OAuth Clients

Overview

OAuth 2.0 (RFC 6749) is an open-standard authorization framework that lets client applications access online resources on a user's or their own behalf. Authorization works by requiring the client to obtain an access token from an authorization server; the token grants the client access to specific protected resources. The client then presents the access token to the resource server whenever it invokes that resource's endpoints.

Centrify supports OAuth 2.0, allowing custom Centrify client applications access to online resources needed by those applications.

You can configure a Centrify tenant and its client applications to support different flows (grant types), each with its own requirements and API calls for obtaining the access token:

  • Client Credentials Flow: in this flow, the client application presents its own client ID and client secret to the tenant's token endpoint and receives an access token. No user is involved, so this flow suits machine-to-machine access; the client secret must be stored as carefully as any other credential. For more information see the Client Credentials Flow RFC.
  • Authorization (Auth) Code Flow: in this flow, the client redirects the user to a Centrify popup where the user enters their credentials and grants access. The OAuth server then returns a short-lived authorization code to the client via the redirect URI. The client sends a request to the OAuth server's token endpoint that includes the authorization code (together with its own client credentials) and receives a bearer access token and a refresh token, which it uses to access subsequent endpoints and to obtain new access tokens. The access token is never exposed in the browser. For more information see the Authorization Code Flow RFC.
  • Implicit Flow: in this flow, the client redirects the user to a Centrify popup where the user enters their credentials and grants access. Centrify then redirects the user back to the client application with the access token included in the URL fragment of the redirect. The client can then use the access token to access subsequent endpoints. This flow is the simplest and was typically used by JavaScript applications running in a browser. Since the access token under this flow is assumed to be used temporarily, no refresh token is issued by the OAuth server. Because the token travels in the URL (where scripts, browser history and referrer leakage can expose it), current OAuth 2.0 security guidance recommends the authorization code flow for browser applications instead, where the server supports it.
  • Resource Owner Flow: in this flow, the client application provides its own user interface in which the user enters their credentials. The client sends those credentials to the Centrify server, which returns an access token to the client. Since the client handles the user's password directly and no Centrify popup mediates the authorization, this flow should only be used by highly trusted client applications, such as native applications running on an OS. For more information see the Resource Owner Flow RFC.
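The following added example (not Centrify's own code) shows the client side of the two redirect-based flows above as concrete messages: how the authorization code flow's redirect is built, how the callback is validated before the code is exchanged, and how the implicit flow's token arrives in the URL fragment. The tenant host, endpoint paths, service name, client ID and redirect URI are assumed placeholders; PKCE (RFC 7636) is an extension the page does not mention and its support by the server must be confirmed. The callback URLs in the walk-through are constructed, not captured.

```python
"""Client-side messages for the authorization code and implicit flows.

Added example, not Centrify's own code. Endpoint paths, the service name
"myservice" and the client identifiers below are assumed placeholders.
PKCE (RFC 7636) is an extension the page does not mention.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "https://tenant.example"                        # assumed placeholder
AUTHORIZE_URL = f"{TENANT}/oauth2/myservice/authorize"   # assumed path
TOKEN_URL = f"{TENANT}/oauth2/myservice/token"           # assumed path
CLIENT_ID = "my-client"                                  # assumed placeholder
REDIRECT_URI = "https://app.example/callback"            # assumed placeholder


def b64url(data: bytes) -> str:
    """Base64url without padding, as OAuth and JWT use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_auth_code_flow(scope: str) -> dict:
    """Build the redirect to the authorization endpoint.

    `state` is an unguessable per-request value the client stores and later
    compares against the callback; it is what stops an attacker from planting
    their own authorization code in the victim's session. `code_verifier` and
    `code_challenge` implement PKCE with the S256 method.
    """
    state = b64url(secrets.token_bytes(24))
    code_verifier = b64url(secrets.token_bytes(32))
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return {"url": f"{AUTHORIZE_URL}?{urlencode(params)}",
            "state": state, "code_verifier": code_verifier}


def handle_auth_code_callback(callback_url: str, session: dict) -> dict:
    """Validate the callback and build the token request body (RFC 6749 4.1.3).

    The returned body is what the client POSTs to TOKEN_URL together with its
    client credentials; the server answers with the access and refresh token.
    Raises ValueError on an error response or a state mismatch.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF, discarding code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


def handle_implicit_callback(callback_url: str, expected_state: str) -> dict:
    """Extract the access token the implicit flow returns in the URL fragment.

    The token rides after '#', so it never reaches the server hosting the
    redirect URI but is visible to every script on the page and lands in
    browser history; no refresh token accompanies it.
    """
    fragment = parse_qs(urlparse(callback_url).fragment)
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding token")
    return {
        "access_token": fragment["access_token"][0],
        "token_type": fragment.get("token_type", ["Bearer"])[0],
        "expires_in": int(fragment.get("expires_in", ["0"])[0]),
    }


if __name__ == "__main__":
    # Constructed walk-through: the client starts the flow and the server
    # (not contacted here) redirects back with a code bound to the same state.
    session = start_auth_code_flow("openid profile")
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}"
    print(handle_auth_code_callback(callback, session))
```

The state check is the part most often skipped in hand-written clients; without it any attacker who can lure the user to a crafted callback URL can bind their own authorization to the victim's session.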

Token Discovery

You can obtain information about token signing, which a resource server needs in order to verify the access tokens it receives, using the following endpoints:

  • /oauth2/<servicename>/keys: provides the public elements of the key currently in use for token signing, so that a resource server can verify token signatures without sharing any secret with the tenant.
  • /oauth2/getmeta?<servicename>: provides information on the service itself and the standard endpoint URIs it supports.
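To show what a resource server does with the public key material the keys endpoint publishes, here is an added example that is not Centrify's own code. It assumes the endpoint returns a JSON Web Key Set (RFC 7517, entries with "kty", "kid", "n", "e") and that tokens are RS256 JWTs; confirm both against your tenant's actual responses. The example builds such a key set, signs a token the way the server would, and verifies it the way a resource server should: select the key by "kid", refuse any algorithm other than the expected one, check the signature, then the expiry. RSA is implemented with stdlib integer arithmetic purely so the example runs offline; production code should use a maintained JOSE library, and the 1024-bit key is for demo speed only.

```python
"""Verify an RS256 token against a JWK Set like /oauth2/<servicename>/keys.

Added example, not Centrify's own code. The JWKS shape and RS256 are
assumptions about the tenant; the RSA arithmetic is a stdlib stand-in for a
real crypto library, not a recommendation.
"""
import base64
import hashlib
import json
import secrets
import time

# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int = 1024) -> dict:
    """Return an RSA key as {"n", "e", "d"} integers (demo size only)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes, as an int."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def int_to_b64url(x: int) -> str:
    return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))


def jwks_from_key(key: dict, kid: str) -> dict:
    """Public elements only, the way a keys endpoint publishes them."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": int_to_b64url(key["n"]), "e": int_to_b64url(key["e"])}]}


def sign_jwt(claims: dict, key: dict, kid: str) -> str:
    """Server side: produce a compact RS256 JWS carrying the claims."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = b64url(compact) + "." + b64url(json.dumps(claims, separators=(",", ":")).encode())
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(emsa_pkcs1_v15(signing_input.encode("ascii"), k), key["d"], key["n"])
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))


def verify_jwt(token: str, jwks: dict, now=None) -> dict:
    """Resource-server side: return the claims if valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":            # never let the token pick the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    matches = [j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("no unique signing key for kid")
    n = int.from_bytes(b64url_decode(matches[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(matches[0]["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    expected = emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode("ascii"), k)
    if pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Pin the expected algorithm in the verifier rather than reading it from the token, and look keys up by "kid" so that key rotation on the tenant (a new entry appearing at the keys endpoint) does not break verification of tokens signed before the rotation.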