Set Up the OAuth Authorization Code Credentials Security Policy with a Non-Oracle Fusion Applications Identity Domain

You must set up trust between Oracle Fusion Applications and an identity domain and create a client application for Oracle Integration to use the OAuth Authorization Code Credentials security policy. Once these tasks are completed, you can successfully configure a connection on the Connections page. Use this option when you are integrating with a non-Oracle Fusion Applications identity domain, such as the Oracle Integration identity domain.

Set Up Trust Between Oracle Fusion Applications and an Identity Domain

  1. Get the JWK signing certificates from the identity domain of Oracle Integration.
    1. Get the REST API of the identity domain endpoint that gives you the signing certificate endpoint. For example:
      /admin/v1/SigningCert/jwk

      See All REST Endpoints in REST API for Oracle Identity Cloud Service.

    2. Copy the endpoint.
    3. Get the identity domain URL from the Oracle Cloud Infrastructure Console or from the Oracle Integration About menu.
    4. Add that URL to the front of the signing certificate endpoint and use a tool (for example, Postman) to invoke the REST API. For example:
      https://identity_domain_URL.identity.oraclecloud.com/admin/v1/SigningCert/jwk
    5. Perform a GET call to retrieve the payloads of the certificates. There are two sections in the payload:
      • Identity domain certificate
      • Certificate authority (CA) certificate

      Examples of the type of response you receive are provided. See Retrieve the Tenant's Signing Certificate in JWK Format.

    6. Copy both certificate sections into separate files. Note that the headers and footers in the files must be in the following exact format to be successfully uploaded to Oracle Fusion Applications:
      -----BEGIN CERTIFICATE-----
      content_of_certificate
      . . .
      . . .
      -----END CERTIFICATE-----

      You can validate the certificate. For example:
      openssl x509 -in IDCS.cert -noout -text
  2. File a service request (SR) with Oracle Fusion Applications Support that includes the following details:
    • SR Summary: Set Up Trust Between Oracle Fusion Applications and OCI Identity Domain
    • Category: Login, Logout and SSO

    Attach your certificates for upload. You cannot upload the certificates yourself.

  3. Create a resource application in an Oracle Integration identity domain to represent the Oracle Fusion Applications resource.
    1. Log in to the identity domain as the domain administrator.
    2. In the navigation pane, click Identity & Security.
    3. Click Domains.
    4. Select your compartment.
    5. Click the identity domain.
    6. In the navigation pane, click Integrated applications.
    7. Click Add application.
    8. Select Confidential Application, then click Launch workflow.
    9. On the Details page, provide a name (for example, FA Resource), and click Next.
    10. On the Client page, click Next without making changes.
    11. On the Resources page, click Configure this application as a resource server now.
    12. Optionally update the value in the Access Token Expiration field.
    13. Select Is Refresh Token Allowed.
    14. In the Primary Audience field, add the Oracle Fusion Applications URL and port. This is the primary recipient where the token is processed.
      https://FA_URL:443
    15. In the Scopes section, click Add.
    16. In the Scope field, enter /.
    17. In the Description field, enter All.
    18. Select Requires Consent.
    19. Click Add, then click Next.
    20. On the Web Tier Policy and Authorization pages, click Next without making any changes.
    21. Click Finish to complete resource application creation.
    22. Click Activate to activate your client application. The resource server representing the resource is now active.
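Step 1 above leaves you with a JWK payload that must be turned into two PEM files with the exact header and footer shown. The following script is an added example (not from the Oracle documentation) that does that conversion offline; it assumes the endpoint returns a standard JWK Set whose "x5c" chain lists the identity domain signing certificate first and the CA certificate second (RFC 7517 ordering), and the sample response, file names and the _fake_x5c helper are constructed placeholders.

```python
import base64
import json
import textwrap
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def x5c_to_pem(x5c_entry: str) -> str:
    """Wrap one base64 DER certificate in the exact header/footer format
    that the uploaded files must use."""
    der = base64.b64decode(x5c_entry, validate=True)   # reject non-base64 input early
    body = base64.b64encode(der).decode("ascii")        # canonical base64, no stray whitespace
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def split_jwk_certificates(jwk_json: str) -> dict:
    """Return {"identity_domain": pem, "ca": pem} from the JWK signing-cert response.
    Assumption (not stated on the page): x5c[0] is the identity domain signing
    certificate and x5c[1] its issuing CA certificate (RFC 7517, section 4.7 order)."""
    keys = json.loads(jwk_json).get("keys", [])
    if not keys or "x5c" not in keys[0]:
        raise ValueError("JWK document carries no x5c certificate chain")
    chain = keys[0]["x5c"]
    if len(chain) < 2:
        raise ValueError("expected the identity domain certificate and the CA certificate")
    return {"identity_domain": x5c_to_pem(chain[0]), "ca": x5c_to_pem(chain[1])}


def _fake_x5c(label: bytes) -> str:
    # Constructed placeholder: base64 of repeated label bytes, NOT a real certificate.
    return base64.b64encode(label * 4).decode("ascii")


# Constructed sample of the JWK response so the script runs offline.
SAMPLE_JWK = json.dumps({"keys": [{
    "kty": "RSA", "kid": "SIGNING_KEY", "use": "sig", "alg": "RS256",
    "x5c": [_fake_x5c(b"constructed-identity-domain-cert-"),
            _fake_x5c(b"constructed-ca-certificate-bytes-")],
}]})

CERTS = split_jwk_certificates(SAMPLE_JWK)

if __name__ == "__main__":
    # Write the two files to attach to the SR; check a real one afterwards with
    # openssl x509 -in IDCS.cert -noout -text
    for name, pem in (("IDCS.cert", CERTS["identity_domain"]), ("IDCS_CA.cert", CERTS["ca"])):
        Path(name).write_text(pem, encoding="ascii")
```

Replace SAMPLE_JWK with the body of your GET response; the openssl check from step 1 will fail on the placeholder bytes, which is exactly the check you want before attaching real files to the SR.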

(Optional) Create a Local User

Note:

The following step is required if the Oracle Fusion Applications user is not federated with an identity domain or whichever identity provider you are using.
  1. Create an identity domain local user. Carefully review the following table to see if you already have a local user.

    Scenario: You have an Oracle Fusion Applications user federated with the identity domain that is protecting Oracle Integration.
    Do I need to create a local user? No. You do not need to create the local identity domain Oracle Fusion Applications user, because the identity domain already has the Oracle Fusion Applications users in its repository.

    Scenario: You do not have federation between Oracle Fusion Applications and the identity domain that is protecting Oracle Integration.
    Do I need to create a local user? Yes. You must create the local identity domain Oracle Fusion Applications user that you plan to use with the OAuth setup in Oracle Integration.

    The identity domain administrator must create a nonfederated local username in the identity domain that matches the user in Oracle Fusion Applications. If you have already invoked Oracle Fusion Applications REST endpoints, you likely already created a user with the roles and access needed to invoke them. This user must be created in the identity domain and have a local user password.

Create the Confidential Client Application for Oracle Integration

  1. Sign in as the identity domain administrator to the Oracle Cloud Infrastructure Console.
  2. In the navigation pane, click Identity & Security.
  3. Click Domains.
  4. Select your compartment.
  5. Click the identity domain.
  6. In the navigation pane, click Integrated applications.
  7. Click Add application.
  8. Select Confidential Application, then click Launch workflow.
  9. Enter a name. The remaining fields on this page are optional and can be ignored.
  10. Click Next.
  11. In the Client configuration box, select Configure this application as a client now.
  12. For authorization code, select Refresh token and Authorization code in the Allowed grant types section.
  13. In the Redirect URL field, enter the redirect URL of the client application. After the user logs in, the identity domain redirects the browser to this URL with the authorization code. You can specify multiple redirect URLs. This is useful for development environments in which you have multiple instances but only one client application due to licensing constraints. For example:

    Note:

    If you don't know the following information, check with your administrator:

    • If your instance is new or upgraded from Oracle Integration Generation 2 to Oracle Integration 3.
    • The complete instance URL with the region included (required for new instances).
    For connections created on new Oracle Integration 3 instances, include the region as part of the redirect URL. Example:
    https://OIC_instance_URL.region.ocp.oraclecloud.com/icsapis/agent/oauth/callback

    For connections created on instances upgraded from Oracle Integration Generation 2 to Oracle Integration 3, do not include the region. This applies to both new connections created after the upgrade and existing connections that were part of the upgrade. Example:
    https://OIC_instance_URL.ocp.oraclecloud.com/icsapis/agent/oauth/callback

    For the OAuth authorization code flow to work, the redirect URI must be set exactly; the identity domain only redirects to a registered URL.

  14. Under Resources, click Add Scope to add appropriate scopes.

    If the Oracle Fusion Applications instance is federated with the identity domain, the Oracle Integration cloud service application is listed among the resources for selection. This enables the client application to access Oracle Integration.

  15. Search for the Oracle Fusion Applications resource application created in Set Up Trust Between Oracle Fusion Applications and an Identity Domain.
  16. Select the resource and click >.
  17. Select the scope, then click Add.
  18. Click Next without making changes on the Resource and Web Tier Policy pages.
  19. On the Authorization page, click Finish.

    The Application Added dialog shows the client ID and client secret values.

  20. Copy and save these values. You need this information when creating a connection for the OAuth Authorization Code Credentials security policy on the Connections page.
    Note the following details for successfully authenticating your account on the Connections page.

    If the identity domain safeguarding Oracle Integration and the Oracle Fusion Applications resource application are the same: log in to Oracle Integration using the local Oracle Fusion Applications user created earlier. You must create a connection and click Provide Consent on the Connections page for authentication to succeed.

    If the identity domain safeguarding Oracle Integration and the Oracle Fusion Applications resource application are different: log in to Oracle Integration using a general Oracle Integration developer account, create a connection, and click Provide Consent on the Connections page. You then log in to the Oracle Fusion Applications resource identity domain application using the local Oracle Fusion Applications user account created earlier.
  21. Activate the application.

Avoid Potential Errors When Testing Your Connection with a Nonfederated User Account

After you configure the OAuth Authorization Code Credentials security policy on the Connections page, you must test your connection.

If you are logged in to Oracle Integration with an Oracle Integration user account and click Provide Consent to test the OAuth flow, consent succeeds. However, when you test the connection, it fails with a 401 Unauthorized error.

This error occurs because the Oracle Integration user account with which you logged in does not exist in Oracle Fusion Applications, so the token issued at consent time is not accepted there.
  1. Log out of Oracle Integration and log back in with a user account that exists in Oracle Fusion Applications.
  2. Return to the Connections page and retest the connection.

    The connection is successful this time.