Connecting and Configuring OAuth Applications in Cloudentity

This article guides you through the process of connecting an OAuth application that you want to protect in Cloudentity.

About OAuth Client Applications in Cloudentity

In Cloudentity, an Application is defined as a Client and a Service. A Client can be understood as an OAuth 2.0 Client or a SAML Service Provider.

Services are a bit more complicated. Essentially, the whole set of services in a Cloudentity Workspace constitutes the OAuth 2.0 Resource Server. Cloudentity recognizes that such a server can expose a large number of APIs grouped into particular services, and consequently represents this in the Workspace in order to allow for more fine-grained access control.

This document deals with the configuration of the OAuth Client Application. See Connecting and Configuring Services in Cloudentity for information on Services.

Prerequisites

  • You have login credentials to Cloudentity.
  • You have created a workspace or a developer portal that you want to create your application in.

Create OAuth Application

  1. In the selected workspace, select Applications > Clients from the sidebar.

  2. Select Create client.

  3. In the client form:

    1. Enter a name and description to help identify your client application.

    2. Select the type of your application, for example, Single-page Application. All application types apart from SAML Service Providers are OAuth applications from Cloudentity’s perspective.

    3. Select CREATE to proceed.

Result

Your application has been created and you are redirected to its Overview for further configuration.

Configure OAuth Client Application

  1. In the Overview tab, configure the basic settings for your application.

    1. Update Name and Description.

    2. Enter Privacy Policy, which is a link to application usage related policy statements (included as part of the consent screen).

    3. Enter Terms of service, which is a link to application terms and conditions (included as part of the consent screen).

    4. Enter Client Details, which is a link to details on the client application and/or company (included as part of the consent screen).

    5. Select SAVE CHANGES when you’re done configuring Overview.

    Note

    In the Overview tab, you can also delete the application by selecting DELETE APPLICATION.

  2. Select the OAuth tab and configure authorization-related settings.

    1. Select the TRUSTED toggle switch to enable requesting the access token without displaying the consent pages when the user logs in.

    2. Select Grant Types and Response Types from the dropdown menus.

      • Grant Types define the OAuth 2.0 flows this application can follow to obtain an access token from Cloudentity.

      • Response Types define how Cloudentity is allowed to respond to authorization requests made by this application.

        Note that different grant types require different responses. Cloudentity supports all OAuth 2.0 grant types - you can read more about each flow in Authorization basics.

    3. Select the Subject Type toggle switch to use pairwise subject identifiers (the same user receives a different subject identifier for each client, unless the clients belong to the same sector). Additionally, you can add the Sector Identifier URI, which points to a JSON file containing an array of Redirect URI values.

    4. Under Client Authentication, specify the signing method for the Request Object. Note that signed authorization requests are required to meet certain security standards, such as Financial-grade API.

      When this option is selected and not set to None, Cloudentity will reject unsigned authorization requests.

    5. Select Token Endpoint Authentication Method from the dropdown menu to define how this application can authenticate itself against Cloudentity.

      Configure authentication methods

      Authentication methods are configured on workspace level. Go to Auth Settings > OAuth > Client Authentication to configure allowed client authentication methods for this workspace.

    6. Under Authorization Response (JARM), you can configure the signing and encryption of the JWT-secured authorization response, which is sent by Cloudentity when a JWT response mode is requested by the client.

      • Signing algorithm is the algorithm used for signing the authorization response. The value depends on the authorization server's signing key algorithm.

      • Encryption algorithm is the algorithm used for encrypting the authorization response. If set, the corresponding public key must be configured in either JWKs or JWKs URI. JWT encryption is optional.

    7. Select SAVE CHANGES when you’re done configuring OAuth.

  3. Select the Scopes tab to configure scope-related settings. You can see a list of services defined in Cloudentity, which together act as the OAuth 2.0 Resource Server. To access a particular service, your client application needs to present the correct scopes in the access token. In this form, you decide what the application is allowed to ask for in relation to each service. Select a service to expand it and see the list of scopes governing access to it. The application will ask the user for consent based on these scopes (and won’t be able to ask for scopes that are not selected here).

    The purpose of Scopes

    Scopes represent data that the application is allowed to ask for. Check the official OAuth Scope definition for details.

  4. Go to Policies and assign policies governing this application in different scenarios. Check the Cloudentity policy definition for more details.

    1. Select User policy (a set of conditions for the user to access the client application).

    2. Select Machine token policy, used when the application is part of the Client Credentials (machine-to-machine) flow.

  5. Select the Endpoints tab to check the OAuth and OIDC-specific endpoints of this application.

  6. Select the Metadata tab to view information on the application developer or configure metadata on the application.

    Work with Metadata

    For more information on how to preview information on the application developer or configure metadata on the application, see Identifying developers metadata for applications and Configuring application metadata, respectively.
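Two of the settings above are easy to get wrong in a way the UI cannot catch on its own: the Grant Types and Response Types chosen in step 2 must be consistent with each other, and when pairwise subject identifiers are enabled in step 3, the JSON document behind the Sector Identifier URI must list every Redirect URI registered for the client. The following pre-flight check is an added example, not Cloudentity's own code or API: the dictionary field names follow OpenID Connect Dynamic Client Registration 1.0, and the sample client and sector document are constructed for illustration.

```python
import json

# Response types each grant type permits, per OpenID Connect Dynamic Client
# Registration 1.0, section 2 (a generic OAuth/OIDC rule, not Cloudentity-specific).
RESPONSE_TYPES_FOR_GRANT = {
    "authorization_code": {"code"},
    "implicit": {"token", "id_token", "id_token token"},
    "client_credentials": set(),
    "refresh_token": set(),
}
# Hybrid response types require both the authorization_code and implicit grants.
HYBRID = {"code id_token", "code token", "code id_token token"}


def check_response_types(grant_types, response_types):
    """Return findings (strings); an empty list means the two settings agree."""
    grants, findings = set(grant_types), []
    allowed = set().union(*(RESPONSE_TYPES_FOR_GRANT.get(g, set()) for g in grants))
    if {"authorization_code", "implicit"} <= grants:
        allowed |= HYBRID
    for rt in response_types:
        if rt not in allowed:
            findings.append(f"response_type '{rt}' not permitted by grant types {sorted(grants)}")
    if "authorization_code" in grants and not any("code" in rt.split() for rt in response_types):
        findings.append("authorization_code grant enabled but no response_type contains 'code'")
    return findings


def check_sector_document(sector_doc_json, redirect_uris):
    """OIDC Core 8.1: the sector identifier document is a JSON array of redirect URIs
    that must contain every redirect_uri registered for the client."""
    try:
        uris = json.loads(sector_doc_json)
    except json.JSONDecodeError as e:
        return [f"sector identifier document is not valid JSON: {e}"]
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        return ["sector identifier document must be a JSON array of strings"]
    return [f"redirect_uri '{u}' missing from sector identifier document" for u in redirect_uris if u not in uris]


def validate_client(client, sector_doc_json=None):
    """Run both checks over a client configuration dictionary (hypothetical schema)."""
    findings = check_response_types(client.get("grant_types", []), client.get("response_types", []))
    if client.get("subject_type") == "pairwise" and client.get("sector_identifier_uri"):
        if sector_doc_json is None:
            findings.append("pairwise subject type with a sector_identifier_uri but no sector document supplied")
        else:
            findings += check_sector_document(sector_doc_json, client.get("redirect_uris", []))
    return findings


# Constructed sample: an SPA with an implicit-only response type left enabled, and a
# sector document that omits one of its redirect URIs. Expect two findings.
SAMPLE_CLIENT = {"grant_types": ["authorization_code"], "response_types": ["code", "id_token"],
                 "subject_type": "pairwise", "sector_identifier_uri": "https://app.example.com/sector.json",
                 "redirect_uris": ["https://app.example.com/callback", "https://app.example.com/silent"]}
SAMPLE_SECTOR_DOC = json.dumps(["https://app.example.com/callback"])
```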

Result

Your application is available in the Client Applications view of your workspace and ready for use.

Updated: Oct 26, 2022