1. Developing Applications with Oracle Visual Builder in Oracle Integration 3
  2. Use Cases & Troubleshooting
  3. Troubleshooting & FAQs
  4. Troubleshooting Service Connections
  5. How Do I Resolve a "Cannot Process Service Scope" Error?

How Do I Resolve a "Cannot Process Service Scope" Error?

If you see a Cannot process service scope error when you're trying to connect to an external service using identity propagation authentication, you probably haven't associated the service and the Visual Builder application in Oracle Identity Cloud Service (IDCS), or the service isn't represented in IDCS as a Resource application.

Using identity propagation authentication mechanisms, such as Oracle Cloud Account, Delegate Authentication, or OAuth 2.0 User Assertion, to call a REST service requires the service endpoint to be hosted in the IDCS Identity Domain URL. In the following example, a HTTP 400 error occurs because the https://servicename-cloudaccount.integration.ocp.oraclecloud.com endpoint isn't associated with the IDCS Identity Domain: 
{
"type":"HTTP://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
"status": 400,
"title": "Bad Request",
"detail": "{\"type\":\"abcs://proxy_problem/jwt/uri\",\"title\":\"InvalidURI\",\"detail\":\"Cannot process
\\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/XxAdfRESTAppTest4-RESTWebService-context-root/resources/lookups\\\"\",\"status\":400,\
"o:errorDetails\":[{\"type\":\"abcs://proxy_problem/auth/scope/update\",
\"title\":\"Invalid service scope\",\"detail\":\"Cannot process service scope
\\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/\\\" in IDCS, for URI
\\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/XxAdfRESTAppTest4-RESTWebService-context-root/resources/lookups\\\"\",\"status\":400}]}
"
}
Because Delegate Authentication assumes co-location of resources or default established trust relations, follow these steps to create the necessary association:
  1. Configure the OAuth layer for the endpoint (https://servicename-cloudaccount.integration.ocp.oraclecloud.com) to accept the IDCS Identity Domain URL (https://idcs-xxxxxxxxxxx.identity.oraclecloud.com) as a Trust issuer. See Manage Oracle Identity Cloud Service Identity Providers.
  2. From the IDCS Admin console, create a "Resource" application that exposes the primary audience (https://servicename-cloudaccount.integration.ocp.oraclecloud.com) and scope (/).