Resource Principal Session Token Support

The REST Adapter supports the Resource Principal Session Token (RPST). RPST enables an Oracle Integration instance (the resource) to authenticate itself with and consume other Oracle Cloud Infrastructure services, such as Oracle Cloud Infrastructure Functions, Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure Vision, and more.

To use RPST, you create a dynamic group and specify a policy in the Oracle Cloud Infrastructure Console to enable access to Oracle Cloud Infrastructure services. Once these prerequisites are completed, you simply select the OCI Service Invocation security policy when configuring the REST Adapter as an invoke connection on the Connections page. No additional user configuration is required.

See RPST and OCI Service Invocation Security Policy Use.

The RPST authentication process works as follows:
  1. You create a policy to grant the Oracle Integration instance access to a specific Oracle Cloud Infrastructure service or to all Oracle Cloud Infrastructure services in a specific compartment.
  2. The OAuth client credentials flow obtains an Oracle Identity Cloud Service bearer token that represents the Oracle Integration instance.
  3. The Oracle Identity Cloud Service bearer token is sent to a region-specific token exchange API, which exchanges the bearer token for an RPST token. The RPST token is only valid for resources to which the dynamic group has been granted access by the policy. The token is valid for one hour.
  4. The RPST token is used to sign the request to the Oracle Cloud Infrastructure services specified in the policy (keyId=rpst_token).
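
Because the RPST token is only valid for what the policy in step 1 grants, the scope of that policy determines how far the token reaches. The following added example (not Oracle's code and not part of the original page) reviews the policy statements written for a dynamic group and notes tenancy-wide scope, `all-resources`, and the `manage` verb. The group and compartment names are constructed placeholders, and the regular expression covers only a subset of the Oracle Cloud Infrastructure policy syntax.

```python
import re

# Subset of the OCI IAM policy grammar handled here (assumption: one statement per string):
#   Allow dynamic-group <name> to <verb> <resource-type> in tenancy | compartment [id] <name> [where ...]
STATEMENT = re.compile(
    r"^\s*allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)

def review_statement(statement):
    """Return least-privilege notes for one statement (empty list = nothing to note)."""
    m = STATEMENT.match(statement)
    if not m:
        return ["unparsed: review manually"]
    findings = []
    if m["scope"].lower() == "tenancy":
        findings.append("scope is the whole tenancy, not a compartment")
    if m["resource"].lower() == "all-resources":
        findings.append("all-resources covers every service in scope")
    if m["verb"].lower() == "manage":
        findings.append("manage is the broadest verb; check whether use or read suffices")
    return findings

def review_policy(statements, group):
    """Map each statement that applies to `group` (or cannot be parsed) to its notes."""
    report = {}
    for s in statements:
        m = STATEMENT.match(s)
        if m and m["group"].lower() != group.lower():
            continue  # statement is written for a different dynamic group
        report[s] = review_statement(s)
    return report

# Constructed sample policy; the group and compartment names are placeholders.
SAMPLE_POLICY = [
    "Allow dynamic-group oic-rpst-dg to use functions-family in compartment integrations",
    "Allow dynamic-group oic-rpst-dg to manage all-resources in tenancy",
    "Allow dynamic-group oic-rpst-dg to read objects in compartment integrations where target.bucket.name='inbound'",
    "Allow dynamic-group other-dg to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for stmt, findings in review_policy(SAMPLE_POLICY, "oic-rpst-dg").items():
        print("NOTE" if findings else "OK  ", stmt, findings)
```
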

For a high-level overview of an integration that calls an Oracle Cloud Infrastructure service, see Access Oracle Cloud Infrastructure Service Resources Using RPST.