In the API gateway, the content security check (SqlAttackProtection) rejects the following request as an SQL injection attempt.
https://<HOSTNAME>/oauth2/auth?response_type=code&scope=<scope>&client_id=<CLIENT_ID>&state=<STATE>&redirect_uri=<Redirect_uri>
The assertion is configured with all options checked. What would be a good, reasonable setting of the assertion to let such requests in without lowering security too much?
A base64-encoded character in the state parameter of the URL above caused this issue. The base64-encoded string contained --, which is the comment marker in Oracle.
The Invasive SQL Attack Protection option in the assertion checks for this kind of character. Disable (unselect) this option if you want to let this character through.
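
The false positive described above can be reproduced offline. The following is an added example, not code from the gateway or its vendor: the INVASIVE_SQL pattern is a simplified stand-in for the invasive check, the state is assumed to be base64url-encoded (the variant whose alphabet includes -), and STATE_ALLOWLIST is a hypothetical strict format check of the kind that can compensate when the invasive option is unselected.

```python
import base64
import random
import re
import secrets

# Simplified stand-in for an "invasive" check that flags SQL metacharacters.
# Assumption for illustration; this is not the gateway's actual pattern.
INVASIVE_SQL = re.compile(r"--|'|#")

# Hypothetical compensating control: state must be base64url text of bounded length.
STATE_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]{16,128}={0,2}")


def flagged_as_sql(value: str) -> bool:
    """True if the stand-in invasive check would reject the value."""
    return INVASIVE_SQL.search(value) is not None


def state_is_well_formed(value: str) -> bool:
    """True only if the whole value matches the strict state allowlist."""
    return STATE_ALLOWLIST.fullmatch(value) is not None


def b64url_state(raw: bytes) -> str:
    """Encode raw state bytes the way a base64url-using client would."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def false_positive_rate(samples: int = 20000, seed: int = 0) -> float:
    """Fraction of random 16-byte base64url states containing '--'."""
    rng = random.Random(seed)  # seeded so the measurement is repeatable
    hits = sum(
        flagged_as_sql(b64url_state(rng.getrandbits(128).to_bytes(16, "big")))
        for _ in range(samples)
    )
    return hits / samples


# Constructed sample: the trailing bytes fb ef be encode to "----" in base64url.
BENIGN_STATE = b64url_state(bytes.fromhex("00112233445566778899aabbfbefbe"))
# Constructed sample: a value carrying a quote, which the allowlist must refuse.
QUOTED_VALUE = "abc' OR '1'='1"

if __name__ == "__main__":
    print(BENIGN_STATE, flagged_as_sql(BENIGN_STATE), state_is_well_formed(BENIGN_STATE))
    print(QUOTED_VALUE, flagged_as_sql(QUOTED_VALUE), state_is_well_formed(QUOTED_VALUE))
    print("hex state flagged:", flagged_as_sql(secrets.token_hex(16)))
    print("false-positive rate:", false_positive_rate())
```

With random 16-byte states, roughly one request in two hundred contains -- by chance, which is why the rejection shows up intermittently; a hex-encoded state never contains the sequence at all.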