Using OAuth 2.0 Authorization Protocol with OCI (Gen 2) Environments

EPM Automate can use the OAuth 2.0 authentication protocol to access OCI (Gen 2) Oracle Enterprise Performance Management Cloud environments and execute commands, which is especially useful when the running of commands is automated.

To enable OAuth 2.0 access, an Identity Domain Administrator must register your application as a public client in Oracle Cloud Identity Services. OAuth is enforced for the application, not across your subscription.

For detailed instructions on setting up OAuth 2.0 for your OCI (Gen 2) environments, see Authentication with OAuth 2 - Only for OCI (Gen 2) Environments in REST API for Oracle Enterprise Performance Management Cloud.

Note:

  • The addUsers, removeUsers, assignRole, and unassignRole commands do not work with OAuth 2.0. They still require basic authentication.
  • Basic authentication works even when OAuth is enabled for an environment. Be sure not to overwrite the existing encrypted password file if you plan to use it in the future.

Creating an Encrypted Password File Containing Refresh Token and Client ID

Service Administrators who want to use OAuth 2.0 for EPM Automate access to environments need these details to create their encrypted password file, which is then used to sign in to the environment:

  • Refresh token

    See steps under "EPM Cloud Service Administrator tasks to get a refresh token:" in Authentication with OAuth 2 - Only for OCI (Gen 2) Environments in REST API for Oracle Enterprise Performance Management Cloud for detailed instructions on how to get the refresh token.

  • Client ID

    The Client ID is generated when the Identity Domain Administrator configures the application for OAuth. It is visible on the Configuration tab of the application, under General Information.

To create the encrypted password file for OAuth authentication:

  1. Start an EPM Automate session and sign in to an environment.
  2. Execute a command similar to the following:

    epmautomate encrypt REFRESH_TOKEN KEY PASSWORD_FILE ClientID=CLIENT_ID

    See encrypt for detailed instructions.
  3. Sign out.
  4. Use the newly generated password file to sign in using OAuth. For automated script executions, be sure to update scripts to point to the newly generated password file.
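
The following shell helpers are an added example, not part of Oracle's documentation or tooling. They create the OAuth password file under its own name so the basic-authentication file is never overwritten, and they pick the file a given command must use. The file names, variable names, and function names are assumptions.

```shell
#!/bin/sh
# Added example: keep OAuth and basic-auth password files separate.
# File names are assumptions; override them through the environment.
OAUTH_PWD_FILE="${OAUTH_PWD_FILE:-oauth_password.epw}"
BASIC_PWD_FILE="${BASIC_PWD_FILE:-basic_password.epw}"

# Print the password file that a given EPM Automate command needs.
# The four user and role commands do not work with OAuth 2.0.
password_file_for() {
    case "$1" in
        addUsers|removeUsers|assignRole|unassignRole)
            printf '%s\n' "$BASIC_PWD_FILE" ;;
        *)
            printf '%s\n' "$OAUTH_PWD_FILE" ;;
    esac
}

# Create the OAuth password file (step 2 of the procedure).
# Arguments: REFRESH_TOKEN KEY CLIENT_ID
# Refuses to run if the target would replace an existing file.
create_oauth_password_file() {
    if [ "$#" -ne 3 ]; then
        echo "usage: create_oauth_password_file REFRESH_TOKEN KEY CLIENT_ID" >&2
        return 2
    fi
    if [ "$OAUTH_PWD_FILE" = "$BASIC_PWD_FILE" ]; then
        echo "OAuth and basic-auth password files must differ" >&2
        return 1
    fi
    if [ -e "$OAUTH_PWD_FILE" ]; then
        echo "refusing to overwrite existing file: $OAUTH_PWD_FILE" >&2
        return 1
    fi
    epmautomate encrypt "$1" "$2" "$OAUTH_PWD_FILE" "ClientID=$3" || return $?
    # Limit read access to the account that runs the automation.
    chmod 600 "$OAUTH_PWD_FILE"
}
```

Source the file from an automation script, then pass the result of `password_file_for COMMAND` to the sign-in step for that command.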