All posts · OIC Integrations

Setting Up OAuth 2.0 in OIC Integrations

A step-by-step guide to configuring OAuth 2.0 authentication for REST connections in OIC — covering client credentials flow, token refresh, and common pitfalls.

Anurag Jangra · February 1, 2026 · 6 min read · ... views

OAuth 2.0 is the authentication standard for most modern REST APIs — including Oracle Fusion’s own REST services. Configuring it correctly in OIC is not difficult, but there are enough edge cases to make it worth documenting carefully.

The flows you’ll use

Client Credentials — machine-to-machine. The integration authenticates using a client ID and secret, gets a token, and uses it for API calls. This is the most common flow for OIC integrations. No user interaction involved.

Authorization Code — user-delegated access. The integration acts on behalf of a user who has authenticated. Less common for backend integrations, but used when the integration needs to impersonate a specific Fusion user context.

Configuring Client Credentials in an OIC REST connection

  1. In OIC Connections, create a new REST connection
  2. Set Security Policy to OAuth 2.0 Client Credentials
  3. Enter:
    • Token URL (e.g. https://your-identity-domain.identity.oraclecloud.com/oauth2/v1/token)
    • Client ID and Client Secret (from IDCS or OCI IAM app registration)
    • Scope (the API scope you need access to)
  4. Test the connection — OIC will attempt to fetch a token and validate it

Token management

OIC handles token refresh automatically for Client Credentials connections. The token is cached and refreshed before expiry. You don’t need to manage token lifecycle in your integration logic.

Common pitfalls

Wrong scope — the most frequent cause of 401 errors. The scope must exactly match what the resource server expects. For Fusion REST APIs, the scope is typically urn:opc:resource:consumer::all or service-specific.

Clock skew — OAuth tokens have expiry times. If your OIC instance clock is significantly out of sync with the identity provider, token validation fails. This is rare but worth checking if you see intermittent 401s.

IDCS vs OCI IAM — newer Oracle tenancies use OCI IAM; older ones use IDCS. The token endpoint URLs differ. Confirm which identity system your Fusion instance uses before configuring.

Testing without hitting production

Register a test application in your development IDCS/IAM, use a non-production Fusion environment, and validate the full OAuth flow before connecting to production credentials. OIC’s connection test makes this straightforward.

Think Beyond the Implementation

Questions worth sitting with after reading this

01

Why is this architecture appropriate for this specific context — and where would it be the wrong choice?

02

What assumptions did we make that aren't stated explicitly? What happens if those assumptions are wrong?

03

What would break first if the requirements changed — volume doubled, a third system was added, or the deadline halved?

04

What alternatives did we reject, and why? Was the decision made on evidence — or habit?

AJ
Anurag Jangra
Oracle Cloud PaaS Consultant · OIC & VBCS Specialist

4.5+ years delivering enterprise Oracle Cloud integrations and VBCS applications across manufacturing, IT services, and financial sectors. OCI Certified — writes about real-world OIC, VBCS, SQL, and BI Publisher patterns from production experience.

Chat on WhatsApp