Managing OpenID Connect and OpenID Connect for Open Banking application API access
If a developer builds an application that uses one or more of the Verify functions, the application must be entitled to call the appropriate Verify APIs. Register the in-house application as an API client in API access to assign it a unique client ID and secret.
Before you begin
- You must have administrative permission to complete this task.
- Log in to the IBM® Verify administration console as an Administrator.
About this task
You can grant API access to your OpenID Connect for Open Banking application when you create it or later by using the edit option. API clients can be created for the application and each API client can have a different set of API access entitlements.
You can also implement an IP filter so that token issuance and usage can be limited to, or excluded from, certain IP address ranges.
Procedure
- Select Applications > Applications.
- Select Add application.
- Select OpenID Connect or OpenID Connect for Open Banking application and select Add application.
- Select API access.
- Create the application API client.
- Select Add API client.
- Specify the following information for the API client:
Table 1. Application API client (Field: Settings)
Name: Specify the name of the API client. Note: Only alphanumeric characters and the following special characters are allowed: hyphen (-), period (.), and underscore (_).
Enabled: Indicates whether the API client is enabled or disabled. The default setting is enabled. An enabled API client can call the APIs to which it is entitled. A disabled API client cannot call any APIs, including those APIs to which it is entitled.
Client ID: Unique identifier of the API client. This information is automatically generated and displayed in the API Clients list after you save the API client.
Client secret: Used with the client ID to verify the identity of the API client. It is a secret that must be known only to the application and to the authorization server. This information is automatically generated after you save the API client.
Client authentication method: Verify supports the following client authentication methods:
- Default
- Client secret basic
- Client secret POST
- Private key JWT
- Mutual TLS
Note: The default client authentication method is Default. If left as Default, both client secret basic and client secret POST are allowed. If the relying party supports it, use private key JWT or Mutual TLS instead. For more information about Mutual TLS client authentication, see OpenID Connect mutual TLS client authentication and certificate-bound access token.
Validate client assertion JTI: This option is displayed only when the private key JWT client authentication method is selected. Indicates whether the JTI in the client assertion JWT is validated for single use.
Allowed signature verification keys: This option is displayed only when the private key JWT client authentication method is selected. The signature verification key IDs that can be used to verify the client assertion JWT.
JWKS URI: This option is displayed only when the private key JWT client authentication method is selected. The URI where the relying party publishes its public keys in JSON Web Key Set (JWKS) format. This URI is used for JWT signature verification or encryption. The system can reject an unreachable or unresponsive JWKS URI. The system can also reject the JWKS URI if the JWKS is too large. If the relying party does not publish a JWKS URI, a public key can be added to the system in the form of an X.509 certificate. See Managing certificates. The Friendly Name that is associated with the public certificate is the value of the key ID (kid) header of the JWT.
TLS client authentication attribute: This option is displayed only when the Mutual TLS client authentication method is selected. The certificate attribute that is used for authentication:
- Subject DN
- SAN DNS
- SAN URI
- SAN IP
- SAN email address
TLS client authentication attribute value: This option is displayed only when the Mutual TLS client authentication method is selected. The value of the attribute in the certificate that is used for authentication.
Certificate-bound access tokens: Indicates whether the tokens that are generated are certificate-bound. For more information about certificate-bound access tokens, see OpenID Connect mutual TLS client authentication and certificate-bound access token.
- Configure the access token and refresh token expiry to limit the time of unauthorized access when these tokens are stolen. The access token is used to authorize access to the protected resource. After the access token expires, the authorization is revoked.
Table 2. Token settings (Field: Description)
Access token expiry (secs): Sets the length of time in seconds after which the access token expires. Set an access token expiry to limit the time that an attacker can access the resource with a stolen token when the client application is compromised. Only positive integers are allowed. The default value is 7200 seconds. The minimum allowed value is 1 and the maximum is 2147483647 seconds.
Access token format: Specifies the format of the access token. The following options are available:
- default
- JWT
- Specify the following information if you want to implement an IP filter to make sure that the API client ID and secret are distributed safely.
Table 3. IP filter settings (Field: Description)
Enable IP filtering: Indicates whether the IP filter is enabled or disabled.
Allow list/Deny list: Indicates the type of filter, whether the list is an allow list or a deny list. Required if Enable IP filtering is enabled.
IP filters: List of IP filters. Required if Enable IP filtering is enabled. Each IP filter is a single IP address, an IP range, or an IP subnet mask. Both IPv4 and IPv6 are supported. For example: 192.0.2.55, 192.0.2.55-192.0.2.61, 192.0.2.55/24, 2001:db8::1, 2001:db8::1-2001:db8::ff, 2001:db8:1234::/48
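The following is an added example, not IBM Verify's own code, of a matcher for the IP filter syntax in Table 3 (single address, range, or subnet, in IPv4 or IPv6) applied as an allow list or a deny list. The filter object shape ({ enabled, mode, filters }) is an assumption, and the sample filters used to exercise it are the ones listed in the table.

```javascript
// Convert a textual IPv4 or IPv6 address to a BigInt so that ranges compare numerically.
function ipToBigInt(ip) {
  if (ip.includes(':')) {
    const parts = ip.split('::');                       // at most one "::" compression
    const hi = parts[0] ? parts[0].split(':') : [];
    const lo = parts[1] ? parts[1].split(':') : [];
    const fill = parts.length === 2 ? 8 - hi.length - lo.length : 0;
    if (parts.length > 2 || fill < (parts.length === 2 ? 1 : 0) || hi.length + lo.length + fill !== 8) throw new Error(`bad IPv6 address: ${ip}`);
    return [...hi, ...Array(fill).fill('0'), ...lo].reduce((acc, g) => {
      if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`bad IPv6 group: ${g}`);
      return (acc << 16n) | BigInt(parseInt(g, 16));
    }, 0n);
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return octets.reduce((acc, o) => {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) throw new Error(`bad IPv4 octet: ${o}`);
    return (acc << 8n) | BigInt(o);
  }, 0n);
}

// Parse one filter entry (single address, "low-high" range, or "address/prefix" subnet)
// into an inclusive numeric interval tagged with its address family.
function parseFilter(spec) {
  const family = spec.includes(':') ? 6 : 4;
  const bits = family === 6 ? 128n : 32n;
  if (spec.includes('/')) {
    const [base, len] = spec.split('/');
    const prefix = BigInt(len);
    if (prefix < 0n || prefix > bits) throw new Error(`bad prefix length: ${spec}`);
    const hostBits = (1n << (bits - prefix)) - 1n;
    const low = ipToBigInt(base) & (((1n << bits) - 1n) ^ hostBits); // 192.0.2.55/24 -> 192.0.2.0/24
    return { family, low, high: low | hostBits };
  }
  if (spec.includes('-')) {
    const [low, high] = spec.split('-').map((a) => ipToBigInt(a));
    if (low > high) throw new Error(`bad range: ${spec}`);
    return { family, low, high };
  }
  const addr = ipToBigInt(spec);
  return { family, low: addr, high: addr };
}

// Decide whether a client address may obtain or use tokens under the configured IP filter.
function isIpPermitted({ enabled, mode, filters }, clientIp) {
  if (!enabled) return true;                                  // filtering off: nothing is blocked
  const addr = ipToBigInt(clientIp), family = clientIp.includes(':') ? 6 : 4;
  const matched = filters.map(parseFilter).some((r) => r.family === family && addr >= r.low && addr <= r.high);
  return mode === 'allow' ? matched : !matched;               // allow list admits only matches; deny list blocks them
}
```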
- Select the Restrict custom scopes checkbox.
If you select Restrict custom scopes, the scopes that are granted to the client at the end of the flow are restricted to those scopes that are specified in this section. Type the name of the custom scope that you want to grant and a description. The scope name refers to the OAuth2/OIDC scope that is requested by a relying party or client. The description is a friendly explanation for the scope. Select Add scope to grant more scopes.
- Select the APIs to which you want to grant access. See Access entitlements for more information.
If Select All is set to Off, select the APIs to which you want to grant the client access. If Select All is set to On, the client is granted access to all of the APIs. However, you can clear the checkboxes of any APIs that you do not want the client to have access to.
Note:
- You can create an API client that has no initial permission to call any APIs. You can edit it later to grant the specific API access.
- Only the APIs that are relevant to your subscription plan are available for selection.
- For OIDC applications, a default client with a client name that is the same as the application name is in the list of API clients for that application. It cannot be deleted unless the application is deleted or switched to a different sign-on method.
- Select Done.
- Ensure that you completed the required fields on the General and Sign-on tabs.
- Select Save.
The Client ID and Client Secret are generated, and the application and API client are created.
- View and edit the API client.
- Scroll to find the API client.
- Hover over the API client and select the edit icon. The Edit API Client dialog box is displayed.
- Use the following options, each of which is selected by its icon in the dialog box:
- View the client secret.
- Hide the client secret.
- Copy the client ID or secret to the clipboard.
- View rotated client secrets. Select one or more rotated client secrets from the list, and click Delete to delete them.
- Generate a new client secret. Use this option if you think that the client secret is compromised. If you do regenerate the client secret, you must update the client secret in all the OAuth clients for the application.
- Select the checkbox for Retain current secret to add the current client secret to the list of rotated client secrets.
- If the Retain current secret checkbox is selected, choose the client secret description and expiration time (in browser local time). If no expiration time is selected, the tenant's Rotated secret lifetime that is set in the Application settings applies.
- Rotated client secrets are hashed and cannot be retrieved in plain text anymore, but they can still be used until the selected expiration date.
- After confirmation, the client secret is immediately rotated. The new client secret is shown on the screen.
- Edit any information that you want to change.
- Select Done.
- Delete the API client.
- Scroll to find the API client.
- Select the checkbox for the client. To delete multiple API clients, select the checkbox for each client that you want to delete.
- Select Delete from the Items selected toolbar. Note: The Delete that is in the lower-left corner of the window deletes the application, not the API client. You can also delete an API client by selecting it and selecting the delete icon on the details panel.
- Confirm that you want to delete the API client.
- When you are done, select Save.