Obtain and Use an OAuth Token
The OAuth 2.0 token service provided by Oracle Identity Cloud Service is a mechanism that enables you to use a secured token to access Oracle Java Cloud Service REST endpoints.
An OAuth access token has an expiration value of 86,400 seconds (24 hours). If you want to make REST API requests 24 hours after getting an access token, you will need to obtain a new token.
Note:
-
The following procedure is applicable to most Oracle Cloud accounts and only applicable to those accounts that were created after 18.1.4.
-
To access Oracle Java Cloud Service that is integrated with Oracle Identity Cloud Service, the identity domain ID is the Oracle Identity Cloud Service tenant name. This tenant name begins with the characters
idcs-
followed by a string of number and letters (for example,idcs-9a888b7e6ebb44b4b65
). Access the Oracle Identity Cloud Service Console in a browser to find the tenant name in the URL. You can also find the name when you sign in to your Oracle Cloud account, navigate to Identity and then select Federation. -
cURL examples are used in the procedure to obtain an access token from Oracle Identity Cloud Service, and then access an Oracle Java Cloud Service REST endpoint with the token.
What You Need
Get the following information from the Oracle Identity Cloud Service web console.
- Oracle Identity Cloud Service instance URL
- Client ID
- Client secret
- Primary audience URL
- Allowed scope
-
Sign in to your Oracle Cloud account.
You need to have either the Identity Domain Administrator role or PaaS Administrator role to follow the steps in this procedure.
-
From the navigation menu, click Identity and then click Federation.
-
Copy the URL shown next to Oracle Identity Cloud Service Console.
For example:
https://idcs-9a888b7e6ebb44b4b65.identity.oraclecloud.com/ui/v1/adminconsole
Where
idcs-9a888b7e6ebb44b4b65.identity.oraclecloud.com
is the REST server portion of the Oracle Identity Cloud Service Instance URL (which forms part of the endpoint URL for requesting an access token). -
Click the URL to open the console. Then click the Applications icon.
-
In the search field, enter
PSM
and then click the search icon. In the results, locate the entry titled PSM App for API OAuth support.Note that the Platform Service Manager App (PSMApp) is not available for Oracle Cloud accounts that were created before 18.1.4.
-
Click the name of the application titled PSM App for API OAuth support. The name has the form
PSMApp-cacct-string-of-letters-and-numbers
.For example:
PSMApp-cacct-9z8x7c6v5b4n3m
This is the Oracle Identity Cloud Service trusted PSM client application, which is automatically created for Oracle Cloud accounts (after 18.1.4) and associated with Oracle Java Cloud Service.
-
Click Configuration. Under General Information, copy the value shown in the Client ID field.
This is the PSMApp client ID. For example:
PSMApp-cacct-9z8x7c6v5b4n3m_APPID
-
Click Show Secret, and then copy the value. .
This is the PSMApp client secret. For example:
c53b437-1768-4cb6-911e-1e6eg2g3543
-
Expand Resources. Copy the value shown in the Primary Audience field.
This is the PSMApp primary audience URL. For example:
https://psm-cacct-9z8x7c6v5b4n3m.console.oraclecloud.com
-
In the Scopes section, copy the Scope value for 1PaaS Permission.
urn:opc:resource:consumer::all
Get an OAuth Access Token
With the information you gathered, use the Oracle Identity Cloud Service REST endpoint /oauth2/v1/token
to obtain a token.
curl -k -X POST -u "client-id:client-secret" -d "grant_type=password&username=yourusername&password=yourpassword&scope=https://primary-audience-and-scope" "https://identity-cloud-service-instance-url/oauth2/v1/token"
Where:
-
client-id
is the PSMApp client ID -
client-secret
is the PSMApp client secret -
yourusername
is the user name of a cloud service user with the Java Administrator role -
yourpassword
is the password for the user name -
primary-audience-and-scope
is a concatenation of the PSMApp primary audience URL and the 1PaaS permission scope -
identity-cloud-service-instance-url
is the REST server portion of the Oracle Identity Cloud Service Instance URL
For example:
curl -k -X POST -u "PSMApp-cacct-9z8x7c6v5b4n3m_APPID:c53b437-1768-4cb6-911e-1e6eg2g3543" -d "grant_type=password&username=yourusername&password=yourpassword&scope=https://psm-cacct-9z8x7c6v5b4n3m.console.oraclecloud.comurn:opc:resource:consumer::all" "https://idcs-9a888b7e6ebb44b4b65.identity.oraclecloud.com/oauth2/v1/token"
The following shows an example of the response returned.
{
"access_token":"eyJ7NXQ...fMf46Q0yKopDxQ",
"token_type":"Bearer",
"expires_in":86400
}
The token string is truncated in the example response. You should copy the entire token string (within the quotation marks) as shown in your response.
Use the OAuth Access Token in Oracle Java Cloud Service REST API Requests
After you obtain an OAuth 2.0 access token, you provide the token in a bearer token header of the Oracle Java Cloud Service REST request.
curl -i -X GET -H "Authorization: Bearer token-string" "https://primary-audience/rest-endpoint-path"
Where:
-
token-string
is the OAuth access token you obtained -
primary-audience
is the PSMApp primary audience URL -
rest-endpoint-path
is the relative path that defines the Oracle Java Cloud Service REST resource (note that the identity domain ID of Oracle Identity Cloud Service is used in the path)
For example, the following cURL command retrieves all Oracle Java Cloud Service instances.
curl -i -X GET -H "Authorization: Bearer eyJ7NXQ...fMf46Q0yKopDxQ" "https://psm-cacct-9z8x7c6v5b4n3m.console.oraclecloud.com/paas/api/v1.1/instancemgmt/idcs-9a888b7e6ebb44b4b65/services/jaas/instances"