getAccessTokenByScope Procedure

You can use the getAccessTokenByScope procedure in the Plugin API to authenticate with REST APIs. This procedure provides you with the necessary access token for authentication.

Authentication and User Assertion Flow

The access token is requested using the User Assertion Flow.

  • User Identity: This means the issued token is explicitly tied to the current logged-in user.
  • Auditability: All actions and changes made to the plugin using this token will be recorded in the target systems under that user's name, ensuring full auditability.

Access Token Expiration

The OAuth access token obtained through this procedure has an expiration time of 3600 seconds (1 hour). You must handle token renewal or refreshing as needed.

The Scope Parameter

When calling the getAccessTokenByScope procedure, the scope parameter is mandatory.

  • Type: string
  • Purpose: This is a crucial security parameter used to restrict the token's access rights to a specific resource claim. It prevents the plugin from accessing data from other, unauthorized resources.
  • Format Requirement: The environment name must be included as part of the scope string to correctly identify the target environment for REST API calls.

Audience and Scopes for Oracle Fusion Field Service API

The Field Service application is configured with the following primary audience and scopes:

| Audience | Scopes | Access Granted |
|---|---|---|
| urn:opc:resource:fusion:xxxxxxxxx:field-service-common (Primary) | / | Default scope; allows access to Swagger/OpenAPI endpoints. |
| | /use | Mobile Worker Planning: Read-write access to Activity, Resource, Inventory; Read-only access to Capacity, Metadata. |
| | /view | Read-only access for all functionality included in /use. |
| | /events | Receive Events: Access to the Event API. |
| | /setup | Administration: Read-write access to Metadata, Statistics, Parts Catalog. |

Scope for Fusion API

The Oracle Fusion Field Service application is connected to the 'Fusion Applications Cloud Service' resource, providing access to the Fusion REST API with the following scope:

'urn:opc:resource:faaas:fa:XXXXXXXXXurn:opc:resource:consumer::all'

Note: The application integrator must explicitly define the required scope for each specific API call within the plugin code. This defined scope is then included in the request to IDCS (Identity Cloud Service) to retrieve the final JWT access token.

Example of "getAccessTokenByScope" procedure

Request

    {
        "apiVersion": 1,
        "method": "callProcedure",
        "callId": "1111111111",
        "procedure": "getAccessTokenByScope",
        "params": {
            "scope": "urn:opc:resource:faaas:fa:XXXXXXXXXurn:opc:resource:consumer::all"
        }
    }

Response

    {
        "apiVersion": 1,
        "method": "callProcedureResult",
        "callId": "1111111111",
        "procedure": "getAccessTokenByScope",
        "resultData": {
            "token": "...",
            "status": "success",
            "detail": ""
        }
    }
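
Handling the mandatory scope and the 3600-second expiry together: the following is an added example, not code from the Plugin API or from Oracle. It caches one token per scope, renews before expiry, and accepts a callProcedureResult only when its callId matches an outstanding request. The `send` transport, the `onMessage` hook, the renewal margin, and treating any status other than "success" as a failure are assumptions.

```javascript
// Added example: per-scope token cache for getAccessTokenByScope.
// Assumptions (not from the page): `send` delivers a message to the host
// application, host replies are passed to onMessage(), and any status other
// than "success" is treated as a failure.
const TOKEN_TTL_MS = 3600 * 1000;  // lifetime stated on the page
const RENEW_MARGIN_MS = 60 * 1000; // assumed safety margin before expiry

function createTokenClient(send, now = Date.now) {
  const cache = new Map();   // scope -> { token, expiresAt }
  const pending = new Map(); // callId -> { scope, requestedAt, resolve, reject }
  let counter = 0;

  function getToken(scope) {
    if (typeof scope !== 'string' || scope === '') {
      return Promise.reject(new Error('scope is mandatory'));
    }
    const hit = cache.get(scope);
    if (hit && hit.expiresAt - RENEW_MARGIN_MS > now()) {
      return Promise.resolve(hit.token); // still valid for this exact scope
    }
    return new Promise((resolve, reject) => {
      const callId = String(++counter);
      pending.set(callId, { scope, requestedAt: now(), resolve, reject });
      send({ apiVersion: 1, method: 'callProcedure', callId,
             procedure: 'getAccessTokenByScope', params: { scope } });
    });
  }

  function onMessage(msg) {
    if (!msg || msg.method !== 'callProcedureResult' ||
        msg.procedure !== 'getAccessTokenByScope') return false;
    const call = pending.get(msg.callId);
    if (!call) return false; // unknown or already-answered callId: ignore
    pending.delete(msg.callId);
    const result = msg.resultData || {};
    if (result.status !== 'success' || !result.token) {
      call.reject(new Error('token request failed: ' + (result.detail || result.status)));
      return true;
    }
    // Expiry is counted from request time, so the cache never outlives the token.
    cache.set(call.scope, { token: result.token,
                            expiresAt: call.requestedAt + TOKEN_TTL_MS });
    call.resolve(result.token);
    return true;
  }

  return { getToken, onMessage };
}
```

Because the cache is keyed by the exact scope string, a token issued for one resource is never reused for a call that needs a different scope.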