Custom OAuth2 Client
This topic covers how to add the custom OAuth2 Client application to the Identity Administration portal and describes the available configuration fields and options.
PKCE with custom OAuth2 Client applications
The OAuth2 custom application template supports the Proof Key for Code Exchange (PKCE) when configuring public applications, such as mobile apps or single-page apps, where the client secret is not secure. The PKCE OAuth2 flow for public applications requires that you do not use a client secret when configuring the application template. The steps for configuring the PKCE authorization code flow are similar to the regular authentication flow except for the use of code_verifier
and code_challenge
parameters instead of the client secret in the authorization request. The following details the authorization flow for PKCE configurations:
-
The client application sends an authorization request with the
code_challenge
to the authorization server. -
The authorization server acknowledges receiving the
code_challenge
and sends a code to the client application. -
The client application sends a token request along with the code and the
code_verifier.
-
The authorization server validates the
code_verifier
with thecode_challenge
it already received and then issues the access token so the user can log in to the application.
To configure the custom OAuth2 template for a PKCE flow, you need to configure the Client ID type in the Identity Administration portal > Apps > Web App > General Usage page for List (instead of Confidential).
For more information on PKCE, see https://tools.ietf.org/html/rfc7636.
To add and configure a custom OAuth 2.0 client
-
On the Custom tab, next to the OAuth2 Client application, click Add.
-
In the Add Web App screen, click Yes to add the application.
The Identity Administration portal adds the application.
-
Click Close to exit the Application Catalog.
The application that you just added opens to the Settings page.
-
On the Settings page, complete the following fields:
Field Description Application ID
A unique key used to build the OAuth2 endpoint URL (URL format is either
tenant.my.idaptive.app/oauth2/introspect/appID
ortenant.id.cyberark.cloud/oauth2/introspect/appID
).Customize Name and Description for each language
Not relevant, as this is not an app that will appear in a user's User Portal.
Application Name
A descriptive name for the application (not seen by users).
Application Description
A description for the application (not seen by users).
Category
Not relevant, as this is not an app that will appear in a user's User Portal.
Logo
You can optionally provide a logo to identify your app.
-
On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:
-
On the Tokens page, complete the following fields:
Field Description Token Type
Specifies the type of token to issue (JwtRS256 or opaque).
JwtRS256 is a JSON Web Token (JWT) composed of Base64 encoded user and claim information. An opaque token contains no information about the user. To obtain user and claim information for an opaque token an introspection URL must be used by passing the token. The format of the introspection URL is either
tenant.my.idaptive.app/oauth2/introspect/appID
ortenant.id.cyberark.cloud/oauth2/introspect/appID
.Auth Methods
Specifies the authentication flow(s) for which the specified token type should be issued.
Token Lifespan
Specifies the token’s lifespan.
Set Token Lifespan to more than 10 minutes. If the Token Lifespan is less than or equal to 10 minutes, some APIs might not work as desired.Issue refresh tokens
When enabled, allows clients to request a refresh token that can be exchanged for a new access token. Not applicable for the Resource Owner or Client Credentials flows.
-
On the Scope page, add any desired scopes and select from the following options:
Scope Description User must confirm authorization request Select this option if you want to the user to confirm the authorization request before receiving a token.
Allow scope selection Select this to give users the option of choosing from the scopes that you added.
The scopes are categorized into the following two types:
Scope Description API scope
Used to define the scopes to access APIs.
Custom claims scope
Used to define the scopes to retrieve custom claims which are part of ID Token.
You can use a regular expression (regex) to define scopes. To add a scope for all APIs, enter .* as the REST Regex value. For example, use
/UserMgmt/.*
to match the User Management APIs only. -
On the Permissions page, select the role(s) that the user must be in, in order to authorize against the server.
-
(Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
-
Click Save.