Identity & Platform

401 Unauthorized when attempting to access Fusion Applications HCM REST API with OAuth.

John Brown Doe, 3 days ago

Sorry if I get some of the terminology/labeling wrong.

When trying to access the hcmRestApi to perform some basic user tasks, I am getting a 401 Unauthorized and am not sure what I'm missing. It's an OCI Identity Domain environment where end users authenticate to the Fusion Applications with SSO. The premise I've been trying to follow is using OAuth configuration.

I had some idea of what to do going in but admittedly used Copilot to help "parse" the sea of Oracle documentation a bit more quickly?

When I initially began to perform this work I believe I mistakenly created a Confidential Application in the Domain itself (not the Fusion Application "Oracle Cloud Services" for the ERP deployment). I used the client secret/ID from this created confidential app, with the scope set inside it as well, and wasn't getting anywhere. I did also set the App Roles by assigning the Confidential Application to the Application Roles for the application I want to access (presumably Oracle HCM).

The fact that the "Oracle Cloud Services" title had OIC (or OCI??) in it should've been a clue that I wasn't in the right spot... right?

Finally, after many hours of getting lost in the OCI UI and back and forth with Copilot and eventually Claude, I stumbled upon the actual area for the Fusion Applications "Oracle Cloud Services". It had mostly all of the same configuration tabs as the Identity Domains, along with the Integrated Applications and Oracle Cloud Services. Once I found the OCS listing for the Fusion Application I thought, this is it, I'm in the right spot. I created my confidential app, configured the OAuth, assigned it the scope of the Fusion Application, and then in the Fusion Application assigned the confidential app to the FA_GSI_Administrator role, which resulted in the "App Roles" section of my OAuth app showing that role as being listed.

Plugged in my client ID/secret, the IDCS provider URL from THAT Cloud Application endpoint (not the actual Identity Domain), and the scope provided in the confidential app, and still a 401.

Anyone have any clues? I'm pretty sure I don't need to do any config in the Identity Domain itself, right? It should be the Fusion Application itself? I can share more config if needed. For what it's worth, I am getting an access token, but when I try to do a user lookup is where the 401 happens.

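For the situation described in the post (a token is issued, but the REST call returns 401), one way to see what the token actually carries is to decode its claims and compare them with the API being called. This is an added example, not part of the original post or Oracle's code; it assumes the access token is a JWT with `aud`, `scope` and `exp` claims, and the hostnames, scope and function names are constructed placeholders.

```python
import base64
import json
import time


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; the token may be opaque")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(token, expected_aud, expected_scope, now=None):
    """Return a list of mismatches between the token and the API being called."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []

    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud.rstrip("/") not in [a.rstrip("/") for a in aud]:
        problems.append(f"audience mismatch: token has {aud}")

    scopes = str(claims.get("scope", "")).split()
    if expected_scope not in scopes:
        problems.append(f"scope missing: token has {scopes}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or has no exp: {exp}")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token so the check runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed sample: hostnames and scope are placeholders, not Oracle values.
SAMPLE = make_sample_token({"aud": ["https://fa.example.invalid:443"],
                            "scope": "urn:example:scope:all",
                            "sub": "constructed-client-id", "exp": 2000})

if __name__ == "__main__":
    # Token minted for one audience, presented to a different one.
    for line in check_token(SAMPLE, "https://idcs.example.invalid", "urn:example:scope:all", now=1000):
        print(line)
```

The decode step skips signature verification on purpose, so it is only suitable for inspecting your own token while troubleshooting, never for making an authorization decision.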