Authorization server configuration
Configure the OAuth 2.0 provider service to expose the OAuth 2.0 endpoints and OAuth 2.0 administration REST endpoints.
- In the AM admin UI, go to Realms > Realm Name > Services, and click Add a Service.
- From the drop-down list, select the OAuth2 Provider service, leave the remaining fields empty, and click Create.
- On the OAuth 2.0 provider page, select the Advanced tab.
- Configure the Grant Types that clients will be able to use to request access, refresh, and ID tokens.
Grant types reference:
- Implicit
- SAML2
- Refresh Token
- Resource Owner Password Credentials
- Client Credentials
- Device Code
- Authorization Code
- Back Channel Request
- UMA
- JWT Bearer
- Token Exchange
Configure Persistent Claims
Persistence lets you retain custom claims when you refresh an access token.
- In the Persistent Claims field, enter the claims that must be persisted between tokens. When an access token is refreshed, any claims that are listed here will be on the new token.
- These claims are added before the access token modification script, allowing you to manipulate them in the modification script. For example, if a token has a claim called hostname that you want to be persisted when the token is refreshed, you could add that claim to the Persistent Claims list. You could then modify the script to persist that hostname in the new token, if it exists, or to add a hostname to the new token, if it does not exist.
- Only custom, non-standard claims can be persisted. Standard claims such as scope (defined in the OAuth2 specification) and auditTrackingId (defined by default in AM) cannot be persisted.
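The refresh-time rule described above, as an added example in plain JavaScript (this is not ForgeRock AM code and not an AM access token modification script; in AM the equivalent logic would live in that script). It goes slightly beyond the hostname case: any claim named in the Persistent Claims list is carried over, a table of defaults supplies values for persisted claims the old token lacked, and entries that name a standard claim are rejected up front. The `NON_PERSISTABLE` set holds only the two standard claim names the text gives; the validation step, the function names and the sample token are this example's own.

```javascript
// Added example (not ForgeRock AM code): a plain-JavaScript model of the
// refresh-time rule for Persistent Claims. Claims named in the list are
// carried from the old access token to the refreshed one; defaults fill in
// persisted claims the old token did not carry (the "add a hostname" case).

// Standard claims the text says cannot be persisted. The two names come from
// the page (scope from the OAuth2 specification, auditTrackingId from AM);
// the check itself is this example's, not AM's.
const NON_PERSISTABLE = new Set(["scope", "auditTrackingId"]);

// Reject configuration that names a standard claim, so a misconfiguration is
// caught when the list is read rather than silently dropped at refresh time.
function validatePersistentClaims(names) {
  const rejected = names.filter((n) => NON_PERSISTABLE.has(n));
  if (rejected.length > 0) {
    throw new Error(`standard claims cannot be persisted: ${rejected.join(", ")}`);
  }
  return names;
}

// Compute the custom claims to set on the refreshed token.
//   oldClaims        - claims on the access token being refreshed
//   persistentClaims - the Persistent Claims list from the provider config
//   defaults         - values to add for persisted claims the old token lacked
// Returns a new object; nothing outside the persistent list is carried over.
function claimsForRefreshedToken(oldClaims, persistentClaims, defaults = {}) {
  const carried = {};
  for (const name of validatePersistentClaims(persistentClaims)) {
    if (Object.prototype.hasOwnProperty.call(oldClaims, name)) {
      carried[name] = oldClaims[name];
    }
  }
  // The worked case from the text: keep hostname if present, otherwise add one.
  for (const name of validatePersistentClaims(Object.keys(defaults))) {
    if (!(name in carried)) {
      carried[name] = defaults[name];
    }
  }
  return carried;
}

// Constructed sample token: custom hostname and tenant claims beside standard
// scope and auditTrackingId claims, which this path must never carry over.
const sampleOldToken = {
  scope: "profile email",
  hostname: "app01.example.test",
  tenant: "acme",
  auditTrackingId: "00000000-0000-0000-0000-000000000000",
};
console.log(claimsForRefreshedToken(sampleOldToken, ["hostname", "tenant"], { hostname: "unknown" }));
```

Run with `node`; the printed object contains only hostname and tenant. Passing `["scope"]` as the persistent list throws, which is the behaviour you want from a configuration check: a standard claim in the list is an error, not a no-op.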
For other configuration options, see Additional configuration.
Additional configuration
The OAuth 2.0 provider is highly configurable:
- To configure the OAuth 2.0 provider in the AM admin UI, go to Realms > Realm Name > Services, and select OAuth2 Provider.
- To adjust global OAuth 2.0 provider defaults, go to Configure > Global Services, and click OAuth2 Provider.
See the OAuth2 Provider reference section for details on each of the fields in the provider.
Task | Resources
---|---
Configure the authorization server to issue refresh tokens. Learn why refresh tokens are useful in your environment, how to configure AM to issue them, and how to request them. |
Adjust the lifetimes of tokens and codes. If necessary, adjust the lifetimes for authorization codes (a lifetime of 10 minutes or less is recommended in RFC 6749), access tokens, and refresh tokens. Configure them on the Core tab of the provider. | N/A
Configure the OAuth 2.0 service to provide scopes dynamically. The OAuth 2.0 provider can leverage the AM Authorization service to grant or deny scopes dynamically. |
Decide how scopes appear in the consent pages. To change how scopes appear, configure the Client Registration Scope Allowlist field on the Advanced tab of the OAuth 2.0 provider. Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description. For example: |
Decide how to manage consent. You can: |
Configure a remote consent server. This is useful, for example, when your environment must hand off the consent-gathering part of the OAuth 2.0 flows to a separate service. |
Configure client-side tokens. Configure client-side tokens so that resource servers can directly introspect the tokens without making a call to AM. |
Configure OpenID Connect-specific options. UMA providers also use these options. |
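The "scope" or "scope|locale|description" entry format from the "Decide how scopes appear in the consent pages" row, as an added example (not ForgeRock AM code): a parser for the allowlist entries and a lookup that resolves the text a consent page would show for a requested locale. The sample entries are constructed; the fallback chain (exact locale, then language, then the bare scope name) and the rule that a scope absent from the allowlist resolves to null are this example's design choices, not a description of how AM itself renders consent pages.

```javascript
// Added example (not ForgeRock AM code): parse Client Registration Scope
// Allowlist entries of the form "scope" or "scope|locale|description" and
// resolve the consent-page text for a requested locale.

// Constructed sample allowlist, as an administrator might enter it in the
// AM admin UI. A plain scope string has no localized description.
const SAMPLE_ALLOWLIST = [
  "openid",
  "profile|en|Read your basic profile",
  "profile|fr|Lire votre profil de base",
  "email|en|Read your email address",
];

// Parse one entry. Returns { scope, locale, description }, with locale and
// description null for a plain scope string. Any pipes after the second stay
// inside the description, so "a|en|b|c" keeps "b|c" as the description.
function parseScopeEntry(entry) {
  const parts = entry.split("|");
  if (parts.length === 1) {
    if (parts[0] === "") throw new Error("empty scope entry");
    return { scope: parts[0], locale: null, description: null };
  }
  if (parts.length < 3 || parts[0] === "" || parts[1] === "") {
    throw new Error(`malformed scope entry: ${JSON.stringify(entry)}`);
  }
  return { scope: parts[0], locale: parts[1], description: parts.slice(2).join("|") };
}

// Build a lookup: scope -> Map(locale -> description). A plain scope string
// registers the scope with an empty locale map.
function buildScopeTable(entries) {
  const table = new Map();
  for (const entry of entries) {
    const { scope, locale, description } = parseScopeEntry(entry);
    if (!table.has(scope)) table.set(scope, new Map());
    if (locale !== null) table.get(scope).set(locale, description);
  }
  return table;
}

// Resolve what a consent page would show for a scope. Falls back from the
// exact locale ("fr-CA") to its language ("fr"), then to the scope name.
// Returns null when the scope is not in the allowlist at all, so a caller
// can refuse an unknown scope instead of displaying it.
function describeScope(table, scope, locale) {
  const locales = table.get(scope);
  if (locales === undefined) return null;
  const language = locale.split("-")[0];
  return locales.get(locale) ?? locales.get(language) ?? scope;
}

const scopeTable = buildScopeTable(SAMPLE_ALLOWLIST);
for (const requested of ["profile", "openid", "admin"]) {
  console.log(requested, "->", describeScope(scopeTable, requested, "fr-CA"));
}
```

Run with `node`: "profile" resolves through the "fr" entry, "openid" falls back to its own name because it was entered as a plain string, and "admin" is null because it is not in the allowlist. Rejecting malformed entries at parse time, rather than skipping them, keeps a typo in the allowlist from silently leaving a scope without a description.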