Identity Cloud

/realm-config/agents/OAuth2Client

Invoke this AM-specific endpoint to create, list, and delete OAuth 2.0 clients.

Create an OAuth 2.0 client

This example registers a basic OAuth 2.0 client named myClient in the alpha realm. Provide the SSO token of the tenant administrator as a header, and append the name of the client to the URL:

$ curl \
--request PUT \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--header "<session-cookie-name>: AQIC5wM…​3MTYxOA..*" \
--data '{
   "coreOAuth2ClientConfig":{
      "agentgroup":"",
      "status":{
         "inherited":true,
         "value":"string"
      },
      "userpassword":"forgerock",
      "clientType":{
         "inherited":false,
         "value":"Confidential"
      },
      "redirectionUris":{
         "inherited":false,
         "value":[
            "https://www.example.com:443/callback"
         ]
      },
      "scopes":{
         "inherited":false,
         "value":[
            "write",
            "read"
         ]
      },
      "defaultScopes":{
         "inherited":true,
         "value":[
            "write"
         ]
      },
      "clientName":{
         "inherited":true,
         "value":[
            "My Test Client"
         ]
      }
   },
   "advancedOAuth2ClientConfig":{
      "name":{
         "inherited":false,
         "value":[
            null
         ]
      },
      "grantTypes":{
         "inherited":true,
         "value":[
            "authorization_code",
            "client_credentials"
         ]
      },
      "tokenEndpointAuthMethod":{
         "inherited":true,
         "value":"client_secret_basic"
      }
   }
}' \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
Display output
{
    "_id": "myClient",
    "_rev": "720283894",
    "overrideOAuth2ClientConfig": {
        "issueRefreshToken": true,
        "validateScopePluginType": "PROVIDER",
        "tokenEncryptionEnabled": false,
        "evaluateScopePluginType": "PROVIDER",
        "oidcMayActScript": "[Empty]",
        "oidcClaimsScript": "[Empty]",
        "scopesPolicySet": "oauth2Scopes",
        "accessTokenModificationPluginType": "PROVIDER",
        "authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
        "oidcClaimsPluginType": "PROVIDER",
        "providerOverridesEnabled": false,
        "authorizeEndpointDataProviderScript": "[Empty]",
        "statelessTokensEnabled": false,
        "authorizeEndpointDataProviderPluginType": "PROVIDER",
        "remoteConsentServiceId": null,
        "enableRemoteConsent": false,
        "validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
        "usePolicyEngineForScope": false,
        "evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
        "overrideableOIDCClaims": [],
        "accessTokenMayActScript": "[Empty]",
        "evaluateScopeScript": "[Empty]",
        "clientsCanSkipConsent": false,
        "accessTokenModificationScript": "[Empty]",
        "issueRefreshTokenOnRefreshedToken": true,
        "validateScopeScript": "[Empty]"
    },
    "advancedOAuth2ClientConfig": {
        "logoUri": {
            "inherited": false,
            "value": []
        },
        "subjectType": {
            "inherited": false,
            "value": "public"
        },
        "clientUri": {
            "inherited": false,
            "value": []
        },
        "tokenExchangeAuthLevel": {
            "inherited": false,
            "value": 0
        },
        "responseTypes": {
            "inherited": false,
            "value": [
                "code",
                "token",
                "id_token",
                "code token",
                "token id_token",
                "code id_token",
                "code token id_token",
                "device_code",
                "device_code id_token"
            ]
        },
        "mixUpMitigation": {
            "inherited": false,
            "value": false
        },
        "customProperties": {
            "inherited": false,
            "value": []
        },
        "javascriptOrigins": {
            "inherited": false,
            "value": []
        },
        "policyUri": {
            "inherited": false,
            "value": []
        },
        "softwareVersion": {
            "inherited": false
        },
        "tosURI": {
            "inherited": false,
            "value": []
        },
        "sectorIdentifierUri": {
            "inherited": false
        },
        "tokenEndpointAuthMethod": {
            "inherited": false,
            "value": "client_secret_basic"
        },
        "refreshTokenGracePeriod": {
            "inherited": false,
            "value": 0
        },
        "isConsentImplied": {
            "inherited": false,
            "value": false
        },
        "softwareIdentity": {
            "inherited": false
        },
        "grantTypes": {
            "inherited": false,
            "value": [
                "authorization_code"
            ]
        },
        "require_pushed_authorization_requests": {
            "inherited": false,
            "value": false
        },
        "descriptions": {
            "inherited": false,
            "value": []
        },
        "requestUris": {
            "inherited": false,
            "value": []
        },
        "name": {
            "inherited": false,
            "value": [
                "null"
            ]
        },
        "contacts": {
            "inherited": false,
            "value": []
        },
        "updateAccessToken": {
            "inherited": false
        }
    },
    "signEncOAuth2ClientConfig": {
        "tokenEndpointAuthSigningAlgorithm": {
            "inherited": false,
            "value": "RS256"
        },
        "idTokenEncryptionEnabled": {
            "inherited": false,
            "value": false
        },
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm": {
            "inherited": false,
            "value": "A128CBC-HS256"
        },
        "requestParameterSignedAlg": {
            "inherited": false
        },
        "authorizationResponseSigningAlgorithm": {
            "inherited": false,
            "value": "RS256"
        },
        "clientJwtPublicKey": {
            "inherited": false
        },
        "idTokenPublicEncryptionKey": {
            "inherited": false
        },
        "mTLSSubjectDN": {
            "inherited": false
        },
        "jwkStoreCacheMissCacheTime": {
            "inherited": false,
            "value": 60000
        },
        "jwkSet": {
            "inherited": false
        },
        "idTokenEncryptionMethod": {
            "inherited": false,
            "value": "A128CBC-HS256"
        },
        "jwksUri": {
            "inherited": false
        },
        "tokenIntrospectionEncryptedResponseAlg": {
            "inherited": false,
            "value": "RSA-OAEP-256"
        },
        "authorizationResponseEncryptionMethod": {
            "inherited": false
        },
        "userinfoResponseFormat": {
            "inherited": false,
            "value": "JSON"
        },
        "mTLSCertificateBoundAccessTokens": {
            "inherited": false,
            "value": false
        },
        "publicKeyLocation": {
            "inherited": false,
            "value": "jwks_uri"
        },
        "tokenIntrospectionResponseFormat": {
            "inherited": false,
            "value": "JSON"
        },
        "requestParameterEncryptedEncryptionAlgorithm": {
            "inherited": false,
            "value": "A128CBC-HS256"
        },
        "userinfoSignedResponseAlg": {
            "inherited": false
        },
        "idTokenEncryptionAlgorithm": {
            "inherited": false,
            "value": "RSA-OAEP-256"
        },
        "requestParameterEncryptedAlg": {
            "inherited": false
        },
        "authorizationResponseEncryptionAlgorithm": {
            "inherited": false
        },
        "mTLSTrustedCert": {
            "inherited": false
        },
        "jwksCacheTimeout": {
            "inherited": false,
            "value": 3600000
        },
        "userinfoEncryptedResponseAlg": {
            "inherited": false
        },
        "idTokenSignedResponseAlg": {
            "inherited": false,
            "value": "RS256"
        },
        "tokenIntrospectionSignedResponseAlg": {
            "inherited": false,
            "value": "RS256"
        },
        "userinfoEncryptedResponseEncryptionAlgorithm": {
            "inherited": false,
            "value": "A128CBC-HS256"
        }
    },
    "coreOpenIDClientConfig": {
        "claims": {
            "inherited": false,
            "value": []
        },
        "backchannel_logout_uri": {
            "inherited": false
        },
        "defaultAcrValues": {
            "inherited": false,
            "value": []
        },
        "jwtTokenLifetime": {
            "inherited": false,
            "value": 0
        },
        "defaultMaxAgeEnabled": {
            "inherited": false,
            "value": false
        },
        "clientSessionUri": {
            "inherited": false
        },
        "defaultMaxAge": {
            "inherited": false,
            "value": 600
        },
        "postLogoutRedirectUri": {
            "inherited": false,
            "value": []
        },
        "backchannel_logout_session_required": {
            "inherited": false,
            "value": false
        }
    },
    "coreOAuth2ClientConfig": {
        "userpassword": null,
        "status": {
            "inherited": false,
            "value": "Active"
        },
        "clientName": {
            "inherited": false,
            "value": []
        },
        "clientType": {
            "inherited": false,
            "value": "Confidential"
        },
        "loopbackInterfaceRedirection": {
            "inherited": false,
            "value": false
        },
        "defaultScopes": {
            "inherited": false,
            "value": []
        },
        "refreshTokenLifetime": {
            "inherited": false,
            "value": 0
        },
        "scopes": {
            "inherited": false,
            "value": [
                "write",
                "read"
            ]
        },
        "accessTokenLifetime": {
            "inherited": false,
            "value": 0
        },
        "redirectionUris": {
            "inherited": false,
            "value": [
                "https://www.example.com:443/callback"
            ]
        },
        "authorizationCodeLifetime": {
            "inherited": false,
            "value": 0
        }
    },
    "coreUmaClientConfig": {
        "claimsRedirectionUris": {
            "inherited": false,
            "value": []
        }
    },
    "_type": {
        "_id": "OAuth2Client",
        "name": "OAuth2 Clients",
        "collection": true
    }
}

Query OAuth 2.0 clients

This example lists the OAuth 2.0 clients in the alpha realm. Provide the SSO token of a tenant administrator as a header.

$ curl \
--request GET \
--header "Accept-API-Version: resource=1.0" \
--header "<session-cookie-name>: AQIC5wM…​3MTYxOA..*" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client?_queryFilter=true"
Display output
{
  "result": [
    {
      "_id": "myClient",
      "_rev": "-1788958356",
      "overrideOAuth2ClientConfig": {
        "issueRefreshToken": true,
        "validateScopePluginType": "PROVIDER",
        "tokenEncryptionEnabled": false,
        "evaluateScopePluginType": "PROVIDER",
        "oidcMayActScript": "[Empty]",
        "oidcClaimsScript": "[Empty]",
        "accessTokenModificationPluginType": "PROVIDER",
        "authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
        "oidcClaimsPluginType": "PROVIDER",
        "providerOverridesEnabled": false,
        "authorizeEndpointDataProviderScript": "[Empty]",
        "statelessTokensEnabled": false,
        "authorizeEndpointDataProviderPluginType": "PROVIDER",
        "remoteConsentServiceId": null,
        "enableRemoteConsent": false,
        "validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
        "usePolicyEngineForScope": false,
        "evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
        "overrideableOIDCClaims": [],
        "accessTokenMayActScript": "[Empty]",
        "evaluateScopeScript": "[Empty]",
        "clientsCanSkipConsent": false,
        "accessTokenModificationScript": "[Empty]",
        "issueRefreshTokenOnRefreshedToken": true,
        "validateScopeScript": "[Empty]"
      },
      "advancedOAuth2ClientConfig": {
        "logoUri": [],
        "subjectType": "public",
        "clientUri": [],
        "tokenExchangeAuthLevel": 0,
        "responseTypes": [
          "code",
          "token",
          "id_token",
          "code token",
          "token id_token",
          "code id_token",
          "code token id_token",
          "device_code",
          "device_code id_token"
        ],
        "mixUpMitigation": false,
        "customProperties": [],
        "javascriptOrigins": [],
        "policyUri": [],
        "softwareVersion": null,
        "sectorIdentifierUri": null,
        "tosURI": [],
        "tokenEndpointAuthMethod": "client_secret_basic",
        "isConsentImplied": false,
        "refreshTokenGracePeriod": 0,
        "softwareIdentity": null,
        "grantTypes": [
          "authorization_code"
        ],
        "require_pushed_authorization_requests": false,
        "descriptions": [],
        "requestUris": [],
        "name": [],
        "contacts": [],
        "updateAccessToken": null
      },
      "signEncOAuth2ClientConfig": {
        "tokenEndpointAuthSigningAlgorithm": "RS256",
        "idTokenEncryptionEnabled": false,
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
        "requestParameterSignedAlg": null,
        "authorizationResponseSigningAlgorithm": "RS256",
        "clientJwtPublicKey": null,
        "idTokenPublicEncryptionKey": null,
        "mTLSSubjectDN": null,
        "jwkStoreCacheMissCacheTime": 60000,
        "jwkSet": null,
        "idTokenEncryptionMethod": "A128CBC-HS256",
        "jwksUri": null,
        "tokenIntrospectionEncryptedResponseAlg": "RSA-OAEP-256",
        "authorizationResponseEncryptionMethod": null,
        "userinfoResponseFormat": "JSON",
        "mTLSCertificateBoundAccessTokens": false,
        "publicKeyLocation": "jwks_uri",
        "tokenIntrospectionResponseFormat": "JSON",
        "requestParameterEncryptedEncryptionAlgorithm": "A128CBC-HS256",
        "userinfoSignedResponseAlg": null,
        "idTokenEncryptionAlgorithm": "RSA-OAEP-256",
        "requestParameterEncryptedAlg": null,
        "authorizationResponseEncryptionAlgorithm": null,
        "mTLSTrustedCert": null,
        "jwksCacheTimeout": 3600000,
        "userinfoEncryptedResponseAlg": null,
        "idTokenSignedResponseAlg": "RS256",
        "userinfoEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
        "tokenIntrospectionSignedResponseAlg": "RS256"
      },
      "coreOpenIDClientConfig": {
        "claims": [],
        "backchannel_logout_uri": null,
        "defaultAcrValues": [],
        "jwtTokenLifetime": 0,
        "defaultMaxAgeEnabled": false,
        "clientSessionUri": null,
        "defaultMaxAge": 600,
        "postLogoutRedirectUri": [],
        "backchannel_logout_session_required": false
      },
      "coreOAuth2ClientConfig": {
        "status": "Active",
        "clientName": [],
        "clientType": "Confidential",
        "loopbackInterfaceRedirection": false,
        "defaultScopes": [],
        "agentgroup": null,
        "refreshTokenLifetime": 0,
        "scopes": [],
        "accessTokenLifetime": 0,
        "redirectionUris": [],
        "authorizationCodeLifetime": 0
      },
      "coreUmaClientConfig": {
        "claimsRedirectionUris": []
      },
      "_type": {
        "_id": "OAuth2Client",
        "name": "OAuth2 Clients",
        "collection": true
      }
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "EXACT",
  "totalPagedResults": 1,
  "remainingPagedResults": -1
}

Delete an OAuth 2.0 client

This example deletes an OAuth 2.0 client named myClient in the alpha realm. Provide the SSO token of the tenant administrator as a header, and append the name of the client to the URL:

$ curl \
--request DELETE \
--header "Accept-API-Version: resource=1.0" \
--header "<session-cookie-name>: AQIC5wM…​3MTYxOA..*" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
{
    "_id": "myClient",
    "_rev": "-614477476",
    …​
}

You can update an existing OAuth 2.0 client by using a similar PUT command, but ensure you include all the attributes to be retained. Omitting an attribute in the resource amounts to deleting the attribute.

Copyright © 2010-2022 ForgeRock, all rights reserved.