How Does Visual Builder Find a Resource Application within its Identity Domain?

When a backend or service connection is configured with the "Oracle Cloud Account" authentication type, Visual Builder tries to locate a resource application within its Identity Domain. This authentication type is equivalent to "OAuth 2.0 User Assertion" with a well known scope.

Visual Builder tries to find a resource application in this way:

Visual Builder first looks for an Oracle resource with either the primary audience or secondary audience equal to the base URL of the backend/service connection.
If it finds a resource, it then checks if the resource has either the / or urn:opc:resource:consumer::all scope.

If it can't find a resource or if the resource it finds does not have one of these scopes, then the search proceeds to the next step.
Visual Builder then tries to locate a manually-created resource with the primary audience equal to the base URL of the backend/service connection.
If it finds such a resource, it again checks if the resource has either the / or urn:opc:resource:consumer::all scope. If neither of these scopes is present the search is stopped here. Visual Builder assumes there should only be one resource with primary audience or secondary audience equal to the base URL.

If it can't find a primary audience resource, then the search proceeds to the next step.
Visual Builder then looks for a manually-created resource with the secondary audience equal to the base URL. If such a resource is found, it again checks for the / or urn:opc:resource:consumer::all scope.
If neither of these scopes is present, the search is stopped here.

If the scope is not resolved at all, you might see an "invalid_scope" error, like this:

"type": "abcs://proxy_problem/oauth/auth_token_error",
"title": "OAuth token resource returned an error",
"detail": "Invalid scope.",
"status": 400,
"o:vbcs-token-response": {
    "error": "invalid_scope",
    "error_description": "Invalid scope.",
    "ecid": "9u1We1s7N00000000"
}