OAuth Setup for Fusion ERP Connections from Oracle Integration Cloud

This document details the steps required to set up the OAuth Authorization Code Credentials security policy for ERP calls from OIC adapters such as the ERP Adapter and the REST Adapter.

Oracle Documentation can be found here.

Note: The OIC Gen2 SOAP adapter does not support this authentication, but Gen3 does.

Get the JWK signing certificates

  1. Log in to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials.

    • In the navigation pane, click Identity & Security.

    • Click Domains.

    • Select your compartment.

    • Click the identity domain and copy the Domain URL.

  2. Perform a GET call to retrieve the payloads of the certificates. This URL can be invoked directly from a browser:

     https://<Domain URL>/admin/v1/SigningCert/jwk

  3. There are two sections in the payload:

    • Oracle Identity Cloud Service certificate

    • Certificate authority (CA) certificate

Note: If there are any issues accessing this URL, check Identity → Domains → <select the domain> → Settings → Domain settings. Under Access signing certificate, select Configure client access to enable clients to access the tenant signing certificate without logging in to IAM.

  4. Copy both certificate sections into separate files. The headers and footers in the files must be in exactly the following format to be uploaded successfully to Oracle Fusion Applications:

     -----BEGIN CERTIFICATE-----
      content_of_certificate
      with 64 character chunks per line
     . . .
     . . .
     -----END CERTIFICATE-----
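The JWK payload can be turned into the two PEM files the SR asks for, and checked against the exact format above, with a short script. This is an added example, not from the original post or from Oracle; it assumes the standard x5c chain layout (RFC 7517: the key's own certificate first, its issuing CA after it) and uses a constructed sample payload in place of the real one.

```python
import base64
import json
from typing import Dict

# Constructed sample standing in for https://<Domain URL>/admin/v1/SigningCert/jwk;
# the x5c entries are base64 of placeholder bytes, not real certificates.
FAKE_DER = bytes(range(256)) * 2
SAMPLE_JWK = json.dumps({"keys": [{
    "kid": "SIGNING_KEY", "kty": "RSA", "use": "sig",
    "x5c": [base64.b64encode(FAKE_DER).decode(),        # tenant signing cert
            base64.b64encode(FAKE_DER[::-1]).decode()],  # issuing CA cert
}]})

HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def x5c_to_pem(x5c_entry: str) -> str:
    """Wrap one base64 DER entry as PEM with 64-character body lines."""
    body = base64.b64encode(base64.b64decode(x5c_entry)).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"

def split_jwk_chain(jwk_json: str) -> Dict[str, str]:
    """Map the signing key's x5c chain to the two files the SR asks for
    (RFC 7517: first entry is the key's own cert, the rest its chain)."""
    keys = json.loads(jwk_json)["keys"]
    sig = next(k for k in keys if k.get("use", "sig") == "sig" and "x5c" in k)
    if len(sig["x5c"]) < 2:
        raise ValueError("expected the IDCS signing cert and its CA cert in x5c")
    return {"idcs_cert": x5c_to_pem(sig["x5c"][0]), "ca_cert": x5c_to_pem(sig["x5c"][-1])}

def pem_is_well_formed(pem: str) -> bool:
    """Check the exact header/footer and 64-char chunking the upload requires."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        return False
    body = lines[1:-1]
    return (all(len(l) == 64 for l in body[:-1]) and 1 <= len(body[-1]) <= 64
            and all(set(l) <= B64_CHARS for l in body))

def pem_to_der(pem: str) -> bytes:
    """Round-trip helper: recover the DER bytes from a PEM block."""
    return base64.b64decode("".join(pem.strip().splitlines()[1:-1]))

if __name__ == "__main__":
    for name, pem in split_jwk_chain(SAMPLE_JWK).items():
        with open(f"{name}.pem", "w") as f:  # file to attach to the SR
            f.write(pem)
        print(name, "ok" if pem_is_well_formed(pem) else "MALFORMED")
```

Replace SAMPLE_JWK with the body fetched from your own Domain URL; the two resulting files are the ones to attach to the SR in the next section.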
    

Upload the certificates to the Oracle Fusion Applications

Raise an SR with Oracle Support and share both IDCS certificates with it. Request that the certificates be attached to https://identity.oraclecloud.com/ for your SaaS instance as per Doc ID 2729162.1.

Subject: Import the IDCS Certs and Setup Trust on the FA side

Hi Team,

Please upload the following certificates to Fusion Application > Tools > Security Console > API Authentication Provider with the name https://identity.oraclecloud.com/ (with trailing /).

Enable Token Type: JWT/SAML/STS

Reference:
Doc ID 2925269.1
Doc ID 2729162.1

Service Type: Oracle Fusion Payables Cloud

Service Environment: <actual SaaS environment>

Problem Type: Fusion Application Security

Create a resource application

  1. Go to the Oracle Cloud Infrastructure Console with your identity domain administrator credentials.

    • In the navigation pane, click Identity & Security.

    • Click Domains.

    • Select your compartment.

    • Click the identity domain.

  2. In the navigation pane, click Integrated applications.

  3. Click Add application. Select Confidential Application, then click Launch workflow.

  4. Enter a name and description, e.g. <SaaS Instance>_FA_Resource_App.

  5. The remaining fields on this page are optional and can be ignored. Click Next.

  6. In Resource Server Configuration, select Configure this application as a resource server now.

  7. Select Allow Refresh Token.

  8. Set Refresh Token Expiration to 31536000 or a higher value. This is very important: if the value is small and the adapter is not used within that interval, the handshake will be lost.

  9. In the Primary Audience field, add the Oracle Fusion Applications URL and port. This is the primary recipient where the token is processed.

     https://FA_URL:443
    

  10. In the Scopes section, click Add.

    • In the Scope field, enter /

    • In the Description field, enter All.

    • Select Requires Consent.

    • Click Add, then click Next.

  11. On the Web Tier Policy page, select Skip and do later.

  12. Click Finish to complete resource application creation.

  13. Click Activate to activate the resource application. The resource server representing the resource is now active.

Configure the client application

  1. Click Add application. Select Confidential Application, then click Launch workflow.

  2. Enter a name and description, e.g. <SaaS Instance>_FA_Client_App.

  3. The remaining fields on this page are optional and can be ignored. Click Next.

  4. In the Client configuration box, select Configure this application as a client now.

  5. Select Refresh Token and Authorization Code in the Allowed grant types section.

  6. In the Redirect URL field, enter your Oracle Integration instance URL.

    Note: For Gen3, use the Service Console URL, not the Design Time URL, and do not include :443 in the URL.

     https://oic_instance_url/icsapis/agent/oauth/callback
    

  7. Click the Add Resources check box.

  8. Click Add scope.

  9. Find the Oracle Fusion Applications resource application created earlier, i.e. <SaaS Instance>_FA_Resource_App.

  10. Click Add. The scopes are displayed in the Resources section.

  11. On the Web Tier Policy select Skip and do later.

  12. Click Finish to complete client application creation.

  13. Click Activate, and then Activate application to activate the client application for use.

  14. In the General Information section, note the client ID and client secret values.

Configuring OIC Adapter with OAuth Authorization Code Credentials

  1. Within the connection, select OAuth Authorization Code Credentials.

  2. Client Id: the client ID of the client application.

  3. Client Secret: the client secret of the client application.

  4. Authorization Code URI: https://idcs_url/oauth2/v1/authorize

  5. Access Token URI: https://idcs_url/oauth2/v1/token

  6. Scope: https://FA_URL:443/ offline_access

    Note the space before offline_access.

  7. Click Provide Consent.

  8. When prompted, enter the OIC account credentials. There must be a user with the same username in Fusion SaaS.

  9. Return to the Connections page and click Test.
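Before clicking Test, it is worth cross-checking the connection values against the two IDCS applications, since the usual failures (missing space before offline_access, a scope that does not match the primary audience, :443 in a Gen3 redirect URL, a short refresh token expiration) only surface later. This is an added example, not from the original post or from Oracle: the hostnames are constructed, and RESOURCE_APP / CLIENT_APP are hypothetical snapshots of the settings made above, not an IDCS API.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed values standing in for a real tenancy (hypothetical hostnames).
IDCS_URL = "https://idcs-example.identity.oraclecloud.com"
FA_URL = "https://fa-example.fa.ocs.oraclecloud.com"
OIC_URL = "https://oic-example.integration.ocp.oraclecloud.com"

# Hypothetical snapshots of the two IDCS applications configured above.
RESOURCE_APP = {"primary_audience": f"{FA_URL}:443", "scope": "/",
                "allow_refresh_token": True, "refresh_token_expiration": 31536000}
CLIENT_APP = {"redirect_url": f"{OIC_URL}/icsapis/agent/oauth/callback",
              "grant_types": {"authorization_code", "refresh_token"}}


def adapter_settings(idcs_url: str, fa_url: str, oic_url: str) -> Dict[str, str]:
    """Values to enter in the OIC connection, derived from the three base URLs."""
    return {
        "authorization_code_uri": f"{idcs_url}/oauth2/v1/authorize",
        "access_token_uri": f"{idcs_url}/oauth2/v1/token",
        # primary audience + resource scope "/", then a space and offline_access
        "scope": f"{fa_url}:443/ offline_access",
        "redirect_uri": f"{oic_url}/icsapis/agent/oauth/callback",
    }


def check_settings(settings: Dict[str, str], resource_app: dict, client_app: dict,
                   gen3: bool = True) -> List[str]:
    """Return the mismatches between the connection values and the IDCS apps."""
    problems = []
    audience_scope, _, extra = settings["scope"].partition(" ")
    if audience_scope != resource_app["primary_audience"] + resource_app["scope"]:
        problems.append("scope must be the primary audience plus the resource scope")
    if extra != "offline_access":
        problems.append("scope must end with ' offline_access' (space included)")
    if not resource_app["allow_refresh_token"] or "refresh_token" not in client_app["grant_types"]:
        problems.append("refresh tokens must be allowed on both applications")
    if resource_app["refresh_token_expiration"] < 31536000:
        problems.append("refresh token expiration below 31536000 s; idle connections lose the handshake")
    if settings["redirect_uri"] != client_app["redirect_url"]:
        problems.append("redirect URI differs from the client app Redirect URL")
    if gen3 and urlsplit(settings["redirect_uri"]).port is not None:
        problems.append("Gen3 redirect URL must not carry an explicit :443 port")
    return problems


if __name__ == "__main__":
    values = adapter_settings(IDCS_URL, FA_URL, OIC_URL)
    print(values, "problems:", check_settings(values, RESOURCE_APP, CLIENT_APP) or "none")
```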