Before You Begin: Key Prerequisites for Configuration

The Oracle Access Governance REST API uses the OAuth 2.0 protocol as its authorization framework. Authentication and authorization for the Oracle Access Governance APIs are managed by the OCI IAM Authorization REST APIs. Before generating an access token, you need to configure an OAuth application in your OCI IAM identity domain that issues the authorization token, and assign it an application role.

Step 1: Configure a Network Perimeter

Network perimeters enhance security by defining IP address boundaries and blocking suspicious IP addresses to prevent unauthorized access. This configuration is optional but highly recommended: it restricts login attempts to specific IPs or ranges and ensures that only trusted sources can obtain tokens.

Navigate to OCI Domain
  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. Complete the multi-factor authentication (MFA) verification for your cloud account.
  5. Navigate to Identity & Security, and click Domains.
  6. Choose a compartment where your Oracle Access Governance service instance is located, and then select the domain.
Create a Network Perimeter
  1. On the Identity domain page, select Security, and then select Network Perimeters.
  2. Select Create network perimeter.
  3. Enter a meaningful name. For example, Allowed IP List for AG REST API.
  4. In the IP addresses field, specify the range using CIDR notation or a comma-separated list of ranges. For example:
     192.168.1.1-192.168.1.50, 10.0.0.1-10.0.0.100, 172.16.5.10-172.16.5.20
  5. Click Create.

    Figure - Configuring Network Perimeter in OCI Identity Domain

Step 2: Add Confidential Type Application for Authorization in OCI Identity Domain

To create a new confidential application in your Identity Domain:

  1. Navigate to Identity & Security, and click Domains.
  2. Choose a compartment where your Oracle Access Governance service instance is located, and then select the domain.
  3. On the Identity domain page, click Integrated applications.
  4. Click Add application.
  5. Select the Confidential Application option and then click Launch workflow.
  6. In the Add Confidential Application wizard’s details page, enter the following:
    1. On the Add application details page, enter a name and description for the confidential application.

      For example: access-governance-rest-api-oauth

    2. Click Next and go to Configure OAuth.
  7. In the Client configuration panel, select Configure this application as a client now. The details panel expands.
    1. In the Authorization section, select the Client credentials and Resource owner check boxes.

      Note:

      Most APIs use the Client Credentials flow, where you provide the client_id and client_secret to generate an access token. However, a few APIs, particularly those that require specific application roles (such as creating or updating an access bundle), need password credentials (username and password) to generate an access token. For these, you also need to select Resource owner.
    2. For Client type, select Confidential.
    3. In the Client IP address field, select Restrict by network perimeter, and then select the network perimeter created in Step 1.
    4. In the Token issuance policy section, select Specific and select the Add resources check box.
  8. In the Resources section, click Add scope. A list of available applications, including the Oracle Access Governance service instances, and their scopes is displayed.
  9. Select the application and scope, and then click Add.

    Figure - Configuring OAuth Application by setting Resource Application and Scope
  10. Click Next and then click Finish.

Step 3: Activate the Application

Click the Actions icon and then select Activate. The status should change from Inactive to Active.

Step 4: Assign Application Role to the OAuth Confidential Application

You must assign the Oracle Access Governance application role to the OAuth application. The application role you require depends on the REST API operation you want to perform and is the same as the application role required to perform that operation in the Console. Refer to the Application Roles and Responsibilities Reference.
  1. In your cloud account, navigate to Identity & Security, and click Domains.
  2. Choose a compartment where your Oracle Access Governance service instance is located, and then select the domain.
  3. From the left pane, select the Oracle Cloud Services tab.
  4. Select the Oracle Access Governance cloud service.
  5. On the left pane, in the Resources section, select Application roles.
  6. Expand the relevant application role. For Assigned applications, select Manage.
  7. Select +Show available applications, and then select the application created in Step 2.
  8. Click Assign.
    Result: The application role and scope are displayed under the Resources section of the OAuth application created in Step 2.

    Figure - Verify Application Role Assignment in the OAuth Application

Note:

Refer to Authenticate and Authorize to generate OAuth access token using the client ID and client secret of this application.
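As an added example (not part of this page or of Oracle's documentation), the following Python checks whether a client's source IP falls inside a Step 1 network perimeter written in the same CIDR or hyphenated-range form, and builds the OCI IAM token request for the two grant types selected in Step 2 (client credentials, or resource owner password). The domain URL, client ID, client secret and scope values are placeholders, and the perimeter string reuses the ranges shown in Step 1.

```python
import base64
import ipaddress
from urllib.parse import urlencode

# Constructed placeholders; substitute your identity domain URL and the
# client credentials/scope shown on the OAuth application you created.
DOMAIN_URL = "https://idcs-EXAMPLE.identity.oraclecloud.com"
PERIMETER = "192.168.1.1-192.168.1.50, 10.0.0.1-10.0.0.100, 172.16.5.10-172.16.5.20"


def parse_perimeter(spec):
    """Parse a network perimeter value: CIDR blocks and/or hyphenated
    ranges, comma-separated, as entered in the IP addresses field."""
    ranges = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:                      # first-last range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
        else:                                # CIDR block
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = net[0], net[-1]
        ranges.append((lo, hi))
    return ranges


def ip_allowed(spec, ip):
    """True if the caller's source IP is inside the perimeter. A client
    outside it is refused when the perimeter is attached in Step 2 (7.3)."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in parse_perimeter(spec))


def token_request(client_id, client_secret, scope, username=None, password=None):
    """Build the OCI IAM /oauth2/v1/token request: client credentials by
    default, or the resource owner (password) flow when a user is given."""
    body = {"grant_type": "client_credentials", "scope": scope}
    if username is not None:
        body = {"grant_type": "password", "username": username,
                "password": password, "scope": scope}
    # client_id:client_secret, base64-encoded, as HTTP Basic credentials
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"{DOMAIN_URL}/oauth2/v1/token",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }
```

Send the returned request with any HTTP client; the access_token in the JSON response is then passed as a Bearer token to the Access Governance REST API.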