Select Store > New > Manage OAuth Clients
You select which OAuth client that you want to use when you create the API group to allow the API authorizations to work. After you select the proper OAuth client you must register the OAuth client with the Access Manager Identity Server. When you create the API group, you can register, edit, view, or delete any of the selected OAuth clients.
You manage the OAuth clients for the API group in the Store.
Select Store > New > Manage OAuth Clients > Register New Client
You must register the OAuth client that you selected when creating the API group with the Identity Server in Access Manager. Registering the OAuth client allows the Identity Server to authorize access to the APIs if the calls to the APIs have the proper information about the OAuth client in them.
To register an OAuth client:
(Conditional) If you are creating a new API group, click New.
(Conditional) If you want to register a new client to an existing API group, in the upper right corner of the API group, click Actions, then click Edit.
Click Manage OAuth Clients.
Click Register New Client.
Under Client Configuration, use the following information to configure the OAuth client:
Select Enable Client to allow this OAuth client to authorize requests to the APIs assigned to the group.
Specify the name of the OAuth client that appears in the list of available OAuth clients when you create the API group.
Select Web Based for the client type. Secure API Manager supports only web-based OAuth client applications.
Specify the URI for the client type that the Identity Server uses to send the authorization code and implicit requests. The format for the web-based OAuth client application is:
https://client.example.org/callback
You must select certain options for Secure API Manager to work. You can select more of the available grant types if you need them for your environment. Available grant types are:
Authorization Code - mandatory
Implicit
Resource Owner Credentials - mandatory
Client Credentials - mandatory
SAML 2.0 Assertion
You must select certain tokens that the authorization server uses to send to this client application. The token types are:
Code - mandatory
ID Token
Refresh Token
Access Token - mandatory
Select Always Issue New Token if you want to issue a new refresh token for each refresh token request.
(Conditional) If you selected ID Token in Token Types under Client Configuration, click OpenID Connect Configuration, then configure the following settings:
To encrypt the ID token using the public key of the client application, you must specify the JSON public key URI for the client. The Identity Server requires the public key to retrieve the encryption key for the JSON public key URI. For example:
https://client.example.org/my_public_keys.jwks
Select RS256. This is the algorithm that the Identity Server uses.
WARNING:If you select None, the Identity Server sends the ID token as an unsigned token. Ensure that you select None only if you can trust the integrity of an unsigned ID token.
Select RSA1_5. Ensure that you select the same algorithm that you defined in the specified JSON Web Key Set URI so that the client application can use the private key to decrypt the token.
This field gets automatically populated based on the algorithm selected in ID Token Encrypted Response Algorithm. It should be A128CBC-HS256 for the RSA1_5 algorithm.
(Optional) Click Token Configuration, then configure the settings for the token using the following information:
NOTE:These settings override the global settings for the Identity Server that the Access Manager administrator has defined.
Specify the duration after which the authorization code expires.
Use the default values for the Secure API Manager configuration.
Use the default values for the Secure API Manager configuration.
Select the JWT token format. This is required for Secure API Manager to work.
(Optional) Click Logout Configuration to configure logout options and behaviors for the OAuth client using the following information:
Specify the URL that Identity Server uses to log out a user.
Select this option to send session ID and issue query parameters to the iframe HTML element. OpenID provider monitors the login status of a client application through the iframe HTML element.
Specify the URL where the Identity Server redirects the user after logout. For example, https://client.example.org/logout.
(Optional) Click Consent Screen Configuration to configure any consent information that you want to present to that users.
Specify the URL of the logo that you want to include on the consent page.
Specify the URL of the privacy policy you want to include on the consent page. You can define your privacy policy.
Specify the URL of the terms of service.
Specify the email addresses of the people related to this client application.
(Optional) Click Authorized JavaScript origins (CORS) and add Domains. Domains configured here can access restricted resources available on the client application. Do not specify the port if you are using port 80 or 443. For example:
beem://www.test.com:port, fb://app.local.url:port, https://namapp.com:port
Click OK to register the client with the Identity Server.
You can change the information in the OAuth client at any time for any reason. You access the registered OAuth clients in the API group.
To edit a registered OAuth client:
In the API group that contains the OAuth client, click the menu in the upper right corner, then click Edit.
Click Manage OAuth Client.
On the right side of the registered OAuth client, click Edit.
Make any of the appropriate changes for the OAuth client. The fields are the same ones that you see when you register an OAuth client.
Click OK to save your changes.
You need to access the client ID and client secret of a registered OAuth client to add the calls for the APIs to ensure that the calls can be authorized by the OAuth client through the Identity Server.
To view the details of a registered OAuth client:
In the API group that contains the OAuth client, click the menu in the upper right corner, then click Edit.
Click Manage OAuth Client.
On the right side of the registered OAuth client, click View.
In the top section, you see the Client ID and an option to click to view the Client Secret.
Click OK to close the window.
You can delete any registered OAuth clients from the configuration of any API group.
To delete a registered OAuth client:
In the API group that contains the OAuth client you want to view, click the menu in the upper right corner, then click Edit.
Click Manage OAuth Client.
On the right side of the registered OAuth client, click Delete.
Confirm the deletion.
Click OK to close the window.