Use OAuth 2.0 in Oracle Integration

When using Oracle Integration, many applications to which you need to connect require the use of OAuth. OAuth provides you with secure access to data in an application without having to directly share login credentials.

Where Can You Use OAuth in Oracle Integration?

You can use OAuth when making inbound calls to Oracle Integration, when making outbound calls from Oracle Integration, or when using the Oracle Integration Developer APIs. OAuth is required to call the Oracle Integration Developer APIs.

The Oracle Integration Developer APIs are: REST API for Oracle Integration 3, REST API for File Server in Oracle Integration 3, OCI Process Automation REST API.


An external application or user uses OAuth for inbound calls into Oracle Integration through integration endpoints. Outbound calls from Oracle Integration are done through invoke connections in integrations. You must use OAuth to connect to the Oracle Integration Developer APIs.

OAuth with Inbound Calls to Oracle Integration

You can use OAuth to make inbound calls to Oracle Integration and trigger integrations.

For inbound calls to Oracle Integration, you use a trigger connection in an integration and the REST Adapter, SOAP Adapter, Fusion Application adapters (Oracle ERP Cloud Adapter, Oracle CX Sales and B2B Service Adapter, Oracle HCM Cloud Adapter), and any other adapters that support trigger connections and OAuth.

For configuration details, see Use OAuth with Inbound Calls to Oracle Integration.

OAuth with Outbound Calls from Oracle Integration

You can also use OAuth to connect to external systems and call external applications.

For these outbound calls, you use an invoke connection in an integration. Whether OAuth is required or not depends on the external application requirements. You can use any adapters that support invoke connections and OAuth including the REST Adapter, SOAP Adapter, Fusion Application adapters (Oracle ERP Cloud Adapter, Oracle CX Sales and B2B Service Adapter, Oracle HCM Cloud Adapter),

For configuration details, see Use OAuth with Outbound Calls from Oracle Integration.

OAuth with the Oracle Integration Developer APIs

You can also use OAuth with an invoke connection in an integration to call the Oracle Integration Developer APIs.

OAuth is required to call the Oracle Integration Developer APIs.

For details, see You Must Use OAuth with the Oracle Integration Developer APIs.

Use OAuth with Inbound Calls to Oracle Integration

You make inbound calls to Oracle Integration through a trigger connection in an integration. When you use a trigger connection in an integration, you are exposing the endpoint. You can use OAuth to protect the exposed endpoints in an integration.

Topics

Protect an Integration's REST Endpoint with OAuth

Here's a summary of what you need to configure to use OAuth with REST trigger connections in an integration.

When you use OAuth with a trigger connection, you protect the exposed endpoint. You create a confidential client application in Oracle Cloud Infrastructure Identity and Access Management (IAM) with the required roles and scopes. The external application or user requests access from the OCI IAM authorization server. Once access is received, the external application or user authenticates and accesses the integration's endpoint to trigger the integration.


An external application or user requests access from the OCI IAM authorization server. Once access is received, the external application or user authenticates and accesses the integration's endpoint to trigger the integration.

Configuration Summary

Is OAuth required? Supported grant types Required role for confidential client application

No. you can protect integration's endpoint with Basic Authorization or OAuth. See About Requests to Invoke Integrations for details.

  • JWT User Assertion
  • Authorization code
  • Client credentials
  • Resource Owner Password Credentials (not recommended)

See About OAuth 2.0 Grants for more details on each authentication type and which one to use.

Assign the confidential client application the ServiceInvoker role.

For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

Configuration Steps

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

Steps to use OAuth with the REST Adapter:

  1. Create the confidential client application, assign scopes and roles, and activate it:
    1. Access the Identity Domain.
    2. Configure prerequisites for your grant type:
  2. Create a REST Adapter Connection.
  3. Configure the REST Adapter to Expose an Integration as a REST API.

Protect an Integration's SOAP Endpoint with OAuth

Here's a summary of what you need to configure to use OAuth with SOAP trigger connections in an integration.

When you use OAuth with a trigger connection, you protect the exposed endpoint. You create a confidential client application in Oracle Cloud Infrastructure Identity and Access Management (IAM) with the required roles and scopes. The external application or user requests access from the OCI IAM authorization server. Once access is received, the external application or user authenticates and accesses the integration's endpoint to trigger the integration.


An external application or user requests access from the OCI IAM authorization server. Once access is received, the external application or user authenticates and accesses the integration's endpoint to trigger the integration.

Configuration Summary

Is OAuth required? Supported grant types Required role for confidential client application

No. you can protect integration's endpoint with Basic Authorization or OAuth. See About Requests to Invoke Integrations for details.

  • JWT User Assertion
  • Authorization code
  • Client credentials
  • Resource Owner Password Credentials (not recommended)

See About OAuth 2.0 Grants for more details on each grant type and which one to use.

Assign the confidential client application the ServiceInvoker role.

For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

Configuration Steps

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

Steps to use OAuth with the SOAP Adapter:

  1. Create the confidential client application, assign scopes and roles, and activate it:
    1. Access the Identity Domain.
    2. Configure prerequisites for your grant type:
  2. Create a SOAP Adapter connection.
  3. Add the SOAP Adapter connection to an integration.
  4. The steps to expose an integration as a SOAP API are similar to that of the REST Adapter. Follow the steps in Configure the REST Adapter to Expose an Integration as a REST API.

Protect Application-Specific Endpoints with OAuth

You can use OAuth to protect the exposed endpoint of any application that supports trigger connections and OAuth.

Take a look at the adapter documentation for your specific application to find out how OAuth is supported. See Configure Connection Security for links to security configuration prerequisites and steps for each adapter.

Use OAuth with Outbound Calls from Oracle Integration

You make outbound calls from Oracle Integration through an invoke connection in an integration. You can use OAuth to securely invoke the API of an external application.

Invoke an Application's REST Endpoint with OAuth

When you configure an invoke connection in an integration, you can use OAuth to securely invoke the REST API of an external application. Here's a summary of what you need to configure to use OAuth with REST invoke connections in an integration.

When an integration invokes the endpoint of an external application, Oracle Integration requests access from the authorization server for the external application. Once access is granted, Oracle Integration accesses the REST endpoint, authenticates with the external authorization server, and invokes the application.

When an integration invokes the REST endpoint of an external application, Oracle Integration requests access from the authorization server for the external application. Once access is granted, Oracle Integration accesses the REST endpoint, authenticates with the external authorization server, and invokes the application.

Configuration Summary

Is OAuth required? Supported grant types Required roles

No. You can use other authentication types supported by the external application.

For supported grant types for REST Adapter invoke connections, see Authentication Types.

The role required depends on the endpoint that you are calling. If you are calling an Oracle Integration endpoint, such as an Oracle Integration Developer API or the endpoint within an integration, you will need to assign Oracle Integration roles to the client application such as ServiceInvoker, ServiceUser, or ServiceDeveloper,

  • ServiceUser is the minimum role required to call the Developer APIs. This user has access to the Oracle Integration Console as well as the APIs. Assign the ServiceUser role in most cases.
  • ServiceDeveloper is required if you're invoking the Developer APIs from within an integration or you're using the APIs to perform create operations such as creating lookups or importing an integration.
  • Use ServiceInvoker if you only need to invoke an integration's endpoints and will not be making any calls to the Oracle Integration Developer APIs.

For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

If you want to use the same confidential application for calling the Oracle Integration Developer APIs and integration endpoints, use the ServiceUser or ServiceDeveloper role.

If you are calling an external endpoint, the role you assign depends on the external application requirements.

Configuration Steps

Steps to use OAuth with the REST Adapter and invoke connections:

  1. If you are invoking Oracle Integration Developer APIs or the endpoint of an integration, complete this step. Otherwise, skip this step and go to step 2.
    1. Create the confidential client application, assign scopes and roles, and activate it:
      1. Access the Identity Domain.
      2. Configure prerequisites for your grant type:
  2. Create a REST Adapter connection.
  3. Add the REST Adapter as an invoke connection to an integration.

Invoke an Application's SOAP Endpoint with OAuth

When you configure an invoke connection in an integration, you can use OAuth to securely invoke the SOAP API of an external application. Here's a summary of what you need to configure to use OAuth with SOAP invoke connections in an integration.

When an integration invokes the endpoint of an external application, Oracle Integration requests access from the authorization server for the external application. Once access is granted, Oracle Integration accesses the SOAP endpoint, authenticates with the external authorization server, and invokes the application.


When an integration invokes the SOAP endpoint of an external application, Oracle Integration requests access from the authorization server for the external application. Once access is granted, Oracle Integration accesses the SOAP endpoint, authenticates with the external authorization server, and invokes the application.

Configuration Summary

Is OAuth required? Supported grant types Required roles

No. You can use other authentication types supported by the external application.

Supported OAuth grant types for invoke SOAP Adapter connections:

  • JWT User Assertion
  • Authorization code
  • Client credentials
  • Resource Owner Password Credentials (not recommended)

See About OAuth 2.0 Grants for more details.

If you are calling an external endpoint, the role you assign depends on the external application requirements.

Configuration Steps

  1. Create a SOAP Adapter Connection.
  2. Add the SOAP Adapter Connection to an Integration.

Invoke Oracle Fusion Application Endpoints with OAuth

You can use OAuth to establish connections to Oracle Fusion Applications from Oracle Integration and invoke Oracle Fusion Applications endpoints. To invoke Oracle Fusion Applications, you use the corresponding adapter for the application, such as Oracle ERP Cloud Adapter, Oracle CX Sales and B2B Service Adapter, or Oracle HCM Cloud Adapter.

OAuth works similarly for the different Oracle Fusion Applications.
  1. You create a resource application to represent the Oracle Fusion Applications resource. You can create the resource application in the Oracle Fusion Applications identity domain, or in a non-Oracle Fusion Applications identity domain such as the Oracle Integration identity domain.
  2. The Oracle Fusion Applications takes the token from the specific application Oracle Integration adapter and validates it against OCI IAM.

Confidential Application Resource Server Configuration within the Fusion Applications Identity Domain


The Fusion Application adapter, such as Oracle ERP Cloud Adapter, requests access with OCI IAM, then invokes the specific Oracle Fusion Application API, and authenticates with OCI IAM to invoke the specific Oracle Fusion Application endpoint.

Confidential Application Resource Server Configuration in a non-Fusion Application Identity Domain


The Fusion Application adapter, such as Oracle ERP Cloud, requests access with OCI IAM, then invokes the specific Oracle Fusion Application API, and authenticates with OCI IAM to invoke the specific Oracle Fusion Application endpoint.

Configuration Summary

Is OAuth required? Supported security policies Required roles

No, OAuth is not required for Fusion Application connections.
Oracle ERP Cloud Adapter:
Oracle CX Sales and B2B Service Adapter:
Oracle HCM Cloud Adapter
Oracle ERP Cloud Adapter:
Oracle CX Sales and B2B Service Adapter:
Oracle HCM Cloud Adapter

Configuration Steps

Oracle ERP Cloud Adapter:

Oracle CX Sales and B2B Service Adapter:

Oracle HCM Cloud Adapter:

Invoke Application-Specific Endpoints with OAuth

You can use OAuth to invoke applications that support invoke connections and OAuth.

Take a look at the adapter documentation for your specific application to find out how OAuth is supported. See Configure Connection Security for links to security configuration prerequisites and steps for each adapter.

You Must Use OAuth with the Oracle Integration Developer APIs

OAuth is required to use the Oracle Integration Developer APIs.

What are the Oracle Integration Developer APIs

OAuth is required to use the Oracle Integration Developer APIs.

The Oracle Integration Developer APIs are the default APIs available for Integrations, File Server, and Oracle Cloud Infrastructure Process Automation:

Do You Use the Runtime or Design-time URL?

Which URL you use when calling APIs in Oracle Integration depends on your use case. You can find both the Runtime URL and Design-time URL in the Oracle Cloud Infrastructure Console.

When to Use the Runtime and Design-time URL

  • Use the Runtime URL if your client is going to call both integration endpoints and Oracle Integration Developer APIs.

  • Use the Design-time URL if your client is going to call only the Oracle Integration Developer APIs.

Get the Runtime and Design-time URL

You must be the OCI tenant and domain administrator to access the Oracle Cloud Infrastructure Console.

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Open the navigation menu and click Developer Services. Under Application Integration, click Integration.
  3. Click a specific instance name. The Details page is displayed. You'll see the Design-time and Runtime URLs.Oracle Integration instance page with Design-time and Runtime URL highlighted.

Get the Design-time URL from the Service Console URL

You can also find out the Design-time URL from the Service Console URL that you use to access the user interface.
  1. Copy the Service Console URL into a browser window.

    When the login page of the integration instance displays, the URL changes starting with the word design. For example:

    Example: 
    https://design.integration.region.ocp.oraclecloud.com/?integrationInstance=NameOfServiceInstance

The first part of the URL https://design.integration.region.ocp.oraclecloud.com is your Design-time URL and the rest of the URL integrationInstance=NameOfServiceInstance contains the name of the service instance.

Get the Runtime URL from the Service Console URL

You can also get the Runtime URL from the Service Console URL. Replace design with the service instance name and you have the Runtime URL. For example: https://NameOfServiceInstance.integration.region.ocp.oraclecloud.com

Invoke Oracle Integration Developer APIs from an External Client

OAuth is required to use the Oracle Integration Developer APIs. An external application or user requests access from IAM, then authenticates with IAM, and invokes the Oracle Integration Developer API.

An external application or user requests access with IAM, then authenticates with IAM, and invokes the Oracle Integration Developer API.

Configuration Summary

Is OAuth required? Supported grant types Required roles
Yes. OAuth is required for all Oracle Integration Developer APIs.

The grant types you can use are the same as that for the REST Adapter:

  • JWT User Assertion
  • Authorization code
  • Client credentials
  • Resource Owner Password Credentials (not recommended)

See About OAuth 2.0 Grants for more details on each grant type and which one to use.

The role you assign your confidential client application depends on which APIs you'll be using. Assign the highest role required for your specific use case.

If you're creating lookups for example, you'll need the ServiceDeveloper role. For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

  • ServiceUser is the minimum role required to call the Developer APIs. This user has access to the Oracle Integration Console as well as the APIs. Assign the ServiceUser role in most cases.
  • ServiceDeveloper is required if you're invoking the Developer APIs from within an integration or you're using the APIs to perform create operations such as creating lookups or importing an integration.
  • Use ServiceInvoker if you only need to invoke an integration's endpoint and will not be making any calls to the Oracle Integration Developer APIs.

Configuration Steps

Note:

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

Create the confidential client application, assign scopes and roles, and activate it:

  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type:
  3. Call the Developer APIs using a client such as Postman or cURL:

Invoke the Oracle Integration Developer APIs from within an Integration

OAuth is required to use the Oracle Integration Developer APIs. Calling the Oracle Integration Developer APIs from within an integration is common.

For example, you use the scheduling Developer API to run a scheduled integration or the lookups Developer API to view lookups from within your integration.

To call the Oracle Integration Developer APIs from within an integration, you must also configure the OAuth policy in the REST Adapter invoke connection.

An external application or user requests access with IAM, then authenticates with IAM, and invokes the Oracle Integration API.

Configuration Summary

Is OAuth required? Supported authentication types Required roles
Yes. OAuth is required to invoke the Oracle Integration Developer APIs. For supported authentication types for REST Adapter invoke connections, see Authentication Types

The role you assign your confidential client application depends on which APIs you'll be using. If you're creating lookups for example, you'll need the ServiceDeveloper role. For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

  • ServiceUser is the minimum role required to call the Developer APIs. This user has access to the Oracle Integration Console as well as the APIs. Assign the ServiceUser role in most cases. This user can also trigger an integration's endpoint.
  • ServiceDeveloper is required if you're invoking the Developer APIs from within an integration or you're using the APIs to perform create operations such as creating lookups or importing an integration.

Configuration Steps

  1. Create a REST Adapter connection
  2. Add the REST Adapter as an Invoke Connection to an Integration
  3. Configure OAuth settings for the invoke connection within the integration.
  4. Use the Design-time URL.
  5. Change the invoke request parameters and add the parameter integrationInstance.
  6. Pass the integrationInstance value in the mapping.
  7. Trigger the integration to invoke the APIs.

Call the Developer APIs with Client Credentials

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with Client credentials, you must create a confidential client application and perform other prerequisites.

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type:

Information You Need

The following is information you need to send requests through a client.
Information You Need Where to Find It
Design-time URL or Runtime URL, depending on your use case See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain.

Domain Details page, accessed by selecting Identity, Domains, with the Domain URL field highlighted

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Configure Postman for Client Credentials

Postman Configuration page, with Authorization tab selected, fields from top to bottom are Grant Type, Access Token URL, Client ID, Client Secret, Scope, Client Authentication. There is also a Get New Access Token button
  1. Use the Design-time URL or Runtime URL depending on your use case. See Do You Use the Design-time or Runtime URL?.

    Example Design-time URL with a call to the Oracle Integration Developer API for connections: 

    https://design-integration-region.ocp.oraclecloud.com/ic/api/integration/v1/connections

    Example Runtime URL:

    https://myInstance-integration-region.ocp.oraclecloud.com/ic/api/integration/v1/connections

    Note:

    If you use the Runtime URL, you'll need to configure Postman to Follow Authorization Header in the request settings. This is because if you call the Oracle Integration Developer APIs with the Runtime URL, Oracle Integration redirects to the Design-time URL for the Developer APIs and the call will fail if the authorization header is missing from the request header.

    In cURL, use the -l option to forward the authorization header during the redirection.

    To configure Postman to forward the authorization header when using the Runtime URL:
    1. In the request, click Settings and enable Follow authorization header. Postman Settings tab selected with Follow authorization header highlighted to be set to ON.
  2. Fill in the required fields.
    Field What to enter

    Authorization type

    		 OAuth 2.0

    Grant Type

    		 Client credentials

    Access Token URL

    		 Use the identity domain host you identified from your Domain URL.

    Example: https://<identity_domain_host>/oauth2/v1/token

    Client ID

    Add the client ID for the confidential application that you configured.

    Client Secret

    Add the client secret for the confidential application that you configured.

    Scope

    Add the same scope that you added to your confidential application.

    Client Authentication

    		 You can choose anything here, does not apply.
  3. Click Get New Access Token.
  4. Click Use Token.

    Your token is attached to your request in the Header section.

  5. Click Send to make the call to the API. You should get a list of connections.

cURL command for Client Credentials

  1. Get the access token to be able to make requests with the client credentials. For example:
    
curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>/oauth2/v1/token -d 'grant_type=client_credentials&scope=https://<Resource APP Audience>urn:opc:resource:consumer::all'

    Syntax:

    
curl -i -H 'Authorization: Basic <base64Encoded clientid:secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=client_credentials&scope=<app scope>'

    where:

    • <identity_domain_host> is the host name in the Domain URL field of the domain you are in.
    • <base64-clientid-secret> - Base 64 encode clientId:ClientSecret
    • <app scope> - Add the same scope that you added to your confidential application.
  2. Capture the access_token from the response.
    {
    "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
    "token_type": "Bearer",
    "expires_in": 3600
}
  3. Use the access_token in the authorization header to invoke the Oracle Integration Developer APIs. 
    curl --location --request GET 'https://<OIC_host>/ic/api/integration/v1/connections' \
--header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'

    • Where <oic_host> is the Design-time URL host name or Runtime URL host name. See Do You Use the Design-time or Runtime URL?.

      Note:

      If you use the Runtime URL host name, you'll need to use the -l option to forward the authorization header because you are automatically redirected to the Design-time host.

Call the Developer APIs with Authorization Code

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with Authorization code, you must create a confidential client application and perform other prerequisites.

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type:

Information You Need

The following is information you need to send requests through a client.
Information You Need Where to Find It
Design-time URL or Runtime URL, depending on your use case See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain..

Default Domain page, accessed by selecting Identity, Domains, Default Domain, with the Domain URL field highlighted

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Redirect URL

You can find the redirect URL in the Authorization area of the confidential client.

Configure Postman for Authorization Code

Postman Configuration page, with Authorization tab selected, fields from top to bottom are Grant Type, Callback URL, Auth URL, Access Token URL, Client ID, Client Secret, Scope
  1. Use the Design-time URL or Runtime URL depending on your use case. See Do You Use the Design-time or Runtime URL?.

    Example Design-time URL with a call to the Oracle Integration Developer API for connections: 

    https://design-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Example Runtime URL:

    https://myInstance-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Note:

    If you use the Runtime URL, you'll need to configure Postman to Follow Authorization Header in the request settings. This is because if you call the Oracle Integration Developer APIs with the Runtime URL, Oracle Integration redirects to the Design-time URL for the Developer APIs and the call will fail if the authorization header is missing from the request header.

    In cURL, use the -l option to forward the authorization header during the redirection.

    To configure Postman to forward the authorization header when using the Runtime URL:
    1. In the request, click Settings and enable Follow authorization header. Postman Settings tab selected with Follow authorization header highlighted to be set to ON.
  2. Fill in the required fields.
    Field What to enter

    Authorization type

    		 OAuth 2.0

    Grant Type

    		 Authorization Code
    Callback URL This is the Redirect URL you configured in the confidential client application. You can find the Redirect URL in the confidential client application under the Authorization section.
    Auth URL Use the identity domain host you identified from your domain URL to create the Auth URL. For example: https://<identity_domain_host>/oauth2/v1/authorize

    Access Token URL

    		 Use the identity domain host you identified from your Domain URL.

    For example: https://<identity_domain_host>/oauth2/v1/token

    Client ID

    Add the client ID for the confidential application that you configured.

    Client Secret

    Add the client secret for the confidential application that you configured.

    Scope

    Add the same scope that you added to your confidential application.

    Client Authentication

    		 You can choose anything here, does not apply.
  3. Click Get New Access Token.
  4. Click Use Token.

    Your token is attached to your request in the Header section.

  5. Click Send to make the call to the API. You should get a list of connections.

cURL command for Authorization Code

  1. From your browser, request an authorization code. For example:
    GET
      https://<identity_domain_host>/oauth2/v1/authorize?client_id=<clientID>&response_type=code&redirect_uri=https://app.getpostman.com/oauth2/callback&scope=https://<Resource_APP_Audience>urn:opc:resource:consumer::all%20offline_access&nonce=121&state=12345544

    Syntax:

    GET
      https://<identity_domain_host>.identity.oraclecloud.com/oauth2/v1/authorize?client_id=<client-id>&response_type=code&redirect_uri=<client-redirect-uri>&scope=<app_scope>%20offline_access&nonce=<nonce-value>&state=<unique_value>
    where:
    • <identity_domain_host> is the host name in the Domain URL field of the domain you are in.Default Domain page, accessed by selecting Identity, Domains, Default Domain, with the Domain URL field highlighted
    • <client-id> - ID of Client application generated

    • <client-redirect-uri> - Redirect URI, in client application. The Redirect URL needs to be accessed when you click on provide consent on the connection. This is the redirect URL of the Oracle Integration host. Format: https://<Service Console URL>/icsapis/agent/oauth/callback. This is the standard callback URL for the Oracle Integration instance.

    • <app scope> - Add the same scope that you added to your confidential application.

      This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

      https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

      This scope allows users to only access the Oracle Integration Developer APIs: 

      https://415C303.integration.ocp.oraclecloud.com:443/ic/api/
    • nonce - Optional, unique value to mitigate replay attacks
    • state - Recommended, Opaque to IAM. Value used to maintain state between the request and the callback
  2. If the user is not already logged in, you are challenged to authenticate your user credentials.
    After authentication is successful, the client URL is redirected with the authorization code and state added to the URL.
    ##Response URL
https://<redirect_URL>?code=<code_value>=&state=<state_value>
 
###Client should validate state received is same as one sent in request.
  3. Capture the code value from the above response and make the request to get the access token. For example:
    curl -i -H 'Authorization: Basic MDMx..NGY1' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>/oauth2/v1/token -d 'grant_type=authorization_code&code=AQAg...3jKM4Gc=&redirect_uri=https://app.getpostman.com/oauth2/callback
    Syntax:
    curl -i -H 'Authorization: Basic <base64-clientid-secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>
    where:
    • <base64-clientid-secret> - BAse 64 encode clientId:ClientSecret
    • <authz-code> - code value received as response on redirect.
    • <client-redirect-uri> - Redirect URI, in client application.
  4. Capture the access_token and refresh_token from the response.
    {
    "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc="
}
  5. Use the access_token in the authorization header to invoke the Oracle IntegrationDeveloper API.
    curl --location --request GET 'https://<OIC_host>/ic/api/integration/v1/connections' \
--header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'

    • Where <oic_host> is the Design-time URL host name or Runtime URL host name. See Do You Use the Design-time or Runtime URL?.

      Note:

      If you use the Runtime URL host name, you'll need to use the -l option to forward the authorization header because you are automatically redirected to the Design-time host.

Update the Access Token

To update the access token, use the refresh token and make the request.
  1. Capture the access_token and refresh_token from a response for further use. For example:
    
curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Host>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc='

    Syntax:

    curl -i -H 'Authorization: Basic <base64-clientid-secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Host>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=<refresh_token>'

Call the Developer APIs with JWT User Assertion

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with JWT User Assertion, you must create a confidential client application and perform other prerequisites.

You must be the OCI tenant and domain administrator to configure the confidential client application and assign roles.

For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type:

Information You Need

The following is information you need to send requests through a client.
Information You Need Where to Find It
Design-time URL or Runtime URL, depending on your use case See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain.

Domain Details page, accessed by selecting Identity, Domains, with the Domain URL field highlighted

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Configure Postman for JWT User Assertion

JWT User Assertion is not directly supported with Postman. You need to define scripts to generate the assertion. Read the blog Demystifying OAuth Using the JWT User Assertion in OIC for more details and sample scripts.

cURL command for JWT User Assertion

  1. Once you generate the JWT user assertion, generate the access token.

    Syntax:

    curl -i -H 'Authorization: Basic <base64Encoded clientid:secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user assertion>&scope=<app_scope>'
    Where:
    • grant_type - urn:ietf:params:oauth:grant-type:jwt-bearer
    • <base64-clientid-secret> - Base 64 encode clientId:ClientSecret
    • <user assertion> - User assertion generated
    • <app scope> - Scope added while creating application in client configuration section (Ends with urn:opc:resource:consumer::all)
  2. Capture the access_token from the response.
    {
    "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
    "token_type": "Bearer",
    "expires_in": 3600
}
  3. Use an access_token in the authorization header to invoke the Oracle Integration Developer APIs.
    curl --location --request GET 'https://OIC host/ic/api/integration/v1/connections' \
--header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'

  • Where <oic_host> is the Design-time URL host name or Runtime URL host name. See Do You Use the Design-time or Runtime URL?.

    Note:

    If you use the Runtime URL host name, you'll need to use the -l option to forward the authorization header because you are automatically redirected to the Design-time host.

Call the Developer APIs with Resource Owner Password Credentials

Prerequisites to Complete

Before you can call the Oracle Integration Developer APIs with Resource Owner Password Credentials, you must create a confidential client application and perform other prerequisites. For instructions, see:
  1. Access the Identity Domain.
  2. Configure prerequisites for your grant type: Prerequisites for Client Credentials and Resource Owner Password Credentials.

Information You Need

The following is information you need to send requests through a client.
Information You Need Where to Find It
Design-time URL or Runtime URL, depending on your use case See Do You Use the Design-time or Runtime URL?.

Example Design-time URL:

https://design-integration-region.ocp.oraclecloud.com/

Example Runtime URL:

https://myInstance-integration-region.ocp.oraclecloud.com/

Domain Host

You can get the identity domain host from the Domain URL field of the domain you are in. For instructions on accessing your domain, see Access the Identity Domain.

Domain Details page, accessed by selecting Identity, Domains, with the Domain URL field highlighted

Client ID

Client Secret

Add the client ID for the confidential application that you configured.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

Scope

Add the same scope that you added to your confidential application. You can find the scope you added to the confidential application in your confidential application details under Token Issuance Policy.

To find your confidential application, access the identity domain, select Integrated Applications, select your application, and look for OAuth Configuration, then Client ID and Client Secret. For instructions, see Access the Identity Domain.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://69415C303.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://415C303.integration.ocp.oraclecloud.com:443/ic/api/

Integration Instance

Name of the integration instance.

Configure Postman for Resource Owner Password Credentials

Postman Configuration page, with Authorization tab selected, fields required to complete from top to bottom are Grant Type Password Credentials, Access Token URL, Client ID, Client Secret, User name, Password, Scope, Client Authentication. There is also a Get New Access Token button
  1. Use the Design-time URL or Runtime URL depending on your use case. See Do You Use the Design-time or Runtime URL?.

    Example Design-time URL with a call to the Oracle Integration Developer API for connections: 

    https://design-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Example Runtime URL:

    https://myInstance-integration-region.oraclecloud.com/ic/api/integration/v1/connections

    Note:

    If you use the Runtime URL, you'll need to configure Postman to Follow Authorization Header in the request settings. This is because if you call the Oracle Integration Developer APIs with the Runtime URL, Oracle Integration redirects to the Design-time URL for the Developer APIs and the call will fail if the authorization header is missing from the request header.

    In cURL, use the -l option to forward the authorization header during the redirection.

    To configure Postman to forward the authorization header when using the Runtime URL:
    1. In the request, click Settings and enable Follow authorization header. Postman Settings tab selected with Follow authorization header highlighted to be set to ON.
  2. In the Authorization tab, fill in the required fields.
    Field What to enter

    Authorization type

    		 OAuth 2.0

    Grant Type

    		 Password credentials

    Access Token URL

    		 Use the identity domain host you identified from your Domain URL.

    Example: https://<identity_domain_host>/oauth2/v1/token

    Client ID

    Add the client ID for the confidential application that you configured.

    Client Secret

    Add the client secret for the confidential application that you configured.

    User Name and Password Provide a valid user name and password. This will generate the token with the resource owner password credentials.

    Scope

    Add the same scope that you added to your confidential application.

    Client Authentication

    		 You can choose anything here, does not apply.
  3. Click Get New Access Token.
  4. You are prompted to enter a user name and password.

    This user must have been created in the IAM domain. You cannot use a single sign-on user name and password as this is a different authentication method. If you have single sign-on for your instance, you will need to copy the same users in IDCS and maintain a separate password for local IAM access.

  5. Click Use Token.

    Your token is attached to your request in the Header section.

  6. Click Send to make the call to the API. You should get a list of connections.

cURL command for Resource Owner Password Credentials

  1. To fetch the access client, make a request with the user name and password in the payload. For example:
    curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<identity_domain_host>/oauth2/v1/token -d 'grant_type=password&username=sampleUser&password=SamplePassword&scope=https://<Resource_APP_Audience>urn:opc:resource:consumer::all%20offline_access'
    Syntax:
    
curl -i -H 'Authorization: Basic <base64Encoded_clientid:secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<App_Scope>%20offline_access'
    Where:
    • <base64-clientid-secret> - Base 64 encode clientId:ClientSecret
    • <username> - user for token needs to be issued (must be in serviceinvoker role).
    • <password>- password for above user
    • <app_scope> - Scope added while creating application in client configuration section (Ends with urn:opc:resource:consumer::all)
  2. Capture the access_token and refresh_token from the response.
    {
    "access_token": "eyJ4NXQjG...dfsdfsFgets2ed",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc="
}
  3. Use the access_token in the authorization header to invoke the Oracle Integration trigger endpoint.
    curl --location --request GET 'https://OIC host/OIC endpoint' \
--header 'Authorization: Bearer eyJ4NXQjG...dfsdfsFgets2ed'
  4. To update the access token, use the refresh token and make a request.
  5. Capture the access_token and refresh_token from the response for further use. For example:
    curl -i -H 'Authorization: Basic OGQyM...ZDA0Mjcz' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=AQAgY2MzNjVlOTVhOTRh...vM5S0MkrFSpzc='
    Syntax:
    curl -i -H 'Authorization: Basic <base64-clientid-secret>' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://<Identity_Domain_Service_Instance>.identity.oraclecloud.com/oauth2/v1/token  -d 'grant_type=refresh_token&refresh_token=<refresh_token>'

FAQs for the Confidential Client Application

A prerequisite to use OAuth with trigger connections and the Oracle Integration Developer APIs is that you create a confidential client application in Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), configure the authorization grant, assign scopes, assign roles, and activate the confidential client application. You must be the OCI tenant and domain administrator to configure the confidential application.

When do you need a confidential client application?

You need to configure a confidential client application when you use OAuth with a trigger connection, or when you use the Oracle Integration Developer APIs. The confidential client application acts as the configuration to enable OAuth on associated integration applications.

What are the steps to configure the confidential client application and use OAuth in Oracle Integration?

The steps that you need to follow depend on your use case. To know more about where you can use OAuth in Oracle Integration and a summary of configuration steps for each use case, see:

You must be the OCI tenant and domain administrator to configure the confidential application

You must be the OCI tenant and domain administrator to configure the confidential application, assign scopes and roles, and activate it.

How many confidential client applications do I need?

How many confidential applications you configure depends on your use case.

  • In general, you need one confidential application per Oracle Integration instance. You can configure one confidential client application to handle one or more OAuth authorization grant types.

  • If you want to isolate the configuration users use, configure different confidential client applications per OAuth authorization grant type.

  • If you have multiple identity domains, you need to configure one confidential client application per domain, because you can only access the confidential client application within a domain.

Which OAuth authorization grant type do I use?

In general, these are the supported grant types:

  • JWT User Assertion
  • Client credentials
  • Authorization code
  • Resource Owner Password Credentials (not recommended)

Which one you configure in your confidential application depends on which ones your client supports.

  • If the client is programmatic or SDK-based, use Client credentials or JWT User Assertion.
  • If the client is browser-based and requires user interaction, use Authorization code.

For additional information on OAuth authorization grant types, see About OAuth 2.0 Grants

What are the scopes and which ones are required?

Scopes limit what have access to in the Oracle Integration instance.

There are two Oracle Integration instance scopes that you add to the confidential application:

It's recommended to assign both scopes to the confidential application.

This scope allows users to access both integration endpoints and Oracle Integration Developer APIs: 

https://<id>.host.oraclecloud.com:443urn:opc:resource:consumer::all

This scope allows users to only access the Oracle Integration Developer APIs: 

https://<id>.host.oraclecloud.com:443/ic/api/

Troubleshoot OAuth

Go through the following troubleshooting. You can resolve most issues by checking your configuration in these areas.

Token Refresh Error: How do I Check the Configuration?

Check your configuration in the Oracle Cloud Infrastructure under Oracle Cloud Services and Integrated Applications. Both configurations are required for OAuth to work.

Step 1: Identify Your Oracle Integration Instance Information

Step 2: Check Token Refresh Settings in Domains

Step 3: Check Token Refresh and Scope Settings in Integrated Applications

Step 1: Identify Your Oracle Integration Instance Information

Identify information about your Oracle Integration such as service name and domain to help you in troubleshooting.

  1. Log into Oracle Integration console.
  2. In the upper-right corner, click the avatar for your name, and then select About. You'll see information about your instance.


    The About dialog shows the following fields: Version, Service instance, Instance ID, Identity domain, Service type, Outbound IPD, Inbound IP, Bring your own license, Number of message packs.

  3. Copy your Service instance name, Instance id, and Identity domain values to a text file so that you can compare with what you have in your configuration.
Go to the next step Step 2: Check Token Refresh Settings in Domains
Step 2: Check Token Refresh Settings in Domains

How does token refresh work?

You have an access token and a refresh token. Both tokens have an expiry time.

In order for access tokens to be automatically refreshed, you need to enable Allow token refresh for your service instance in Oracle Cloud Services. When Allow token refresh is enabled, whenever an integration is running and the access token expires, the refresh token is used to automatically get a new access token. If an integration runs before the access token expires, the access token and refresh token are automatically refreshed. The token expiry time starts again at the maximum amount every time the tokens are refreshed.

If an integration does not run for a while, it's possible for the access token and refresh token to both expire. If that happens, you'll need to manually get a new access token.

Check Token Refresh Settings

  1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials and select Identity & Security, then Domains.
  2. Select your compartment, then your identity domain.
  3. In the navigation bar, select Oracle Cloud Services.
  4. Find and select your integration instance.

    Tip:

    Make sure the name is the same as the Service instance name you got from the Oracle Integration console.

    The Oracle Cloud Services page shows navigation links at the top Identity, Domains, Domain Name, Oracle Cloud Services. On the left hand side are the navigation menus: Overview, Users, Groups, Dynamic groups, Integrated applications, Oracle Cloud Services, Jobs, Reports, Security, Settings, Notification, Branding. On the main page, there is a search box with ua as the value and below that the corresponding Oracle Integration instance ua-oic35.

  5. In your Oracle Integration instance details, select OAuth Configuration, and make sure Allow token refresh: allowed.

    Oracle Cloud Services page for a specific Oracle Integration instance with the fields Access token expiration, Allow token refresh, Refresh token expiration highlighted.

    If you don't see Allow token refresh: allowed, select Edit OAuth configuration and make sure the setting is checked.

  6. Configure token refresh expiry (optional).

    Select Edit OAuth Configuration. You can configure access token and refresh token expiry times for your Oracle Integration instance.

    You might want to have different refresh expiry settings for development and production instances.

    To determine how to set the duration of your refresh expiry time:

    • Development environments: Determine what is the longest amount of time that you will not be running integrations. For example, do you run tests every two months? If that's the case, set your refresh token expiry time to 90 days.
    • Production environments: Determine what is the longest time interval that you think something is not going to run. For example, if you have a scheduled integration that runs every two weeks, then set your refresh token expiry to be one month.
Go to the next step Step 3: Check Token Refresh and Scope Settings in Integrated Applications
Step 3: Check Token Refresh and Scope Settings in Integrated Applications

Check that Refresh token is enabled in your confidential application and that the scopes assigned to your confidential application match your Oracle Integration instance.

  1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials and select Identity & Security, then Domains.
  2. Select your compartment, then your identity domain.
  3. Select Integrated Applications.
  4. Find and select the confidential application you created.
  5. Select OAuth Configuration.

    Integrated Applications tab selection

  6. In the Authorization section of your confidential application details, make sure Refresh token is set to Enabled.

    On the left hand side there are the menus Identity selected with the submenus Overview, Domains(selected), Network Sources, Policies, Compartments, Federation, My profile. to the right, on the main page, there are navigation tabs: Details, OAuth Configuration (selected), Web Tier Policy, Consent Information, Users, Groups, Tags. On the main page, there is an Authorization section with the field Refresh token with the value Enabled highlighted.

    If Refresh token isn't enabled, under OAuth Configuration, select Edit OAuth configuration and make sure Refresh token is checked.


    Edit OAuth Configuration dialog. In this dialog, there are three sections: Resource server configuration, Client Configuration, and Authorization. Under Resource server configuration, the option No resource server configuration is selected. Under client configuration, the option configure this application as a client now is selected. In the Authorization section, Refresh token is selected and highlighted.

  7. Select Save Changes.

Check Scopes Match Primary Audience in Your Oracle Integration Instance

Make sure the scopes assigned to your confidential application match the primary audience value in your Oracle Integration instance. This makes sure your confidential application is associated with the correct Oracle Integration instance.

  1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials and select Identity & Security, then Domains.
  2. Select your compartment, then your identity domain.
  3. Select Integrated Applications.
  4. Find and select the confidential application you created.
  5. Select OAuth Configuration.

    The Details, OAuth configuration, Web tier policy, Consent information, Users, Groups, Tags are displayed.

  6. Under Resources, check the scopes assigned to your confidential application match your Oracle Integration instance.

    Scopes in your confidential application:


    Under Resources, there is a table with the columns Resource, Protected, Scope, two table rows visible with values. The value under the Resource column is highlighted as well as the value after https:// in the Scope column.

    • Check the Resource column in your confidential application matches your instance name in Identity & Security, then Domains, then Oracle Cloud Services .

    • Check that the Scope column in your confidential application including the value immediately after the https:// matches the value in the Primary audience for your instance in Identity & Security, then Domains, then Oracle Cloud Services, Configure application APIs that need to be OAuth protected .

    Scopes in your Oracle Integration instance:
    The Integrated Applications page for a specific applications shows navigation links at the top Identity, Domains, Domain Name, Integrated Applications. On the left hand side are the navigation menus: OAuth Configuration, Web Tier Policy, Consent Information, Users, Groups. On the main page, there is the Configure application APIs that need to be OAuth protected section with the field Primary audience highlighted.

Unauthorized Errors: Check Roles Assigned to Your Confidential Application

Make sure your confidential application has the correct roles assigned.

If you are making inbound calls to Oracle Integration to trigger an integration:

  • Assign the confidential client application the ServiceInvoker role.

If you are calling the Oracle Integration Developer APIs:

  • The role you assign your confidential client application depends on which APIs you'll be using. If you're creating lookups for example, you'll need the ServiceDeveloper role.

    • ServiceUser is the minimum role required to call the Developer APIs. This user has access to the Oracle Integration Console as well as the APIs. Assign the ServiceUser role in most cases. This user can also trigger an integration's endpoint.
    • ServiceDeveloper is required if you're invoking the Developer APIs from within an integration, and if you're using the APIs to perform create operations such as creating lookups or importing an integration.

For detailed information on each role, see What Users Can Do in the Integrations Design Section by Role.

  1. Make sure your client application has the appropriate role. See Validate the Oracle Integration application and user roles.