Defining Global Settings

The Global Settings enable you to specify the default OAuth and OpenID Connect settings for the authorization server, such as issuer URL, token types, and grants.

  1. Click Devices > Identity Server > Edit > OAuth & OpenID Connect > Global Settings.

  2. The following options are available:

    Field / Description

    Issuer

    Specify the name of the authorization server. This value is issued as the iss claim of every ID token, and relying parties compare it against the issuer they were configured to trust, so it must match exactly (scheme, host and path) what clients expect.

    Authorization Grant LDAP Attribute

    Specify a binary or a stream (for eDirectory) attribute that exists in the user store. For example, nidsOAuthGrant.

    The super administrator must have write access to the specified Authorization Grant LDAP Attribute. This attribute stores user consent and refresh token information. Identity Server updates it when it performs the following actions:

    • Issues a refresh token

    • Revokes an issued refresh token

    • Records user consent information

    For information about creating the attribute in the user store, see Extending a User Store for OAuth 2.0 Authorization Grant Information.

    NOTE: This is a mandatory field. The attribute stores refresh token information, which is later read to check whether a JWT token has been revoked. Ensure that no other application uses this attribute.

    CORS Domains

    Select any one of the following options based on the requirement:

    • None: To deny cross-origin requests from every domain other than the one that served the resource. Here, the resource means browser-side code such as the JavaScript of the client application.

    • Allow All: To allow access for requests from any domains.

    • Limit to: To allow requests only from the selected domains. Specify each domain as scheme://host:port. Omit the port when it is 80 or 443, because browsers also omit these default ports from the Origin header.

    Examples: beem://www.test.com:port, fb://app.local.url:port, https://namapp.com:port

    NOTE: Access Manager still issues an access token when the request does not come from a listed domain. The domain check is applied on the following endpoints:

    • UserInfo

    • TokenInfo

    • Revocation

    • Token Introspect

    A request to these endpoints from a domain that is not listed fails validation, so the access token cannot be used from that domain.

    Access-Control-Allow-Credentials Header

    Select this option to allow the Access Manager CORS filter to send the Access-Control-Allow-Credentials header with the response. Browsers do not accept Access-Control-Allow-Credentials: true together with Access-Control-Allow-Origin: *, so if you need credentialed cross-origin requests, prefer Limit to with explicit origins over Allow All.
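    The following added example (not Access Manager's own code) shows the three CORS Domains choices and the credentials header as one decision function. It normalizes origins the way the page asks you to configure them (default ports 80 and 443 omitted) so that a configured https://namapp.com matches a browser Origin of https://namapp.com:443, and it refuses to pair a wildcard with credentials. The mode names, the origin list and the echo-the-origin handling of Allow All with credentials are assumptions of the example; the page does not state what the Access Manager filter sends in that case.

```python
from urllib.parse import urlsplit

# Default ports that browsers omit from the Origin header and that the
# Global Settings page says you must not include in "Limit to" entries.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return scheme://host[:port] in canonical form, or raise ValueError."""
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        raise ValueError("not an origin: %r" % origin)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()          # hostname is already lowercased
    port = parts.port                      # raises ValueError on a bad port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None                        # https://x:443 and https://x are the same origin
    return "%s://%s" % (scheme, host) + (":%d" % port if port is not None else "")


def cors_headers(mode, allowed_origins, request_origin, allow_credentials=False):
    """Decide the CORS response headers for one request.

    mode is "none", "allow_all" or "limit_to" (the three Global Settings choices,
    names assumed for this example).  Returns a dict of headers to add when the
    origin is acceptable ({} for a same-origin request without an Origin header)
    and None when the request must be refused.
    """
    if request_origin is None:
        return {}                          # not a cross-origin request: nothing to add
    if mode == "none":
        return None
    if mode == "allow_all":
        if allow_credentials:
            # The Fetch specification forbids "*" together with credentials, so a
            # credentialed allow-all has to echo the caller's origin (assumption).
            return {"Access-Control-Allow-Origin": normalize_origin(request_origin),
                    "Access-Control-Allow-Credentials": "true",
                    "Vary": "Origin"}
        return {"Access-Control-Allow-Origin": "*"}
    if mode == "limit_to":
        allowed = {normalize_origin(o) for o in allowed_origins}
        try:
            origin = normalize_origin(request_origin)
        except ValueError:
            return None                    # garbage Origin header: refuse
        if origin not in allowed:
            return None
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    raise ValueError("unknown mode %r" % mode)
```

    A "Limit to" entry with a non-default port (for example beem://www.test.com:9000) only matches an Origin that carries the same port; https://namapp.com does not match https://namapp.com:8443 or http://namapp.com, because scheme, host and port together make up the origin.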

    Grant Type(s)

    Select the types of grants that the authorization server will support. Based on the grant types you select, the system selects the corresponding token types by default.

    For more information about grant types, see OAuth Authorization Grant.

    Token Type(s)

    Select the types of tokens that the authorization server will support.

    • ID Token: A security token that contains claims about the authentication of an end user by the authorization server, issued to the relying party.

    • Access Token: Carries the specific scopes and duration of the granted access.

    • Refresh Token: Used to obtain a new access token when the current access token expires or becomes invalid.

    Require Logout Consent

    Use this option when you have configured OIDC front-channel logout for client applications. Enabling this option displays a consent message to users seeking their permission to log out from all logged-in applications. For more information, see OIDC Front-Channel Logout.

    By default, this option is enabled.

    Enable Token Revocation

    Enable this option to allow refresh tokens to be revoked.

    If you do not need to revoke refresh tokens, you can disable this option. When it is disabled, token information is not saved in the Authorization Grant LDAP attribute.

    To revoke a refresh token, the super administrator must have write access to the specified Authorization Grant LDAP Attribute. If you do not want to use this attribute or do not have write access to it, do not select this option.

    NOTE:Revocation of binary tokens is not supported.

    Perform Revocation Check After

    Specify the duration in seconds. Until this much time has passed since the token was issued, Access Manager does not check whether the token has been revoked.

    Use this option if your user store is an LDAP load balancer in front of separate read-only and writable replicas. The Authorization Server reads the user's grant attribute from LDAP to verify a token, and verification fails if the write has not yet been synchronized to the replica that serves the read.

    With this option, the Authorization Server skips the LDAP read for that period and performs only the other required checks (such as signature and expiry). Keep the value no larger than your replication delay: a token revoked inside this window is still accepted until the window ends.
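    The following added example (a constructed model, not Access Manager's own logic) walks through the replication scenario the setting is meant for. A toy grant store makes writes visible on the read replica only after a lag, and the verifier defers the revocation lookup for the configured number of seconds while always enforcing the lifetime check. The outcome strings, the lag model and the decision that an unsynchronized grant is "not found" are assumptions of the example; the page says only that verification fails when the replicas have not synchronized.

```python
class ReplicatedGrantStore:
    """Toy model of the Authorization Grant LDAP attribute behind a load balancer.

    Writes are applied to one replica and become visible on the read replica
    only after `lag_seconds`.  Constructed for illustration only.
    """

    def __init__(self, lag_seconds):
        self.lag = lag_seconds
        self._writes = []          # (time_written, token_id, revoked)

    def record_issue(self, token_id, now):
        self._writes.append((now, token_id, False))

    def record_revoke(self, token_id, now):
        self._writes.append((now, token_id, True))

    def read_replica_state(self, token_id, now):
        """Return 'unknown', 'valid' or 'revoked' as the read replica sees it at `now`."""
        state = "unknown"
        for written_at, tid, revoked in self._writes:
            if tid == token_id and written_at + self.lag <= now:
                state = "revoked" if revoked else "valid"   # later writes win
        return state


def verify_refresh_token(store, token_id, issued_at, now,
                         lifetime_seconds, revocation_check_after):
    """Mirror the two checks the page describes.

    The lifetime check always runs.  The LDAP revocation lookup is skipped until
    `revocation_check_after` seconds have passed since the token was issued
    (the "Perform Revocation Check After" setting).
    """
    if now >= issued_at + lifetime_seconds:
        return "rejected: expired"
    if now - issued_at < revocation_check_after:
        return "accepted: revocation check deferred"
    state = store.read_replica_state(token_id, now)
    if state == "revoked":
        return "rejected: revoked"
    if state == "unknown":
        # The issue write has not reached the read replica yet: this is the
        # spurious failure the delay setting exists to avoid.
        return "rejected: grant not found on replica"
    return "accepted"
```

    Run against a 5 second replication lag, a delay of 0 wrongly rejects a freshly issued token, a delay of 10 seconds accepts it, and a revocation recorded 1 second after issue is not honoured until the 10 second window closes. That last case is the cost of the setting, which is why the value should track the real replication delay rather than be set generously.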

    Logout to revoke tokens

    Select this option to revoke the refresh tokens during logout. By default, this option is disabled.

    Authorization Code Timeout

    Specify the duration in minutes after which the authorization code becomes invalid.

    Access Token and ID Token Timeout

    Specify the duration in minutes after which the access token and ID token become invalid.

    Refresh Token Timeout

    Specify the duration in minutes after which the refresh token becomes invalid.

    Signing Certificate

    Select a signing certificate to sign the tokens. By default, the test-signing certificate is assigned, together with its hashing algorithm details. Because it is a test certificate, assign a production certificate before exposing the authorization server to real clients. Relying parties can retrieve the signing keys from the JSON Web Key Set endpoint.

    You cannot add an external certificate to OAuth because Access Manager Appliance does not have an option to assign certificates to a keystore. Only the certificates available in nam-keystore can be used.
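    The Issuer, the Access Token and ID Token Timeout, and the Signing Certificate together define what a relying party must check on an ID token: signature, iss, aud and exp. The following added example (not Access Manager's or any relying party's code) mints a token with those claims and verifies it, rejecting a wrong issuer, a wrong key or a token past its timeout. In production the verifier fetches the public key from the JSON Web Key Set endpoint and checks an asymmetric signature; to run offline this example substitutes an HMAC-SHA256 key, and the key, issuer URL, client ID and timestamps are all constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(key, issuer, client_id, subject, issued_at, lifetime_minutes):
    """Build an ID token shaped as the Global Settings describe it.

    iss is the configured Issuer; exp is iat plus the Access Token and ID Token
    Timeout (given in minutes, like the setting).  HS256 stands in for the
    server's certificate-based signature so the example runs offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": subject,
              "iat": issued_at, "exp": issued_at + lifetime_minutes * 60}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, key, expected_issuer, client_id, now, leeway=60):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")          # the verifier, not the token, picks the algorithm
    expected_sig = hmac.new(key, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")           # check before trusting any claim
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")         # must equal the configured Issuer exactly
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= claims["exp"] + leeway:
        raise ValueError("token expired")           # ID token timeout reached
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    return claims


def verification_error(token, key, expected_issuer, client_id, now):
    """Return the rejection reason as a string, or None when the token is accepted."""
    try:
        verify_id_token(token, key, expected_issuer, client_id, now)
        return None
    except ValueError as exc:
        return str(exc)
```

    The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the token header, and the issuer comparison is an exact string match, which is why the Issuer field must be set to the value relying parties will be configured with.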

    Contracts for Resource Owner Credentials Authentication

    Select the contracts in Available contracts and move them to Contracts.

    This option lets the administrator configure the Resource Owner Credentials flow to execute specific authentication contracts.

    Authentication contracts are selected in the following order of precedence:

    1. The contracts named in the acr_values request parameter

    2. The contracts selected in this Global Setting

    3. The default contract of Identity Server

    For example, if the request carries no acr_values and no global Resource Owner contracts are selected, only the default authentication contract of Identity Server is executed.

    To select a custom contract for authentication, the custom authentication class must override the cbAuthenticate method. For more information, see the Access Manager 5.0 SDK Guide.

    To configure the contract as a second-factor authentication contract, see Configuring Multi-Factor Authentication for Resource Owner Credentials Grant.

  3. Click OK.