Configuring OAuth 2.0 bearer credentials

Open Authorization (OAuth) 2.0 is an open-standard authorization protocol that shares authorization tokens between services or applications so that a client can access resources on a user's behalf. In the Open Authorization Configuration dialog you can configure two OAuth 2.0 authentication flows: Client Credentials Grant and Password Credentials Grant.

If you configure OAuth 2.0 authentication, then OpenText DAST will use the retrieved token for the entire scan. The token will be refreshed if it expires.

To configure OAuth 2.0 authentication in the Open Authorization Configuration dialog:

  1. In the OAuth flows list, select a flow. Options are Client Credentials Grant and Password Credentials Grant.

  2. In the Access Token URL box, type the URL that is used to generate tokens, such as https://<yourDomain>/oauth2/token.

  3. Optionally, if your service supports different scopes (or permissions) for the OAuth flow, double-click the value box for the scope parameter and specify the scope to use.

    Tip: If a parameter is not needed, you can leave its value empty, or select the parameter row and press the Delete key to remove it.

  4. Provide information that will be included in the authorization request header according to the following table.

    To configure a Client Credentials Grant flow:

    1. Double-click the value box for the client_id parameter and enter the application (client) ID.

    2. Double-click the value box for the client_secret parameter and enter the client secret that you generated for your application in the OAuth provider's registration portal.

    To configure a Password Credentials Grant flow:

    1. Double-click the value box for the username parameter and enter the username.

    2. Double-click the value box for the password parameter and enter the password.

    Tip: Optionally, you can double-click an empty row and add custom parameter names and values. However, be aware of the following restrictions:

    • The grant_type and scope parameter names are reserved and cannot be used in a custom parameter.

    • If the OAuth Flow Type is Client Credentials Grant, then client_credentials, client_id, and client_secret cannot be used in a custom parameter.

    • If the OAuth Flow Type is Password Credentials Grant, then username and password cannot be used in a custom parameter.

  5. By default, OpenText DAST uses Status Code 403 for the logout signature. Optionally, if you use a custom status code, in the Logout Signature box, enter the status code or a regular expression to indicate the logout signature. Use the following syntax:

    [STATUSCODE]<Number>

  6. Optionally, click Test to test access to the server and receipt of a bearer token.

    Note: To view the bearer token or to see any errors, click Show Details in the Test Results dialog. The Expires In value shown in the details indicates how long the token is valid. The token will be refreshed after it has expired.

  7. Click OK.
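The following is an added example, not OpenText DAST's own code, that models what the dialog above configures: the form body a token request carries for each flow (using the standard RFC 6749 grant_type values client_credentials and password), the reserved-parameter rules from the step 4 tip, the [STATUSCODE]<Number> logout signature from step 5, and the expiry/refresh decision from the step 6 note. It assumes the [STATUSCODE] form only (the regular-expression form is not modelled), and the sample values are constructed.

```python
import re
from urllib.parse import urlencode

# Parameter names the dialog reserves (step 4 tip); custom rows may not reuse them.
RESERVED = {"grant_type", "scope"}
FLOW_RESERVED = {
    "client_credentials": {"client_credentials", "client_id", "client_secret"},
    "password": {"username", "password"},
}
# Value boxes each flow requires; they are sent as form fields to the Access Token URL.
FLOW_FIELDS = {"client_credentials": ("client_id", "client_secret"),
               "password": ("username", "password")}

def build_token_request(flow, values, custom=None):
    """Return the x-www-form-urlencoded body a token request for `flow` would carry.
    `values` holds the dialog's parameter boxes; `custom` holds user-added rows."""
    custom = custom or {}
    for name in custom:
        if name in RESERVED or name in FLOW_RESERVED[flow]:
            raise ValueError(f"'{name}' is reserved and cannot be a custom parameter")
    body = {"grant_type": flow}
    for name in FLOW_FIELDS[flow]:
        body[name] = values[name]
    if values.get("scope"):        # an empty scope box is simply omitted (step 3 tip)
        body["scope"] = values["scope"]
    body.update(custom)
    return urlencode(body)

SIGNATURE = re.compile(r"^\[STATUSCODE\](\d{3})$")

def parse_logout_signature(text="[STATUSCODE]403"):
    """Parse the [STATUSCODE]<Number> form from step 5; 403 is the documented default."""
    m = SIGNATURE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported logout signature: {text!r}")
    return int(m.group(1))

def token_needs_refresh(issued_at, expires_in, now, last_status, logout_status=403):
    """True when the bearer token has passed its Expires In window (step 6 note) or the
    application answered with the logout-signature status, so a fresh token is needed."""
    return now >= issued_at + expires_in or last_status == logout_status

if __name__ == "__main__":
    body = build_token_request("client_credentials",
                               {"client_id": "app-123", "client_secret": "s3cret", "scope": "read"})
    print(body)  # grant_type=client_credentials&client_id=app-123&client_secret=s3cret&scope=read
    print(token_needs_refresh(issued_at=0, expires_in=3600, now=3700, last_status=200))  # True
```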