Using OAuth2 for Application and Global Connections

Application connections and global connections to Cloud EPM and Cloud ERP applications support using Open Authorization (OAuth) 2 for authentication.

Using OAuth2 in Cloud EPM Applications

Perform the following steps to set up OAuth2 authentication for Cloud EPM applications. See Authentication with OAuth 2 in REST APIs for details.

  1. Register the OAuth2 client.

    Note:

    For Oracle Fusion Cloud Enterprise Data Management, you must register separate OAuth2 clients (each with a client ID, access, and refresh tokens) for each application or global connection. For example, if you have two application connections and two global connections that you want to use OAuth2 authentication for, you must register four OAuth2 clients.
  2. Obtain and securely store the first refresh token.

    Tip:

    Set the refresh token expiry longer than the frequency of running your imports and exports in order to keep the tokens valid.
  3. Obtain an access token from the refresh token.

Using OAuth2 in Cloud ERP Applications

Cloud EDM supports OAuth 2.0 authentication when connecting to Oracle Cloud ERP applications. OAuth authentication enables Cloud EDM to obtain access tokens from Oracle Cloud Infrastructure Identity and Access Management (IAM) Identity Domain and use those tokens to access ERP integration services.

To use OAuth authentication, an identity administrator must configure a confidential application in IAM and authorize access to the target ERP environment. The administrator must also register a certificate and provide the corresponding private key that Cloud EDM uses to authenticate when requesting access tokens. See Configure OAuth Using the Fusion Applications Identity Domain in Configuring and Extending Applications.

Prerequisites for OAuth Authentication

Before configuring an OAuth connection in Cloud EDM, an identity administrator must configure OAuth authentication for the target Oracle Cloud ERP environment.

  1. Generate an unencrypted PKCS#8 private key that Cloud EDM will use to sign authentication requests. See How to Generate an API Signing Key in Oracle Cloud Infrastructure Documentation .

  2. Create a public certificate from the private key. This certificate is registered with the confidential application, while the corresponding private key is uploaded to Cloud EDM. For example, to create a self-signed certificate using OpenSSL: openssl req -new -x509 -key private_key.pem -out public_cert.pem -days 365 -subj "/CN=EDMToFusion".

  3. Create and configure a confidential application in Oracle Cloud Infrastructure Identity and Access Management (IAM). See Adding a Confidential Application in Oracle Cloud Infrastructure Documentation

    Configure the confidential application to support Cloud EDM by completing the following tasks:

    • Enable the Client Credentials grant type. See Configure OAuth Using Client Credentials Grant Type (2-legged OAuth) in Configuring and Extending Applications.

    • Import the public certificate generated in the previous step and record the certificate alias.

    • Configure access to the Oracle Cloud ERP resource by adding the appropriate OAuth scope. For example, urn:opc:resource:<service>:<context>:<identifier>:opc:resource:consumer::all.

    • Record the Client ID and OAuth Token URL for the application.

  4. Create a Fusion Applications user account whose user name exactly matches the Client ID of the confidential application.

    Caution:

    The user name must be identical to the Client ID. Any discrepancy between the Client ID and the Fusion Applications user name can cause OAuth authentication to fail.
  5. Assign the required Fusion Applications privileges.

    Grant the Fusion Applications user the privileges required to perform ERP integration operations. At a minimum, assign the following privilege:

    FUN_FSCM_REST_SERVICE_ACCESS_INTEGRATION_PRIV

  6. Obtain the OAuth configuration values.

    Before configuring the application or global connections in Cloud EDM, obtain the following information from the confidential application:

    Parameter Description
    OAuth Token URL OAuth token endpoint for the IAM domain.
    Client ID Client identifier generated for the confidential application.
    Scope Authorized resource scope for the ERP environment.
    Certificate Alias Alias assigned to the certificate imported to the confidential application.
    Private Key Private key file corresponding to the registered certificate.

    Note:

    The file must have a .pem extension and contain an unencrypted PKCS#8 private key. Encrypted or password-protected private keys are not supported.

Certificate and Private Key Requirements

The private key provided to Cloud EDM must correspond to the certificate registered with the confidential application.

During authentication, Cloud EDM uses the private key to generate a signed client assertion. Oracle Cloud Infrastructure Identity and Access Management validates the assertion using the registered certificate before issuing an access token.

If the certificate and private key do not match, authentication requests fail.

Next Steps

After obtaining the required OAuth configuration information, create the global or application connection in Cloud EDM. See Creating Global Connections or Registering Oracle Financials Cloud General Ledger Applications.