We are integrating Oracle HCM Fusion as web services connector, we are changing the authentication type to OAuth2.0 client credentials grant type.
We are encountring this error :
Exception occurred in Test Connection. Error: Exception occurred while generating access token: Unable to generate access token.
The above exception is generated in Sailpoint for OAuth token call towards Fusion Cloud HCM, even though it’s successful in Postman.
We tried to configure the OAuth authentication as custom authentication but we are still getting errors .
The ISC Test Connection error looks like the generic Web Services connector wrapper around the OAuth token call. The important part is the actual Oracle IDCS/Fusion response, such as invalid_scope, invalid_client, or unauthorized_client.
Capture the exact token response from the connector debug logs first. That will tell you whether this is a scope issue, client credential issue, or client authentication format issue.
Thanks, this 415 error is a useful clue. In HTTP, 415 is “Unsupported Media Type”. It means the server is refusing the request because the content is in a format not supported by that endpoint. Ref: 415 Unsupported Media Type
So I would check that the Custom Authentication operation is actually sending the body as form-urlencoded key/value data, not JSON/raw body with only the Content-Type header changed.
That said, since this is a standard OAuth2 Client Credentials flow, I would prefer using Authentication Type = OAuth 2.0 and Grant Type = Client Credentials in the Web Services source, unless custom authentication is needed for another reason.
SailPoint’s Web Services OAuth2 Client Credentials configuration supports OAuth request parameters and includes the Basic Authorization header by default unless excluded. Ref: SailPoint Web Services - OAuth2 Client Credentials
If OAuth2 mode still fails with “Unable to generate access token,” the connector/debug log should show the real Oracle OAuth error, such as invalid_scope or invalid_client. I would also validate the exact scope value against what is configured in Oracle.
The 415 clue is key. Adding a few more specifics to help narrow it down faster.
The core issue with Custom Auth in Web Services for Oracle IDCS: The Web Services connector’s Custom Authentication operation needs to be configured precisely for Oracle’s token endpoint. Specifically:
If the connector is sending the body as raw/JSON with just the Content-Type header changed, Oracle will still reject it with 415 — the actual payload format must match.
Strongly recommend switching to native OAuth 2.0 mode instead: Go to Web Services source → Authentication → OAuth 2.0 → Client Credentials. This handles the form-urlencoded body and Basic auth header automatically and is far less error-prone than Custom Auth.
If OAuth 2.0 mode still fails with “Unable to generate access token”: Check these in order:
Scope value — Oracle IDCS scopes are case-sensitive and tenant-specific. Validate the exact scope string in your Oracle IDCS application config.
Token URL — Should be https://<your-idcs-tenant>.identity.oraclecloud.com/oauth2/v1/token
Client credentials — Confirm Client ID and Secret are from the IDCS Confidential Application, not Oracle HCM directly.
Enable debug logging on the connector — the raw Oracle OAuth error (invalid_scope, invalid_client, etc.) will appear there and pinpoint the exact failure.
We’ve successfully connected Oracle Fusion HCM via this pattern — once the token endpoint, scope, and content-type are aligned, Test Connection passes cleanly.
