Custom OAuth2 Server

OAuth 2.0 is an open-standard framework and specification for authorizing client applications to access online resources. Authorization works by requiring a client to obtain an access token from a server that in turn grants the client access to specific protected resources. The client then sends the access token to the resource whenever it invokes the resource's endpoints.

Privileged Access Service support OAuth 2.0, allowing custom Centrify client applications access to online resources needed by those applications.

This topic covers how to add the custom OAuth2 Server application to the Admin Portal and describes the available configuration fields and options.

Use the custom OAuth2 Server application for use with another web application's APIs. With the OAuth2 Server application, you can set custom claims in the resulting access token.

Refer to https://developer.centrify.com/docs/oauth for more information about using OAuth 2.0.with Centrify.

To add and configure a custom OAuth 2.0 Server application

  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. Click Custom.

  1. On the Custom tab, next to the OAuth2 Server application, click Add.
  2. In the Add Web App screen, click Yes to add the application.

    The Admin Portal adds the application.

  3. Click Close to exit the Application Catalog.

    The application that you just added opens to the Settings page.

  4. On the Settings page, complete the following fields:

    • Application ID: a unique key used to build the OAuth2 endpoint URL (URL format is tenant.my.centrify.net/oauth2/introspect/appID.
    • Customize Name and Description for each language: allows you to specify a name and description for this app, per supported language.
    • Application Name: a descriptive name for the application.
    • Application Description: a description for the application.
    • Logo: you can optionally provide a logo to identify your app.
  5. On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:

    • Client ID Type: choose one of these options:
      • Anything: allows for authorization in any client where authorization is granted by the user (for example, in a popup screen).
      • List: - specifies a list of clients who are allowed access. Click Add and then enter the application name of your client.
      • Confidential: requires an OAuth2 client to send a client ID and secret. A confidential client is recommended for all flows, but is only required for the Client Credentials flow.
    • Issuer: the URL of the server issuing access tokens. Can be left as default.
    • Audience: metadata that a client may use to verify that the tokens it receives are correct (i.e., allows for client-side verification of a token). Can be set to any string. For example, a client may use this field to ensure a match on the issuer.
    • Allowed Redirects: specifies the redirects that should be trusted when redirection occurs during the Authorization Code and Implicit flows. Not applicable for the Client Credential and Resource Owner flows.
  6. On the Tokens page, complete the following fields:

    • Token Type: specifies the type of token to issue (JwtRS256 or opaque).

      JwtRS256 is a Java Web Token (JWT) composed of Base64 encoded user and claim information. An opaque token contains no information about the user. To obtain user and claim information for an opaque token an introspection URL must be used by passing the token. The format of the introspection URL is tenant.my.centrify.net/oauth2/introspect/appID .

    • Auth Methods: specifies the authentication flow(s) for which the specified token type should be issued.
    • Token Lifespan: specifies the token’s lifespan.
    • Issue refresh tokens: when enabled, allows clients to request a refresh token that can be exchanged for a new access token. Not applicable for the Resource Owner or Client Credentials flows.
  7. On the User Access page, select the role(s) that the user must be in, in order to authorize against the server.
  8. (Optional) On the Advanced page, you can enter a custom script that sets claims for JWTs being issued by the tenant for the server.
  9. (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

  10. Click Save.