Authorization Server Configuration

Configure the OAuth2 Provider Service to expose the OAuth 2.0 Endpoints and OAuth 2.0 Administration and Supporting REST Endpoints.

  1. In the AM Admin UI, go to Realms > Realm Name > Services, and click Add a Service.

  2. From the drop-down list, select the OAuth2 Provider service, leave the remaining fields empty, and click Create.

  3. On the OAuth 2.0 provider page, select the Advanced tab.

  4. Configure the Grant Types that clients will be able to use to request access, refresh, and ID tokens. Enable only the grant types your clients actually need: the Implicit and Resource Owner Password Credentials grants are discouraged by the OAuth 2.0 Security Best Current Practice, so leave them disabled unless a legacy client depends on them.

    Grant Types Reference
    Implicit
    SAML2
    Refresh Token
    Resource Owner Password Credentials
    Client Credentials
    Device Code
    Authorization Code
    Back Channel Request
    UMA
    JWT Bearer
    Token Exchange

  5. Configure Persistent Claims

    Persistence lets you retain custom claims when you refresh an access token.

    In the Persistent Claims field, enter the names of the claims to carry over between tokens. When an access token is refreshed, each listed claim that is present on the original token is copied to the new one.

    • AM copies the persisted claims before it runs the access token modification script, so the script can inspect or change them. For example, to keep a custom hostname claim across refreshes, add hostname to the Persistent Claims list; the script can then leave the persisted value in place when it is present, or set one when it is not.

    • Only custom, non-standard claims can be persisted. Standard claims such as scope (defined in the OAuth 2.0 specification) and auditTrackingId (added by AM by default) cannot be persisted.
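The following is an added example of the modification-script logic described in step 5; it is not the script that ships with AM. It assumes the `accessToken` binding that the AM scripting engine provides, with `getField(name)` and `setField(name, value)` methods; the claim name `hostname`, the fallback value, and the `fakeToken` stand-in used to run it outside AM are all constructed for this example.

```javascript
// Added example: an access token modification script that handles the persistent
// "hostname" claim from step 5. This is not the script that ships with AM.
// Assumptions (labelled): the script runs with the `accessToken` binding the AM
// scripting engine provides, exposing getField(name) and setField(name, value);
// the claim name "hostname" and the fallback value are illustrative.

var HOSTNAME_CLAIM = "hostname";
var DEFAULT_HOSTNAME = "rs.example.com"; // illustrative fallback, not an AM default

// Make sure the token being issued carries the claim:
//  - on a refresh, the Persistent Claims list has already copied it onto the new
//    token before this script runs, so the existing value is kept;
//  - on first issuance (or if the claim was never set) a fallback is added.
// Returns the value that ends up on the token so the outcome can be checked.
function ensureHostnameClaim(token, fallback) {
  var existing = token.getField(HOSTNAME_CLAIM);
  if (existing !== null && existing !== undefined && existing !== "") {
    return existing;
  }
  token.setField(HOSTNAME_CLAIM, fallback);
  return fallback;
}

// Constructed stand-in for the accessToken binding so the logic runs outside AM.
// Only the two methods the script uses are modelled.
function fakeToken(initialFields) {
  var fields = {};
  for (var k in initialFields) {
    if (Object.prototype.hasOwnProperty.call(initialFields, k)) {
      fields[k] = initialFields[k];
    }
  }
  return {
    getField: function (name) {
      return Object.prototype.hasOwnProperty.call(fields, name) ? fields[name] : null;
    },
    setField: function (name, value) { fields[name] = value; },
    // Snapshot of the fields, for inspection after the script has run.
    fields: function () {
      var copy = {};
      for (var f in fields) { copy[f] = fields[f]; }
      return copy;
    }
  };
}

// Inside AM, accessToken is a global provided by the engine; outside AM this
// script falls back to the stand-in so it can be exercised locally.
var token = typeof accessToken !== "undefined" ? accessToken : fakeToken({});
ensureHostnameClaim(token, DEFAULT_HOSTNAME);
```

The script deliberately checks for an empty string as well as a missing field, so a persisted but blank value is replaced rather than carried forward. Because persistence only copies claims that were present on the original token, the first issuance always takes the fallback branch and every refresh thereafter keeps the persisted value.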

  6. For other configuration options, see [oauth2-configuration-options].

Additional Configuration

The OAuth 2.0 provider is highly configurable:

  • To configure the OAuth 2.0 provider in the AM Admin UI, go to Realms > Realm Name > Services, and select OAuth2 Provider.

  • To adjust global OAuth 2.0 provider defaults, go to Configure > Global Services, and click OAuth2 Provider.

See the OAuth2 Provider reference section for details on each of the fields in the provider.

OAuth 2.0 Provider Configuration Options

Configure the authorization server to issue refresh tokens

Learn why refresh tokens are useful in your environment, how to configure AM to issue them, and how to request them.

Adjust the lifetimes of tokens and codes

If necessary, adjust the lifetimes for authorization codes (a lifetime of 10 minutes or less is recommended in RFC 6749), access tokens, and refresh tokens.

Configure them on the Core tab of the provider.

Configure the OAuth 2.0 service to provide scopes dynamically

The OAuth 2.0 provider can leverage the AM Authorization service to grant or deny scopes dynamically.

Decide how scopes appear in the consent pages

To change how scopes appear, configure the Client Registration Scope Whitelist field on the Advanced tab of the OAuth 2.0 provider.

Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description. For example: read|en|Permission to view email messages in your account.
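As an added example, not AM code, the following parses and validates whitelist entries in the pipe-separated form described above and resolves the text to show for a scope and locale. The fallback order it applies (exact locale, then the language part of the locale, then the bare scope name) is an assumption about a sensible consent-page policy, not a description of AM's internal lookup, and the sample whitelist is constructed.

```javascript
// Added example (not AM code): validate Client Registration Scope Whitelist
// entries of the form "scope|locale|description" or a bare "scope", and resolve
// the text to show for a requested scope and locale.
// Assumption (labelled): the fallback order used here (exact locale, then the
// language part of the locale, then the bare scope name) is a sensible policy
// for a consent page; it is not a description of AM's internal lookup.

function parseScopeEntry(entry) {
  var parts = entry.split("|");
  if (parts.length === 1) {
    var bare = parts[0].trim();
    if (!bare) { throw new Error("empty scope entry"); }
    return { scope: bare, locale: null, description: null };
  }
  if (parts.length !== 3) {
    throw new Error("malformed scope entry, expected scope|locale|description: " + entry);
  }
  var scope = parts[0].trim();
  var locale = parts[1].trim();
  var description = parts[2].trim();
  if (!scope || !locale || !description) {
    throw new Error("empty field in scope entry: " + entry);
  }
  return { scope: scope, locale: locale, description: description };
}

// Parse every entry; a single malformed line fails the whole whitelist, which is
// what you want before pasting it into the Advanced tab.
function parseScopeWhitelist(entries) {
  return entries.map(parseScopeEntry);
}

// Pick the description for one scope and a locale such as "en" or "fr-CA".
// Returns null when the scope is not whitelisted at all.
function displayTextForScope(parsed, scope, locale) {
  var candidates = parsed.filter(function (e) { return e.scope === scope; });
  if (candidates.length === 0) { return null; }
  var language = locale.split("-")[0];
  var exact = candidates.filter(function (e) { return e.locale === locale; })[0];
  if (exact) { return exact.description; }
  var byLanguage = candidates.filter(function (e) { return e.locale === language; })[0];
  if (byLanguage) { return byLanguage.description; }
  return scope; // no localized text: fall back to the internal scope name
}

// Constructed sample whitelist, in the form the Advanced tab accepts.
var SAMPLE_WHITELIST = [
  "read|en|Permission to view email messages in your account",
  "read|fr|Autorisation de consulter les messages de votre compte",
  "write|en|Permission to send email from your account",
  "profile"
];
```

Run `parseScopeWhitelist` over the entries you intend to paste: an entry with two fields, or a blank locale or description, is rejected up front instead of producing a consent page that shows resource owners an unexpected string.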

Decide how to manage consent

You can:

  • Allow users to save consent so the OAuth 2.0 provider remembers their consented scopes.

  • Allow clients to skip consent so no consent page is displayed to the resource owners.

  • Allow clients to revoke consent.

Configure a remote consent server

This is useful, for example, when your environment must hand off the consent-gathering part of the OAuth 2.0 flows to a separate service.

Configure the attribute AM uses to retrieve the user profile

This is useful, for example, in cases where the resource owner should log in with their email address instead of with a username.

Configure client-based tokens

Configure client-based tokens so that resource servers can validate them locally, by checking the signature and claims, instead of calling AM's token introspection endpoint.

Configure OpenID-Connect specific options

UMA providers also use these options.

Change the Attribute Used to Retrieve the User Profile

If you use an external identity repository where resource owners log in not with their user ID, but instead with their mail address or some other profile attribute, you must configure AM authentication to allow it.

For example, to configure AM so that OAuth 2.0 resource owners can log in with their email address, stored in the LDAP profile attribute mail, perform the following steps:

  1. On the OAuth2 provider Advanced tab, add the LDAP profile attribute to the User Profile Attribute(s) the Resource Owner is Authenticated On list, and save your changes.

  2. Navigate to Realms > Realm Name > Identity Stores > Identity Store Name > Authentication Configuration.

  3. Set the value of the Authentication Naming Attribute field to the LDAP attribute required.

    For example, mail.

  4. Create an authentication tree containing an LDAP Decision node that authenticates against the identity repository.

    Configure the following fields:

    • In the Attribute Used to Retrieve User Profile field, set the attribute to mail.

    • In the Attributes Used to Search for a User to be Authenticated list, add the mail attribute.

    • Save your changes.

  5. Ensure the resource owners use the authentication mechanism you configured.

    Specify the tree by using one or more of the methods below. AM checks for the configured value in the following order, using the first value found:

    1. For a specific access token REST request (Resource Owner Password Credentials grant).

      Set the auth_chain parameter to the name of the tree to use.

    2. Individually for a realm, overriding the realm-level setting below.

      Navigate to Realms > Realm Name > Services > OAuth2 Provider > Advanced, and set the Password Grant Authentication Service property.

    3. Individually for a realm.

      Navigate to Realms > Realm Name > Authentication > Settings > Core, and set the Organization Authentication Configuration property.

    4. Globally, for all realms.

      Navigate to Configure > Authentication > Core Attributes > Core, and set the Organization Authentication Configuration property.

For more information, see Configuring AM for Authentication.