Configure OAuth Settings for Client App

In client application’s OAuth you can configure OAuth-related settings like available grant types, response types, and more.

To configure application’s OAuth settings:

1. Navigate to Applications » Clients.

2. Select client application.

3. Go to the OAuth tab.

Skip User Consent

To skip gathering consents from users to share their data, enable the TRUSTED checkbox in Application Properties.

Configure Grant Types and Response Types

1. Navigate to your client applications OAuth tab.

2. Select Grant Types and Response Types from the dropdown menus.

   • Grant Types define the OAuth 2.0 flows this application can follow to obtain an access token from Cloudentity.

   • Response Types define how the Cloudentity is allowed to respond to authorization requests made by this application.

     Note that different grant types require different responses. Cloudentity supports all OAuth 2.0 grant types - you can read more about each flow in Authorization basics.

3. Save changes.

Configure Client Authentication for Client App

1. Navigate to your client applications OAuth tab.

2. Under Client Authentication, specify the signing method for the Request Object. Note that signed authorization requests are required to meet certain security standards, such as Financial-grade API.

   When this option is selected and not set to None, Cloudentity will reject unsigned authorization requests.

3. Select Token Endpoint Authentication Method for the client to use.

   Configure Available Client Authentication Methods

   Available client authentication methods depend on the authorization server configuration.

   Go to OAuth » Authorization Server » Client Authentication to configure allowed client authentication methods for this workspace.

4. If using mTLS client authentication, either enable the JSON Web Key Set option and provide applications JWKS or enable the JWKS URI and provide a link to it.

5. Save changes.

Configure Advanced OAuth Settings for Client Apps

1. Navigate to your client applications OAuth tab.

2. Select the Subject Type toggle switch to use pairwise subject identifiers (request URL to share user data and place them in the same sector). Additionally, you can add the Sector Identifier URI which points to a JSON file containing an array of Redirect URI values.

3. Under Authorization Response (JARM), you can configure the encoding of the JWT-encrypted response, which is sent by Cloudentity when a JWT response mode is required by the client.

   • Signing algorithm is the algorithm type used for signing the authorization response. The value depends on authorization server signing key algorithm.

   • Encryption algorithm is the encryption algorithm type used for signing the authorization response. If set, the corresponding public key must be configured in either JWKs or JWKs URI. JWT encryption is optional.

4. Configure Sender Constrained Tokens.

   Sender Constrained Tokens are a security feature that allows a resource server to verify that a request is being made by an authorized sender.

   Enable either mTLS or DPoP.

5. Configure ID token encryption.

   The authorization server can issue encrypted ID tokens to client application. To get encrypted ID tokens, set the Encryption and Content Encryption algorithms and configure encryption public key in JSON Web Key Set or JSON Web Key set URI.

6. Configure Authorization Response (JARM).

   When JWT Authorization Response Mode (JARM) is used, the Cloudentity platform responds to clients' requests with a signed JSON Web Token for improved security.

7. Enforce Pushed Authorization Requests (PAR).

8. Save changes.