3.2 Manage the OAuth Clients

Select Store > New > Manage OAuth Clients

You select which OAuth client that you want to use when you create the API group to allow the API authorizations to work. After you select the proper OAuth client you must register the OAuth client with the Access Manager Identity Server. When you create the API group, you can register, edit, view, or delete any of the selected OAuth clients.

You manage the OAuth clients for the API group in the Store.

3.2.1 Register an OAuth Client

Select Store > New > Manage OAuth Clients > Register New Client

You must register the OAuth client that you selected when creating the API group with the Identity Server in Access Manager. Registering the OAuth client allows the Identity Server to authorize access to the APIs if the calls to the APIs have the proper information about the OAuth client in them.

To register an OAuth client:

  1. (Conditional) If you are creating a new API group, click New.

  2. (Conditional) If you want to register a new client to an existing API group, in the upper right corner of the API group, click Actions, then click Edit.

  3. Click Manage OAuth Clients.

  4. Click Register New Client.

  5. Under Client Configuration, use the following information to configure the OAuth client:

    Enable Client

    Select Enable Client to allow this OAuth client to authorize requests to the APIs assigned to the group.

    Client Name

    Specify the name of the OAuth client that appears in the list of available OAuth clients when you create the API group.

    Client Type

    Select Web Based for the client type. Secure API Manager supports only web-based OAuth client applications.

    Login Redirect URIs

    Specify the URI for the client type that the Identity Server uses to send the authorization code and implicit requests. The format for the web-based OAuth client application is:

    https://client.example.org/callback
    Grants Required

    You must select certain options for Secure API Manager to work. You can select more of the available grant types if you need them for your environment. Available grant types are:

    • Authorization Code - mandatory

    • Implicit

    • Resource Owner Credentials - mandatory

    • Client Credentials - mandatory

    • SAML 2.0 Assertion

    Token Types

    You must select certain tokens that the authorization server uses to send to this client application. The token types are:

    • Code - mandatory

    • ID Token

    • Refresh Token

    • Access Token - mandatory

    Refresh Token

    Select Always Issue New Token if you want to issue a new refresh token for each refresh token request.

  6. (Conditional) If you selected ID Token in Token Types under Client Configuration, click OpenID Connect Configuration, then configure the following settings:

    JSON Web Key Set URI

    To encrypt the ID token using the public key of the client application, you must specify the JSON public key URI for the client. The Identity Server requires the public key to retrieve the encryption key for the JSON public key URI. For example:

    https://client.example.org/my_public_keys.jwks
    ID Token Signed Response Algorithm

    Select RS256. This is the algorithm that the Identity Server uses.

    WARNING:If you select None, the Identity Server sends the ID token as an unsigned token. Ensure that you select None only if you can trust the integrity of an unsigned ID token.

    ID Token Encrypted Response Algorithm

    Select RSA1_5. Ensure that you select the same algorithm that you defined in the specified JSON Web Key Set URI so that the client application can use the private key to decrypt the token.

    ID Token Encrypted Response Enc

    This field gets automatically populated based on the algorithm selected in ID Token Encrypted Response Algorithm. It should be A128CBC-HS256 for the RSA1_5 algorithm.

  7. (Optional) Click Token Configuration, then configure the settings for the token using the following information:

    NOTE:These settings override the global settings for the Identity Server that the Access Manager administrator has defined.

    Authorization Code Timeout

    Specify the duration after which the authorization code expires.

    Access Token and ID Token Timeouts

    Use the default values for the Secure API Manager configuration.

    Refresh Token Timeout

    Use the default values for the Secure API Manager configuration.

    Access Token and Refresh Token Format

    Select the JWT token format. This is required for Secure API Manager to work.

  8. (Optional) Click Logout Configuration to configure logout options and behaviors for the OAuth client using the following information:

    Logout URI

    Specify the URL that Identity Server uses to log out a user.

    Enable Session Token

    Select this option to send session ID and issue query parameters to the iframe HTML element. OpenID provider monitors the login status of a client application through the iframe HTML element.

    Logout Redirect URIs

    Specify the URL where the Identity Server redirects the user after logout. For example, https://client.example.org/logout.

  9. (Optional) Click Consent Screen Configuration to configure any consent information that you want to present to that users.

    Client Logo URL

    Specify the URL of the logo that you want to include on the consent page.

    Privacy Policy

    Specify the URL of the privacy policy you want to include on the consent page. You can define your privacy policy.

    Terms of Service URL

    Specify the URL of the terms of service.

    Contacts

    Specify the email addresses of the people related to this client application.

  10. (Optional) Click Authorized JavaScript origins (CORS) and add Domains. Domains configured here can access restricted resources available on the client application. Do not specify the port if you are using port 80 or 443. For example:

    beem://www.test.com:port, fb://app.local.url:port, https://namapp.com:port
  11. Click OK to register the client with the Identity Server.

3.2.2 Edit a Registered OAuth Client

You can change the information in the OAuth client at any time for any reason. You access the registered OAuth clients in the API group.

To edit a registered OAuth client:

  1. In the API group that contains the OAuth client, click the menu in the upper right corner, then click Edit.

  2. Click Manage OAuth Client.

  3. On the right side of the registered OAuth client, click Edit.

  4. Make any of the appropriate changes for the OAuth client. The fields are the same ones that you see when you register an OAuth client.

  5. Click OK to save your changes.

3.2.3 View an OAuth Client that Contains the Client ID and Client Secret

You need to access the client ID and client secret of a registered OAuth client to add the calls for the APIs to ensure that the calls can be authorized by the OAuth client through the Identity Server.

To view the details of a registered OAuth client:

  1. In the API group that contains the OAuth client, click the menu in the upper right corner, then click Edit.

  2. Click Manage OAuth Client.

  3. On the right side of the registered OAuth client, click View.

  4. In the top section, you see the Client ID and an option to click to view the Client Secret.

  5. Click OK to close the window.

3.2.4 Delete a Registered OAuth Client

You can delete any registered OAuth clients from the configuration of any API group.

To delete a registered OAuth client:

  1. In the API group that contains the OAuth client you want to view, click the menu in the upper right corner, then click Edit.

  2. Click Manage OAuth Client.

  3. On the right side of the registered OAuth client, click Delete.

  4. Confirm the deletion.

  5. Click OK to close the window.