Call the Developer APIs with JWT User Assertion

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with JWT User Assertion, you must create a confidential client application and perform other prerequisites.

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type:

Information You Need

The following is information you need to send requests through a client.
Design-time URL or Runtime URL, depending on your use case

See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain.

[Image: Domain Details page, accessed by selecting Identity, Domains, with the Domain URL field highlighted]

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs:

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs:

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Configure Postman for JWT User Assertion

JWT User Assertion is not directly supported with Postman. You need to define scripts to generate the assertion. Read the blog Demystifying OAuth Using the JWT User Assertion in OIC for more details and sample scripts.

cURL command for JWT User Assertion

  1. Once you generate the JWT user assertion, generate the access token.

    Syntax:

    curl -i -H 'Authorization: Basic <base64-clientid-secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user assertion>&scope=<app scope>'

    Where:
    • grant_type - urn:ietf:params:oauth:grant-type:jwt-bearer
    • <base64-clientid-secret> - Base64 encoding of clientId:ClientSecret
    • <user assertion> - The user assertion you generated
    • <app scope> - The scope added while creating the application in the client configuration section (ends with urn:opc:resource:consumer::all)
  2. Capture the access_token from the response.
    {
        "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
        "token_type": "Bearer",
        "expires_in": 3600
    }
  3. Use the access_token in the authorization header to invoke the Oracle Integration Developer APIs.
    curl --location --request GET 'https://<oic_host>/ic/api/integration/v1/connections' \
    --header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'

    Where <oic_host> is the Design-time URL host name or Runtime URL host name. See Do You Use the Design-time or Runtime URL?.

    Note:

    If you use the Runtime URL host name, you'll need to use the -L option to forward the authorization header because you are automatically redirected to the Design-time host.
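
The three steps above as an added Python example (not Oracle's code): it builds the token request with the Basic header and percent-encoded form body, validates the token response, and builds the API call. The function names and the host, credential and token values are constructed placeholders, and nothing is sent over the network.

```python
import base64
import json
import urllib.parse
import urllib.request

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def build_token_request(domain_host, client_id, client_secret, assertion, scope):
    """Step 1: POST the user assertion to /oauth2/v1/token (jwt-bearer grant)."""
    # Basic credentials are only base64("clientId:clientSecret"), not encrypted,
    # so the request is pinned to https.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode percent-encodes the ':' and '/' in the grant type and the scope.
    form = {"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope}
    return urllib.request.Request(
        f"https://{domain_host}/oauth2/v1/token",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
    )

def parse_token_response(raw):
    """Step 2: return (access_token, expires_in); reject anything unexpected."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("token endpoint did not return a bearer access_token")
    return doc["access_token"], int(doc.get("expires_in", 0))

def build_api_request(oic_host, access_token):
    """Step 3: GET the connections endpoint with the bearer token."""
    return urllib.request.Request(
        f"https://{oic_host}/ic/api/integration/v1/connections",
        headers={"Authorization": f"Bearer {access_token}"},
    )

if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network here.
    req = build_token_request(
        "example-domain.identity.oraclecloud.com", "myClientId", "mySecret",
        "header.payload.signature",
        "https://example.integration.ocp.oraclecloud.com:443/ic/api/")
    print(req.get_method(), req.full_url, req.data.decode(), sep="\n")
    token, ttl = parse_token_response(
        '{"access_token": "abc", "token_type": "Bearer", "expires_in": 3600}')
    print(build_api_request("oic.example.com", token).full_url, ttl)
```

To send a request, pass the returned object to urllib.request.urlopen() and feed the response body of the token call to parse_token_response().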