Hi all,
We are using IFS Cloud 25R2 and have an external web API that is called from an IFS workflow.
When using the standard IFS authentication setup, the workflow can call the external API successfully. The workflow uses OAuth 2.0 client credentials, retrieves a token, and passes the request to the external API without issue. This has been tested successfully both in Postman and from within IFS.
However, when switching the environment to use Entra as the identity provider, the workflow fails when trying to retrieve the OAuth token. The error returned is:
I have tried setting the IAM client / service account so that it does not use the external IDP, with the intention of reverting to the previous/basic authentication behaviour, but I still receive the same error.
I have also started looking at whether this is related to the OAuth scope. As part of that, I have attempted to register the external API in Entra and use the Application ID URI with /.default as the scope, but this has not resolved the issue so far. It is possible that I have not set this up correctly.
My question is:
Has anyone successfully created an IFS workflow that calls an external API using OAuth 2.0 client credentials when the IFS environment is using Entra as the identity provider?
If so, is there a guide or example configuration available?
Specifically, I am trying to confirm:
- Whether the OAuth token endpoint should still be the IFS IAM endpoint or the Entra token endpoint.
- How the scope should be configured when Entra is enabled.
- Whether anything needs to be configured differently on the IAM client/service account.
- Whether the workflow REST task requires any additional token endpoint parameters.
- Whether there are any known issues or limitations with OAuth 2.0 client credentials from workflows when Entra is used as the IDP.
Any guidance or examples would be appreciated.
Thanks.
