application but does not authenticate it; treat it as public.
  11. Click Close.
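The Authorization Code and Refresh Token grants selected in step 6, driven from the mobile application's side. This is an added example, not Oracle's code or SDK: the tenant host, Client ID and redirect URL are placeholders; the /oauth2/v1/authorize and /oauth2/v1/token paths are the Oracle Identity Cloud Service OAuth endpoint paths and should be confirmed against your tenant; and PKCE (RFC 7636) is added here although this page does not mention it, because a client with no secret otherwise cannot prove that the party redeeming the code is the one that requested it. The functions build the requests and validate the redirect; sending them is left to the app's HTTP client, so the example runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions): replace with your tenant, the Client ID shown in
# step 10, and the redirect URL registered in step 6.
TENANT = "https://idcs-example.identity.oraclecloud.com"
CLIENT_ID = "0123456789abcdef0123456789abcdef"
REDIRECT_URL = "com.example.app://oauth/callback"   # custom scheme the app handles

# Oracle Identity Cloud Service OAuth endpoint paths; confirm against your tenant.
AUTHORIZE_URL = f"{TENANT}/oauth2/v1/authorize"
TOKEN_URL = f"{TENANT}/oauth2/v1/token"


def new_state() -> str:
    """Unguessable per-request value; ties the redirect back to the request that
    started it so a redirect the app did not initiate is rejected."""
    return secrets.token_urlsafe(32)


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Fresh verifier (kept on the device) and its challenge (sent in the request)."""
    verifier = secrets.token_urlsafe(64)   # 86 chars, within the 43..128 range
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state: str, code_challenge: str, scope: str = "openid") -> str:
    """Authorization request the app opens in the system browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect the OS hands to the app and return the code.
    Rejects delivery to another URL, a missing or mismatched state, and error
    responses, so only a code from the request we started is redeemed."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URL:
        raise ValueError("redirect delivered to an unregistered URL")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: ignore this redirect")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def token_request_for_code(code: str, code_verifier: str) -> dict:
    """Form body to POST to TOKEN_URL. There is no client_secret: the client
    identifies itself by client_id only, and the verifier proves it started
    the request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URL,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def token_request_for_refresh(refresh_token: str) -> dict:
    """Form body for the Refresh Token grant, used once the access token expires."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
    }


if __name__ == "__main__":
    state = new_state()
    verifier, challenge = new_pkce_pair()
    print("open in browser:", build_authorize_url(state, challenge))
    # Constructed redirect, as the OS would deliver it after the user signs in:
    simulated = f"{REDIRECT_URL}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(simulated, state)
    print("POST", TOKEN_URL, token_request_for_code(code, verifier))
```

The state and code verifier must be kept on the device only for the lifetime of one authorization request and discarded afterwards; a redirect that arrives with an unknown state is the signal that something other than this app started the flow.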
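The Device Code exchange described under Allowed Grant Types, with both sides simulated in-process. This is an added example, not Oracle's code: the authorization server is an in-memory stand-in, the client ID, verification URI and token values are placeholders, and the parameter names and error codes follow RFC 8628, the specification the Device Code grant implements. Time is passed in explicitly so the run is deterministic and offline.

```python
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "mobile-client-placeholder"                                     # placeholder
VERIFICATION_URI = "https://idcs-example.identity.oraclecloud.com/device"   # placeholder


class ToyAuthorizationServer:
    """In-memory stand-in for the authorization server side of the flow."""

    def __init__(self, interval=5, lifetime=600):
        self.interval = interval      # minimum seconds between polls
        self.lifetime = lifetime      # seconds before an unapproved request expires
        self._pending = {}            # device_code -> pending record
        self._by_user_code = {}       # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """Step 1: the client asks for a device_code / user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "approved": False, "last_poll": None,
                                      "expires_at": now + self.lifetime}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code):
        """Step 2: the user opens verification_uri in a separate browser, signs
        in, and enters user_code. Raises KeyError for an unknown code."""
        device_code = self._by_user_code.pop(user_code)
        self._pending[device_code]["approved"] = True

    def token(self, grant_type, device_code, client_id, now):
        """Step 3: the token endpoint the client polls with the device_code."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}        # unknown code or wrong client
        if now >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}            # polled faster than interval
        rec["last_poll"] = now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]              # a device code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def poll_for_token(server, client_id, device_code, interval, now, on_pending=None,
                   max_polls=20):
    """Client side: poll at the advertised interval, back off on slow_down and
    stop on any terminal error. Returns (token_response, number_of_polls)."""
    for polls in range(1, max_polls + 1):
        resp = server.token(DEVICE_GRANT, device_code, client_id, now)
        if "access_token" in resp:
            return resp, polls
        err = resp["error"]
        if err == "slow_down":
            interval += 5                            # RFC 8628 section 3.5
        elif err == "authorization_pending":
            if on_pending:
                on_pending(polls)                    # hook for the simulated user
        else:
            raise RuntimeError(f"device flow failed: {err}")
        now += interval
    raise TimeoutError("user did not approve before max_polls")


def run_device_flow(approve_after_polls=2):
    """End to end: request codes, let the simulated user approve after the
    given number of pending polls, and return (token_response, polls)."""
    server = ToyAuthorizationServer()
    start = server.device_authorization(CLIENT_ID, "openid", now=0.0)
    # What the device shows on its screen:
    print(f"Go to {start['verification_uri']} and enter code {start['user_code']}")

    def simulated_user(polls):
        if polls == approve_after_polls:
            server.user_approves(start["user_code"])

    return poll_for_token(server, CLIENT_ID, start["device_code"],
                          start["interval"], 0.0, on_pending=simulated_user)


if __name__ == "__main__":
    token, polls = run_device_flow()
    print(f"token issued after {polls} polls: {token['token_type']} {token['scope']}")
```

The server side enforces the properties that matter for this grant: the device code is bound to the client that requested it, it is consumed on first successful redemption, it expires if the user never approves, and a client that polls faster than the advertised interval is told to slow down rather than served.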