OAuth 2.0 Application

The OAuth 2.0 protocol connection is built on the OAuth 2.0 authorization framework (http://tools.ietf.org/html/rfc6749). OAuth 2.0 on its own only delegates authorization; when the connection is used as an OpenID Connect connection it also authenticates the end user and issues identity claims. It supports the implicit and authorization code flows (plus the client credentials, resource owner password and device flows listed below) and can be used as an OpenID Connect connection.

The configuration settings offered by this Protocol Connection type are:

  • Client ID: unique ID of the client - required.
  • Client secret: the shared secret the client uses to authenticate itself to Identify - required.
  • Redirect URL: the URL the user is redirected to after successful authentication - required. Authorization codes and implicit-flow tokens are delivered to this URL, so register the exact URL the client uses.
  • Application name: name of the application - required.
  • Application logo URL: URL to a logo file of the application - optional.
  • Set the audience field of tokens which are issued for the application: controls the audience (aud) claim of the tokens issued for this application.
  • Allow implicit flow: enable to allow the implicit flow for this connection.
  • Allow code flow: enable to allow the authorization code flow for this connection. Must be checked to use this connection as an OpenID Connect protocol connection.
  • Allow client credentials flow: enable to allow the client credentials flow for this connection.
  • Allow password flow: enable to allow the resource owner password credentials flow for this connection.
  • Allow device pairing: enable to allow the device flow for this connection.
  • Allow HTTP redirect: enable to allow Identify to respond to HTTP redirection for this connection.
  • Use as OpenID Connect: enable to use this connection as an OpenID Connect connection. When this option is enabled, the user can see the claim sets on the consent page.
  • JWS algorithm: the algorithm used to sign JWT access tokens. Values can be: RSASigning, HMACSymmetric.
  • Symmetric signing key: hex-encoded key used to sign JWTs when HMAC JWS is chosen. Anyone holding this key can mint valid tokens, so share it only with the resource servers that verify tokens; choose RSASigning when verifiers should not be able to issue tokens themselves.
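The following Python check is added here as an illustration and is not Identify's own matching logic: it shows why the registered Redirect URL should be the exact URL the client uses. The exact-match and https-or-loopback rules are the recommendations of RFC 6749 section 3.1.2 and the OAuth 2.0 Security Best Current Practice, not a description of how Identify compares the setting; the sample URIs and the `allow_http_loopback` switch are constructed for the example.

```python
# Added example, not Safewhere Identify's own matching logic: check a redirect_uri from an
# authorization request against the registered "Redirect URL". Exact comparison and the
# https-or-loopback rule follow RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP.
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # urlsplit().hostname strips the IPv6 brackets


def redirect_allowed(requested: str, registered: str, allow_http_loopback: bool = True) -> bool:
    """True only if `requested` is byte-for-byte the registered URL and is safe to send
    an authorization code or token to."""
    if requested != registered:
        return False  # no prefix, wildcard or substring matching: that invites open redirects
    parts = urlsplit(requested)
    if parts.fragment or not parts.netloc:
        return False  # RFC 6749 3.1.2: no fragment component; a host is mandatory
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        # Plain http only for native apps listening on loopback (assumed policy switch).
        return allow_http_loopback and parts.hostname in LOOPBACK
    return False


# Constructed sample requests against one registered URL, including URIs that a
# prefix or substring match would wrongly accept.
REGISTERED = "https://app.example.com/oauth/callback"
SAMPLES = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback/../redirect?to=https://evil.example",
    "https://app.example.com.evil.example/oauth/callback",
    "https://app.example.com/oauth/callback#token",
    "http://app.example.com/oauth/callback",
]


def audit(samples=SAMPLES, registered=REGISTERED):
    """Return the subset of sample URIs that pass the check."""
    return [u for u in samples if redirect_allowed(u, registered)]


if __name__ == "__main__":
    for uri in SAMPLES:
        print("ALLOW " if redirect_allowed(uri, REGISTERED) else "REJECT", uri)
```

Only the first sample survives; the traversal, look-alike host, fragment and plain-http variants are all rejected by the exact comparison before any scheme logic runs.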

Encryption Certificate settings:

  • Find value: the value of the attribute that is used to identify the certificate, e.g. its subject or thumbprint.
  • Find type: specifies which certificate attribute will be used to identify the certificate. A common way to locate a certificate is to search for its subject's distinguished name or its thumbprint. The connection will use the first certificate that matches the specified search criteria, so prefer FindByThumbprint when several certificates in the store share a subject; a name-based search may pick up an old or expired certificate. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
  • Get certificates button: allows the user to select a new certificate.
  • Store location: the location of the certificate store to use. Possible values are: CurrentUser, LocalMachine.
  • Store name: specifies which certificate store the certificate is placed in. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.

Other settings for this connection:

  • Token security mode: based on our developers' research, Microsoft's JWT handler only supports SigningOnly.
  • Token life time (minutes): number of minutes before the access token expires.
  • Allow refresh token: whether access tokens are issued together with refresh tokens.
  • Refresh token life time (minutes): number of minutes before the refresh token expires.
  • OpenID Connect logout redirect URL: URL to redirect to after successful single logout (SLO) - required.
  • Open auto-generated HMAC button: generates an HMAC symmetric signing key of 32, 48 or 64 bytes (these match the minimum key sizes RFC 7518 requires for HS256, HS384 and HS512 respectively). The user can either copy the key and paste it into the configuration, or tick the appropriate checkbox and click Select key to apply it.
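As an added example that is not code from Identify or from this page, the following Python script shows what the "Symmetric signing key", audience and "Token life time" settings amount to on the wire and what a resource server has to verify: the key is hex-decoded, the JWT is HMAC-signed, and the verifier pins the algorithm, compares the signature in constant time, then checks the exp and aud claims. The claim names, the key-size table and the hypothetical audience URL are assumptions for the illustration; the script uses only the standard library.

```python
# Added example, not Safewhere Identify's own code: mint and verify an HMAC-signed JWT
# access token with a hex-encoded symmetric key, mirroring the "Symmetric signing key",
# audience and "Token life time" settings. Standard library only.
import base64
import hashlib
import hmac
import json
import secrets
import time

# JWS "alg" -> (hash, minimum key bytes). RFC 7518 s3.2 requires a key at least as long
# as the hash output, which is why a generator would offer 32, 48 and 64 bytes.
ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48), "HS512": (hashlib.sha512, 64)}


def generate_hex_key(length: int = 32) -> str:
    """Random key of 32, 48 or 64 bytes, hex-encoded like the configuration field expects."""
    if length not in (32, 48, 64):
        raise ValueError("key length must be 32, 48 or 64 bytes")
    return secrets.token_hex(length)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(hex_key, alg, audience, lifetime_minutes, subject="alice", now=None):
    """Issue a token the way an issuer would: aud from the audience setting,
    exp from 'Token life time (minutes)'. Claim names are the standard JWT ones (assumed)."""
    digest, min_len = ALGS[alg]
    key = bytes.fromhex(hex_key)
    if len(key) < min_len:
        raise ValueError(f"{alg} needs at least {min_len} key bytes, got {len(key)}")
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + 60 * lifetime_minutes}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), digest).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, hex_key, expected_alg, expected_aud, now=None):
    """Resource-server check; returns the claims or raises ValueError. The algorithm is
    pinned by the verifier rather than read from the header, so a header rewritten to
    'none' or to an RSA alg cannot bypass the HMAC check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    digest, _ = ALGS[expected_alg]
    expected_sig = hmac.new(bytes.fromhex(hex_key), f"{h_b64}.{c_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != expected_aud:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")
    return claims


def check(token, hex_key, alg, aud, now=None):
    """Convenience wrapper: ('ok', claims) or ('rejected', reason)."""
    try:
        return "ok", verify_token(token, hex_key, alg, aud, now)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    key = generate_hex_key(32)
    tok = mint_token(key, "HS256", "https://api.example.com", lifetime_minutes=60)
    print(check(tok, key, "HS256", "https://api.example.com"))
    print(check(tok, generate_hex_key(32), "HS256", "https://api.example.com"))  # wrong key
    print(check(tok, key, "HS256", "https://other.example.com"))                # wrong audience
```

The audience check is what makes the "Set the audience field" setting matter: a token minted for one application is rejected by every other resource server even though all of them may share the same symmetric key.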


Additional related settings in system setup:

  • Allowed CORS Origins Domains: since version 5.4, Identify's OAuth 2.0 endpoints support CORS, so requests coming from a cross-origin site can be handled. This means a single-page application (SPA) can negotiate a token from Identify OAuth 2.0 using the implicit flow. List only the exact origins of your own applications. Note that the OAuth 2.0 Security Best Current Practice advises against the implicit flow because the access token travels in the URL fragment; prefer the code flow for SPAs where the client supports it. More details about this setting can be read at http://docs.safewhere.com/identify-system-setup/.