FAQs for the Confidential Client Application

A prerequisite to use OAuth with trigger connections and the Oracle Integration Developer APIs is that you create a confidential client application in Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), configure the authorization grant, assign scopes, assign roles, and activate the confidential client application. You must be the OCI tenant and domain administrator to configure the confidential application.

When do you need a confidential client application?

You need to configure a confidential client application when you use OAuth with a trigger connection, or when you use the Oracle Integration Developer APIs. The confidential client application acts as the configuration to enable OAuth on associated integration applications.

What are the steps to configure the confidential client application and use OAuth in Oracle Integration?

The steps that you need to follow depend on your use case. To know more about where you can use OAuth in Oracle Integration and a summary of configuration steps for each use case, see:

You must be the OCI tenant and domain administrator to configure the confidential application

You must be the OCI tenant and domain administrator to configure the confidential application, assign scopes and roles, and activate it.

How many confidential client applications do I need?

How many confidential applications you configure depends on your use case.

  • In general, you need one confidential application per Oracle Integration instance. You can configure one confidential client application to handle one or more OAuth authorization grant types.

  • If you want to isolate the configuration that different users use, configure a different confidential client application per OAuth authorization grant type.

  • If you have multiple identity domains, you need to configure one confidential client application per domain, because you can only access the confidential client application within a domain.

Which OAuth authorization grant type do I use?

In general, these are the supported grant types:

  • JWT User Assertion
  • Client credentials
  • Authorization code
  • Resource Owner Password Credentials (not recommended)

Which one you configure in your confidential application depends on which ones your client supports.

  • If the client is programmatic or SDK-based, use Client credentials or JWT User Assertion.
  • If the client is browser-based and requires user interaction, use Authorization code.

For additional information on OAuth authorization grant types, see About OAuth 2.0 Grants.

What are the scopes and which ones are required?

Scopes limit what users have access to in the Oracle Integration instance.

There are two Oracle Integration instance scopes that you add to the confidential application:

It's recommended to assign both scopes to the confidential application.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs:

https://<id>.host.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs:

https://<id>.host.oraclecloud.com:443/ic/api/
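
The first scope above is the instance URL and the URN joined with no separator, which is easy to mistake for a typo and "correct" when copying it into a client. The following added example (not Oracle's code) checks configured scope strings against the two forms shown on this page and builds the form body of a client credentials token request that asks for both. The host example-id.host.oraclecloud.com, the client ID and secret, and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlencode

# The two scope suffixes shown on this page.
SUFFIX_ALL = "urn:opc:resource:consumer::all"
SUFFIX_API = "/ic/api/"

# Instance prefix: https://<host>:443 with no trailing slash (assumed host charset).
AUDIENCE_RE = re.compile(r"^https://[A-Za-z0-9.-]+:443$")


def build_scopes(audience):
    """Return both scopes for an instance prefix such as https://<id>...:443."""
    if not AUDIENCE_RE.match(audience):
        raise ValueError(f"expected https://<host>:443, got {audience!r}")
    return [audience + SUFFIX_ALL, audience + SUFFIX_API]


def check_scope(scope):
    """Return 'all' or 'api' for a well-formed scope; raise ValueError otherwise."""
    for name, suffix in (("all", SUFFIX_ALL), ("api", SUFFIX_API)):
        if scope.endswith(suffix) and AUDIENCE_RE.match(scope[: -len(suffix)]):
            return name
    raise ValueError(f"not one of the two expected scope forms: {scope!r}")


def client_credentials_request(client_id, client_secret, scopes):
    """Build headers and URL-encoded body for a client credentials token request."""
    for s in scopes:
        check_scope(s)  # reject a scope with an added slash or a missing one
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Several scopes travel as one space-separated value (RFC 6749, section 3.3);
    # urlencode escapes the ':' and '/' characters inside each scope.
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body
```

The returned headers and body are what a programmatic client posts to the token endpoint of the identity domain that holds the confidential application.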