How to Restrict Access to Specific OIC APIs Using OAuth2 (Client Credentials)

Rojin, Apr 4 2025

We are currently using OAuth2 (Client Credentials) to authenticate external systems accessing Oracle Integration Cloud (OIC) APIs. While generating a token with the urn:opc:resource:consumer::all scope works and allows us to invoke any integration deployed in OIC, we want to limit access to only a specific set of APIs.

We tried using custom scopes (e.g., /ic/api or other defined scopes), and while the token gets generated successfully, the actual API call fails with a 401 Unauthorized error.

Our goals:

  • Use OAuth2 with Client Credentials flow.
  • Restrict access so that only specific integrations/APIs are accessible.
  • Prevent external systems from invoking all integrations using the same OAuth credentials.

Is it possible to achieve fine-grained access control in OIC using custom scopes or another method? If so, how can we configure the scopes and client app to make this work?

Any guidance or best practices would be highly appreciated!
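
A diagnostic for the 401 described above, as an added example that is not part of the original post: it decodes the payloads of a working and a failing access token, without verifying signatures, and lists how their `scope` and `aud` claims differ. It assumes the tokens are compact JWTs whose `scope` claim is a space-delimited string or a list; the sample tokens, the audience URL and all function names are constructed for illustration.

```python
import base64
import json

# Scope the post reports as working (taken from the page).
WORKING_SCOPE = "urn:opc:resource:consumer::all"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for this demo only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def scopes(claims: dict) -> set:
    """Accept a space-delimited string or a list (assumed claim shapes)."""
    raw = claims.get("scope", "")
    return set(raw.split()) if isinstance(raw, str) else set(raw)

def compare(working: str, failing: str) -> dict:
    """Summarise the claim differences between two access tokens."""
    w, f = decode_claims(working), decode_claims(failing)
    return {
        "scopes_only_in_working": sorted(scopes(w) - scopes(f)),
        "scopes_only_in_failing": sorted(scopes(f) - scopes(w)),
        "aud_working": w.get("aud"),
        "aud_failing": f.get("aud"),
        "failing_has_working_scope": WORKING_SCOPE in scopes(f),
    }

if __name__ == "__main__":
    # Constructed sample tokens; the audience is a placeholder, not a real host.
    aud = "https://oic.example.invalid"
    ok = make_sample_token({"aud": aud, "scope": WORKING_SCOPE})
    bad = make_sample_token({"aud": aud, "scope": "/ic/api"})
    for key, value in compare(ok, bad).items():
        print(f"{key}: {value}")
```

Run it against tokens from a test client only, and treat the decoded claims as untrusted because no signature is checked.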
