Oracle API

How to set up Oracle Identity Cloud Service (IDCS) authentication using OAuth 2.0 Client Credentials Grant.

Updated: 2025-10-24T16:45:21Z

This guide explains how to set up Oracle Identity Cloud Service (IDCS) authentication using OAuth 2.0 Client Credentials Grant (Two-Legged OAuth) for accessing Oracle Fusion APIs.

What we need

  [ ] Client ID
  [ ] Client Secret
  [ ] API Token
  [ ] IDCS domain
  [ ] Fusion instance

Setup in Oracle Identity Cloud Service (IDCS)

  1. Log in to your Oracle IDCS console
    • Sign in with an Identity Domain Administrator account.
  2. Create a new application
    • Navigate to Applications → Add Application → Confidential Application.
  3. Configure OAuth settings
    • On the OAuth configuration page:
      • Enable the Client Credentials grant type only.
      • Add the scopes or resources this client can access.
      • Submit and activate the application.
  4. Retrieve credentials
    • After activation, you’ll be presented with a Client ID and Client Secret.
    • Store these credentials securely, as they will be used to authenticate API requests.

Obtaining an Access Token

To authenticate with Oracle APIs, you need to obtain an access token using your Client ID and Client Secret:

curl -u "<client_id>:<client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -X POST https://<idcs-domain>/oauth2/v1/token \
  -d "grant_type=client_credentials&scope=<your-scope>"

The response will include an access_token that is typically valid for up to 3600 seconds (1 hour).

Example response:

{
  "access_token": "eyJ4NXQjUzI1NiI6Ik...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Using the Access Token with Oracle Fusion APIs

Once you have obtained an access token, you can use it to authenticate your requests to Oracle Fusion Cloud APIs:

GET https://<fusion-instance>/.../resources/...
Authorization: Bearer <access_token>

Important Notes:

  • Ensure you use the correct media-type headers for the specific REST API you’re calling (e.g., application/vnd.oracle.adf.resourcecollection+json).
  • Access tokens expire after the time specified in the expires_in field of the token response (typically 1 hour).
  • Store your Client ID and Client Secret securely and never expose them in client-side code.
  • Consider implementing token caching and refresh logic in your application to avoid unnecessary token requests.
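The following helper is an added example (not Oracle's code and not part of this guide) that puts the token request, the expiry handling and the media-type header from the notes above into one small client. It assumes only what the guide shows: HTTP Basic auth with client_id:client_secret against https://<idcs-domain>/oauth2/v1/token, a form body with grant_type=client_credentials and scope, and a JSON response carrying access_token and expires_in. The class names, the refresh_margin parameter and the injectable fetch/clock hooks are assumptions made here so the cache logic can be exercised offline; the scope string in the __main__ block is a constructed placeholder.

```python
"""Client-credentials token helper for Oracle IDCS with expiry-aware caching.

Added example, not Oracle's code. Assumes the token endpoint, request
shape and response fields shown in the guide above.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request


class IdcsTokenClient:
    """Fetches and caches an OAuth 2.0 client-credentials token from IDCS."""

    def __init__(self, idcs_domain, client_id, client_secret, scope,
                 fetch=None, clock=time.time, refresh_margin=60):
        self.token_url = f"https://{idcs_domain}/oauth2/v1/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self._fetch = fetch or self._http_fetch   # assumed hook: injectable transport for offline tests
        self._clock = clock                       # assumed hook: injectable clock for deterministic expiry
        self._margin = refresh_margin             # renew this many seconds before expires_in runs out
        self._token = None
        self._expires_at = 0.0

    def build_request(self):
        """Return (url, headers, body) equivalent to the curl command in the guide."""
        creds = f"{self.client_id}:{self.client_secret}".encode("utf-8")
        headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        }
        body = urllib.parse.urlencode(
            {"grant_type": "client_credentials", "scope": self.scope}
        ).encode("utf-8")
        return self.token_url, headers, body

    @staticmethod
    def _http_fetch(url, headers, body):
        """Default transport: POST the form and parse the JSON token response."""
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def get_token(self):
        """Return the cached access token; request a new one only when none is
        cached or the cached one is within refresh_margin seconds of expiry."""
        now = self._clock()
        if self._token and now < self._expires_at - self._margin:
            return self._token
        url, headers, body = self.build_request()
        payload = self._fetch(url, headers, body)
        if "access_token" not in payload:
            raise RuntimeError(f"token endpoint returned no access_token: {payload}")
        self._token = payload["access_token"]
        # expires_in is in seconds; fall back to the 3600 the guide describes as typical
        self._expires_at = now + float(payload.get("expires_in", 3600))
        return self._token

    def fusion_headers(self, media_type="application/vnd.oracle.adf.resourcecollection+json"):
        """Headers for a Fusion REST call: Bearer token plus the media type the
        target API expects (the collection type from the guide by default)."""
        return {
            "Authorization": f"Bearer {self.get_token()}",
            "Accept": media_type,
            "Content-Type": media_type,
        }


if __name__ == "__main__":
    # Real values come from the environment; never hard-code the secret.
    client = IdcsTokenClient(
        os.environ["IDCS_DOMAIN"], os.environ["IDCS_CLIENT_ID"],
        os.environ["IDCS_CLIENT_SECRET"],
        os.environ.get("IDCS_SCOPE", "<your-scope>"),  # constructed placeholder
    )
    print(client.fusion_headers()["Authorization"][:20] + "...")
```

Because the transport and clock are injectable, the cache behaviour (one network call per token lifetime, renewal shortly before expires_in elapses) can be verified without contacting IDCS; in production the defaults use urllib and the wall clock.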

Granting access to Oracle Audit Logs (HCM)

Create a Data Role

You can create an HCM data role that includes the Internal Auditor job role with security profiles to identify the data that the role accesses. For example, to access audit data for person records, the HCM data role must include an appropriate person security profile. Use the predefined View All Workers security profile to enable access to audit data for all worker records.