Manage OAuth authorization

If you have an OAuth client application and you want to allow the application to access resource server APIs/URLs, you need to set up OAuth authorization. OAuth allows you to grant applications access to resources of another entity on behalf of a user by obtaining JWT access tokens for this purpose. Consider the following example:

Example: Bank ABC wants to be able to provide a trusted client application access to user mortgage capability so partners can issue mortgage quotes to customers. Bank ABC creates a user mortgage API/URL and adds it as an authorized API/URL in Identity as a Service and provides corresponding scopes (view:mortgage, add:mortgage, edit:mortgage, remove:mortgage). The scopes correspond to the permissions the client application can request on behalf of the user. Bank ABC protects the mortgage API/URL by validating the JWT access tokens issued by Identity as a Service and presented by the client application.

Limitations

a. Select Enabled to make this API/URL resource active in Identity as a Service. JWT access tokens will not be issued unless the authorization is active.

d. Add a Value for the resource. The value should be an absolute URI value. The value corresponds to the API (aka audience value) that the resource server is protecting.

e. Select the Supported OIDC/OAuth Applications from the drop-down list. These are the applications that have permission to access the resource server. If you want all OIDC and OAuth applications to access the resource server, leave this field blank.

a. Select Require Consent to prompt users for consent when an OAuth token is requested.

b. Select Include Application Name to include the application name in OAuth access tokens.

d. Select Include OIDC Scopes and Claims to include the claims derived from OIDC scopes and claim requests in OAuth access tokens.

e. Select Include Authentication Claims to include authentication claims in OAuth access tokens.

f. Select Include Transaction Claims to include the transaction details in OAuth access tokens (for applications using the JWT IDaaS grant type).

g. From the Access Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the access tokens during authentication.

h. Set the Access Token Timeout to the time that the access token is valid before it expires.

i. Select Refresh Token to allow refresh token requests for OAuth token access. If you select this option, complete the following:

i) Set the Refresh Token Timeout to the time that the refresh token associated with the access token is valid.

ii) Set the Refresh Token Limit to the maximum amount of a time a refresh token process is valid.

6. Under Scope Configuration, add the scopes (the permissions) the OIDC and OAuth application can request on behalf of the user for the configured API/URL (for example, view:calendar, edit:calendar). To add scopes:

a. Select Allow All Scopes to be requested to allow client applications to use the specific scope all_scopes to request all scopes the user has access to for this API/URL. This is a short-hand mechanism to request all scopes instead of listing out all scopes in the request.

b. Select Role-Based Access Control (RBAC) to enable access to scopes based on their Access Management Role associations. If disabled, the user has access to all scopes associated with the API/URL regardless of their Access Management Role. When enabled, the user only has access to the scopes permitted by the Access Management Role associations. To create RBAC, see Configure Role-Based Access Control (RBAC ).