Custom OAuth2 Client

This topic covers how to add the custom OAuth2 Client application to the Identity Administration portal and describes the available configuration fields and options.

PKCE with custom OAuth2 Client applications

The OAuth2 custom application template supports the Proof Key for Code Exchange (PKCE) when configuring public applications, such as mobile apps or single-page apps, where the client secret is not secure. The PKCE OAuth2 flow for public applications requires that you do not use a client secret when configuring the application template. The steps for configuring the PKCE authorization code flow are similar to the regular authentication flow except for the use of code_verifier and code_challenge parameters instead of the client secret in the authorization request. The following details the authorization flow for PKCE configurations:

  • The client application sends an authorization request with the code_challenge to the authorization server.

  • The authorization server acknowledges receiving the code_challenge and sends a code to the client application.

  • The client application sends a token request along with the code and the code_verifier.

  • The authorization server validates the code_verifier with the code_challenge it already received and then issues the access token so the user can log in to the application.

To configure the custom OAuth2 template for a PKCE flow, you need to configure the Client ID type in the Identity Administration portal > Apps > Web App > General Usage page for List (instead of Confidential).

For more information on PKCE, see https://tools.ietf.org/html/rfc7636.

To add and configure a custom OAuth 2.0 client

  1. On the Custom tab, next to the OAuth2 Client application, click Add.

  2. In the Add Web App screen, click Yes to add the application.

    The Identity Administration portal adds the application.

  3. Click Close to exit the Application Catalog.

    The application that you just added opens to the Settings page.

  4. On the Settings page, complete the following fields:

  5. On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:

  6. On the Tokens page, complete the following fields:

  7. On the Scope page, add any desired scopes and select from the following options:

    Scope Description
    User must confirm authorization request

    Select this option if you want to the user to confirm the authorization request before receiving a token.

    Allow scope selection

    Select this to give users the option of choosing from the scopes that you added.

    The scopes are categorized into the following two types:

    Scope Description

    API scope

    Used to define the scopes to access APIs.

    Custom claims scope

    Used to define the scopes to retrieve custom claims which are part of ID Token.

    You can use a regular expression (regex) to define scopes. To add a scope for all APIs, enter .* as the REST Regex value. For example, use /UserMgmt/.* to match the User Management APIs only.

  8. On the User Access page, select the role(s) that the user must be in, in order to authorize against the server.

  9. (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

  10. Click Save.