Complete Prerequisites: Create and Activate the Client Application

Configure and activate the confidential client application, then take note of the client ID and secret. You'll need that information to connect from third-party applications.

When you configure the confidential client application, you specify the grant type and assign scopes and roles. The confidential client application requires the ServiceInvoker role.

  1. Access the identity domain.
    1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials.
    2. In the navigation pane, click Identity & Security.
    3. Click Domains.
    4. Select your compartment.
    5. Select the identity domain.
    6. In the menu bar, click Integrated applications.

      This is where you create the client application for your grant type.


      The Details, User management, Administrators, Dynamic groups, Directory integrations, Integrated applications (which is selected), Oracle cloud services, Federation, and Domain policies tabs are shown.

  2. Create and configure the client application.
    1. Click Add application.
    2. Select Confidential Application, then click Launch workflow.
    3. Enter a name.
      The remaining fields on this page are optional and can be ignored.
    4. Click Submit.
    5. Click the OAuth configuration tab, then the Edit OAuth configuration subtab.
    6. In the Client configuration panel, select Configure this application as a client now.
    7. In the Allowed grant types section, select Client credentials.


      The Edit OAuth Configuration panel is shown. The radio button Configure this application as a client now is selected. The Allowed grant types section is shown. Options are available for Resource owner, Client credentials (which is selected), JWT assertion, Refresh token, Device code, Authorization code, Implicit, SAML2 assertion, and TLS client authentication.

    8. Leave the Redirect URL, Post-logout redirect URL, and Logout URL fields blank.
    9. For Client type, ensure that Confidential is selected.
    10. Skip the intervening fields and scroll down to the Token issuance policy section.
    11. Select Specific in the Authorized resources section.
    12. Click the Add Resources toggle.
    13. Click Add scope.
    14. Find and expand the Oracle Integration application for your instance.
    15. Select the two scopes whose names end with urn:opc:resource:consumer::all and ic/api/.


      The Add scope section is shown. A table with columns for Name and Description is shown. The Oracle Integration application name is expanded to show the two selected scopes.

    16. Click Add.

      The scopes are displayed in the Resources section.

    17. Ignore the Add app roles check box. This selection is not required.
    18. Click Submit.

      The details page for the client application is displayed.

  3. Add the ServiceInvoker role to the client application.
    1. In the menu bar, click Oracle cloud services.


      The identity domain navigation pane shows Overview (which is selected), User management, Administrators, Dynamic groups, Directory integrations, Integrated applications, Oracle Cloud Services, Federation, and Domain policies.

    2. Click the specific application corresponding to the Oracle Integration instance.
    3. In the menu bar, click Application roles.
    4. For client credentials, expand ServiceInvoker, then click the Actions icon next to Assigned applications.

      This option assigns users, groups, and applications to the instance application. Assign the client application you created in step 2 so that it holds the ServiceInvoker role.


      Tabs for Details, OAuth configuration, Web tier policy, Application roles (which is selected), Access token, Users, and Groups are shown. The Application roles section shows buttons for Import and Export, and a Search section. Below is a table with a column of check boxes, and additional columns for Name, Description, Assigned users, Assigned groups, and Assigned applications. The Name column lists all Oracle Integration application roles. The ServiceInvoker role is expanded to include entries for Manage users, Manage groups, and Manage applications.

  4. Activate the confidential application.
    1. From the Actions menu at the top, select Activate, and then Activate application to activate the client application for use.
  5. Get the confidential client application client ID and secret.

    In the General Information section, note the client ID and client secret values. The third-party application that communicates with the identity domain needs both. Treat the client secret like a password: keep it in a secrets manager or vault rather than in source code, configuration files checked into version control, or logs, and rotate it if it is ever exposed.


    The General Information section shows the Client ID and Client secret values. The Client secret value is available through the Actions menu.

  6. Get the access token for the client credentials grant type.
    1. Use the client ID and client secret to request an access token with the client credentials grant.
      ##Syntax
      curl -i -H 'Authorization: Basic <base64-clientid-secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=client_credentials&scope=<app scope>'
      ###where
      #### <base64-clientid-secret> - Base64 encoding of clientId:clientSecret (curl can compute this header for you with -u '<clientId>:<clientSecret>')
      #### <app scope> - The scope added in the Client configuration section when you created the application: the resource application's audience followed by urn:opc:resource:consumer::all
       
      ##Example
      curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=client_credentials&scope=https://<Resource APP Audience>urn:opc:resource:consumer::all'

      Where <Identity_Domain_Service_Instance> is the host name shown in the Domain URL field on the Details tab of the identity domain (the Domain URL has the form https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com:443). Note that a secret placed on the command line is visible in shell history and to other users of the host through the process list, so for anything beyond a one-off test read it from a file or environment variable instead.


      The Details (which is selected), User management, Administrators, Dynamic groups, Directory integrations, Integrated applications, and Oracle Cloud Services tabs are shown. The Details section for the domain shows fields for OCID, Domain type, Description, Domain replication, Home region, Created, Show domain on login, and Domain URL.

    2. Capture the access_token value from the response and send it in the Authorization: Bearer header of requests to Oracle Integration. The token expires after expires_in seconds (3600 here), so reuse it until shortly before it expires and then request a new one, rather than requesting a token on every call.
      {
          "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
          "token_type": "Bearer",
          "expires_in": 3600
      }
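The following is an added worked example of step 6 as a third-party application would implement it; it is illustrative code, not part of the Oracle documentation or of Oracle Integration. It builds the same request the curl command above sends (the Basic header from client ID and secret, and a URL-encoded client_credentials body), parses the token response, and caches the token until shortly before expires_in elapses so the identity domain is not hit on every call. The domain URL, client ID, client secret, audience and the sample JSON response are constructed placeholders.

```python
"""Client credentials token request against an OCI identity domain.

Example code added to illustrate step 6; not Oracle's code. All identifiers
below (domain URL, client ID, secret, audience) are constructed placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_PATH = "/oauth2/v1/token"


def build_token_request(domain_url: str, client_id: str, client_secret: str, scope: str):
    """Return (url, headers, body) for a client_credentials grant.

    domain_url is the Domain URL from the identity domain's Details tab, e.g.
    https://idcs-<id>.identity.oraclecloud.com:443 (the :443 suffix is fine).
    The client authenticates with HTTP Basic: base64(client_id:client_secret).
    """
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    # urlencode percent-escapes the ':' and '/' in the scope, so the body stays
    # well-formed whatever the audience string contains.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return domain_url.rstrip("/") + TOKEN_PATH, headers, body.encode("ascii")


@dataclass
class Token:
    access_token: str
    token_type: str
    expires_at: float  # epoch seconds

    def is_valid(self, now: float, skew: float = 60.0) -> bool:
        """True while the token still has more than `skew` seconds of life."""
        return now + skew < self.expires_at

    def authorization_header(self) -> dict:
        """Header to send on calls to Oracle Integration."""
        return {"Authorization": f"{self.token_type} {self.access_token}"}


def parse_token_response(raw: bytes, now: float) -> Token:
    """Parse the JSON body returned by /oauth2/v1/token."""
    data = json.loads(raw)
    if "access_token" not in data:
        # On failure the endpoint returns an error object instead of a token.
        raise RuntimeError(f"token request failed: {data}")
    return Token(
        access_token=data["access_token"],
        token_type=data.get("token_type", "Bearer"),
        expires_at=now + float(data.get("expires_in", 0)),
    )


def fetch_token(domain_url: str, client_id: str, client_secret: str, scope: str) -> Token:
    """Perform the HTTP exchange (needs network access; not used offline)."""
    url, headers, body = build_token_request(domain_url, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read(), time.time())


class TokenCache:
    """Reuse one token until it is about to expire instead of calling /token per request."""

    def __init__(self, fetcher):
        self._fetcher = fetcher  # callable(now) -> Token
        self._token = None

    def get(self, now: float = None) -> Token:
        now = time.time() if now is None else now
        if self._token is None or not self._token.is_valid(now):
            self._token = self._fetcher(now)
        return self._token


# Constructed sample response with the same shape as the one shown in step 6.2.
SAMPLE_RESPONSE = (
    b'{"access_token": "eyJ4NXQjG.example.signature", '
    b'"token_type": "Bearer", "expires_in": 3600}'
)

if __name__ == "__main__":
    url, headers, body = build_token_request(
        "https://idcs-example.identity.oraclecloud.com:443",  # placeholder domain URL
        "client-id-placeholder", "client-secret-placeholder",
        "https://example-audience/urn:opc:resource:consumer::all")  # placeholder scope
    print(url, body.decode())
    tok = parse_token_response(SAMPLE_RESPONSE, now=0.0)
    print(tok.authorization_header(), tok.is_valid(3000.0), tok.is_valid(3590.0))
```

In production, replace the placeholder secret with a value read from a secrets manager or environment variable, and wire `TokenCache` to `fetch_token` so that one process holds a single live token and refreshes it when `is_valid` turns false.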