Register a custom application

Identifier used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

Password used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

AM URL base for OpenID Provider Configuration.
Default: http://openam.example.com:8088/openam/oauth2

The endpoint for OAuth2.0 authentication.

The endpoint for OAuth2.0 authorization.

The endpoint the application uses to get an access token or a refresh token.

The endpoint that returns validation information for identifier-based access tokens.

The endpoint that returns information about an end user.

The endpoint that returns the identity token.

Custom URL for handling login. Overrides the default OpenAM login page.

Custom URL for handling logout. Example: http://client.example.com:8080/openam/XUI/?realm=/#logout.

Specify the set of OAuth 2.0 grant types, also known as grant flows allowed for this client:

Specify scopes presented to the resource owner when the resource owner is asked to authorize client access to protected resources. The openid scope is required.

Scopes set automatically when tokens are issued. The openid scope is required.

Specify the response types that the client uses. The response type value specifies the flow that determines how the ID token and access token are returned to the client. By default, the following response types are available:

Claims can be entered as simple strings, such as name, email, profile, or sub. Or, as a pipe-separated string in the format: scope|locale|localized description. For example, name|en|Full name of end user.

Specify whether AM allows the use of wildcards (* characters) in the redirection URI port to match one or more ports.

The URL configured in the redirection URI must be either localhost, 127.0.01, or ::1. For example, http://localhost:*/, https://127.0.0.1:80*/, or \https://[::1]:*443/.

Enable this setting, for example, for desktop applications that start a web server on a random free port during the OAuth 2.0 flow.

Authentication method client uses to authenticate to AM.
Choose one:

When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2.0 Provider must also be configured to allow clients to skip consent.

Enable this setting only if this OAuth 2.0 client supports the OAuth 2.0 Mix-Up Mitigation draft, otherwise AM will fail to validate access token requests received from this client.

Default Authentication Context Class Reference values. Specify strings that will be requested as Voluntary Claims by default in all incoming requests.

Specify request_uri values that a dynamic client pre-registers.

A base64-encoded X509 certificate in PEM format used to obtain the client’s JWT bearer public key. The client uses the private key to sign client authentication and access token request JWTs, while AM uses the public key for verification.

Default value is public.

Enable this option to enforce a default maximum age of 10 minutes. If the end user session is not currently active, and if more than 10 minutes have passed since the end user last authenticated, then the end user must authenticate again.

Enable this option if you want access tokens issued to this client to be bound to an X.509 certificate. When enabled, access tokens will use the X.509 certificate to authenticate to the access_token endpoint.

The time an authorization code is valid for.
Default value: 120

The time an access token is valid for, in seconds
If you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended. Default value: 3600

The time a refresh token is valid for.
If this field is set to -1, the refresh token will never expire. Default value: 604800

The amount of time the JWT is valid for. Default value: 3600

Custom user-facing title. In this example, MyClient.

User-facing instruction text. In this example, "This application is requesting the following information:"

URI containing the client’s privacy policy documentation. The URI is displayed as a link in the consent page.

Specify the registration_access_token value you provided when registering the client, and then subsequently, when reading or updating the client profile.

Specify the relying party (client) URI to which the OpenID Connect Provider sends "session changed" notification. Message is sent using the HTML 5 postMessage API.

Specify the output format from the userinfo endpoint.
The supported output formats are:

Specifies the format of the token introspection response. The possible values for this property are:

Select the public key for this client, which comes from the JWKs_URI, manual JWKs, or X.509 field.

The URI that contains the client public keys in JSON web key format.

Raw JSON web key value containing the client public keys.

Base64-encoded public key for encrypting ID tokens.

When enabled, encryption uses the algorithm that the ID token must be encrypted with. Default algorithm value is RSA1_5 (RSAES-PKCS1-V1_5).

The login endpoint initiated by the IDP.

The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

Signed or Unsigned.

Signed or Unsigned.