Creating a Confidential Application in OTM IDCS

The OTM-side confidential application registers OTM as a trusted resource server (the OTM REST APIs become the protected audience) and, through its client configuration, holds the signing certificate against which JWT assertions presented by AI Agent Studio are validated. Together these settings ensure that OTM IDCS issues access tokens for OTM only to that trusted caller.

An example of creating the OTM-side confidential application using OTM’s IDCS is shown below.
  1. Sign in to the OTM IDCS Admin Console.
  2. On the Welcome page, select Take me there to go to the Identity Domain.
  3. Navigate to Identity > Domains.
  4. On the Domain page, select Integrated applications. This page is where you'll add an OAuth2 confidential client application.
  5. Select Add application.

    This screenshot shows the OracleIdentityCloudService domains page with the Integrated applications tab selected. On the Integrated applications tab, the Add application button is highlighted with a red box.

  6. On the next page, select Confidential Application and select Launch workflow.
  7. On the Add Confidential Application page, provide a unique application Name (for example OTM_GTM_CONF_APP) and a Description.

    This image is a screen shot of the Add Confidential Application screen in the IDCS of OTM. The Name and Description fields are completed and highlighted within a red box. The Name is OTM_GTM_CONF_APP and the Description is OTM GTM Confidential application. The rest of the Add Confidential Application screen is shown but is not relevant.

    Remember: In the Prerequisites, write down the OTM IDCS confidential app Name. You will need it later.
  8. Select Submit. A new confidential application is created.

    On the new application page, configure OAuth as follows:

  9. Select the OAuth configuration tab.
  10. Select Edit OAuth configuration.

    This image shows the OTM_GTM_CONF_APP confidential application page after you submitted it. Since you need to edit the confidential application, on the OAuth configuration tab, the Edit OAuth configuration button is highlighted by a red box.

    The OTM confidential application must be configured both as a resource server and as a client. First, configure it as a resource server.

  11. In the Resource server Configuration section, select the Configure this application as a resource server now option. The page will change to show more fields.
  12. Enter a Primary audience to protect the OTM APIs. The primary audience should be your OTM instance URL (For example, https://<otm_host_name>).

    This screenshot shows the OTM IDCS confidential app being configured as a resource server. On the Edit OAuth configuration page, under the Resource server configuration section, the Primary audience field is highlighted with a red box. This field holds the primary recipient for which access tokens are issued, which is the value that appears in the token's audience claim.

    Remember: In the Prerequisites, write down the IDCS of OTM confidential app Primary audience which is the URL of your OTM instance. You will need this later.

    Next, you add a scope.

  13. Scroll down and select the Add scopes option.
  14. Select Add in the Scopes section.

    This screenshot shows the next step in the configuration of the OTM IDCS confidential application: the Edit OAuth configuration page, specifically the Scopes section. The Add scopes option is shown as selected and is highlighted in a red box. You select the Add scopes option to specify which of the application's resources are available to other applications. The Add button is also highlighted by a red box.

  15. Add a Scope (for example, OTM_GTM_CONF_APP) and a Description.

    This image is a screen shot of the Add scope drawer of the Scopes section of the Edit OAuth configuration screens. The Scope field has text of OTM_GTM_CONF_APP, the Display name field has no data, and the Description field has the text of OTM_GTM Scope.

    Remember: In the Prerequisites, write down the IDCS of OTM confidential app Scope. You will need this later.
  16. Select Add.
  17. With the new scope added, select the Submit button.

    You must submit the OAuth configuration and then open it for editing again before the scope you just added appears in the selection lists.

    Next, enable the client configuration for this OAuth application.

  18. Select the Edit OAuth configuration button.
  19. Scroll down to the Client Configuration section and check the Configure this application as a client now option.
  20. Select the allowed grant types Resource owner, Client credentials, and JWT assertion. JWT assertion is the grant type that uses the certificate you import in the following steps: an assertion signed with the matching private key is exchanged for an access token.

    This image is a screen shot showing the Client configuration section of the Edit OAuth configuration screen with the Configure this application as a client now option selected and the following Allowed grant types selected in the Authorization section: Resource owner, Client credentials, and JWT assertion.

  21. Scroll down and select Import certificate.

    This image shows the Certificate section of the Edit OAuth configuration screen. The Import certificate button is highlighted by a red box.

  22. Add an Alias for the certificate. For example, OTM_GTM.
    Remember: In the Prerequisites, write down the IDCS of OTM confidential certificate Alias. You will need this later.
  23. Use the Drop a file or select one field to upload the certificate. Upload the jwt-signing.crt certificate that was created earlier. Upload only the certificate (the public half); the private key stays with the party that signs the assertions and is never imported here.
    Remember: Import the certificate that you created earlier in Generating Public/Private Keys with a Certificate.
  24. Once the certificate is uploaded, select Import.

    This is an image of the Import certificate drawer that was opened above by the Import certificate button. An entry of OTM_GTM is shown in the Alias field and the uploaded certificate of jwt-signing.crt is shown in the File uploaded section.

  25. Scroll down and select Add resources.
  26. Select Add scope.

    This screenshot shows the next step in the configuration of the OTM IDCS confidential application: the Edit OAuth configuration page, specifically the Resources section. The Add resources option is shown as selected and is highlighted in a red box. You select the Add resources option when you want your application to access the APIs of other applications. The Add scope button is also highlighted by a red box.

  27. Under Add scope, select the Scope created previously.
    Remember: Use the value that you wrote down for the IDCS of OTM confidential app Scope in Prerequisites.
  28. Select Add.

    This image shows the Add scope pop-up with OTM_GTM_CONF_APP in the search bar. The OTM_GTM_CONF_APP entry, which is the scope you created above, is selected.

  29. Select the Submit button to complete the OAuth set up.
  30. Select Actions and select Activate.

    This image is a screen shot showing the edited and now complete OTM_GTM_CONF_APP confidential application. Also shown is the Actions menu with the Activate menu item highlighted.

  31. On the Activate application message, select Activate application.
Note: The OTM confidential app now trusts JWT assertions signed with the private key that matches the imported certificate, which is the key held by AI Agent Studio.
Note: Combined with the resource server configuration, only callers that obtain a token from OTM IDCS for the configured primary audience and scope can reach the OTM REST endpoints.
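The following script is an added example for exercising the configuration above from the caller's side; it is not part of the Oracle documentation or of either product. It builds a JWT assertion signed with the jwt-signing private key (the key whose certificate was imported in step 23), verifies it against the certificate's public key the way the confidential application does, and shows the token request that exchanges the assertion for an access token. The token endpoint path /oauth2/v1/token, the assertion audience https://identity.oraclecloud.com/, the kid header carrying the certificate alias, the literal concatenation of primary audience and scope name, and the host, client ID and client secret placeholders are all assumptions that you should confirm against your tenancy.

```shell
#!/bin/sh
# Added example (not Oracle code). Builds, signs and verifies a JWT assertion for the
# JWT assertion grant configured above, then exchanges it for an OTM access token.
# Placeholders below are assumptions; replace them with your tenancy's values.
IDCS_HOST="${IDCS_HOST:-idcs-placeholder.identity.oraclecloud.com}"  # OTM IDCS host (assumed)
OTM_HOST="${OTM_HOST:-otm.example.com}"            # primary audience host, step 12 (assumed)
SCOPE_NAME="OTM_GTM_CONF_APP"                      # scope added in step 15
CERT_ALIAS="OTM_GTM"                               # certificate alias from step 22
CLIENT_ID="${CLIENT_ID:-client-id-placeholder}"    # confidential app client ID (assumed)
CLIENT_SECRET="${CLIENT_SECRET:-client-secret-placeholder}"
# Assumption: IDCS joins primary audience and scope name literally; confirm in the Scopes list.
FULL_SCOPE="https://${OTM_HOST}${SCOPE_NAME}"

# base64url without padding; portable across GNU and BSD base64.
b64url() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Unsigned header.claims. $1 alias (kid), $2 client ID (iss), $3 subject, $4 scope, $5 iat.
jwt_payload() {
  p_alias="$1"; p_client="$2"; p_sub="$3"; p_scope="$4"; p_iat="$5"
  p_exp=$((p_iat + 300))   # short lifetime: five minutes
  p_hdr=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$p_alias" | b64url)
  p_claims=$(printf '{"iss":"%s","sub":"%s","aud":"https://identity.oraclecloud.com/","scope":"%s","iat":%s,"exp":%s}' \
             "$p_client" "$p_sub" "$p_scope" "$p_iat" "$p_exp" | b64url)
  printf '%s.%s' "$p_hdr" "$p_claims"
}

# Sign header.claims ($1) with the PEM private key ($2); prints the complete JWT.
jwt_sign() {
  s_sig=$(printf '%s' "$1" | openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s' "$1" "$s_sig"
}

# Verify JWT ($1) against a PEM public key ($2). Returns 0 only if the signature
# covers exactly the header.claims presented; altered claims fail.
jwt_verify() {
  v_input=${1%.*}; v_sig=${1##*.}
  while [ $(( ${#v_sig} % 4 )) -ne 0 ]; do v_sig="${v_sig}="; done   # restore padding
  v_file=$(mktemp)
  printf '%s' "$v_sig" | tr '_-' '/+' | base64 -d > "$v_file"
  printf '%s' "$v_input" | openssl dgst -sha256 -verify "$2" -signature "$v_file" >/dev/null 2>&1
  v_rc=$?
  rm -f "$v_file"
  return $v_rc
}

# Exchange the assertion for an access token at OTM IDCS (needs network access).
# The client authenticates with its ID and secret; the assertion carries the user.
token_request() {
  curl -s -u "${CLIENT_ID}:${CLIENT_SECRET}" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$1" \
    --data-urlencode "scope=$FULL_SCOPE" \
    "https://${IDCS_HOST}/oauth2/v1/token"
}

# Offline round trip with a throwaway key pair: a genuine assertion verifies, a
# forged one (same signature over altered claims) is rejected.
local_roundtrip() {
  r_key=$(mktemp); r_pub=$(mktemp)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$r_key" 2>/dev/null
  openssl pkey -in "$r_key" -pubout -out "$r_pub" 2>/dev/null
  r_now=$(date +%s)
  r_token=$(jwt_sign "$(jwt_payload "$CERT_ALIAS" "$CLIENT_ID" agent.user@example.com "$FULL_SCOPE" "$r_now")" "$r_key")
  r_forged="$(jwt_payload "$CERT_ALIAS" "$CLIENT_ID" someone.else@example.com "$FULL_SCOPE" "$r_now").${r_token##*.}"
  jwt_verify "$r_token" "$r_pub" && ! jwt_verify "$r_forged" "$r_pub"
  r_rc=$?
  rm -f "$r_key" "$r_pub"
  return $r_rc
}

# Stand-alone usage: ./jwt_assertion.sh --roundtrip   (no network needed)
if [ "${1:-}" = "--roundtrip" ]; then local_roundtrip && echo "assertion verified, forgery rejected"; fi
```

To verify against the real jwt-signing.crt rather than a generated key, extract its public key first with `openssl x509 -pubkey -noout -in jwt-signing.crt > jwt-signing.pub` and pass that file to `jwt_verify`. For a live token request, sign with the private key that belongs to the certificate and call `token_request "$token"`; the returned access token should carry the primary audience from step 12, which is what the OTM resource server checks.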