Registering OAuth Client Applications

Perform the following steps to register a client application:

  1. Log in to the Identity Server and click the drop-down menu in the upper right corner.

  2. Click Administer OAuth Apps > Register New Clients > Client Configuration.

  3. Specify the following details:

    Client Name: Specify the name of the client.

    Client Type: Select whether this is a web-based or a native/desktop client.

    Redirect URIs: Specify the URIs to which the Identity Server redirects the browser with the authorization code (authorization code flow) or with the tokens (implicit flow). Register the exact callback URIs the client uses; the redirect_uri in an authorization request must match a registered value.

    For web-based applications, specify each redirect URI in this format: https://client.example.org/callback

    For native/desktop applications, specify each redirect URI in one of the following formats:

    https://www.namacme.in/

    or

    x-com.acme.sample://www.namacme.in/

    NOTE: The redirect URI urn:ietf:wg:oauth:2.0:oob is not supported for the implicit and the hybrid flows.

    Grants Required: Select the grant types required for this client. Available grant types include Authorization Code (default), Implicit, Resource Owner Credentials, SAML 2 Assertion, and Client Credentials. Enable only the grants the client actually uses.

    Token Types: Select the token types that the authorization server returns to this client. Supported types are Code, ID Token, Refresh Token, and Access Token.

    Refresh Token: Select Always Issue New Token to have the Identity Server return a new refresh token on every refresh token request (refresh token rotation) instead of returning the same one.

  4. (Conditional) If you have selected ID Token in Token Types under Client Configuration, then click OpenID Connect Configuration and configure the following settings:

    JSON Web Key Set URI: Specify the URI of the JSON document containing the client's JSON Web Keys (JWKS). The Identity Server uses the public keys published there when it must encrypt a response, such as an encrypted ID token, for this client.

    ID Token Signed Response Algorithm: Specify the algorithm with which the Identity Server signs the ID token.

    This is a mandatory field for issuing an ID token.

    NOTE: By default, ID tokens are not signed. If you select the None option, the ID token is sent unsigned, and the client has no way to verify that it was issued by the Identity Server or that it was not modified in transit. Select None only if the client receives the ID token directly from the token endpoint over TLS (authorization code flow) and can trust that channel; never use it for the implicit or hybrid flows, where the token passes through the browser.

    ID Token Encrypted Response Algorithm: Specify the JWE key-management algorithm (alg) used to encrypt the content encryption key for the ID token.

    ID Token Encrypted Response Enc: Specify the JWE content encryption algorithm (enc) used to encrypt the ID token payload.

  5. Click Token Configuration.

    Use this option to specify the format of the access and refresh tokens and, where a specific client application needs a different timeout from the one in the global settings, client-specific timeout durations.

    To specify the required token configuration, use the following settings:

    • Authorization Code Timeout: Specify the duration after which the authorization code expires. Keep this short; a code is meant to be redeemed once, immediately after the redirect.

    • Access Token and ID Token Timeout: Specify the duration after which the access token and the ID token expire.

    • Refresh Token Timeout: Specify the duration after which the refresh token expires.

    • Access Token and Refresh Token Format: JWT is recommended, but you can select any of the following options based on your requirements:

      • Default: Select this option to use the format that the Access Manager administrator has set globally for this Identity Server (authorization server). If the administrator changes the global format, this client receives tokens in the changed format.

        For example, if you select this option and the administrator has set the format to binary, you receive binary tokens. If the administrator later changes the format to JWT, you receive JWT tokens.

      • Binary: Select this option if you require opaque tokens in binary format. The token format then stays binary even when the administrator changes the format in the global settings of the Identity Server (authorization server).

        Binary is recommended only for an existing client application that cannot use JWT because the longer JWT value exceeds browser limits on URL or parameter length.

        Binary tokens are always encrypted with Access Manager keys, so neither the client nor a resource server can inspect or validate them locally; to validate a binary token you must call the TokenInfo endpoint (and UserInfo for user attributes).

        If the tokens are in binary format, the following features are unavailable:

        • Allowing a resource server to decrypt and validate the access token locally

        • Revoking a refresh token

      • JWT: Select this option if you require the client application to use tokens in JWT format. The token format then stays JWT even when the administrator changes the format in the global settings of the Identity Server (authorization server).

  6. Click Consent Screen Configuration.

    Specify the following details:

    Client Logo URL: Specify the URL of the logo that you want to display on the consent page.

    Privacy Policy URL: You can define your own privacy policy. Specify the URL of the privacy policy that you want to link from the consent page.

    Terms of Service URL: Specify the URL of the terms of service.

    Contact: Specify the email addresses of the people responsible for this client.

  7. Click Authorized JavaScript origins (CORS) and add the domains. Browser JavaScript served from an origin listed here is allowed to make cross-origin (CORS) requests to the OAuth endpoints on behalf of this client, so list only origins you control. This step is optional.

  8. Click Register Client.
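The registration above decides what a client must check on the ID token it gets back: the signing algorithm selected under ID Token Signed Response Algorithm, the key set it verifies against, and the client identity it was issued to. The following validator is an added example written for this page; it is not code from the product or its documentation. It assumes a client_id, an issuer string and a kid, and it uses HS256 with a constructed symmetric key so that it runs with the Python standard library alone; with an RSA or EC key published at a JWKS URI you would do step 3 with a JOSE library such as PyJWT, everything else stays the same. The point it makes is the one the NOTE in step 4 makes: the client pins the algorithm it registered and never lets the token choose, so an unsigned ("none") token is rejected before any claim is read.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed registration values for this example (not taken from the page):
# the algorithm chosen under "ID Token Signed Response Algorithm", the
# client_id issued to the registered client, and the issuer string that
# the Identity Server places in the iss claim.
REGISTERED_ALG = "HS256"
CLIENT_ID = "web-client-4711"
ISSUER = "https://idp.example.org/nidp/oauth/nam"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set standing in for the document a client fetches from the
# server's key-set URI. A real server publishes RSA/EC public keys; a symmetric
# "oct" key is used here so verification needs only the standard library.
SIGNING_SECRET = b"constructed-example-secret-do-not-reuse"
JWKS = {"keys": [{"kty": "oct", "kid": "2024-key-1", "alg": "HS256",
                  "k": b64url_encode(SIGNING_SECRET)}]}


def mint_id_token(claims: dict, alg: str = "HS256", kid: str = "2024-key-1") -> str:
    """Mint a compact JWS the way the authorization server would (test helper).
    alg="none" yields the unsigned form that the NOTE in step 4 warns about."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, claims)]
    signing_input = ".".join(segs)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(SIGNING_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(ValueError):
    """Raised for any token the client must not accept."""


def validate_id_token(token: str, jwks: dict, nonce: str, now=None,
                      expected_alg: str = REGISTERED_ALG, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, skew: int = 60) -> dict:
    """Verify signature and claims of an ID token; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise IdTokenError("undecodable header or payload") from exc

    # 1. Pin the algorithm to the registered one. Taking alg from the token is
    #    what makes "alg":"none" and key-confusion attacks possible.
    if expected_alg == "none" or header.get("alg") != expected_alg:
        raise IdTokenError(f"alg {header.get('alg')!r} is not the registered {expected_alg!r}")

    # 2. Select the key by kid and make sure it is meant for that algorithm.
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or key.get("alg", expected_alg) != expected_alg:
        raise IdTokenError("no usable key for kid")

    # 3. Verify the MAC in constant time over the exact bytes received.
    expected = hmac.new(b64url_decode(key["k"]), f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise IdTokenError("signature mismatch")

    # 4. Claim checks from OpenID Connect Core section 3.1.3.7.
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise IdTokenError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise IdTokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + skew:
        raise IdTokenError("token expired")
    if claims.get("iat", now) > now + skew:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def demo() -> dict:
    """Mint one valid token with constructed claims and return the accepted claims."""
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "iat": 1700000000, "exp": 1700000300, "nonce": "n-0S6_WzA2Mj"}
    return validate_id_token(mint_id_token(claims), JWKS, nonce="n-0S6_WzA2Mj", now=1700000100)


if __name__ == "__main__":
    print(demo())
```

The nonce passed to validate_id_token is the value the client generated and bound to the user's session before sending the authorization request; it is what ties the returned ID token to that request. The skew argument is the only clock tolerance; do not widen it to paper over a mis-set server clock.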

For trademark and copyright information, see Legal Notice.