8.2 Register the Application in OCI IAM

Register your application as a separate confidential application in OCI IAM.

This application registration serves two roles:
  • Resource server: Exposes a scope that end users request when they sign in. When a user signs in, OCI IAM issues an end-user token scoped to this application.
  • Client: Uses its client credentials to obtain a database-access token, and runs the authorization code flow through which end users obtain tokens scoped to the resource it exposes. The application authenticates to Oracle AI Database with the database-access token and attaches the end-user token to the connection as part of the end-user security context payload.
  1. Create a confidential application.
    1. In the same identity domain, click the Integrated applications tab.
    2. Click Add application, select Confidential Application, and click Launch workflow.
    3. Enter a name for the application (for example, HCM APP).
    4. Click Submit.
  2. Configure the application as a resource server.
    This step exposes a scope so that end users can obtain access tokens scoped to the application.
    1. On the application’s page, click the OAuth configuration tab.
    2. In the Edit OAuth configuration section, under Resource server configuration, select Configure this application as a resource server now.
    3. Under Configure application APIs that need to be OAuth protected, set the Access token expiration (seconds) as appropriate (for example, 3600). A shorter lifetime limits how long a leaked end-user token remains usable, at the cost of more frequent sign-ins or token refreshes.
    4. Under Primary audience, enter a value that identifies the application (for example, OracleConfidentialClient).
    5. Toggle Add scopes on. Click Add and create a scope:
      • Scope: Enter a scope name (for example, APP_ACCESS_SCOPE).
      • Display name: Enter a display name (for example, APP_ACCESS_SCOPE).
  3. Configure the application as a client.
    This step allows the application to obtain database-access tokens and to receive end-user sign-ins through the authorization code flow.
    1. Under Client configuration, select Configure this application as a client now.
    2. Under Authorization, in Allowed grant types, select the grant types your application requires. For most deployments, select the following:
      • Authorization code: Allows end users to sign in through a browser and receive an end-user token scoped to this application.
      • Client credentials: Allows the application to obtain a database-access token, which it uses to authenticate its connection to the database.
    3. If you selected Authorization code, under Redirect URL enter the exact callback URL that your application handles (for example, https://hcm.example.com/oauth2/callback), and click Add redirect URL. OCI IAM returns authorization codes only to a registered redirect URL, so the value must match the redirect_uri the application sends in its authorization request.
  4. Grant the application access to the database resource and its own scope.
    The application needs two scopes: the database scope (so it can obtain database-access tokens) and its own scope (so end-user tokens include the claims required for database authentication).
    1. Under Client configuration, toggle Add resources on.
    2. Click Add scope.
    3. In the Add scope dialog, expand the database application (for example, OracleDB) and select its scope (for example, OracleDBDB_ACCESS_SCOPE). The dialog shows each scope as the resource's primary audience followed by the scope name, which is why DB_ACCESS_SCOPE appears with the OracleDB prefix.
    4. Expand this application (for example, HCM APP) and select its own scope (for example, OracleConfidentialClientAPP_ACCESS_SCOPE, that is, the APP_ACCESS_SCOPE scope under the primary audience OracleConfidentialClient).
    5. Click Submit to save.
  5. Activate the application.
    Click Actions in the top-right corner, and select Activate.
  6. Record the following values for application configuration.
    1. On the application page, click the Details tab, and copy the Application ID.
    2. Click the OAuth configuration tab, scroll to General Information, and copy the Client ID and Client secret. Treat the client secret like a password: keep it in a secrets store that the application reads at run time, never in source control or in configuration files in the clear.

You have now registered the application in OCI IAM as both a resource server (so end users can obtain end-user tokens scoped to this application) and a client (so the application can obtain a database-access token through client credentials).
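The registration above only pays off once the application exercises it. The following Python is an added example, not part of this page or of any Oracle client library: it builds the client-credentials request that obtains the database-access token, the authorization-code redirect and callback validation for end-user sign-in, the code exchange, and a claim check on the resulting end-user token. It assumes the standard identity-domain endpoint paths /oauth2/v1/token and /oauth2/v1/authorize, a placeholder identity domain URL, client ID and client secret, and that the end-user token carries the primary audience in aud and the scope in scope. The tokens it checks are constructed locally and unsigned, so the claim check stands in for the step that follows signature verification, not for verification itself.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the values recorded in step 6 (not real credentials).
DOMAIN_URL = "https://idcs-example.identity.oraclecloud.com"  # assumed identity domain URL
CLIENT_ID = "hcm-app-client-id"
CLIENT_SECRET = "hcm-app-client-secret"
REDIRECT_URL = "https://hcm.example.com/oauth2/callback"

# A fully qualified OCI IAM scope is <primary audience><scope name>, which is why the
# Add scope dialog lists OracleDBDB_ACCESS_SCOPE rather than DB_ACCESS_SCOPE.
DB_AUDIENCE, DB_SCOPE_NAME = "OracleDB", "DB_ACCESS_SCOPE"
APP_AUDIENCE, APP_SCOPE_NAME = "OracleConfidentialClient", "APP_ACCESS_SCOPE"
DB_SCOPE = DB_AUDIENCE + DB_SCOPE_NAME
APP_SCOPE = APP_AUDIENCE + APP_SCOPE_NAME

# Assumed endpoint paths (standard OCI IAM identity-domain OAuth paths; not on the page).
TOKEN_PATH = "/oauth2/v1/token"
AUTHORIZE_PATH = "/oauth2/v1/authorize"


def token_request(domain_url, client_id, client_secret, fields):
    """Return (url, headers, body) for a POST to the token endpoint. The client ID and
    secret go in an HTTP Basic header (RFC 6749 section 2.3.1), never in the body or URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    return domain_url + TOKEN_PATH, headers, urlencode(fields)

def client_credentials_request(domain_url, client_id, client_secret, scope):
    """Client-credentials grant for the database-access token; scope is the database scope."""
    return token_request(domain_url, client_id, client_secret,
                         {"grant_type": "client_credentials", "scope": scope})

def code_exchange_request(domain_url, client_id, client_secret, code, redirect_url):
    """Exchange an authorization code for the end-user token. redirect_uri must equal the
    value sent in the authorization request exactly."""
    return token_request(domain_url, client_id, client_secret,
                         {"grant_type": "authorization_code", "code": code,
                          "redirect_uri": redirect_url})

def authorization_url(domain_url, client_id, redirect_url, scope, state):
    """Browser redirect that starts the authorization-code flow for an end user. `state`
    is a per-login random value kept in the user's session and compared on the callback,
    so an attacker cannot bind their own code to the victim's session."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_url, "scope": scope, "state": state}
    return domain_url + AUTHORIZE_PATH + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the registered Redirect URL and return the code.
    Raises ValueError on an IAM error response, a state mismatch, or a missing code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def check_end_user_token_claims(token, audience, scope_name):
    """List problems with an end-user token's aud/scope claims (empty means usable for this
    application). Only decodes the payload: verify the signature against the identity
    domain's JWKS before trusting any claim. Accepts the scope as bare name or audience+name."""
    payload_b64 = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    scopes = payload.get("scope", "").split()
    problems = []
    if audience not in aud:
        problems.append(f"aud {aud} does not include {audience}")
    if scope_name not in scopes and audience + scope_name not in scopes:
        problems.append(f"scope {scopes} does not include {scope_name}")
    return problems

def sample_token(payload):
    """Constructed unsigned JWT (alg=none) so the claim check can run offline; never accept
    such a token from the network."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none"}) + "." + seg(payload) + "."

if __name__ == "__main__":
    print(client_credentials_request(DOMAIN_URL, CLIENT_ID, CLIENT_SECRET, DB_SCOPE))
    state = secrets.token_urlsafe(16)
    print(authorization_url(DOMAIN_URL, CLIENT_ID, REDIRECT_URL, APP_SCOPE, state))
    code = parse_callback(f"{REDIRECT_URL}?code=constructed-code&state={state}", state)
    print(code_exchange_request(DOMAIN_URL, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URL))
    token = sample_token({"aud": [APP_AUDIENCE], "scope": APP_SCOPE_NAME})
    print(check_end_user_token_claims(token, APP_AUDIENCE, APP_SCOPE_NAME))
```

The two checks that most often go missing in this flow are the state comparison on the callback and the exact redirect_uri match on the code exchange; both are enforced above. Once the database-access token and the end-user token are in hand, they go to the database connection as the role summary describes: the database-access token authenticates the connection, and the end-user token travels in the end-user security context payload.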

See also:

Configuring OAuth in the OCI IAM documentation.