How Do I Resolve a "Cannot Process Service Scope" Error?
If you see a Cannot process service scope error when you're trying to connect to an external service using identity propagation authentication, you probably haven't associated the service and the Visual Builder application in Oracle Identity Cloud Service (IDCS), or the service isn't represented in IDCS as a Resource application.
Using identity propagation authentication mechanisms, such as Oracle Cloud Account, Delegate Authentication, or OAuth 2.0 User Assertion, to call a REST service requires the service endpoint to be hosted in the IDCS Identity Domain URL. In the following example, an HTTP 400 error occurs because the https://servicename-cloudaccount.integration.ocp.oraclecloud.com endpoint isn't associated with the IDCS Identity Domain:
{ "type":"HTTP://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1", "status": 400, "title": "Bad Request", "detail": "{\"type\":\"abcs://proxy_problem/jwt/uri\",\"title\":\"InvalidURI\",\"detail\":\"Cannot process \\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/XxAdfRESTAppTest4-RESTWebService-context-root/resources/lookups\\\"\",\"status\":400,\"o:errorDetails\":[{\"type\":\"abcs://proxy_problem/auth/scope/update\",\"title\":\"Invalid service scope\",\"detail\":\"Cannot process service scope \\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/\\\" in IDCS, for URI \\\"https://servicename-cloudaccount.integration.ocp.oraclecloud.com/XxAdfRESTAppTest4-RESTWebService-context-root/resources/lookups\\\"\",\"status\":400}]}" }
Because Delegate Authentication assumes co-location of resources or default established trust relations, follow these steps to create the necessary association:
- Configure the OAuth layer for the endpoint (https://servicename-cloudaccount.integration.ocp.oraclecloud.com) to accept the IDCS Identity Domain URL (https://idcs-xxxxxxxxxxx.identity.oraclecloud.com) as a Trust issuer. See Manage Oracle Identity Cloud Service Identity Providers.
- From the IDCS Admin console, create a "Resource" application that exposes the primary audience (https://servicename-cloudaccount.integration.ocp.oraclecloud.com) and scope (/).
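The values the two steps ask you to register can be derived and checked locally with the following Python script. This is an added example, not code from the Oracle documentation or from Visual Builder, and it talks to no live service: it rebuilds the error body shown above from a constructed copy of the example endpoint, pulls the rejected service scope and URI out of `o:errorDetails`, derives the primary audience and scope the Resource application must expose (the endpoint origin with a trailing slash, and `/`), and compares them with the audience and scope you actually registered. The function names, the constructed error body and the rule that a registered scope path must be a prefix of the request path are this example's own assumptions, not an IDCS API.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the endpoint from the page's error message (no live service).
SERVICE_URI = ("https://servicename-cloudaccount.integration.ocp.oraclecloud.com"
               "/XxAdfRESTAppTest4-RESTWebService-context-root/resources/lookups")


def expected_registration(uri):
    """What the IDCS Resource application must expose for this endpoint, per the
    steps above: the primary audience is the endpoint origin (scheme + host with a
    trailing slash) and the scope is the root path "/"."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https service URI: {uri!r}")
    return {"primary_audience": f"{parts.scheme}://{parts.netloc}/", "scope": "/"}


def build_sample_error(uri):
    """Constructed reproduction of the 400 body shown above: the outer problem
    document carries the proxy's own problem document JSON-encoded in 'detail'."""
    reg = expected_registration(uri)
    inner = {
        "type": "abcs://proxy_problem/jwt/uri",
        "title": "InvalidURI",
        "detail": f'Cannot process "{uri}"',
        "status": 400,
        "o:errorDetails": [{
            "type": "abcs://proxy_problem/auth/scope/update",
            "title": "Invalid service scope",
            "detail": (f'Cannot process service scope "{reg["primary_audience"]}" '
                       f'in IDCS, for URI "{uri}"'),
            "status": 400,
        }],
    }
    outer = {
        "type": "HTTP://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
        "status": 400,
        "title": "Bad Request",
        "detail": json.dumps(inner),  # nested problem document, JSON-encoded as a string
    }
    return json.dumps(outer)


SCOPE_RE = re.compile(r'Cannot process service scope "([^"]+)" in IDCS, for URI "([^"]+)"')


def parse_scope_error(body):
    """Return (service_scope, uri) from a 'Cannot process service scope' body,
    or None when the body is some other kind of 400."""
    try:
        outer = json.loads(body)
        inner = json.loads(outer["detail"])  # unwrap the nested document
    except (ValueError, KeyError, TypeError):
        return None
    for item in inner.get("o:errorDetails", []):
        if item.get("type") == "abcs://proxy_problem/auth/scope/update":
            match = SCOPE_RE.search(item.get("detail", ""))
            if match:
                return match.group(1), match.group(2)
    return None


def audit_registration(registered_audience, registered_scope, uri):
    """Compare what you registered on the Resource application with what the
    endpoint needs. Returns a list of findings; an empty list means the registered
    audience and scope cover the URI. Assumption (hypothetical rule for this
    example): a scope path covers a request when it is a prefix of the request path."""
    reg = expected_registration(uri)
    findings = []
    if registered_audience.rstrip("/") != reg["primary_audience"].rstrip("/"):
        findings.append(f"primary audience {registered_audience!r} does not match "
                        f"expected {reg['primary_audience']!r}")
    path = urlsplit(uri).path or "/"
    if not path.startswith(registered_scope):
        findings.append(f"registered scope {registered_scope!r} does not cover path {path!r}")
    return findings


if __name__ == "__main__":
    parsed = parse_scope_error(build_sample_error(SERVICE_URI))
    print("rejected scope / uri:", parsed)
    print("register:", expected_registration(SERVICE_URI))
    print("findings for a wrong registration:",
          audit_registration("https://other.example.com/", "/api", SERVICE_URI))
```

Run it with no arguments to see the scope and URI recovered from the sample error, the audience and scope to register, and the findings produced when the registration does not match; to check a real failure, pass the body of your own 400 response to `parse_scope_error` and the values from the IDCS Admin console to `audit_registration`.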