Add an API/URL resource server

Manage OAuth authorization with a resource server.

Click > Security > Authorization. The Authorization page appears.

Select API/URL to add a protected resource. The APIs/URLs list page appears.

Click . The Add API/URL page appears.

Under Basic Definition, do the following:

Select Enabled to make this API/URL resource active in Identity as a Service. JWT access tokens will not be issued unless the authorization is active.

Enter a Name for the resource.

Enter a Description for the resource.

Add a Value for the resource. The value should be an absolute URI value. The value corresponds to the API (aka audience value) that the resource server is protecting.

Note: The API/URL names and values must be unique across all resource server.

Select the Supported OIDC/OAuth Applications from the drop-down list. These are the applications that have permission to access the resource server. If you want all OIDC and OAuth applications to access the resource server, leave this field blank.

Under Token Definition, do the following:

Select Require Consent to prompt users for consent when an OAuth token is requested.

Select Include Application Name to include the application name in OAuth access tokens.

Select Include Client ID to include the client ID in OAuth access tokens.

Select Include OIDC Scopes and Claims to include the claims derived from OIDC scopes and claim requests in OAuth access tokens.

Select Include Authentication Claims to include authentication claims in OAuth access tokens.

Select Include Transaction Claims to include the transaction details in OAuth access tokens (for applications using the JWT IDaaS grant type).

From the Access Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the access tokens during authentication.

Set the Access Token Timeout to the time that the access token is valid before it expires.

Select Refresh Token to allow refresh token requests for OAuth token access. If you select this option, complete the following:

Set the Refresh Token Timeout to the time that the refresh token associated with the access token is valid.
Set the Refresh Token Limit to the maximum amount of a time a refresh token process is valid.

Under Scope Configuration, add the scopes (the permissions) the OIDC and OAuth application can request on behalf of the user for the configured API/URL (for example, view:calendar, edit:calendar). To add scopes:

Select Allow All Scopes to be requested to allow client applications to use the specific scope all_scopes to request all scopes the user has access to for this API/URL. This is a short-hand mechanism to request all scopes instead of listing out all scopes in the request.

Select Role-Based Access Control (RBAC) to enable access to scopes based on their Access Management Role associations. If disabled, the user has access to all scopes associated with the API/URL regardless of their Access Management Role. When enabled, the user only has access to the scopes permitted by the Access Management Role associations. To create RBAC, see Configure Role-Based Access Control (RBAC ).

Click Add. The Add Scope dialog box appears.

Add a Name for the scope.

Add a Value for the scope, for example, edit:calendar.

Click Add.

Note: Scope names and values must be unique across scopes defined across all APIs/URLs.

Click Save.