Create an Access Token to Provision an Instance with the CLI, REST API, or SDKs

Before you can provision an Oracle Integration instance as a user with the command line interface (CLI), REST API, or any of the SDKs (Java and non-Java), you must create an application and generate an access token. You specify the access token when provisioning the instance.

For information on how to create an instance with the CLI, REST API, and Java SDKs, see:

Create the Application

Before you can provision an Oracle Integration instance as a user, you must first create an application.

Note

You can skip this section if you have already created the application.

  1. Sign in as the tenant administrator to the Oracle Cloud Infrastructure Console.
  2. Open the Oracle Cloud Infrastructure navigation menu and click Identity & Security. Under Identity, click Federation.
  3. Click the OracleIdentityCloudService link.
  4. Click the link in the Oracle Identity Cloud Service Console field to access the console.
  5. Open the Oracle Cloud Infrastructure navigation menu and click Developer Services. Under Functions, click Applications.
  6. Click Create application.
  7. Click Confidential Application.
    This starts the Add Confidential Application Wizard.
  8. Enter a name (for this example, PSO-AT-Gen-App is provided) and optional description, and click Next.
  9. Select Configure this application as a client now and provide the following details for client authorization:
    • Allowed Grant Types: Resource Owner, Client Credentials, JWT Assertion
    • Allowed Operations: Introspect
  10. Under Grant the client access to Identity Cloud Service Admin APIs, click + Add.
    The Add App Role dialog is displayed.
  11. Select Identity Domain Administrator, then click Add.
  12. Click Next to access the next page in the wizard.
  13. Select Configure this application as a resource server now.
  14. Provide the following details, and click Next.
    • Access Token Expiration: 3,600 seconds.
    • Is Refresh Token Allowed: Select the check box.
    • Refresh Token Expiration: 604,800 seconds.
    • Primary Audience: For this example, https://pso-at-gen-app.com/ is provided (the primary recipient where the token is processed).
  15. Under Scopes, click Add.
  16. In the Scope field, enter a value (for this example, psoatgenapp).
  17. In the Display Name field, enter a value.
  18. Leave the Requires Consent check box unselected, then click Add.
  19. Click Next to go to the next page in the wizard.
  20. Select Skip for later, then click Next.
  21. Leave Enforce Grants as Authorization unselected, then click Finish.
    The application is created.
  22. Click Activate, then click to confirm that you want to activate the application.
    The application (named PSO-AT-Gen-App for this example) is created and is ready to use to generate the access token for the users.

Generate the Access Token

Before you can provision an Oracle Integration instance as a user, you must create an access token.

Note

The access token is only valid for one hour.

Generate the Access Token from the Oracle Cloud Infrastructure Console

  1. Sign in as the tenant administrator to the Oracle Cloud Infrastructure Console.
  2. Open the Oracle Cloud Infrastructure navigation menu and click Identity & Security. Under Identity, click Federation.
  3. Click the OracleIdentityCloudService link.
  4. Click the link in the Oracle Identity Cloud Service Console field to access the console.
  5. Open the Oracle Cloud Infrastructure navigation menu and click Developer Services. Under Functions, click Applications.
  6. Scroll down and click the application you created (for this example, named PSO-AT-Gen-App).
  7. Select Customized Scopes.
  8. Select Invokes Identity Cloud Service APIs, then specify Identity Domain Administrator.
  9. Click Download Token and save the file.
    The tokens.tok file contains the access token with the attribute name app_access_token.
    cat tokens.tok
     
    {"app_access_token":"eyJ4NXQjUzI. . . . ."}
  10. Provide the part of the access token between the quotes to the user to use for provisioning an instance. Do not provide the part labeled app_access_token.
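
Because the token is valid for only one hour, it is worth checking how much lifetime is left before handing over the bare value described in step 10. The following Python code is an added example, not part of the original documentation: it assumes the token is a JWT with the standard exp claim, the function names are hypothetical, and the sample tokens.tok content is constructed. It decodes the payload without verifying the signature and never prints the token.

```python
import base64
import json
import time

def make_sample_tok(issued_at):
    """Constructed stand-in for tokens.tok: an unsigned JWT with a 3,600 s lifetime."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iat": issued_at, "exp": issued_at + 3600}  # constructed claims
    jwt = ".".join([seg({"alg": "none"}), seg(claims), "constructed-signature"])
    return json.dumps({"app_access_token": jwt})

def read_token(tok_text):
    """Return only the value between the quotes, without the app_access_token label."""
    token = json.loads(tok_text).get("app_access_token")
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("tokens.tok does not contain a three-part JWT")
    return token

def seconds_remaining(token, now=None):
    """Decode (not verify) the payload and return the seconds left until exp."""
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # JWTs strip base64 padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    return int(claims["exp"] - (time.time() if now is None else now))

def ready_to_hand_over(tok_text, now=None, margin=300):
    """True if the token stays valid for at least `margin` more seconds."""
    return seconds_remaining(read_token(tok_text), now) >= margin

if __name__ == "__main__":
    sample = make_sample_tok(int(time.time()) - 3400)  # downloaded about 57 minutes ago
    # Report the lifetime only; never print the token itself to a terminal or log.
    print("seconds left:", seconds_remaining(read_token(sample)))
    print("hand over:", ready_to_hand_over(sample))
```

To check a real download, pass the contents of tokens.tok to ready_to_hand_over() instead of the constructed sample.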

Generate the Access Token from the CLI or an API

You can also generate the access token from the CLI or an API. For example:
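# CURL_FLAGS is unquoted so that an empty value or several flags expand correctly.
# --data-urlencode keeps special characters in the credentials from breaking the request body.
IDCS_AT_PWD=$(curl ${CURL_FLAGS} -u "$IDCS_CLIENT_ID:$IDCS_CLIENT_SECRET" "$IDCS_URL/oauth2/v1/token" \
  -d "grant_type=password" \
  -d "scope=urn:opc:idm:__myscopes__" \
  --data-urlencode "username=${IDCS_USERNAME}" \
  --data-urlencode "password=${IDCS_PASSWORD}" \
  | jq -r ".access_token")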