Call the Developer APIs with Resource Owner Password Credentials

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with Resource Owner Password Credentials, you must create a confidential client application and perform other prerequisites. For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type: Prerequisites for Client Credentials and Resource Owner Password Credentials.

Information You Need

The following is information you need to send requests through a client.
Information You Need Where to Find It
Design-time URL or Runtime URL, depending on your use case See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain.

Domain Details page, accessed by selecting Identity, Domains, with the Domain URL field highlighted

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Configure Postman for Resource Owner Password Credentials

Postman Configuration page, with Authorization tab selected, fields required to complete from top to bottom are Grant Type Password Credentials, Access Token URL, Client ID, Client Secret, User name, Password, Scope, Client Authentication. There is also a Get New Access Token button
  1. Use the Design-time URL or Runtime URL depending on your use case. See Do You Use the Design-time or Runtime URL?.

    Example Design-time URL with a call to the Oracle Integration Developer API for connections: 

    https://design-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Example Runtime URL:

    https://myInstance-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Note:

    If you use the Runtime URL, you'll need to configure Postman to Follow Authorization Header in the request settings. This is because if you call the Oracle Integration Developer APIs with the Runtime URL, Oracle Integration redirects to the Design-time URL for the Developer APIs and the call will fail if the authorization header is missing from the request header.

    In cURL, use the -l option to forward the authorization header during the redirection.

    To configure Postman to forward the authorization header when using the Runtime URL:
    1. In the request, click Settings and enable Follow authorization header. Postman Settings tab selected with Follow authorization header highlighted to be set to ON.
  2. In the Authorization tab, fill in the required fields.
    Field What to enter

    Authorization type

    		 OAuth 2.0

    Grant Type

    		 Password credentials

    Access Token URL

    		 Use the identity domain host you identified from your Domain URL.

    Example: https://<identity_domain_host>/oauth2/v1/token

    Client ID

    Add the client ID for the confidential application that you configured.

    Client Secret

    Add the client secret for the confidential application that you configured.

    User Name and Password Provide a valid user name and password. This will generate the token with the resource owner password credentials.

    Scope

    Add the same scope that you added to your confidential application.

    Client Authentication

    		 You can choose anything here, does not apply.
  3. Click Get New Access Token.
  4. You are prompted to enter a user name and password.

    This user must have been created in the IAM domain. You cannot use a single sign-on user name and password as this is a different authentication method. If you have single sign-on for your instance, you will need to copy the same users in IDCS and maintain a separate password for local IAM access.

  5. Click Use Token.

    Your token is attached to your request in the Header section.

  6. Click Send to make the call to the API. You should get a list of connections.

cURL command for Resource Owner Password Credentials

  1. To fetch the access client, make a request with the user name and password in the payload. For example:
    curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>/oauth2/v1/token -d 'grant_type=password&username=sampleUser&password=SamplePassword&scope=https://<Resource_APP_Audience>urn:opc:resource:consumer::all%20offline_access'
    Syntax:
    
curl -i -H 'Authorization: Basic <base64Encoded_clientid:secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<App_Scope>%20offline_access'
    Where:
    • <base64-clientid-secret> - Base 64 encode clientId:ClientSecret
    • <username> - user for token needs to be issued (must be in serviceinvoker role).
    • <password>- password for above user
    • <app_scope> - Scope added while creating application in client configuration section (Ends with urn:opc:resource:consumer::all)
  2. Capture the access_token and refresh_token from the response.
    {
    "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc="
}
  3. Use the access_token in the authorization header to invoke the Oracle Integration trigger endpoint.
    curl --location --request GET 'https://OIC host/OIC endpoint' \
--header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'
  4. To update the access token, use the refresh token and make a request.
  5. Capture the access_token and refresh_token from the response for further use. For example:
    curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc='
    Syntax:
    curl -i -H 'Authorization: Basic <base64-clientid-secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=<refresh_token>'