Custom OAuth2 Client
OAuth 2.0 is an open-standard framework and specification for authorizing client applications to access online resources. Authorization works by requiring a client to obtain an access token from a server that in turn grants the client access to specific protected resources. The client then sends the access token to the resource whenever it invokes the resource's endpoints.
Privileged Access Service supports OAuth 2.0, allowing custom Delinea client applications to access the online resources those applications need.
This topic covers how to add the custom OAuth2 Client application to the Admin Portal and describes the available configuration fields and options.
Use the custom OAuth2 Client application if the resulting access token is used to call Privileged Access Service APIs.
Refer to https://developer.delinea.com/docs/oauth for more information about using OAuth 2.0 with Delinea.
To add and configure a custom OAuth 2.0 client
- In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.
  The Add Web Apps screen appears.
- Click Custom.
- On the Custom tab, next to the OAuth2 Client application, click Add.
- In the Add Web App screen, click Yes to add the application.
  The Admin Portal adds the application.
- Click Close to exit the Application Catalog.
  The application that you just added opens to the Settings page.
- On the Settings page, complete the following fields:
  - Application ID: a unique key used to build the OAuth2 endpoint URL (the URL format is tenant.my.centrify.net/oauth2/introspect/appID).
  - Customize Name and Description for each language: lets you specify a name and description for this app for each supported language.
  - Application Name: a descriptive name for the application.
  - Application Description: a description for the application.
  - Logo: optionally, a logo to identify your app.
- On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:
  - Client ID Type: choose one of these options:
    - Anything: allows authorization from any client where the user grants the authorization (for example, in a popup screen).
    - List: specifies a list of clients that are allowed access. Click Add and then enter the application name of your client.
    - Confidential: requires an OAuth2 client to send a client ID and secret. A confidential client is recommended for all flows, but is only required for the Client Credentials flow.
  - Issuer: the URL of the server issuing access tokens. Can be left at the default.
  - Allowed Redirects: specifies the redirects that should be trusted when redirection occurs during the Authorization Code and Implicit flows. Not applicable to the Client Credentials and Resource Owner flows.
- On the Tokens page, complete the following fields:
  - Token Type: specifies the type of token to issue (JwtRS256 or opaque).
    JwtRS256 is a JSON Web Token (JWT) composed of Base64-encoded user and claim information. An opaque token contains no information about the user. To obtain user and claim information for an opaque token, pass the token to the introspection URL. The format of the introspection URL is tenant.my.centrify.net/oauth2/introspect/appID.
  - Auth Methods: specifies the authentication flow(s) for which the specified token type should be issued.
  - Token Lifespan: specifies the token's lifespan.
  - Issue refresh tokens: when enabled, allows clients to request a refresh token that can be exchanged for a new access token. Not applicable to the Resource Owner or Client Credentials flows.
- On the Scope page, add any desired scopes and select from the following options:
  Refer to https://developer.delinea.com/docs/client-credentials-flow#step-3-create-scopes for more information about creating scopes.
  - User must confirm authorization request: select this option if you want the user to confirm the authorization request before receiving a token.
  - Allow scope selection: select this option to let users choose which of the scopes you added to request.
- On the User Access page, select the role(s) that a user must belong to in order to authorize against the server.
- (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and type of change.
- Click Save.
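The Allowed Redirects setting above is only as strong as the comparison behind it. The following Python is an added example, not Delinea code, of the exact-match check an authorization server should apply to a redirect_uri presented during the Authorization Code or Implicit flow: scheme, host, port, path and query must all equal a registered entry, and a URI carrying a fragment or userinfo is refused outright. The allowlist entries and hostnames are constructed sample values.

```python
"""Exact-match check for an OAuth 2.0 redirect_uri against an allowlist.

Added example (not Delinea code) of the comparison behind an "Allowed
Redirects" list: a redirect is honoured only when scheme, host, port, path
and query all equal a registered value. Allowlist entries are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample allowlist for a hypothetical application registration.
ALLOWED_REDIRECTS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com:8443/oauth/callback",
]


def _canonical(uri: str):
    """Reduce a URI to the tuple that must match a registered entry exactly.

    Returns None for anything that is not an absolute https URL, that carries
    a fragment (RFC 6749 section 3.1.2 forbids them in redirect URIs) or that
    carries userinfo (which makes one host look like another to the eye).
    """
    try:
        parts = urlsplit(uri)
        if parts.scheme.lower() != "https" or not parts.hostname:
            return None
        if parts.fragment or parts.username or parts.password:
            return None
        port = parts.port if parts.port is not None else 443  # default port
    except ValueError:  # e.g. a non-numeric port
        return None
    # urlsplit already lower-cases the hostname; the path stays case-sensitive.
    return (parts.hostname, port, parts.path or "/", parts.query)


def redirect_allowed(requested: str, allowlist=ALLOWED_REDIRECTS) -> bool:
    """True only when `requested` is an exact match for a registered redirect.

    Deliberately no prefix or substring matching: a trailing path segment, an
    extra query parameter or a look-alike host must all be rejected.
    """
    target = _canonical(requested)
    if target is None:
        return False
    return any(_canonical(entry) == target for entry in allowlist)


if __name__ == "__main__":
    for uri in [
        "https://app.example.com/oauth/callback",
        "https://app.example.com:443/oauth/callback",
        "https://app.example.com/oauth/callback?next=https://attacker.example",
        "https://app.example.com.attacker.example/oauth/callback",
        "https://app.example.com@attacker.example/oauth/callback",
    ]:
        print(f"{redirect_allowed(uri)!s:5}  {uri}")
```

Only the first two URIs in the demo list pass: an explicit :443 is the same endpoint as the registered entry, while the query, look-alike host and userinfo variants all fail because nothing short of full equality is accepted.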
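The Token Type, Issuer, Token Lifespan and Scope settings above determine what a resource that receives the token can check on its own. The following Python is an added example, not Delinea code, of that resource-side handling: a JwtRS256 token is parsed for its claims and checked against the expected issuer, its expiry (with a small clock-skew leeway) and a required scope, while a token that does not parse as a JWT is treated as opaque and routed to the introspection URL in the format given above. Assumptions: the JWS signature has already been verified against the issuer's RS256 public key (not shown here), the issuer value and the tokens are constructed samples, scopes travel in a space-delimited "scope" claim, and the introspection URL is reached over https.

```python
"""Resource-side handling of JwtRS256 and opaque access tokens.

Added example, not Delinea code. Signature verification with the issuer's
RS256 public key is assumed to happen before validate_claims() runs; claim
checks on an unverified token prove nothing. All sample values are constructed.
"""
import base64
import json

ALG_EXPECTED = "RS256"  # the JwtRS256 token type from the Tokens page


def b64url_decode(segment: str) -> bytes:
    """Decode a Base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Return (header, claims) for a compact-serialised JWT, else None.

    None is what an opaque token looks like to the resource: no readable
    structure, so the only way to learn about its user is introspection.
    A header whose alg is not RS256 (e.g. "none") is also refused here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != ALG_EXPECTED:
        return None
    return header, claims


def validate_claims(claims: dict, expected_issuer: str, required_scope: str,
                    now: int, leeway: int = 30):
    """Apply what the Issuer, Token Lifespan and Scope settings imply.

    Returns (True, "ok") or (False, reason). `now` is epoch seconds and is
    passed in explicitly so the check is deterministic.
    """
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return False, "not yet valid"
    # Assumption: scopes are a space-delimited string in a "scope" claim
    # (RFC 6749 section 3.3 format); adjust to the claim your tokens carry.
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, "ok"


def introspection_url(tenant: str, app_id: str) -> str:
    """Introspection URL in the format the page gives
    (tenant.my.centrify.net/oauth2/introspect/appID); https is assumed."""
    return f"https://{tenant}.my.centrify.net/oauth2/introspect/{app_id}"


def make_sample_token(claims: dict) -> str:
    """Constructed JwtRS256-shaped token with a placeholder signature.

    Only for exercising the parser offline; a real token's third segment is
    the issuer's RS256 signature over the first two.
    """
    header = {"alg": ALG_EXPECTED, "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(claims, **compact).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def check_token(token: str, expected_issuer: str, required_scope: str, now: int):
    """Decision for one bearer token presented to the resource.

    Returns ("jwt", ok, reason) for a JwtRS256 token, or
    ("opaque", False, "introspect") when the token must be introspected.
    """
    parsed = parse_jwt(token)
    if parsed is None:
        return "opaque", False, "introspect"
    _header, claims = parsed
    ok, reason = validate_claims(claims, expected_issuer, required_scope, now)
    return "jwt", ok, reason


if __name__ == "__main__":
    NOW = 1_700_000_000
    ISS = "https://tenant.example/"  # constructed; use your app's Issuer value
    good = make_sample_token({"iss": ISS, "sub": "alice", "exp": NOW + 300,
                              "scope": "read write"})
    print(check_token(good, ISS, "write", NOW))
    print(check_token("k3Yx9-opaque-token", ISS, "write", NOW),
          "->", introspection_url("tenant", "APP_ID_PLACEHOLDER"))
```

The split between parse_jwt() and validate_claims() is deliberate: the parser only tells you whether there is anything to read, and reading claims never substitutes for checking the RS256 signature. For an opaque token the resource has no claims at all and has to ask the introspection endpoint, which is why the Token Type choice also decides where the trust decision is made.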