Custom OAuth2 Client
This topic covers how to add the custom OAuth2 Client application to the Identity Administration portal and describes the available configuration fields and options.
PKCE with custom OAuth2 Client applications
The OAuth2 custom application template supports the Proof Key for Code Exchange (PKCE) when configuring public applications, such as mobile apps or single-page apps, where the client secret is not secure. The PKCE OAuth2 flow for public applications requires that you do not use a client secret when configuring the application template. The steps for configuring the PKCE authorization code flow are similar to the regular authentication flow except for the use of
code_challenge parameters instead of the client secret in the authorization request. The following details the authorization flow for PKCE configurations:
The client application sends an authorization request with the
code_challengeto the authorization server.
The authorization server acknowledges receiving the
code_challengeand sends a code to the client application.
The client application sends a token request along with the code and the
The authorization server validates the
code_challengeit already received and then issues the access token so the user can log in to the application.
To configure the custom OAuth2 template for a PKCE flow, you need to configure the Client ID type in the Identity Administration portal > Apps > Web App > General Usage page for List (instead of Confidential).
For more information on PKCE, see https://tools.ietf.org/html/rfc7636.
To add and configure a custom OAuth 2.0 client
On the Custom tab, next to the OAuth2 Client application, click Add.
In the Add Web App screen, click Yes to add the application.
The Identity Administration portal adds the application.
Click Close to exit the Application Catalog.
The application that you just added opens to the Settings page.
On the Settings page, complete the following fields:
On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:
On the Tokens page, complete the following fields:
On the Scope page, add any desired scopes and select from the following options:
Scope Description User must confirm authorization request
Select this option if you want to the user to confirm the authorization request before receiving a token.
Allow scope selection
Select this to give users the option of choosing from the scopes that you added.
The scopes are categorized into the following two types:
Used to define the scopes to access APIs.
Custom claims scope
Used to define the scopes to retrieve custom claims which are part of ID Token.
You can use a regular expression (regex) to define scopes. To add a scope for all APIs, enter .* as the REST Regex value. For example, use
/UserMgmt/.*to match the User Management APIs only.
On the User Access page, select the role(s) that the user must be in, in order to authorize against the server.
(Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.