Setting up Authentication for Agentic Support
OAuth is the only supported authentication type, and you must already have an application in your identity domain to generate an auth token. Information about this domain and its application is then used to set up the authentication configuration during Application creation.
Learn about IAM with Identity Domains. Here are example steps to give you an overview of the process.
Step 1. Create an Identity Domain (Optional)
Each OCI tenancy has a default identity domain. You can use the default domain or any existing domain as long as its domain type isn't Light weight. To create a domain, see Creating an Identity Domain. Example steps:
- Sign in to the OCI Console.
- Open the navigation menu and select Identity & Security.
- Under Identity, select Domains.
- Select Create domain.
- Provide the required information, such as the domain administrator.
- Select Create and wait for the domain to become active.
Step 2. Create an Application in the Identity Domain
Example steps:
- Open the Identity Domain that you created.
- Select the Integrated applications tab.
- Select Add application.
- Select Confidential Application, then select Launch workflow.
- Provide a Name and Description, leave the remaining fields as default, and select Submit.
Step 3. Configure OAuth Settings
Example steps:
- Open the application that you created.
- Select OAuth configuration, then select Edit OAuth configuration.
- Enable Configure this application as a resource server now.
  - Provide a Primary audience, for example: https://your_application.com/. Audience means which API is allowed to accept and validate the auth token generated by the identity server. In this specific case, you might input a data plane API URL such as https://application.generativeai.ap-osaka-1.oci.oraclecloud.com/20251112/hostedApplications/. The goal is to set the identity of the recipient who verifies the OAuth token. You can use any word, for example my_agent_application.
  - Select Add scopes and define a scope name (for example, read, write, invoke). Scope means what permissions the auth token grants. You can define several scopes in the identity domain integrated application, and have the hosted application use one of them to authenticate.
- Enable Configure this application as a client now.
  - Select Client credentials as the grant type.
- Select Submit.
- From the , select Activate to activate the application.
After activation, return to the application detail page and select OAuth Configuration. You can see the following values:
- Client ID
- Client secret
- Primary audience
- Scope
On the Identity Domain's main page, you can see the Domain URL. Record these values securely. You use them later to generate an access token for accessing the hosted application.
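The following added example (not part of the original documentation or Oracle's own code) shows how the recorded values fit into a client-credentials token request, and how the audience and scope configured in Step 3 are checked on the receiving side. The token endpoint path /oauth2/v1/token, the audience-plus-scope form of the requested scope, the function names, and all sample values are assumptions.

```python
import base64
import urllib.parse
import urllib.request


def build_token_request(domain_url, client_id, client_secret, audience, scope):
    """Build (without sending) the client-credentials token request."""
    # Assumption: the identity domain serves its token endpoint at this path.
    token_url = domain_url.rstrip("/") + "/oauth2/v1/token"
    # The client authenticates with HTTP Basic: base64("client_id:client_secret").
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        # Assumption: the requested scope is the primary audience
        # followed directly by the scope name.
        "scope": audience + scope,
    }).encode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def claims_match(claims, audience, scope):
    """Check already signature-verified token claims against the configured values."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list
    granted = (claims.get("scope") or "").split()  # space-delimited scope string
    return audience in audiences and scope in granted


if __name__ == "__main__":
    # Constructed sample values; read the real secret from a secret store, not source code.
    req = build_token_request("https://identity-domain.example", "example-client-id",
                              "example-client-secret", "https://your_application.com/", "read")
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # the Authorization header is deliberately not printed
    sample_claims = {"aud": "https://your_application.com/", "scope": "read"}  # constructed
    print(claims_match(sample_claims, "https://your_application.com/", "read"))
```

Pass the returned request to urllib.request.urlopen to obtain the token; claims_match assumes the token's signature has already been verified against the identity domain's signing keys.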