PingAM 7.5.0

/realm-config/agents/OAuth2Client

AM-specific endpoint that lets AM and agent administrators create, list, and delete OAuth 2.0 clients.

You can also use the endpoint with scalable clients to create and manage large numbers of OAuth 2.0 clients without impacting system performance.

Use the AM API explorer for detailed information about the parameters supported by this endpoint, and to test it against your deployed AM instance.

In the AM admin UI, click the Help icon, and go to API Explorer > /realm-config > /agents > /OAuth2Client.

Create an OAuth 2.0 client

This example registers a basic OAuth 2.0 client named myClient in the alpha realm. Provide the SSO token of an administrative user as a header, and append the name of the client to the URL. The `userpassword` value in the payload is the client's secret; the value shown is only a placeholder for the example, so replace it with a secret of your own when registering a real client.

Example
$ curl \
--request PUT \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--header "iplanetDirectoryPro: AQIC5wM…​3MTYxOA..*" \
--data '{
   "coreOAuth2ClientConfig":{
      "agentgroup":"",
      "status":{
         "inherited":true,
         "value":"string"
      },
      "userpassword":"forgerock",
      "clientType":{
         "inherited":false,
         "value":"Confidential"
      },
      "redirectionUris":{
         "inherited":false,
         "value":[
            "https://www.example.com:443/callback"
         ]
      },
      "scopes":{
         "inherited":false,
         "value":[
            "write",
            "read"
         ]
      },
      "defaultScopes":{
         "inherited":true,
         "value":[
            "write"
         ]
      },
      "clientName":{
         "inherited":true,
         "value":[
            "My Test Client"
         ]
      }
   },
   "advancedOAuth2ClientConfig":{
      "name":{
         "inherited":false,
         "value":[
            null
         ]
      },
      "grantTypes":{
         "inherited":true,
         "value":[
            "authorization_code",
            "client_credentials"
         ]
      },
      "tokenEndpointAuthMethod":{
         "inherited":true,
         "value":"client_secret_basic"
      }
   }
}' \
"https://openam.example.com:8443/openam/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
{
   "_id":"myClient",
   "_rev":"-60716879",
   "advancedOAuth2ClientConfig":{
      "descriptions":{
         "inherited":false,
         "value":[

         ]
      },

…

      "clientType":{
         "inherited":false,
         "value":"Confidential"
      },
…
      "_type":{
      "_id":"OAuth2Client",
      "name":"OAuth2 Clients",
      "collection":true
   }
}

To manage a large number of clients, refer to Scalable OAuth 2.0 clients.

Update an OAuth 2.0 client

To update an existing OAuth 2.0 client, use a PUT request similar to the create request. Make sure you include all the attributes to be retained in the client configuration: the PUT replaces the whole client configuration, so if you omit an attribute from the JSON payload, the request effectively deletes that attribute from the client.

Query OAuth 2.0 clients

This example lists the OAuth 2.0 clients in the alpha realm. Provide the SSO token of an administrative user as a header.

Example
$ curl \
--request GET \
--header "Accept-API-Version: resource=1.0" \
--header "iplanetDirectoryPro: AQIC5wM…​3MTYxOA..*" \
"https://openam.example.com:8443/openam/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client?_queryFilter=true"
{
  "result": [
    {
      "_id": "myClient",
      "_rev": "-1788958356",
      "overrideOAuth2ClientConfig": {
        "issueRefreshToken": true,
        "validateScopePluginType": "PROVIDER",
        "tokenEncryptionEnabled": false,
        "evaluateScopePluginType": "PROVIDER",
        "oidcMayActScript": "[Empty]",
        "oidcClaimsScript": "[Empty]",
        "accessTokenModificationPluginType": "PROVIDER",
        "authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
        "oidcClaimsPluginType": "PROVIDER",
        "providerOverridesEnabled": false,
        "authorizeEndpointDataProviderScript": "[Empty]",
        "statelessTokensEnabled": false,
        "authorizeEndpointDataProviderPluginType": "PROVIDER",
        "remoteConsentServiceId": null,
        "enableRemoteConsent": false,
        "validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
        "usePolicyEngineForScope": false,
        "evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
        "overrideableOIDCClaims": [],
        "accessTokenMayActScript": "[Empty]",
        "evaluateScopeScript": "[Empty]",
        "clientsCanSkipConsent": false,
        "accessTokenModificationScript": "[Empty]",
        "issueRefreshTokenOnRefreshedToken": true,
        "validateScopeScript": "[Empty]"
      },
      "advancedOAuth2ClientConfig": {
        "logoUri": [],
        "subjectType": "public",
        "clientUri": [],
        "tokenExchangeAuthLevel": 0,
        "responseTypes": [
          "code",
          "token",
          "id_token",
          "code token",
          "token id_token",
          "code id_token",
          "code token id_token",
          "device_code",
          "device_code id_token"
        ],
        "mixUpMitigation": false,
        "customProperties": [],
        "javascriptOrigins": [],
        "policyUri": [],
        "softwareVersion": null,
        "sectorIdentifierUri": null,
        "tosURI": [],
        "tokenEndpointAuthMethod": "client_secret_basic",
        "isConsentImplied": false,
        "refreshTokenGracePeriod": 0,
        "softwareIdentity": null,
        "grantTypes": [
          "authorization_code"
        ],
        "require_pushed_authorization_requests": false,
        "descriptions": [],
        "requestUris": [],
        "name": [],
        "contacts": [],
        "updateAccessToken": null
      },
      "signEncOAuth2ClientConfig": {
        "tokenEndpointAuthSigningAlgorithm": "RS256",
        "idTokenEncryptionEnabled": false,
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
        "requestParameterSignedAlg": null,
        "authorizationResponseSigningAlgorithm": "RS256",
        "clientJwtPublicKey": null,
        "idTokenPublicEncryptionKey": null,
        "mTLSSubjectDN": null,
        "jwkStoreCacheMissCacheTime": 60000,
        "jwkSet": null,
        "idTokenEncryptionMethod": "A128CBC-HS256",
        "jwksUri": null,
        "tokenIntrospectionEncryptedResponseAlg": "RSA-OAEP-256",
        "authorizationResponseEncryptionMethod": null,
        "userinfoResponseFormat": "JSON",
        "mTLSCertificateBoundAccessTokens": false,
        "publicKeyLocation": "jwks_uri",
        "tokenIntrospectionResponseFormat": "JSON",
        "requestParameterEncryptedEncryptionAlgorithm": "A128CBC-HS256",
        "userinfoSignedResponseAlg": null,
        "idTokenEncryptionAlgorithm": "RSA-OAEP-256",
        "requestParameterEncryptedAlg": null,
        "authorizationResponseEncryptionAlgorithm": null,
        "mTLSTrustedCert": null,
        "jwksCacheTimeout": 3600000,
        "userinfoEncryptedResponseAlg": null,
        "idTokenSignedResponseAlg": "RS256",
        "userinfoEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
        "tokenIntrospectionSignedResponseAlg": "RS256"
      },
      "coreOpenIDClientConfig": {
        "claims": [],
        "backchannel_logout_uri": null,
        "defaultAcrValues": [],
        "jwtTokenLifetime": 0,
        "defaultMaxAgeEnabled": false,
        "clientSessionUri": null,
        "defaultMaxAge": 600,
        "postLogoutRedirectUri": [],
        "backchannel_logout_session_required": false
      },
      "coreOAuth2ClientConfig": {
        "status": "Active",
        "clientName": [],
        "clientType": "Confidential",
        "loopbackInterfaceRedirection": false,
        "defaultScopes": [],
        "agentgroup": null,
        "refreshTokenLifetime": 0,
        "scopes": [],
        "accessTokenLifetime": 0,
        "redirectionUris": [],
        "authorizationCodeLifetime": 0
      },
      "coreUmaClientConfig": {
        "claimsRedirectionUris": []
      },
      "_type": {
        "_id": "OAuth2Client",
        "name": "OAuth2 Clients",
        "collection": true
      }
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "EXACT",
  "totalPagedResults": 1,
  "remainingPagedResults": -1
}

To query a large number of clients, refer to Scalable OAuth 2.0 clients.

Delete an OAuth 2.0 client

This example deletes an OAuth 2.0 client named myClient in the alpha realm. Provide the SSO token of an administrative user as a header, and append the name of the client to the URL.

Example
$ curl \
--request DELETE \
--header "Accept-API-Version: resource=1.0" \
--header "iplanetDirectoryPro: AQIC5wM…​3MTYxOA..*" \
"https://openam.example.com:8443/openam/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
{
    "_id": "myClient",
    "_rev": "-614477476",
    ...
}