Manage Your Instance in Another Identity Domain Using OAuth
When an Oracle Visual Builder, Oracle Integration, or Oracle Cloud Applications instance in your environment is not in the same identity domain as your VB Studio instance, you set up OAuth tokens (via three-legged OAuth flows) to securely access the instance.
- OAuth tokens for an instance in a different identity domain can be created when adding the instance to an environment. Instances from a different identity domain have the Authorization column set to OAuth in the Add Service Instance dialog.
Before any OAuth tokens can be created, a one-time authorization must be provided to handle OAuth requests for the instance. VB Studio automatically detects an instance being added from a different identity domain and prompts you for authorization. Click Authorize, then sign in with the credentials of a user that can connect and deploy to the target instance.
(If you don’t have valid credentials to provide authorization, you can safely remove the instance by clicking Remove Instance from the instance’s actions menu. Talk to your administrator to request credentials that you can use, then re-add the instance.)
Note:
It is recommended that you authorize your OAuth connection during initial configuration. If you skip this step, developers won't be able to publish changes from the Designer until the required authorization is provided.
For detailed information on adding an instance, refer to these topics:
- To create an environment with a Visual Builder instance, see Create and Set Up a Project for Development.
- To create an environment with an Oracle Cloud Applications instance, see Add an Oracle Cloud Application Instance to an Environment.
- To create an environment with an Oracle Integration instance, see Add an Oracle Integration Instance to an Environment.
Note:
In addition to OAuth set up from the Environments page, OAuth can be configured in build jobs that deploy artifacts to your environment’s instance, for example, in the deploy build job used by the Publish action in the Designer to deploy visual applications or extensions, or in the export Integration build job used to export an Integration package.
- To configure the deploy build job that deploys a visual application to a Visual Builder instance for OAuth, see Configure the Deployment Job. OAuth is also supported in other build jobs used to import and export data, lock, unlock, roll back, or undeploy a visual application.
- To configure the deploy build job that deploys an extension to an Oracle Cloud Applications instance for OAuth, see Create a Deployment Build Job. OAuth is also supported in build jobs used to delete an extension.
- To configure build jobs used to import and export Integration artifacts from and to an Oracle Integration instance (as well as to activate or delete an Integration), see Manage Integrations. OAuth is also supported in build jobs used to manage Integration projects, packages, lookups, and connections.
- OAuth tokens (access and refresh) are cycled during regular use. A refresh token is used to obtain an access token whenever a user accesses the target instance. This refresh token is typically valid for seven days. (The token expiration time is set in the IDCS resource app and may be different based on your security requirements.) If the user authenticates with the target instance within the seven-day period, the active refresh token generates a new access token and a new refresh token. This cycle continues indefinitely as long as the refresh token stays valid. If the refresh token expires during extended periods of inactivity (say, when you're away on vacation), you'll need to renew the access and refresh tokens.
- To renew OAuth tokens on the Environments page, click Actions and select Renew OAuth Access.
- To renew OAuth tokens on the Builds page, locate your build job, then click Renew Authorization on the Steps tab. You can also run the job manually, so you'll be prompted to authorize any expired OAuth tokens.
Note:
Service administrators can control the OAuth access or refresh token's expiration in the IDCS resource app. For example, to change this for Oracle Cloud Applications, you set the value in the Fusion Applications Cloud Service resource app under Oracle Cloud Services in your identity domain's resource app. See Edit High-Level Information for Oracle Applications.
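The refresh-token cycle described above can be modeled to see which accesses are covered silently and which ones require Renew OAuth Access. The following is an added example, not Oracle code: it models only the lifetime rule stated on this page, the function names are hypothetical, the sample dates are constructed, and the seven-day default should be replaced with the value set in your IDCS resource app.

```python
from datetime import datetime, timedelta

# Refresh-token lifetime described on this page ("typically valid for seven
# days"); the real value is whatever is set in the IDCS resource app.
DEFAULT_REFRESH_LIFETIME = timedelta(days=7)


def simulate_access(access_times, first_authorized, lifetime=DEFAULT_REFRESH_LIFETIME):
    """Model the sliding refresh-token window for one target instance.

    access_times: datetimes at which a user or build job reaches the instance.
    first_authorized: when the one-time OAuth authorization was granted.
    Returns (time, outcome, new_refresh_expiry) tuples where outcome is
    "rotated" (tokens cycled silently) or "renew" (interactive renewal needed).
    Assumption: a token counts as expired at exactly issue time + lifetime.
    """
    refresh_expiry = first_authorized + lifetime
    timeline = []
    for t in sorted(access_times):
        if t < first_authorized:
            raise ValueError("access before the instance was authorized")
        outcome = "rotated" if t < refresh_expiry else "renew"
        # Either way a fresh access/refresh pair exists afterwards: silently on
        # rotation, or once the user completes Renew OAuth Access.
        refresh_expiry = t + lifetime
        timeline.append((t, outcome, refresh_expiry))
    return timeline


def renewals_needed(access_times, first_authorized, lifetime=DEFAULT_REFRESH_LIFETIME):
    """Return only the access times that would require interactive renewal."""
    events = simulate_access(access_times, first_authorized, lifetime)
    return [t for t, outcome, _ in events if outcome == "renew"]


if __name__ == "__main__":
    # Constructed sample: regular use, a 16-day gap, then regular use again.
    start = datetime(2024, 3, 1, 9, 0)
    times = [start + timedelta(days=d) for d in (2, 6, 11, 27, 30)]
    for t, outcome, expiry in simulate_access(times, start):
        print(f"{t:%Y-%m-%d}  {outcome:<8} refresh token valid until {expiry:%Y-%m-%d}")
```

Feeding in a build job's schedule shows the practical consequence: a job that runs less often than the refresh lifetime comes out as "renew" on every run.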