5.14.2 OAuth Keywords and Their Usage in Access Manager




Authorization Server

Access Manager Identity Server is the OAuth authorization server.

Identity Server issues OAuth tokens.

JSON Web Token (JWT)

The JWT token is signed as per JWS (JSON Web Signature) standard and encrypted as per JWE (JSON Web Encryption) standard by default.

Access token, refresh token, and ID tokens are in the JWT format.

Access Token

The token contains the attributes, such as scope, claims and duration specified in Access Manager for a resource server.

The access token can be consumed by resource server to validate the token by itself or by sending it to Access Manager. For more information, see Encrypting Access Token.

A client application can request for an access token by using API calls. For details about API requests and response, see NetIQ Access Manager 5.0 Administration API Guide.

Refresh Token

The client applications use this token to obtain a new Access token when the current Access token expires or is no longer valid.

This token can be revoked, which in turn invalidates Access token.

ID Token

This token contains a user’s claims such as identity, email address, and other profile information. This token is signed based on the algorithm that you specify during a client application configuration in Identity Server. It also specifies the issuing authority.

The client application can request for ID token to verify the identity of the user.

Client Key and Secret

The authorization server assigns a key and a secret to a client application while registering it.

The client applications can use the client key and secret to identify itself to the authorization server for retrieving the access tokens.

Resource Server

You can add a resource server in Identity Server to define the type of token that Identity Server can send for an OAuth request. For example, if you add a resource server in Identity Server with the details for encrypting the token using resource server keys, then based on the defined settings, Identity Server generates the token.

The client application can request for any scope defined in any of the Identity Server resource servers irrespective of the resource server name mentioned in the request. Identity Server will send the scopes in the token after the user authorizes it (for user attributes).


Scopes decide what resources client applications can access and what actions they can perform on the resources. It can include any user attribute from the user store or any custom claim.

Access Manager can issue only the defined scopes to the client application.

The required attributes or custom claims can be added to access token.

A user can authorize the client application to use the defined scopes.

Authorization Grants

Access Manager supports the following grants:

  • Authorization Code Grant

  • Implicit Grant

  • Resource Owner Credential Grant

  • Client Credential Grant

  • Security Assertion Markup Language (SAML) 2.0 Bearer Grant

The client application can use any of the available grants to request authorization.