OAuth 2.0 Application

The OAuth 2.0 protocol connection is built on the OAuth 2.0 framework (http://tools.ietf.org/html/rfc6749), which is used for both authentication and authorization. It supports the Implicit and Code flows and can be used as an OpenID Connect connection. The configuration settings offered by this Protocol Connection type are:

  • Client ID: Unique ID of a client - required.
  • Client secret: Secret code - required.
  • Redirect URIs: A set of URIs that Identify allows users to be redirected to after successful authentication - required.
  • Application name: Name of the application - required.
  • Application logo URL: URL to a logo file of the application - optional.
  • Set the audience field of tokens which are issued for the application: URL to identify the recipient that the JWT is intended for - required.
  • Allow implicit flow: Enable to allow the implicit flow for this connection.
  • Allow code flow: Enable to allow the code flow for this connection. Must be checked to use this connection as an OpenID Connect Protocol Connection.
  • Allow client credentials flow: Enable to allow the client credentials flow for this connection.
  • Allow password flow: Enable to allow the password flow for this connection.
  • Allow device pairing: Enable to allow the device flow for this connection.
  • Allow HTTP redirect: Enable to allow Identify to respond to HTTP redirection for this connection.
  • Client's registered jwks which are used for verifying client_assertion (a.k.a. jwks): The client's JSON Web Key Set (RFC 7517) document value, which contains the client's public keys - optional. (jwks_uri and jwks MUST NOT be used together, as the specification requires.)
  • A client's URI from which Safewhere Identify can fetch its jwks that is used for verifying client_assertion (a.k.a. jwks_uri): URL referencing the client's JSON Web Key (JWK) Set (RFC 7517) document, which contains the client's public keys - optional. (jwks_uri and jwks MUST NOT be used together, as the specification requires.)
  • Token endpoint authentication method: Specifies which Client Authentication method the client uses to authenticate to the Authorization Server at the Token Endpoint. Value can be: ClientSecretBasic, ClientSecretPost, PrivateKeyJwt - required. (For backward compatibility, the value NotSpecifiedYet is set on OAuth 2.0 connections that were created before version 5.6.)
  • Sector identifier uri: URL using the HTTPS scheme to be used in calculating Pseudonymous Identifiers by the OP. It references a file with a single JSON array of redirect_uri values - optional.
  • Subject Type: Defines the subject_type requested for responses to the Client. Values can be: Public, Pairwise - optional. (The default value is Public. You can visit our topic on this to see how it works.)
  • Subject identifier hash salt: A string used in the salting of hashes for returning specific sub claims when the subject type is Pairwise - optional. (For backward compatibility, a random salt value is applied to OAuth 2.0 connections that were created before version 5.6 when you open the connection and save it.)
  • Use as OpenID Connect: Enable to use this connection as an OpenID Connect connection. When this option is enabled, users can see the claim sets on the consent page.
  • JWS algorithm: The algorithm used for JWT access tokens. Values can be: RSASigning, HMACSymmetric.
  • Symmetric signing key: Hex-encoded key used to sign JWT when HMAC JWS is chosen.
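As an added example (not Identify's own code), here is how a resource server can verify an access token issued under the HMACSymmetric JWS algorithm, using the hex-encoded symmetric signing key and the audience configured on the connection. The key, claims and audience URL are constructed for illustration, and sign_hs256 is a toy issuer used only to build the sample token.

```python
# Added example: verifying an HS256 access token with the connection's
# hex-encoded "Symmetric signing key". Key, claims and audience are constructed.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def load_symmetric_key(hex_key: str) -> bytes:
    # Identify's generator offers 32-, 48- or 64-byte keys; reject anything else.
    key = bytes.fromhex(hex_key)
    if len(key) not in (32, 48, 64):
        raise ValueError("symmetric signing key must be 32, 48 or 64 bytes")
    return key


def sign_hs256(claims: dict, key: bytes) -> str:
    # Toy issuer, used only to build a sample token for the verifier below.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, audience and expiry all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token header must never select "none" or another family.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```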

Encryption Certificate settings:

  • Find value: The value of the attribute that is used to identify the certificate, e.g. its subject or thumbprint.
  • Find type: Specifies which certificate attribute will be used to identify the certificate. A common way to locate a certificate is to search for its subject's distinguished name or its thumbprint. The authentication connection will use the first certificate that matches the specified search criteria. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
  • Get certificates button: Allows the user to select a new certificate.
  • Store location: The location of the certificate store to use. Possible values are: CurrentUser, LocalMachine.
  • Store name: Specifies which certificate store the certificate is placed in. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.

Other settings for this connection:

  • Token security mode: Currently only signing is supported.
  • Token life time (minutes): How many minutes before the token expires.
  • Allow refresh token: Whether access tokens will be issued with refresh tokens.
  • Refresh token life time (minutes): How many minutes before the refresh token expires.
  • OpenID Connect logout redirect URL: Redirect URL after successful SLO - required.
  • Open auto-generated HMAC button: Used to generate the HMAC symmetric signing key; the key can be 32, 48 or 64 bytes. The user can then either copy the key and paste it into the configuration, or check the appropriate checkbox and click Select key to apply it.

  • User claims placement: Specifies whether user claims are returned with the access token or with the ID token. More details can be found under the User claims placement setting.

Additional related settings on system setup:

  • Allowed CORS Origins Domains:
    From version 5.4, Identify OAuth 2.0 supports CORS, which allows it to handle requests coming from a cross-domain site. That means a single-page application (SPA) can now obtain a token from Identify OAuth 2.0 using the implicit flow. More details about this setting can be read on the system setup page.

Identify also supports a "Discovery document", a JSON document found at a well-known location containing key-value pairs that describe the OpenID Connect provider's configuration. The Discovery document for the OpenID Connect service may be retrieved from https://identifydomain/runtime/oauth2/.well-known/openid-configuration, or you can get the link from the help page:

(Screenshot: oauth-discovery-endpoint)