3.3.1 Use Oracle IAM as Identity Provider
You can use Oracle IAM as an identity provider to manage access to your application.
- In the Oracle Cloud Infrastructure console, add your application as a confidential application. For information about adding a confidential application and configuring its application details and display settings, see Adding a Confidential Application in the Oracle Cloud Infrastructure documentation.
- While adding a confidential application, perform the following tasks:
- On the Configure OAuth pane, under Resource server configuration, select No resource server configuration.
- On the Configure OAuth pane, under Client configuration, select Configure this application as a client now.
- Select the following options as the allowed grant types under Authorization.
- Resource owner
- Client credentials
- JWT assertion
- Refresh token
- Authorization code
- Implicit
- Allow non-HTTPS URLs
- Enter HTTP URLs for the Redirect URL, Post-logout redirect URL, and Logout URL fields in the following format.
- Redirect URL: http://<console-app-ip>/oidc/redirect
- Post-logout redirect URL: http://<console-app-ip>/consoleui/index.html
- Logout URL: http://<console-app-ip>/oidc/logout
- Select Client type as Confidential.
After completing the configuration, click Submit.
- Under General Information, note down the values for Client ID and Client secret. You will provide these values later to generate a token and to deploy the application.
- Create users and groups in the User Management tab of the selected identity domain, and then add users to groups. See Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.
- Add users and groups to the confidential application that you have created. See Assigning Users to Custom Applications and Assigning Groups to Custom Applications.
- Run the following command to configure a custom claim in the Oracle IAM Identity Domain so that user group information is automatically included in OAuth or OIDC tokens.
  curl -sS -X POST "https://idcs-77c....identity.oraclecloud.com:443/admin/v1/CustomClaims" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    --data-binary '{
      "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim"],
      "name": "group_roles",
      "value": "$user.groups.*.display",
      "expression": true,
      "mode": "always",
      "tokenType": "AT",
      "allScopes": true
    }'
  Typically, you need to perform this operation only once to configure the identity domain. After configuration, every token issued for an authorized user contains the user's group information. This command also displays the names of the groups based on the configuration details. Note down the group names, because you will provide them later in the values.yaml file as the names of roles for MicroTx Workflows.
- Run the following command to generate an access token for any user of the confidential application that you have created.
  curl -i -H "Authorization: Basic <base64 of client_id:client_secret>" \
    -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
    --request POST "https://idcs-77c1....identity.oraclecloud.com:443/oauth2/v1/token" \
    -d "grant_type=password&scope=urn:opc:idm:__myscopes__&username=qauser_conductor_admin&password=<some_value>"
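Once the token call returns, it is worth confirming that the custom claim configured earlier is actually present in the access token before wiring the group names into values.yaml. The following Python is an added example, not code from the Oracle documentation or the MicroTx product: it builds the Basic Authorization value the token request needs from client_id and client_secret, and decodes an access token's payload to read the group_roles claim. The claim name group_roles and the username come from the steps above; the client credentials, the sample token and its group names are constructed for illustration.

```python
import base64
import json


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for the Authorization header of the /oauth2/v1/token request:
    'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def group_roles_from_token(access_token: str) -> list:
    """Return the group display names carried in the custom 'group_roles' claim.

    Only the payload is decoded, to confirm the CustomClaims configuration took
    effect. The signature is NOT verified, so never use this result for an
    authorization decision; validate the JWT against the identity domain's
    JWKS first.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if "group_roles" not in claims:
        raise KeyError("no 'group_roles' claim: the custom claim (tokenType AT, "
                       "mode always) is not configured, or the user has no groups")
    roles = claims["group_roles"]
    # Accept a single string as well as a list of group display names.
    return [roles] if isinstance(roles, str) else list(roles)


def make_sample_token(groups=None) -> str:
    """Constructed sample access token (NOT signed by Oracle IAM) for testing."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "qauser_conductor_admin", "iss": "https://idcs-example/"}
    if groups is not None:
        payload["group_roles"] = groups
    segments = [_b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    segments.append(_b64url_encode(b"constructed-placeholder-signature"))
    return ".".join(segments)
```

Run group_roles_from_token on the access_token value returned by the token call above; a KeyError means the CustomClaims step did not take effect for that token type.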