Service Provider Types: OAUTH Client

Follow

Introduction

Configure a Service Provider that uses the OAUTH or OpenIDConnect Protocol for authentication and/or authorization. 

IDHub will act as an (intermediary) Identity Provider for the Service Provider.

General Settings

Field Description
Display Name User defined name of the Service Provider
URL Not used
Description User defined description of the Service Provider
Authentication Scheme Defines which IDP(s) that can authenticate a user for this Service Provider, and how the user can authenticate.
Type "OAUTH Client"
Subject Primary user attribute that is used to identify the user.
Client ID This is a generated ID that uniquely identifies the Service Provider.  The client has to provide this ID with a secret before it can access the Service Provider.
Because IDHub acts as an Identity Provider, it generates the Client ID and Secret.
The Client ID and Secret is only generated when the Service Provider is initially created.  Note that the secret is only showed once. If you didn't save it, it is lost.   
Then you can only generate a new Client ID and Secret (making the old ones obsolete immediately).
Callback URL's After a user successfully (or unsuccessfully) authorizes an application, IDHub will redirect the user back to the URL provided in the Authentication Request.  

This Callback URL provided in the Authentication Request must be defined (whitelisted) as a Callback URL in IDHub.

The whitelisting is required, because information is sent to the callback URL. This is sensitive information that should be sent only to accepted domains.
Scopes Defines which scopes IDHub can allow the user to authorize for this Service Provider.
To use the OpenIDConnect protocol instead of the OAuth Protocol, the "openid" scope MUST be allowed on this SP.

For more information on the field, see below
Client Profile Defines if the client can securely store a secret.

When this is set to "Public" a PKCE (Proof Key for Code Exchange) is required.
Authorization Code Flow Enabled Allows IDHub to provide Authorization Code Grants

Authorization Code Grants should be used when there is an actual user that can be asked to log in and approve access for the client.
Client Authentication Enabled Allows IDHub to provide Client Credentials Grants

Client Credentials Grant are used in a machine-to-machine context, when there is no user to complete the log in procedure or to provide authorization. In this case the client will simply authenticate itself.
Implicit flow enabled Allows IDHub to provide Implicit Grants.

Implicit grants are intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret because all of the application code and storage is easily accessible.
Access Token Type Defines the type of Bearer Token that is dispensed.  Supported types:
  • JWT: JSON Web Tokens. An access token that contains more context about a user (but is not a fully compliant ID Token).  
  • Opaque: Token that contains only a random string with no context about a user.  It acts only as an Access Token.
Access Token Time To Live Defines the duration of how long the access token remains valid after dispensing it.
Refresh Token Enabled Allows IDHub to dispense Refresh Tokens.  A refresh token can be used to obtain a new Access Token, without asking the user to log in again.
Refresh Token Time To Live Defines the duration of how long the refresh token remains valid after dispensing it.
ID Token Time To Live Defines the duration of how long the ID Token remains valid after dispensing it.
Client Authentication Type
  • HTTP Basic Authentication Scheme: The authentication parameters are included in the http header
  • HTTP POST from body: The authentication parameters are included in the body of the http request, which are posted to the server
Cross Origin Request Specify additional domains from which Cross-Origin Requests are accepted.  Eg. *.trustbuilder.com to allow access from all subdomains from trustbuilder.com.
Audience Additional Audience(s) that this ID Token is intended for.
The Client ID of the Service Provider is applied as an audience automatically.
Issuer Defines who issues the ID Tokens. If left empty, the default https://domainname.ext/idhub/oidc  is applied.

Certificates

Certificates are managed at Certificate Overview

It is still possible to import certificates without needing to leave the Service Provider screen.

Field Description
Context

Defines what the certificate is used for.  There is only one option:

Key - Signing: Used to sign messages to the SP

Certificate Alias The alias of the certificate to use for this context.
Used From Defines from when this certificate may be used.  These periods may not overlap for "Key - Signing" certificates.
Used Until Defines until when this certificate may be used.

Allowed Scopes

Field Description
Name Name of the scope, as defined in "scopes"
Click the checkbox before the name to enable or disable this scope.
Type OAuth: Defines which API's (method & URL) the client is given authorization for.
OpenID: Contains a set of attributes that can the user can authorize the IDP to include in the ID Token.

To use the OpenIDConnect protocol instead of the OAuth Protocol, the "openid" scope MUST be allowed on this SP.
Description User defined description of the Scope
Is Default If no scopes are specified in the request, authorization for this scope is requested by default. Multiple scopes can be marked as default.
Have more questions? Submit a request

Comments