The Global Settings enable you to specify the default OAuth and OpenID Connect settings for the authorization server, such as issuer URL, token types, and grants.
Click Devices > Identity Server > Edit > OAuth & OpenID Connect > Global Settings.
The following options are available:
| Field | Description |
|---|---|
| Issuer | Specify the name of the authorization server. This name is part of the ID token. |
| Authorization Grant LDAP Attribute | Specify a binary or a stream (for eDirectory) attribute that exists in the user store. For example, nidsOAuthGrant. The super administrator must have write access to the specified Authorization Grant LDAP Attribute. This attribute stores user consent and the refresh token information. This attribute gets updated when Identity Server performs the following actions: For information about creating the attribute in the user store, see Extending a User Store for OAuth 2.0 Authorization Grant Information. NOTE: This is a mandatory field. This attribute stores the refresh token information. This information can be used later for a JWT token to check for revocation. Ensure that no other application uses this attribute. |
| CORS Domains | Select any one of the following options based on the requirement: Examples: beem://www.test.com:port, fb://app.local.url:port, https://namapp.com:port NOTE: Access Manager provides an access token even when the request does not include the listed domain. However, the token is validated on the following endpoints: This invalidates the access token if the request comes from a different domain. |
| Access-Control-Allow-Credentials Header | Select this option to allow the Access Manager CORS filter to send the Access-Control-Allow-Credentials header with the response. |
| Grant Type(s) | Select the types of grants that the authorization server supports. Based on the grant type you select, the corresponding token type is selected by default. For more information about grant types, see OAuth Authorization Grant. |
| Token Type(s) | Select the types of tokens that the authorization server supports. |
| Require Logout Consent | Use this option when you have configured OIDC front-channel logout for client applications. Enabling this option displays a consent message to users seeking their permission to log out from all logged-in applications. For more information, see OIDC Front-Channel Logout. By default, this option is enabled. |
| Enable Token Revocation | Enable this option to revoke refresh tokens. If you do not need to revoke refresh tokens, you can disable this option. When you disable this option, the token information is not saved in the Authorization Grant LDAP Attribute. To revoke a refresh token, the super administrator must have write access to the specified Authorization Grant LDAP Attribute. If you do not want to use this attribute or do not have write access to it, do not select this option. NOTE: Revocation of binary tokens is not supported. |
| Perform Revocation Check After | Specify the duration in seconds. After this duration, Access Manager verifies whether the token is revoked. Use this option if you have configured a user store as an LDAP load balancer that has a read-only and a write-only replica. The Authorization Server reads the user attributes in LDAP for token verification. However, token verification fails if data synchronization across the user store LDAP replicas is delayed. Using this option, you can delay the token verification for a specific time. During this delay period, the Authorization Server does not read the user attribute in LDAP for token verification. However, it still performs the other required checks. |
| Logout to revoke tokens | Select this option to revoke refresh tokens during logout. By default, this option is disabled. |
| Authorization Code Timeout | Specify the duration in minutes after which the authorization code becomes invalid. |
| Access Token and ID Token Timeout | Specify the duration in minutes after which the access token and ID token become invalid. |
| Refresh Token Timeout | Specify the duration in minutes after which the refresh token becomes invalid. |
| Signing Certificate | Select a signing certificate to sign the tokens. By default, the test-signing certificate is assigned, with hashing algorithm details. The signing keys can be retrieved from the JSON Web Key Set endpoint. You cannot add an external certificate to OAuth because Access Manager Appliance does not have an option to assign certificates to a keystore. Only the certificates available in nam-keystore can be used. |
| Contracts for Resource Owner Credentials Authentication | Select the contracts in Available contracts and move them to Contracts. This option allows the administrator to configure the Resource Owner flow to execute specific authentication contracts. The order of authentication contract execution must be as follows: For example, if no acr_values and no global RO authentication contracts are specified, then only the default authentication contract of Identity Server is executed. To select a custom contract for authentication, the custom authentication class must override the cbAuthenticate method. For more information, see the Access Manager 5.0 SDK Guide. To configure the contract as a second-factor authentication contract, see Configuring Multi-Factor Authentication for Resource Owner Credentials Grant. |
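The following is an added Python example (not Access Manager's own code) showing how a resource server can check a token's claims against the Issuer, Access Token and ID Token Timeout, and Perform Revocation Check After settings above. The settings values, the placeholder issuer URL, and the dummy signature segment are all constructed for the demo; verifying the signature against the JSON Web Key Set endpoint is a separate step not shown here.

```python
import base64
import json

# Constructed Global Settings values (assumptions for the demo; the issuer is a placeholder).
SETTINGS = {
    "issuer": "https://idp.example.test",   # Issuer field
    "id_token_timeout_min": 60,             # Access Token and ID Token Timeout (minutes)
    "revocation_check_after_s": 30,         # Perform Revocation Check After (seconds)
    "allowed_algs": {"RS256"},              # algorithm expected from the Signing Certificate
}

def _b64url_decode(part):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims):
    """Build a constructed compact JWT; the signature segment is a dummy here."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])

def parse_token(token):
    """Split a compact JWT into (header, claims); signature checking is done elsewhere."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def check_token(token, now, settings=SETTINGS):
    """Return the list of policy violations for the token at time `now` (epoch seconds)."""
    header, claims = parse_token(token)
    problems = []
    if header.get("alg") not in settings["allowed_algs"]:
        problems.append("alg not allowed")          # rejects alg=none and HMAC downgrades
    if not header.get("kid"):
        problems.append("missing kid")              # needed to select the JWKS key
    if claims.get("iss") != settings["issuer"]:
        problems.append("issuer mismatch")
    if "exp" not in claims or "iat" not in claims:
        problems.append("missing iat/exp")
    elif now >= claims["exp"]:
        problems.append("expired")
    elif claims["exp"] - claims["iat"] > settings["id_token_timeout_min"] * 60:
        problems.append("lifetime longer than configured timeout")
    return problems

def revocation_check_due(token, now, settings=SETTINGS):
    """Mirror 'Perform Revocation Check After': skip the LDAP revocation lookup until
    the configured number of seconds has elapsed since the token was issued."""
    _header, claims = parse_token(token)
    return now - claims["iat"] >= settings["revocation_check_after_s"]
```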
Click OK.