Set Up the OAuth Authorization Code Credentials Security Policy with the Oracle Fusion Applications Identity Domain

You must create a resource application to represent the Oracle Fusion Applications resource and a client application for Oracle Integration to use the OAuth Authorization Code Credentials security policy. Once these tasks are completed, you can successfully configure a connection on the Connections page. You do not need to create any JWT signing certificates for upload into Oracle Fusion Applications.

Create an Identity Domain Resource Application to Represent the Oracle Fusion Applications Resource

  1. Create an identity domain resource application to represent the Oracle Fusion Applications resource.
    1. Log in to the identity domain as the domain administrator.
    2. In the menu bar, click Identity & Security.
    3. Click Domains.
    4. Select your compartment.
    5. Click the identity domain.
    6. In the menu bar, click Integrated applications.

      This is the location at which you create the client application for your grant type.


      The Details, User management, Administrators, Dynamic groups, Directory integrations, Integration applications (which is selected), Oracle cloud services, Federation, and Domain policies tabs are shown.

    7. Click Add application.
    8. Select Confidential Application, then click Launch workflow.
    1. Provide a name (for example, FA Resource), and click Submit.
    2. Click the OAuth configuration tab, then the Edit OAuth configuration subtab.
    3. In the Resource server configuration section, select Configure this application as a resource server now.
    4. (Optional) In the Configure application APIs that need to be OAuth protected section, select a value from the Access token expiration (seconds) list.
    5. Click the Allow token refresh toggle.
    6. In the Refresh token expiration (seconds) list, select a value.
    7. In the Primary audience field, add the Oracle Fusion Applications URL and port. This is the primary recipient where the token is processed.
      https://FA_URL:443
    8. Click the Add scope toggle, then click Add.
    9. In the Scope field, enter /.
    10. In the Description field, enter All.
    11. Select Requires user consent.
    12. Click Add, then click Submit.
    13. From the Actions menu at the top, select Activate, and then Activate application to activate the application for use. The resource server representing the resource is now active.

Create the Confidential Client Application for Oracle Integration

  1. Sign in as the identity domain administrator to the Oracle Cloud Infrastructure Console.
  2. In the menu bar, click Identity & Security.
  3. Click Domains.
  4. Select your compartment.
  5. Click the identity domain.
  6. In the menu bar, click Integrated applications.
  7. Click Add application.
  8. Select Confidential Application, then click Launch workflow.
  9. Enter a name. The remaining fields on this page are optional and can be ignored.
  10. Click Submit.
  11. Click the OAuth configuration tab, then the Edit OAuth configuration subtab.
  12. In the Client configuration panel, select Configure this application as a client now.
  13. For the authorization code, select Refresh token and Authorization code in the Allowed grant types section.
  14. In the Redirect URL field, enter the redirect URL of the client application. After user login, this URL is redirected to with the authorization code. You can specify multiple redirect URLs. This is useful for development environments in which you have multiple instances, but only one client application due to licensing issues. For example:

    Note:

    If you don't know the following information, check with your administrator:

    • If your instance is new or upgraded from Oracle Integration Generation 2 to Oracle Integration 3.
    • The complete instance URL with the region included (required for new instances).
    For Connections… Include the Region as Part of the Redirect URL? Example of Redirect URL to Specify…
    Created on new Oracle Integration 3 instances Yes. 
    https://OIC_instance_URL.region.ocp.oraclecloud.com/icsapis/agent/oauth/callback

    Created on instances upgraded from Oracle Integration Generation 2 to Oracle Integration 3

    		 No.

    This applies to both:

    • New connections created after the upgrade
    • Existing connections that were part of the upgrade
    		 
    https://OIC_instance_URL.ocp.oraclecloud.com/icsapis/agent/oauth/callback

    For the OAuth authorization code to work, the redirect URI must be set properly.

  15. Click the Add Resources toggle.
  16. Click Add scope to add appropriate scopes.

    If the Oracle Fusion Applications instance is federated with the identity domain, the Oracle Integration cloud service application is listed among the resources for selection. This enables the client application to access Oracle Integration.

  17. Search for the Oracle Fusion Applications resource application created in Create an Identity Domain Resource Application to Represent the Oracle Fusion Applications Resource.
  18. Find and expand the resource.
  19. Select the scope, then click Add.
  20. Click Submit.

    The Details page shows the client ID and client secret values in the General Information section.

  21. Copy and save these values. You need this information when creating a connection for the OAuth Authorization Code Credentials security policy on the Connections page.
    Note the following details for successfully authenticating your account on the Connections page.
    If The... Then...
    Identity domain safeguarding Oracle Integration and the Oracle Fusion Applications resource application are the same. Log in to Oracle Integration using the local Oracle Fusion Applications user created earlier. You must create a connection and click Provide Consent on the Connections page for authentication to succeed.
    Identity domain safeguarding Oracle Integration and the Oracle Fusion Applications resource application are different. Log in to Oracle Integration using a general Oracle Integration developer account, create a connection, and click Provide Consent on the Connections page. You need to log in to the Oracle Fusion Applications resource identity domain application using the local Oracle Fusion Applications user account created earlier.
  22. From the Actions menu at the top, select Activate, and then Activate application to activate the client application for use.

Resolve Errors That Occur When Clicking Provide Consent

After you configure the OAuth Authorization Code Credentials security policy on the Connections page, you must test your connection.

If you are logged in to Oracle Integration with an Oracle Integration user account and click Provide Consent to test the OAuth flow, consent is successful. However, when you test the connection, it fails with an Unauthorized 401 error.

This error occurs because the Oracle Integration user account with which you logged in is not part of Oracle Fusion Applications.
  1. Log out of Oracle Integration and log back in with a user account that exists in Oracle Fusion Applications.
  2. Return to the Connections page and retest the connection.

    The connection is successful this time.