OAuth 2.0 is the authentication standard for most modern REST APIs — including Oracle Fusion’s own REST services. Configuring it correctly in OIC is not difficult, but there are enough edge cases to make it worth documenting carefully.
The flows you’ll use
Client Credentials — machine-to-machine. The integration authenticates using a client ID and secret, gets a token, and uses it for API calls. This is the most common flow for OIC integrations. No user interaction involved.
Authorization Code — user-delegated access. The integration acts on behalf of a user who has authenticated. Less common for backend integrations, but used when the integration needs to impersonate a specific Fusion user context.
Configuring Client Credentials in an OIC REST connection
- In OIC Connections, create a new REST connection
- Set Security Policy to OAuth 2.0 Client Credentials
- Enter:
- Token URL (e.g.
https://your-identity-domain.identity.oraclecloud.com/oauth2/v1/token) - Client ID and Client Secret (from IDCS or OCI IAM app registration)
- Scope (the API scope you need access to)
- Token URL (e.g.
- Test the connection — OIC will attempt to fetch a token and validate it
Token management
OIC handles token refresh automatically for Client Credentials connections. The token is cached and refreshed before expiry. You don’t need to manage token lifecycle in your integration logic.
Common pitfalls
Wrong scope — the most frequent cause of 401 errors. The scope must exactly match what the resource server expects. For Fusion REST APIs, the scope is typically urn:opc:resource:consumer::all or service-specific.
Clock skew — OAuth tokens have expiry times. If your OIC instance clock is significantly out of sync with the identity provider, token validation fails. This is rare but worth checking if you see intermittent 401s.
IDCS vs OCI IAM — newer Oracle tenancies use OCI IAM; older ones use IDCS. The token endpoint URLs differ. Confirm which identity system your Fusion instance uses before configuring.
Testing without hitting production
Register a test application in your development IDCS/IAM, use a non-production Fusion environment, and validate the full OAuth flow before connecting to production credentials. OIC’s connection test makes this straightforward.