Creating a profile with an authorization code for authorization server endpoints
Create an OAuth client profile that uses the authorization code grant type when the DataPower® Gateway is the authorization server endpoint.
Procedure
- Set the client type.
- Select the method to authenticate the OAuth client. This property is valid only when the client type is confidential.
  - If you use the client secret for authentication, specify whether to generate the client secret or define the client secret. The specification references the client secret as client_secret.
  - If you use the client certificate from a mutual TLS communication for authentication, define the validation credentials.
  - If you use the JWT that the client sends for authentication, define the JWT validator configuration for client authentication.
- Set the method to verify the scope for authorization grants and access tokens.
  - If customized, specify the location of the stylesheet or GatewayScript file that validates and sets the scope to check.
  - If explicit, enter the expression that defines the scope to check.
- Set the shared secret key that protects tokens. The shared secret key must be at least 32 bytes in length.
- Set the redirection URIs that the OAuth client supports to exchange tokens. Specify each redirection URI as a PCRE. Registered redirection URIs help to detect malicious clients and prevent phishing attacks: the authorization endpoint can validate the authorization request from the client only against redirection URIs that are already registered. For mobile applications, the redirection URI can be an application URL; for example, mobiletrafficapp:// is defined with the ^mobiletrafficapp:\/\/ PCRE.
- Set the location of the stylesheet or GatewayScript file that generates the authorization form and error page. The authorization form and error page are presented to the resource owner and handle errors.
- Set the caching mechanism to indicate whether to support revocation.
- Set the location of the stylesheet or GatewayScript file for additional OAuth processing.
- Set which OAuth features to enable.
  - Indicate that the access token is a one-time use token. One-time use tokens require the token cache or the distributed cache.
  - Indicate whether the refresh token can be reused until it expires or is revoked.
  - Indicate that applications must use Proof Key for Code Exchange (PKCE) for the authorization code grant type. For details, see RFC 7636.
  - Return verbose details on success, or the error description when an error occurs. You can also enable this feature by setting the var://context/oauth/features variable to verboseerror. When enabled, the response includes the following extra data.
    - On success, includes grant_type and, when the access token is a one-time use token, includes one_time_use.
    - On failure, includes error_description.
- Set the default value of the scope if none is requested in the request.
- Set the lifetime for the local authorization page in seconds.
- Set the lifetime for an authorization code in seconds.
- Set the lifetime for the access token in seconds.
- Set the maximum number of refresh tokens that can be generated for a specific permission set. If the value is not 0, specify the lifetime for the refresh token in seconds.
- Set the maximum consent lifetime in seconds before the application must gather consent again.
- Indicate whether to use a stylesheet or GatewayScript file to extract information about the resource owner. If yes, specify the location of the stylesheet or GatewayScript file, which must be in the local: or store: directory.
- When you do not select Disable Validation Grant, set the validation grant type features to enable.
  - Whether to support the introspection format.
  - Whether to allow anonymous access to the validation grant type.