Sunday 20 December 2020

ORACLE OIC - OAuth - Client with Multiple Audience from Different Resources

As customers migrate from on-premises systems to the cloud, one of their critical requirements is user propagation: passing the calling user's credentials through to ERP or other target applications.

This lets business users track changes and validate records against the user who actually made the call or update in the cloud application, rather than a shared integration account.

It is expected that OIC will propagate the user credentials to SaaS or other downstream applications, but this capability is not present in OIC.

As a workaround, you can configure an OIC service to receive the authentication details in a custom header and propagate them to the target.

Clients or users are then expected to send either two different authentication tokens (one for OIC and one for the target) or a single token carrying multiple scopes or audiences. In the single-token case the same token is authorized by IDCS at each resource based on the audience (aud) values in the token: a resource accepts the token only if its own identifier is among those audiences.

The following diagram illustrates some of the security requirements.

We can have an individual IDCS instance for each application, or use the same IDCS instance for multiple applications.

Users and roles are synced between IDCS and the cloud applications; a sync job configured in IDCS performs the sync.

The diagram above illustrates the security setup, with clients accessing each application using a specific token.

The following are some of the requirements.
  1. Client1 is configured to invoke OIC using an OIC token.
  2. Client2 is configured to invoke OIC and SaaS using a single token.
  3. Client2 can invoke SaaS directly using a SaaS token.
  4. Client2 can invoke OIC using an OIC token.
  5. Client3 is configured to invoke HCM using an HCM token.
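The audience check described above (one token carrying several aud values, each resource accepting it only if its own identifier is present) and the custom-header propagation workaround, as an added example that is not part of the original post or of OIC itself. The resource identifiers, the HS256 shared key (IDCS actually issues RS256 tokens verified against its JWKS; HS256 is used only so the example runs offline) and the custom header name X-Target-Authorization are all assumptions made for the example. It mints tokens for the Client1, Client2 and Client3 cases, verifies them against the OIC, SaaS and HCM audiences, and shows an OIC-side handler that authenticates the caller for OIC and then decides which credential to forward to SaaS.

```python
import base64
import hashlib
import hmac
import json
import time

# Resource identifiers used as audience values (constructed for this example).
OIC_AUD = "urn:example:oic"
SAAS_AUD = "urn:example:saas"
HCM_AUD = "urn:example:hcm"

# Stand-in for the IDCS signing key (assumption: HS256 instead of IDCS's RS256).
IDCS_KEY = b"example-idcs-signing-key"

# Hypothetical custom header carrying the credential OIC should propagate.
TARGET_AUTH_HEADER = "X-Target-Authorization"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audiences: list, ttl: int = 300, key: bytes = IDCS_KEY) -> str:
    """Issue a compact JWT; aud is a single string for one audience, a list for several."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "sub": subject,
        "aud": audiences if len(audiences) > 1 else audiences[0],
        "iat": now,
        "exp": now + ttl,
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str, key: bytes = IDCS_KEY) -> dict:
    """Check signature, alg, expiry and that expected_audience is in aud; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: token is for {audiences}")
    return claims


def accepts(token: str, resource_audience: str) -> bool:
    """What a resource protected by IDCS does: accept only tokens naming it in aud."""
    try:
        verify_token(token, resource_audience)
        return True
    except ValueError:
        return False


def oic_handle(headers: dict) -> dict:
    """OIC-side handling of a call: authenticate the caller against the OIC audience,
    then choose the credential to propagate to SaaS. A separate SaaS token may arrive
    in the custom header (two-token model); otherwise the caller's own token is reused,
    which only works if it also carries the SaaS audience (single-token model)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "reason": "missing bearer token"}
    caller_token = auth[len("Bearer "):]
    try:
        caller = verify_token(caller_token, OIC_AUD)
    except ValueError as err:
        return {"status": 401, "reason": str(err)}
    downstream = headers.get(TARGET_AUTH_HEADER, caller_token)
    if not accepts(downstream, SAAS_AUD):
        return {"status": 403, "reason": "no credential valid for SaaS", "sub": caller["sub"]}
    return {"status": 200, "sub": caller["sub"], "forward_authorization": "Bearer " + downstream}


if __name__ == "__main__":
    client2 = mint_token("client2", [OIC_AUD, SAAS_AUD])   # single multi-audience token
    client1 = mint_token("client1", [OIC_AUD])             # OIC-only token
    print(accepts(client2, SAAS_AUD), accepts(client1, SAAS_AUD))
    print(oic_handle({"Authorization": "Bearer " + client1})["status"])
```

The audience check is the control that matters here: a token minted for HCM (Client3) is rejected at OIC even though it is signed by the same IDCS, and an OIC-only token (Client1) cannot be replayed against SaaS. When forwarding the caller's token under the single-token model, bear in mind that a token with a broad audience list is usable at every resource it names, so keep the audience list as narrow as the integration needs.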


  
