Registering an API protection client

Register OAuth API protection clients in the Clients panel. Clients are the entities against which OAuth access and refresh tokens are granted at runtime.

About this task

API Protection clients now have a dynamic data field when they are configured. This allows arbitrary data to be stored against the client and read at runtime (for example, in the consent page or in mapping rules).

Procedure

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click OpenID Connect and API Protection.
  4. Click Clients.
  5. Click Add.
  6. Specify the following information:
    Client name
    Specify a meaningful client identifier for each client registration. You can use this value to search for client registrations.
    API definition
Specifies the related Definition, which owns and defines the client. A Definition can own many client registrations, but a client registration can belong to only one Definition. When you create a client, a list of available Definitions is displayed. After the client is created, this value cannot be modified.
    Confidential
    Specify whether the client type is confidential. A confidential client type requires a client secret. Enable this feature if you want the client to require a client secret.
    Client secret
This field is enabled only if the client is indicated as confidential. Specify a client secret that is used to authenticate the OAuth client at runtime. It is mandatory for all clients that belong to API protection definitions where the client type is Confidential and the client credentials grant type is enabled. Click Generate to have a client secret generated for you, or specify your own secret.
    Redirect URI (Optional)
    Click New to specify the redirect URI to use for the client. You can create multiple redirect URI entries. Each URL must be unique.
    Company name
    Specify the name of the company for this client.
    Company URL (Optional)
    Specify the URL of the company website.
    Contact name (Optional)
    Specify a name of the contact person for this client.
    Email address (Optional)
    Specify the email address of the contact person for this client.
    Telephone number (Optional)
    Specify the telephone number of the contact person for this client.
    Contact type (Optional)
    Select the contact type from the list:
    • Administrative
    • Support
    • Technical
    • Billing
    • Other
    Other information (Optional)
    Specify extra information about the client contact.
    Require PKCE (RFC 7636)
Requires Proof Key for Code Exchange (PKCE), which protects the authorization code flow when it is performed from a mobile device. See Proof Key for Code Exchange support.
    JWKS endpoint
    The endpoint from which the client's public key is retrieved when encryption is used.

    JWT Encryption keystore
The keystore that is used for key agreement when an asymmetric JWT encryption algorithm is used. You can use a pre-token mapping rule to override this value at runtime.

    This field is enabled if OIDC is enabled for the selected API Definition.

    JWT Encryption certificate
The label of the key in the keystore that is used for key agreement when an asymmetric JWT encryption algorithm is used. You can use a pre-token mapping rule to override this value at runtime.

    This field is enabled only if a valid encryption keystore is selected from the drop-down list for JWT Encryption keystore.

  7. Enter any dynamic data on the Extension Properties tab.
    Extension Properties
    Free-form JSON data that applies to API clients.
  8. Click OK.
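The Require PKCE (RFC 7636) setting in step 6 makes the authorization server refuse an authorization code that was not bound to a code_challenge and refuse to redeem it without the matching code_verifier. The following is an added example of that check, not code from this documentation or from the product; the in-memory code store and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Allowed code_verifier syntax: 43 to 128 "unreserved" characters (RFC 7636 section 4.1).
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy code_verifier; token_urlsafe only emits [A-Za-z0-9_-]."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return secrets.token_urlsafe(96)[:length]


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed in-memory store of issued authorization codes (stands in for real server storage).
_issued_codes: dict[str, tuple[str, str]] = {}


def issue_code(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: with Require PKCE on, no S256 challenge means no code is issued."""
    if method != "S256" or not code_challenge:
        raise ValueError("Require PKCE: an S256 code_challenge is mandatory")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (code_challenge, method)
    return code


def redeem_code(code: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single-use and only valid with the verifier it was bound to."""
    entry = _issued_codes.pop(code, None)  # consume the code whether or not the check passes
    if entry is None or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    stored_challenge, _method = entry
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    code = issue_code(s256_challenge(verifier))
    print("redeemed with the matching verifier:", redeem_code(code, verifier))
```

The s256_challenge function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly.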