This image shows an architecture and process flow for an extension of Oracle Fusion Applications Cloud Service built using a cloud-native approach.

Oracle Visual Builder, an Oracle Cloud PaaS application, uses Oracle Identity Cloud Service, which is federated with User and Role Sync with the Oracle Access Manager component within Oracle Fusion Applications Cloud Service. Oracle Cloud Infrastructure components enable the integration.

A region of the image depicts Oracle Cloud Infrastructure, within which are shown three components: API Gateway, an Oracle Fusion Applications Cloud Client Function, and an Oracle Cloud Infrastructure Vault component. Within the Function are a Business Logic component and an Identity Cloud OAuth Assertion Library component.

The following flow is depicted:

  1. Oracle Visual Builder connects to the API Gateway via an Identity Cloud App Authentication (Function Resource Client) application within Oracle Identity Cloud Service. An authentication token with the header "Authorization: Bearer; <Token1>" is included.
  2. API Gateway connects back to Oracle Identity Cloud Service, connecting to the Identity Cloud /admin/v1/SigningCert/jwk component to validate the token.
  3. API Gateway connects to the Identity Cloud OAuth Assertion Library function, with the original token with the same header as the token for step 1.
  4. The Identity Cloud OAuth Assertion Library function connects to Oracle Cloud Infrastructure Vault, to look up stored, secure credentials for the next step.
  5. The Function connects back to Oracle Identity Cloud Service, to fetch a new token from the Identity Cloud App (Function Resource Owner) (Fusion Applications Resource Client) application. This token is valid for a user that exists in both Oracle Cloud PaaS and Oracle Fusion Applications.
  6. The Business Logic component within Oracle Fusion Applications Cloud Client Function connects to a Fusion Applications Cloud Instance, using a new authentication token (Token from Assertion) with the header "Authorization: Bearer; <Token2>".