
OAuth Setup for Fusion ERP Connections from Oracle Integration Cloud


The views, thoughts, and opinions expressed belong solely to the author, and not necessarily to the author's employer, organization, committee or other group or individual.

This document details the steps required to set up the OAuth Authorization Code Credentials security policy for ERP calls made from OIC adapters such as the ERP Adapter and the REST Adapter.

Oracle Documentation can be found here.

Note: The OIC Gen2 SOAP Adapter does not support this security policy; the Gen3 SOAP Adapter does.

EDIT (July 2025): If you plan to use the Oracle Fusion SaaS Identity Domain for creating the Confidential Apps, establishing trust by uploading certificates is not required. The steps depend on which identity domain hosts the Confidential Apps:

Fusion SaaS Identity Domain: create Resource App, create Client App.

OIC's Identity Domain: get the JWK, upload it to SaaS via an SR, create Resource App, create Client App.

Get the JWK signing certificates

Note that this step is required only when you plan to utilise OIC’s Identity Domain for creating the Confidential App.

  1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials.

    • In the navigation pane, click Identity & Security.

    • Click Domains.

    • Select your compartment.

    • Click the identity domain and copy the Domain URL.

  2. Perform a GET call to retrieve the certificate payload. The URL can be opened directly in a browser:

     https://<Domain URL>/admin/v1/SigningCert/jwk
    
  3. There are two sections in the payload:

    • Oracle Identity Cloud Service certificate

    • Certificate authority (CA) certificate

Note: If the URL cannot be accessed, go to Identity → Domains → <select the domain> → Settings → Domain settings. Under Access signing certificate, select Configure client access so that clients can retrieve the tenant signing certificate without logging in to IAM.

  4. Copy both certificate sections into separate files. The headers and footers in the files must be in exactly the following format for the upload to Oracle Fusion Applications to succeed:

     -----BEGIN CERTIFICATE-----
      content_of_certificate
      in 64-character chunks per line
     . . .
     . . .
     -----END CERTIFICATE-----
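As an added example (not from the original post or from Oracle), the following Python converts the JWK payload retrieved in step 2 into the two PEM files step 4 asks for, with the exact header, footer and 64-character line wrapping. It assumes the payload is a standard JWK Set whose signing key carries an x5c array (signing certificate first, then the CA certificate); the sample payload below is constructed, not a real IDCS reply.

```python
# Added example (not from the original post or Oracle): rewrap the JWK payload
# from https://<Domain URL>/admin/v1/SigningCert/jwk into PEM files with the exact
# header/footer and 64-character lines Fusion expects. Assumption: the payload is
# a JWK Set whose signing key has an "x5c" array holding the base64 DER of the
# signing certificate followed by the CA certificate.
import base64
import json

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_b64_to_pem(der_b64: str) -> str:
    """Re-encode a base64 DER string as PEM wrapped at 64 characters per line."""
    raw = base64.b64decode("".join(der_b64.split()), validate=True)  # rejects junk
    body = base64.b64encode(raw).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *chunks, PEM_FOOTER]) + "\n"


def extract_certs(jwk_payload: str) -> dict:
    """Return {'idcs_signing_cert.pem': ..., 'idcs_ca_cert.pem': ...} from a JWK Set."""
    keys = json.loads(jwk_payload)["keys"]
    chain = next((k["x5c"] for k in keys if "x5c" in k), [])
    if len(chain) < 2:
        raise ValueError("x5c must hold the signing certificate and the CA certificate")
    return {"idcs_signing_cert.pem": der_b64_to_pem(chain[0]),
            "idcs_ca_cert.pem": der_b64_to_pem(chain[1])}


def pem_is_well_formed(pem: str) -> bool:
    """Check the upload format: exact header/footer and no body line over 64 chars."""
    lines = pem.strip().splitlines()
    return (len(lines) > 2 and lines[0] == PEM_HEADER and lines[-1] == PEM_FOOTER
            and all(0 < len(line) <= 64 for line in lines[1:-1]))


# Constructed stand-in for the IDCS response: the "certificates" are base64 of
# dummy bytes, long enough to require wrapping. They are not real certificates.
SAMPLE_JWK = json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": "SIGNING_KEY",
    "x5c": [base64.b64encode(bytes(range(150))).decode(),
            base64.b64encode(bytes(range(150, 0, -1))).decode()]}]})

if __name__ == "__main__":
    for name, pem in extract_certs(SAMPLE_JWK).items():
        assert pem_is_well_formed(pem)
        with open(name, "w") as fh:
            fh.write(pem)
        print("wrote", name)
```

To use it against a real domain, replace SAMPLE_JWK with the body returned by the GET call and attach the two written files to the SR.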
    

Upload the certificates to the Oracle Fusion Applications

Note that this step is required only when you plan to utilise OIC’s Identity Domain for creating the Confidential App.

Raise an SR with Oracle Support and attach both IDCS certificates to it. Request that the certificates be attached to https://identity.oraclecloud.com/ for your SaaS instance, as per Doc ID 2729162.1. A template for the SR:

Subject : Import the IDCS Certs and Setup Trust on the FA side

Hi Team,

Please upload the following certificates to Fusion Application > Tools > Security Console > API Authentication Provider with the name https://identity.oraclecloud.com/ (with trailing /).

Enable Token Type: JWT/SAML/STS

Reference:
Doc ID 2925269.1
Doc ID 2729162.1

Service Type : Oracle Fusion Payables Cloud

Service Environment : <actual SaaS environment>

Problem Type : Fusion Application Security

Create a resource application

  1. Log in to the Oracle Cloud Infrastructure Console or the SaaS Identity Domain with your identity domain administrator credentials.

    • In the navigation pane, click Identity & Security.

    • Click Domains.

    • Select your compartment.

    • Click the identity domain.

  2. In the navigation pane, click Integrated applications.

  3. Click Add application. Select Confidential Application, then click Launch workflow.

  4. Enter a name and description, e.g. <SaaS Instance>_FA_Resource_App.

  5. The remaining fields on this page are optional and can be ignored. Click Next.

  6. In Resource Server Configuration, select Configure this application as a resource server now.

  7. Select Allow Refresh Token.

  8. Set Refresh Token Expiration to 31536000 (or a higher value). This is very important: if the value is small and the adapter is not used within that interval, the refresh token expires and the OAuth handshake is lost.

  9. In the Primary Audience field, add the Oracle Fusion Applications URL and port. This is the primary recipient where the token is processed.

     https://FA_URL:443
    

  10. In the Scopes section, click Add.

    • In the Scope field, enter /

    • In the Description field, enter All.

    • Select Requires Consent.

    • Click Add, then click Next.

  11. On the Web Tier Policy page, select Skip and do later.

  12. Click Finish to complete resource application creation.

  13. Click Activate to activate the resource application. The resource server representing the resource is now active.

Configure the client application

  1. Click Add application. Select Confidential Application, then click Launch workflow.

  2. Enter a name and description, e.g. <SaaS Instance>_FA_Client_App.

  3. The remaining fields on this page are optional and can be ignored. Click Next.

  4. In the Client configuration box, select Configure this application as a client now.

  5. Select Refresh Token and Authorization Code in the Allowed grant types section.

  6. In the Redirect URL field, enter your Oracle Integration instance URL.

    Note: For Gen3, use the service console URL, not the design-time URL, and do not include :443 in the URL.

     https://oic_instance_url/icsapis/agent/oauth/callback
    

  7. Click the Add Resources check box.

  8. Click Add scope.

  9. Find the Oracle Fusion Applications resource application created above, i.e. <SaaS Instance>_FA_Resource_App.

  10. Click Add. The scopes are displayed in the Resources section.

  11. On the Web Tier Policy page, select Skip and do later.

  12. Click Finish to complete client application creation.

  13. Click Activate, and then Activate application to activate the client application for use.

  14. In the General Information section, note the client ID and client secret values.

Configuring OIC Adapter with OAuth Authorization Code Credentials

  1. Within the connection, select OAuth Authorization Code Credentials as the security policy.

  2. Client ID: the client ID of the client application.

  3. Client Secret: the client secret of the client application.

  4. Authorization Code URI: https://idcs_url/oauth2/v1/authorize

  5. Access Token URI: https://idcs_url/oauth2/v1/token

  6. Scope: https://FA_URL:443/ offline_access

    Note the space before offline_access.

    Note that idcs_url differs depending on whether the OIC or the SaaS Identity Domain was used to create the Confidential App.

  7. Click Provide Consent.

  8. When prompted, enter the account credentials. There should be a user with the same username in Fusion SaaS.

  9. Return to the Connections page and click Test.
