7.4 Configure the OAuth Advanced Settings

Applications > New Application > OAuth Application > Advanced Settings

By default, Single Sign-on enables all of the OAuth grant types. The OAuth Advanced Settings allow you to use specific OAuth grant types and define scopes and claims for your OAuth application.

7.4.1 Configure Grant Types

Applications > New Application > OAuth Application > Advanced Settings > Grant Types

By default, Single Sign-on enables all of the OAuth grant types. Enabling any of the advanced settings for grant types disables all of the default grant types and their default settings.

To change the default grant types:

  1. While creating the OAuth application, select Advanced Settings.

  2. Select the appropriate Grant Types for your organization:

    Grant Types > Support Authorization Code

    Enable this option to allow the OAuth application to support the OAuth authorization code grant type. When you enable this option, specify an Authorization Code Timeout in seconds.

    Grant Types > Support Implicit

    Enable this option to allow the OAuth application to support the OAuth authorization implicit grant type.

    Grant Types > Support Client Credentials

    Enable this option to allow the OAuth application to support OAuth client credentials grant type.

    Grant Types > Support Resource Owner Credentials

    Enable this option to allow the OAuth application to support OAuth authorization resource owner credentials grant type. This option is disabled by default.

    IMPORTANT: When you enable this grant type, Single Sign-on disables the Support Authorization Code and Support Implicit grant types because this grant type only allows non-browser authorizations. For example, this option enables APIs to request authorizations.

  3. Use the following information to define the options for the different grant types:

    Options > Enable OpenID Connect

    Enable this option to allow Single Sign-on to implement OpenID Connect, which is a single sign-on protocol, on top of the OAuth authorization process. It allows client applications to verify the identity of a user based on the authentication performed by Single Sign-on. It also allows client applications to obtain a user’s basic profile information.

    Options > Enable Public Client

    Enable this option to allow Single Sign-on to authorize public OAuth clients without requiring a token. By default, Single Sign-on always enables Proof Key for Code Exchange (PKCE) for all public clients. If you also enable Require PKCE for confidential clients, both public and confidential clients use PKCE.

    NOTE: If you enable Public Client, Single Sign-on removes the client secret. Public clients do not have a client secret.

    Options > Require PKCE

    By default, Single Sign-on enables Proof Key for Code Exchange (PKCE) for all clients. You can disable PKCE for the confidential clients, but Single Sign-on keeps it enabled for the public clients.

    Options > Enable All Claims in Token ID

    Enable this option to allow Single Sign-on to accept all OpenID Connect claims that have a specific token ID.

    Options > Enable Token Revocation

    Enable this option to allow clients to notify the authorization server that they no longer need a previously obtained refresh or access token. This option allows the authorization server to clean up security credentials. A revocation request invalidates the actual token and, if applicable, other tokens based on the same authorization grant.

    Options > Enable Token Sharing

    Enable this option to allow Single Sign-on to support OAuth clients that share a token.

    Options > Enable Session Token Revocation

    Enable this option to allow Single Sign-on to revoke session tokens. When you enable this option, specify a Session Token Revocation Timeout in seconds. The default value is 30 seconds.

    Options > Disable RFC 9068 Tokens

    Enable this option if you do not want to use JSON Web Tokens (JWT). RFC 9068 defines the JWT profile for OAuth tokens.

    Options > Allow Token Reuse

    Enable this option if you want to allow users to apply the one-time password (OTP) multiple times during authentication. This option is applicable for Email OTP, SMS OTP, and Voice OTP methods.

    OTP is an authentication method you configure to use in chains.

    Options > Rotate Refresh Tokens

    Enable this option to refresh the access token on behalf of the user without requiring interaction from the user.

  4. Set the appropriate global timeout values for the grant types you selected:

    Timeout > Access Token Timeout

    Specify the length of time in seconds after which the access token expires. The access token includes the granted scopes, and this option sets how long that granted access remains valid. The default value is 30 seconds.

    Timeout > Refresh Token Timeout

    Specify the length of time in seconds after which the refresh token expires. The default value is 30 seconds.

    Timeout > Public Refresh Token Timeout

    Specify the length of time in seconds after which the public refresh token expires. The default value is 30 seconds.

  5. (Optional) Select Scopes or Claims to continue configuring the OAuth Advanced Settings.

  6. (Optional) Select Done to leave the Advanced Settings, then select Save to save the changes.
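The Enable Public Client and Require PKCE options above control whether an authorization code can be redeemed without a code_verifier. The following Python example is added here to show what that setting means on the wire; it is not code from the product or its documentation. It follows RFC 7636: the client derives an S256 code_challenge from a random code_verifier, the authorization server stores the challenge with the issued code, and at redemption it recomputes the challenge from the presented verifier. The server class, its method names, and the 60-second code timeout are illustrative assumptions; the known-answer pair in the test is the one published in RFC 7636.

```python
# Added example, not product code: PKCE (RFC 7636) as enforced by an
# authorization server that, like the settings above, always requires PKCE
# for public clients and optionally for confidential clients.
import base64
import hashlib
import hmac
import secrets
import time

# Authorization Code Timeout in seconds (constructed value; the page gives
# no default for it).
AUTHORIZATION_CODE_TIMEOUT = 60


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier of 43..128 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal server-side bookkeeping for PKCE-bound authorization codes (hypothetical)."""

    def __init__(self, require_pkce_for_confidential: bool,
                 code_timeout: int = AUTHORIZATION_CODE_TIMEOUT):
        self.require_pkce_for_confidential = require_pkce_for_confidential
        self.code_timeout = code_timeout
        self._codes = {}  # code -> (client_id, is_public, code_challenge, issued_at)

    def issue_code(self, client_id, is_public, code_challenge=None,
                   method="S256", now=None):
        """Authorization endpoint: bind the challenge to a fresh single-use code."""
        # Public clients always use PKCE; confidential clients only when required.
        pkce_required = is_public or self.require_pkce_for_confidential
        if pkce_required and not code_challenge:
            raise ValueError("code_challenge is required for this client")
        if code_challenge and method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(24))
        issued_at = time.time() if now is None else now
        self._codes[code] = (client_id, is_public, code_challenge, issued_at)
        return code

    def redeem_code(self, code, client_id, code_verifier=None, now=None):
        """Token endpoint: True only if the code is fresh, unused, bound to this
        client, and the verifier reproduces the stored challenge."""
        entry = self._codes.pop(code, None)  # pop enforces single use
        if entry is None:
            return False
        stored_client, _is_public, challenge, issued_at = entry
        if stored_client != client_id:
            return False
        current = time.time() if now is None else now
        if current - issued_at > self.code_timeout:
            return False
        if challenge is None:
            return True  # PKCE was not required for this code
        if not code_verifier or not 43 <= len(code_verifier) <= 128:
            return False
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected, challenge)
```

The comparison is constant-time and the stored code is removed before any check runs, so a replayed code fails even when the verifier is correct; an expired code fails regardless of the verifier, which is the behaviour the Authorization Code Timeout setting buys you.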

7.4.2 Configure Scopes

Applications > New Application > OAuth Application > Advanced Settings > Scopes

The OAuth 2.0 RFC defines scope as a request parameter, understood by both the OAuth client and the authorization service, that limits the scope of the access token issued. Scopes allow you to limit the authorizations the OAuth application provides.

OpenID Connect requires one scope and provides additional optional scopes that you can use. If you enable OpenID Connect as an option for the grant types, Single Sign-on displays all of the OpenID Connect scopes.

NOTE: You cannot edit or delete the OpenID Connect scopes. You can view the claims defined in the scopes.

The OpenID Connect scopes are:

  • OpenID - mandatory

  • Profile

  • Email

  • Address

  • Phone

When you select an OpenID Connect scope, Single Sign-on displays the attributes defined for the scope.

To view scopes or create a custom scope:

  1. To view the details of a scope, select the name of the scope.

  2. To create a custom scope, select the plus sign.

    1. Use the following information to create the custom scope:

      Name

      Specify a name for the scope. The scope names appear at the top of this page.

      Title

      Specify the title of the screen the users see when presented with messages about the authorization process. For example, if you enabled the Client Credentials grant type, Single Sign-on presents a message asking the user if they want to use their email account for authorization.

      Description

      Specify a detailed description of the scope so that any other administrator can understand what it does.

      Require User Permission

      Select this option if you want to present the user with a dialog box that requires them to select Yes or No to proceed with the authorization process.

      Make Scope Mandatory

      Select this option if you

      Attribute Mappings

      Add the attribute mappings to match the attributes in the local identity repository with the client identity repository.

    2. Select Done.

      NOTE: Single Sign-on does not display the Claims tab when you create a custom scope.

  3. (Optional) Select Done to leave the Advanced Settings, then select Save to save the changes.

After you create the scope and make OAuth calls through the OAuth client, Single Sign-on only sends the selected attributes in the OAuth tokens.

7.4.3 Configure Claims

Applications > New Application > OAuth Application > Advanced Settings > Claims

A claim is part of the OpenID Connect (OIDC) specification. A claim is a piece of information that OIDC asserts about an entity. A claim contains name/value pairs that contain information about entities (users, APIs, and so forth) that are part of the OIDC authentication process. Claims are attributes.

Single Sign-on provides a list of default attribute mappings. You can delete any of the attributes that you do not need. As soon as you change the attributes, Single Sign-on removes the default list and replaces it with your changes.

Make the appropriate changes to the attribute mappings. Single Sign-on shows the attributes from your local identity repository and maps them to the attributes in the OAuth service. You create the attribute mappings so that the OAuth service and Single Sign-on can communicate. Select a local attribute to see additional attributes that are available to select.

(Optional) Change the current attribute mappings to create a new claim:

  1. Select an attribute from your local identity repository to change the current attribute mapping.

  2. Specify an attribute name from the OAuth service.

  3. Select whether to include the attribute in the OAuth Access Token.

  4. Repeat for each required attribute mapping.

  5. (Optional) Select Grant Types or Scopes to review your changes.

  6. (Optional) Select Done to leave the Advanced Settings, then select Save to save the changes.

After you modify or create a claim and make OAuth calls through the OAuth client, Single Sign-on only sends the selected attributes in the OAuth tokens.
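Sections 7.4.2 and 7.4.3 both end with the same statement: once scopes and claim mappings are configured, only the selected attributes reach the tokens. The following Python example is added here to show that relationship as a working model; it is not code from the product or its documentation. The standard OpenID Connect scopes and their claim names are taken from the OpenID Connect Core specification; the custom scope "employee", the local attribute names, the mapping table, and the sample user are constructed for the example, as is the rule that a claim flagged for the access token is copied there while every released claim goes to the ID token.

```python
# Added example, not product code: how scope selection and claim mappings
# decide which local attributes are released, and into which token.
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeMapping:
    local_attribute: str            # attribute in the local identity repository
    claim_name: str                 # attribute name on the OAuth/OIDC side
    in_access_token: bool = False   # "include the attribute in the OAuth Access Token"


# Standard OpenID Connect scopes (not editable in the product) and their claims.
OIDC_SCOPE_CLAIMS = {
    "openid": ("sub",),
    "profile": ("name", "given_name", "family_name", "preferred_username"),
    "email": ("email", "email_verified"),
    "address": ("address",),
    "phone": ("phone_number", "phone_number_verified"),
}

# A custom scope and the claims it releases (constructed).
CUSTOM_SCOPE_CLAIMS = {"employee": ("department",)}

# Claim mappings as they might be set under Advanced Settings > Claims (constructed).
CLAIM_MAPPINGS = [
    AttributeMapping("uid", "sub", in_access_token=True),
    AttributeMapping("cn", "name"),
    AttributeMapping("givenName", "given_name"),
    AttributeMapping("sn", "family_name"),
    AttributeMapping("uid", "preferred_username"),
    AttributeMapping("mail", "email"),
    AttributeMapping("telephoneNumber", "phone_number"),
    AttributeMapping("departmentNumber", "department", in_access_token=True),
]

# Sample user record from the local identity repository (constructed).
SAMPLE_USER = {
    "uid": "jdoe",
    "cn": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jdoe@example.com",
    "telephoneNumber": "+1-555-0100",
    "departmentNumber": "4711",
    "employeeNumber": "0042",   # never mapped, so it must never be released
}


def parse_scope(scope_param: str) -> list:
    """Split the space-delimited scope parameter and reject unknown scopes.
    The openid scope is mandatory, as the product's scope list states."""
    requested = scope_param.split()
    known = {**OIDC_SCOPE_CLAIMS, **CUSTOM_SCOPE_CLAIMS}
    unknown = [s for s in requested if s not in known]
    if unknown:
        raise ValueError(f"unknown scope(s): {unknown}")
    if "openid" not in requested:
        raise ValueError("the openid scope is mandatory")
    return requested


def build_tokens(scope_param: str, user: dict) -> tuple:
    """Return (id_token_claims, access_token_claims) for the granted scopes.
    A claim is released only if some granted scope carries it AND a mapping
    exists for it AND the user has the mapped local attribute."""
    scopes = parse_scope(scope_param)
    claims_by_scope = {**OIDC_SCOPE_CLAIMS, **CUSTOM_SCOPE_CLAIMS}
    released = {claim for s in scopes for claim in claims_by_scope[s]}
    id_claims = {}
    access_claims = {"scope": " ".join(scopes)}
    for m in CLAIM_MAPPINGS:
        if m.claim_name not in released or m.local_attribute not in user:
            continue
        id_claims[m.claim_name] = user[m.local_attribute]
        if m.in_access_token:
            access_claims[m.claim_name] = user[m.local_attribute]
    return id_claims, access_claims


if __name__ == "__main__":
    print(build_tokens("openid email", SAMPLE_USER))
    print(build_tokens("openid profile employee", SAMPLE_USER))
```

Two points the model makes visible: a claim that is carried by a granted scope but has no mapping (email_verified here) is simply absent, and an attribute with no mapping at all (employeeNumber) cannot leak whatever scopes are requested. Deleting an entry from the Claims list therefore removes that attribute from every token, which is the practical effect of the default-list replacement described in 7.4.3.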