Creating Confidential Application in Fusion IDCS

A confidential application in Identity Cloud Service (IDCS) represents the AI Agent Studio and acts as the OAuth 2.0 client. This allows the agent to programmatically obtain access tokens required to call OTM REST APIs securely.

An example of creating the confidential application in Fusion’s IDCS is shown below.

  1. Sign in to the Fusion IDCS Console as a valid admin user.
  2. On the Welcome page, select Take me there to go to the Identity Domain.
  3. Navigate to Identity > Domains.
  4. On the Domain page, select Integrated applications. This page is where you'll add an OAuth2 confidential client application.
  5. Select Add application.

    This is a screen shot of the IDCS for Fusion's domains page with the Integrated applications tab selected and highlighted with a red box. On the Integrated applications tab, the Add application button is highlighted with a red box.

  6. On the next page, select Confidential Application and select Launch workflow.
  7. On the Add Confidential Application page, provide a unique application Name and a Description.
    Remember: In the Prerequisites, write down the IDCS of Fusion confidential app Name. You will need it later.

    This image is a screen shot of the Add Confidential Application screen with the Name field and the Submit button highlighted by a red box

  8. Select Submit.

    A new confidential application is created. On the new application page, you'll configure OAuth.

  9. Select the OAuth configuration tab.
  10. Select Edit OAuth configuration.

    This image shows the IDCS of Fusion confidential app that you just created above. On the OAuth configuration tab, the Edit OAuth configuration button is highlighted by a red box.

    Next, enable Client Configuration for this OAuth application.

  11. Scroll down to the Client Configuration section and select the Configure this application as a client now option.
  12. Select the allowed grant types: Resource owner, Client credentials, and JWT assertion.

    This image is a screen shot that shows the Client configuration section of the Edit OAuth configuration screen with the Configure this application as a client now option selected and the following Allowed grant types selected in the Authorization section: Resource owner, Client credentials, and JWT assertion.

    Scroll down and import the certificate generated previously.

  13. Select Import certificate.

    This image is a screen shot showing the Certificate section of the Edit OAuth configuration screen. The Import certificate button is highlighted by a red box.

  14. Add a certificate Alias. For example, OTM_GTM.
    Remember: In the Prerequisites, write down the IDCS of Fusion certificate Alias. You will need it later.
  15. Use the Drop a file or select one field to upload the certificate. Upload the file jwt-signing.crt that was created earlier.
    Remember: Import the certificate that you created earlier in Generating Public/Private Keys with a Certificate.
  16. Once the certificate is uploaded, select Import.

    This is an image of the Import certificate drawer that was opened above by the Import certificate button. The uploaded certificate of jwt-signing.crt is shown in the File uploaded section.

  17. Select the On behalf of checkbox.
  18. Select the Bypass consent checkbox.

    This image is a screen shot of the Edit OAuth configuration screen with the On behalf of option selected and highlighted with a red box. The Bypass consent option is also selected and is highlighted with a red box.

  19. Scroll down and turn on Add resources.

    This image is a screen shot that shows the Resources section of the Edit OAuth configuration page. The Add resources option is shown as selected and is highlighted in a red box. Select the Add resources option if you want your application to access the APIs of other applications.

  20. Scroll down and select the Add scope button.

    This image is a screen shot showing the Add scope button highlighted by a red box.

    Next, add the AI Agent Studio scope to the confidential application.

  21. Under Add scope, select the AI Agent Studio scope with a Name of Oracle Fusion AI Cloud (Spectra).

    This image shows a screen shot of the Add scope pop-up with the Oracle Fusion AI Cloud (Spectra) Name selected and the fusion-ai scope available for selection.

    Attention: The Oracle Fusion AI Cloud (Spectra) scope is created automatically if you have a Fusion instance. If you do not see this scope, contact your Fusion representative or Fusion Support.
    Remember: Use the value that you wrote down for the IDCS of Fusion confidential app Scope in Prerequisites.
  22. Confirm that the Scope looks similar to urn:opc:resource:fusion:<fusionservername>:fusionai/.

    This image is a screen shot of the Resources section with the Oracle Fusion AI Cloud (Spectra) resource and the scope of urn:opc:resource:fusion:<fusionservername>:fusionai/. The Scope and Submit button are highlighted with a red box.

  23. Select the Submit button.
    Remember: In the Prerequisites, write down the IDCS of OTM confidential app Client ID. You will need it later.
  24. Select Actions menu and select Activate.
  25. On the Activate application message, select Activate application.
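The procedure above configures the confidential application so that the agent can later authenticate to IDCS with a JWT signed by the private key whose certificate (jwt-signing.crt, public key only) was imported under the alias in step 14, and request a token for the scope confirmed in step 22. The following Python script is an added example, not code from the page or from Oracle: it builds an RFC 7523 client assertion and the matching client-credentials token request for the IDCS token endpoint (path /oauth2/v1/token; the host, the Client ID, and the private key file name jwt-signing.key are placeholders). Treating the certificate alias as the JWT kid header is an assumption to confirm against the IDCS documentation; the signer is a callable so the private key can stay in a vault or HSM rather than in the script. The real RS256 signer needs the third-party cryptography package.

```python
"""Build an RFC 7523 client assertion and token request for the IDCS
confidential application configured above (added example)."""
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Values from the procedure; host and Client ID are placeholders.
IDCS_TOKEN_URL = "https://<idcs-host>/oauth2/v1/token"          # IDCS token endpoint
CLIENT_ID = "<idcs-of-fusion-confidential-app-client-id>"       # placeholder (step 23)
CERT_ALIAS = "OTM_GTM"                                          # certificate alias (step 14)
SCOPE = "urn:opc:resource:fusion:<fusionservername>:fusionai/"  # scope (step 22)

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_ASSERTION_LIFETIME = 300  # seconds; a stolen assertion should expire quickly


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_client_assertion(client_id: str, token_url: str, cert_alias: str,
                           signer: Callable[[bytes], bytes],
                           lifetime: int = MAX_ASSERTION_LIFETIME,
                           now: Optional[int] = None) -> str:
    """Return a compact JWS (header.claims.signature).

    `signer` receives the signing input and returns the raw RS256 signature.
    The `kid` header carries the certificate alias from step 14 (assumed to be
    how IDCS finds the imported public key).
    """
    if lifetime <= 0 or lifetime > MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be 1..%d seconds" % MAX_ASSERTION_LIFETIME)
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": cert_alias}
    claims = {
        "iss": client_id,          # the confidential app vouches for itself
        "sub": client_id,
        "aud": token_url,          # usable only at this token endpoint
        "iat": now,
        "exp": now + lifetime,
        "jti": str(uuid.uuid4()),  # unique per assertion, so replays are detectable
    }
    signing_input = _enc(header) + "." + _enc(claims)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """RS256 signer backed by the private key matching jwt-signing.crt.
    Requires the third-party `cryptography` package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def decode_assertion(assertion: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, claims) without verifying the signature."""
    header, claims, _signature = assertion.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))


def build_token_request(client_id: str, scope: str, assertion: str) -> Dict[str, str]:
    """Form fields for POST <token_url> as application/x-www-form-urlencoded."""
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }


if __name__ == "__main__":
    # Stand-in signer so the script runs without a key file; for real use:
    # signer = rs256_signer(open("jwt-signing.key", "rb").read())  # file name assumed
    demo_signer = lambda data: hashlib.sha256(data).digest()
    jwt = build_client_assertion(CLIENT_ID, IDCS_TOKEN_URL, CERT_ALIAS, demo_signer)
    print(urlencode(build_token_request(CLIENT_ID, SCOPE, jwt)))
```

The assertion never contains a secret, so the only material to protect is the private key; the access token IDCS returns should be held in memory and kept out of logs.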