How to configure OAuth 2.0 flows

OAuth 2.0 is an open-standard framework and specification for authorizing client applications to access online resources. Authorization works by requiring a client to obtain an access token from a server that in turn grants the client access to specific protected resources. The client then sends the access token to the resource whenever it invokes the resource's endpoints.

Privileged Access Service supports OAuth 2.0, allowing custom Centrify client applications to access the online resources those applications need.

Refer to https://developer.centrify.com/docs/oauth for more information about using OAuth 2.0 with Centrify.

The flows that Privileged Access Service supports are:

  • Client Credentials

    The client application must provide a client ID and client secret to obtain an access token from a tenant.

  • Authorization Code

    The client redirects the user to the OAuth authorization endpoint, where the user enters their credentials and grants access. The OAuth server then returns an authorization code to the client. The client then sends a request to the OAuth token endpoint to obtain an access token, including the authorization code in this request. The OAuth server returns the access token (and a refresh token, if one is configured) to the client for use in accessing subsequent endpoints.

  • Implicit

    The client redirects the user to the OAuth authorization endpoint, where the user enters their credentials and grants access. The OAuth authorization endpoint then redirects the user back to the client application and includes the access token in the redirection. The client then uses the access token to access subsequent endpoints. This flow is the simplest and is typically used by JavaScript applications running in a browser. Since the access token under this flow is assumed to be used temporarily, no refresh token is issued by the OAuth server.

  • Resource Owner

    The client application provides its own user interface in which the user enters their credentials and grants access to resources. This information is then sent to the OAuth token endpoint, which returns an access token to the client. Since this flow does not involve redirection to an OAuth authorization endpoint to obtain authorization, it should only be used in highly privileged client applications such as native applications running on an OS.
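The four exchanges described above, as an added example that is not part of this page or of Centrify's own code. It builds the token-endpoint requests for each grant type, extracts the code or token from the redirect back to the client, and parses the token reply the way a client would keep it. The endpoint URLs, client ID and secret, and the sample token response are constructed placeholders; a real tenant's endpoint paths come from the Centrify developer documentation linked above.

```python
"""Build and parse the OAuth 2.0 exchanges for the four flows (RFC 6749).

Added example, not Centrify's code. TOKEN_URL, AUTHZ_URL and every client
value below are constructed placeholders, not a real tenant.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints (assumption; see the developer docs for real paths).
TOKEN_URL = "https://tenant.example/oauth2/token/myapp"
AUTHZ_URL = "https://tenant.example/oauth2/authorize/myapp"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1): the client
    secret travels in a header rather than the URL, so it stays out of access logs."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def client_credentials_request(client_id, client_secret, scope):
    """Client Credentials flow: a single POST to the token endpoint, no user involved."""
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_URL, basic_auth_header(client_id, client_secret), body


def authorization_request(client_id, redirect_uri, scope, state):
    """Authorization Code flow, step 1: the URL the user's browser is sent to.
    `state` is a random value the client stores and compares on the way back,
    so a redirect this client did not initiate is rejected."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHZ_URL}?{query}"


def code_from_redirect(redirect_url, expected_state):
    """Authorization Code flow, step 2: read the code from the redirect back to the client."""
    params = parse_qs(urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not initiated by this client")
    return params["code"][0]


def code_exchange_request(client_id, client_secret, code, redirect_uri):
    """Authorization Code flow, step 3: trade the code for tokens at the token endpoint."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})  # same redirect_uri as step 1
    return TOKEN_URL, basic_auth_header(client_id, client_secret), body


def token_from_implicit_redirect(redirect_url, expected_state):
    """Implicit flow: the token arrives in the URL fragment (after '#'), which the
    browser keeps client-side and does not send to the server hosting the app."""
    params = parse_qs(urlparse(redirect_url).fragment)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not initiated by this client")
    return params["access_token"][0], params.get("token_type", ["Bearer"])[0]


def password_request(client_id, client_secret, username, password, scope):
    """Resource Owner flow: the client collected the user's credentials itself."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return TOKEN_URL, basic_auth_header(client_id, client_secret), body


def parse_token_response(body_text, now):
    """Turn the token endpoint's JSON reply into what the client keeps: the bearer
    token, its absolute expiry, and the refresh token if one was issued."""
    data = json.loads(body_text)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data.get("expires_in", 0)),
            "refresh_token": data.get("refresh_token"),  # None in the Implicit flow
            "scope": data.get("scope")}


def bearer_header(access_token):
    """How the access token is presented to the protected resource's endpoints."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(authorization_request("myclient", "https://app.example/cb", "read", state))
    # Constructed sample reply from the token endpoint.
    sample = '{"access_token":"abc","token_type":"Bearer","expires_in":3600,"refresh_token":"r1"}'
    print(parse_token_response(sample, now=0))
```

Each `*_request` function returns the URL, headers and form body to POST; sending them is left to whatever HTTP client the application already uses. The `state` check in both redirect parsers is the piece most often skipped in hand-written clients; without it, any redirect carrying a code or token is accepted as if this client had asked for it.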


Refer to the following topics for an overview of the OAuth2 client and server applications used to configure access to your Centrify tenant:

  • Custom OAuth2 Client

    Use the custom OAuth2 Client application if the resulting access token is used to call Privileged Access Service APIs.

  • Custom OAuth2 Server

    Use the custom OAuth2 Server application when the resulting access token is used with another web application's APIs. With the OAuth2 Server application, you can set custom claims in the resulting access token.