Registering OAuth Client Applications

Perform the following steps to register a client application:

  1. Log in to Identity Server and click the drop-down menu in the upper right corner.

  2. Click Administer OAuth Apps > Register New Client > Client Configuration.

  3. Specify the following details:

    • Client Name: Specify the name of the client.

    • Client Type: Select whether this is a web-based or a desktop (native) client. The client type determines which redirect URI formats are accepted.

      For web-based applications, redirect URIs use the https scheme, for example: https://client.example.org/callback

      For native/desktop applications, redirect URIs use either an https URL or a custom scheme registered by the application, for example:

      https://www.namacme.in/

      or

      x-com.acme.sample://www.namacme.in/

    • Login Redirect URIs: Specify the URIs to which Identity Server redirects the browser with the authorization code (authorization code flow) or with the tokens (implicit flow).

      NOTE: The redirect URI urn:ietf:wg:oauth:2.0:oob is not supported for the implicit and the hybrid flows.

    • Grants Required: Select the grant types required for this client. Available grant types are Authorization Code (default), Implicit, Resource Owner Credentials, SAML 2.0 Assertion, and Client Credentials. Select only the grants the client actually uses.

    • Token Types: Select the token types that the authorization server returns to this client. Supported types are Code, ID Token, Refresh Token, and Access Token.

    • Refresh Token: Select Always Issue New Token to issue a new refresh token on every refresh token request (refresh token rotation).

  4. (Conditional) If you have selected ID Token in Token Types under Client Configuration, then click OpenID Connect Configuration and configure the following settings:

    • JSON Web Key Set URI: Specify the URI of the JSON document containing the client's JSON Web Key Set (JWKS).

    • ID Token Signed Response Algorithm: Specify the JWS algorithm used to sign the ID token. This field is mandatory for issuing an ID token.

      NOTE: ID tokens are not signed by default. If you select None, the ID token is issued unsigned and the client cannot verify who issued it or whether it was modified in transit. Select None only if the client receives the ID token over a channel whose integrity it already trusts, for example directly from the token endpoint over TLS in the authorization code flow. An unsigned ID token is not acceptable in the implicit or hybrid flows, where the token passes through the browser.

    • ID Token Encrypted Response Algorithm: Specify the JWE key management algorithm (alg) used to encrypt the content encryption key for the ID token.

    • ID Token Encrypted Response Enc: Specify the JWE content encryption algorithm (enc) used to encrypt the ID token payload.

  5. Click Token Configuration.

    Use this option to specify the token format for access and refresh tokens, and to set timeouts for this specific client application instead of using the durations configured in the global settings.

    To specify the required token configuration, use the following settings:

    • Authorization Code Timeout: Specify the duration after which the authorization code will expire.

    • Access Token and ID Token Timeout: Specify the duration after which the access and the ID token will expire.

    • Refresh Token Timeout: Specify the duration after which the refresh token will expire.

    • Access Token and Refresh Token Format: It is recommended to select the JWT token, but you can select any of the following options based on your requirement:

      • Default: Select this option if you want to use the format that the Access Manager administrator has set globally for a specific Identity Server (Authorization server). If the administrator changes the format globally, you will receive the tokens in the changed format.

        For example, if you select this option and if the administrator has set the format as binary, you will receive the tokens in the binary format. Now, if the administrator changes the format to JWT, you will receive the tokens in JWT format.

      • Binary: Select this option if you require the tokens in binary format. When you select this option, the token format is always binary, even when the administrator changes the format in the global settings of Identity Server (authorization server).

        The Binary option is recommended only if you have an existing client application that cannot use JWT because of browser limits on the length of URL parameter values.

        Binary tokens are always encrypted using Access Manager keys, so a client or resource server cannot inspect them. To validate a binary token you must call the UserInfo and TokenInfo endpoints.

        If the tokens are in binary format, the following features are unavailable:

        • Allowing the resource server to decrypt and validate the access token locally

        • Revoking a refresh token

      • JWT: Select this option if you require the client application to use tokens in JWT format. When you select this option, the token format will always be JWT even when the administrator changes the format in the global settings of Identity Server (authorization server).
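The following is an added example (not Access Manager code) showing what the settings in steps 4 and 5 mean for the party that receives a token: a JWT-format ID token or access token can be verified locally against the client's JWK Set, but only if the verifier pins the signing algorithm registered as the ID Token Signed Response Algorithm and rejects alg none outright, and only a JWT token can be handled this way at all (a binary token has to go to TokenInfo). The example uses HS256 with an "oct" JWK so that it runs with the Python standard library only; with a real JSON Web Key Set URI the keys would be fetched over HTTPS and an RS256 or ES256 signature verified with a crypto library. The issuer URL, client_id, key ID, secret and token claims are all constructed for the demo.

```python
"""Verify a JWT (ID token or JWT-format access token) against a JWK Set.

Added example, not product code. HS256 with an "oct" JWK is used only so the
example runs with the standard library; issuer, client_id, kid and secret are
made-up values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com/nidp/oauth/nam"   # assumed issuer value
CLIENT_ID = "demo-client"                           # assumed client_id
ALLOWED_ALGS = {"HS256"}   # the algorithm registered for this client; never "none"

# Constructed JWK Set, in the shape a JSON Web Key Set URI would serve.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(b"demo-secret-0123456789abcdef").rstrip(b"=").decode()}]}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def find_key(jwks: dict, kid: str) -> bytes:
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return b64url_decode(key["k"])
    raise ValueError(f"no key with kid={kid!r} in JWKS")


def verify_jwt(token: str, jwks: dict = JWKS, now: float = None) -> dict:
    """Return the claims if the signature and the standard claims check out, else raise."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected three segments)")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm before trusting anything else in the token: this is what
    # defeats "alg": "none" and algorithm-confusion tokens.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {alg!r}")
    key = find_key(jwks, header.get("kid"))
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def mint_token(claims: dict, alg: str = "HS256", kid: str = "k1") -> str:
    """Demo-only helper that produces tokens the way an authorization server would."""
    header = b64url_encode(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."          # unsigned token: empty signature segment
    sig = hmac.new(find_key(JWKS, kid), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def demo() -> dict:
    """Run the verifier over one good token and three that must be rejected."""
    now = 1_700_000_000
    good = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "u1", "iat": now, "exp": now + 300})
    results = {"good": verify_jwt(good, now=now)["sub"]}
    bad = {
        "alg_none": mint_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300}, alg="none"),
        "expired": mint_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now - 1}),
        "wrong_aud": mint_token({"iss": ISSUER, "aud": "other", "exp": now + 300}),
    }
    for name, tok in bad.items():
        try:
            verify_jwt(tok, now=now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the algorithm is compared against the registered value before the key is looked up or the payload is parsed, so a token carrying "alg": "none" never reaches the claim checks. A binary-format token from step 5 cannot be processed by this code at all; it is opaque ciphertext under Access Manager keys and must be sent to TokenInfo instead.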

  6. Click Logout Configuration.

    Specify the following options:

    • Front Channel Logout URI: Specify the client application logout URL that Identity Server will use to trigger logout at the client application.

    • Enable Session Token: When you enable this option, Identity Server appends the session ID and issuer query parameters to the client application's logout URL.

      This session ID is a correlation ID that the client application uses to identify the user session established at Identity Server. It is not the Identity Server user session ID itself.

    • Logout Redirect URIs: (Applicable only for the Relying Party initiated logout request) Specify the URL to which the user will be redirected after logout. For example, https://client.example.org/logout.

      NOTE: The logout request (end_session) must include the id_token_hint and post_logout_redirect_uri request parameters. If either parameter is missing from the logout request, Identity Server does not redirect the user to the post-logout page.
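The following is an added example (not Access Manager code) that models the URI rules from step 3 and the logout behaviour from step 6 in one place, because both come down to the same checks: a redirect URI must be in a format the client type allows when it is registered, and at run time a redirect_uri or post_logout_redirect_uri is accepted only if it exactly equals a registered value. It also builds the RP-initiated end_session request with the two required parameters, shows the server-side decision of whether to redirect after logout, and builds the front-channel logout URL with the session ID and issuer parameters when Enable Session Token is on. The endpoint path, the client record and the parameter names sid and iss (the standard OpenID Connect Front-Channel Logout names) are assumptions for the demo.

```python
"""Redirect URI checks and logout requests for a registered OAuth client.

Added example, not product code. Endpoint path, client record and the sid/iss
parameter names are assumed for the demo.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://idp.example.com/nidp/oauth/nam"   # assumed issuer value
END_SESSION_ENDPOINT = ISSUER + "/end_session"       # assumed endpoint path
OOB = "urn:ietf:wg:oauth:2.0:oob"

# Constructed registration record mirroring the Client Configuration and
# Logout Configuration fields from the steps above.
CLIENT = {
    "client_id": "demo-client",
    "client_type": "native",                      # "web" or "native"
    "login_redirect_uris": ["x-com.acme.sample://www.namacme.in/", "https://www.namacme.in/"],
    "logout_redirect_uris": ["https://www.namacme.in/logout"],
    "front_channel_logout_uri": "https://www.namacme.in/fc-logout",
    "enable_session_token": True,
}


def valid_registered_uri(uri: str, client_type: str, flow: str = "authorization_code") -> bool:
    """Registration-time format check.

    Web clients may register absolute https URLs only; native clients may also
    register a custom scheme such as x-com.acme.sample://. The oob URI is not
    allowed for the implicit and hybrid flows. Fragments are never allowed in a
    redirect URI (RFC 6749 section 3.1.2).
    """
    if uri == OOB:
        return flow not in ("implicit", "hybrid")
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    if client_type == "web":
        return parts.scheme == "https"
    return parts.scheme == "https" or parts.scheme not in ("http", "https")


def redirect_uri_matches(uri: str, registered: list) -> bool:
    """Run-time check: exact string comparison, no prefix or wildcard matching."""
    return uri in registered


def build_end_session_request(id_token: str, post_logout_redirect_uri: str, state: str = None) -> str:
    """Client side: RP-initiated logout with the two parameters the page requires."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def post_logout_target(end_session_url: str, client: dict = CLIENT):
    """Server side: the URL to redirect to after logout, or None if the request
    lacks a required parameter or names an unregistered Logout Redirect URI."""
    q = parse_qs(urlsplit(end_session_url).query)
    if "id_token_hint" not in q or "post_logout_redirect_uri" not in q:
        return None
    target = q["post_logout_redirect_uri"][0]
    return target if redirect_uri_matches(target, client["logout_redirect_uris"]) else None


def front_channel_logout_url(session_correlation_id: str, client: dict = CLIENT) -> str:
    """Server side: the Front Channel Logout URI, with the session correlation ID
    and issuer appended only when Enable Session Token is selected."""
    url = client["front_channel_logout_uri"]
    if client["enable_session_token"]:
        url += "?" + urlencode({"sid": session_correlation_id, "iss": ISSUER})
    return url


if __name__ == "__main__":
    req = build_end_session_request("<id_token>", "https://www.namacme.in/logout", state="s1")
    print(req)
    print(post_logout_target(req))
    print(front_channel_logout_url("abc123"))
```

The exact-match rule in redirect_uri_matches is the point to keep in mind when registering URIs: a client that redirects to https://www.namacme.in/callback?x=1 needs that full string registered, and a request naming a URI that is merely a prefix or subpath of a registered one is refused. The same comparison protects the post-logout redirect, so a logout request cannot be used to bounce the user to an attacker-chosen site.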

  7. Click Consent Screen Configuration.

    Specify the following details:

    • Client Logo URL: Specify the URL of the logo that you want to include on the consent page.

    • Privacy Policy URL: You can define your own privacy policy. Specify the URL of the privacy policy that you want to include on the consent page.

    • Terms of Service URL: Specify the URL of the terms of service.

    • Contacts: Specify the email addresses of the people responsible for this client.

  8. (Optional) Click Authorized JavaScript origins (CORS) and add the domains. Only the domains configured here can access the restricted resources available on the client application from a browser.

  9. Click Authentication Contract to configure authentication contracts for the client application. This configuration is available in Access Manager 5.0 Service Pack 1 and later.

    When you configure authentication contracts for a client application here, this server-side configuration takes precedence: the ACR value (acr_values) sent in the request is ignored, and the contracts configured here are used for authentication.

    In Available Contract, select contracts that you want to be used for authentication and move these to Satisfy Contract. By default, the first contract in the list is used. For the Resource Owner Credentials flow, if the identity provider does not support that contract, then the next contract in the list is used for authentication.

  10. Click Scope Configuration and select the required scopes for the client application.

    • Scopes: Select the scopes that the client application can use. The client application can use only the scopes specified here; if it requests a scope that is not configured, that scope is ignored and is not included in the issued token.

  11. Click Register Client.