Use the OAuth Server menu to configure various settings to support the grant types that your applications require.

A screenshot of the OAuth Server menu
  1. Configure the authorization server (AS) settings in the OAuth Server > Authorization Server Settings screen.
  2. Define any number of optional common scopes and exclusive scopes, create scope groups from any optional scopes as needed, and enter an optional description for the default scope using the OAuth Server > Scope Management configuration wizard.
  3. Create one or more access token management instances using the OAuth Server > Access Token Management configuration wizard.
    This is where you define the access token attribute contract for any given access token management instance.
  4. Configure one or more entries to map attributes from authentication sources to the persistent grants.
    Authorization Code or Implicit
    • Map attributes from an IdP adapter instance to the persistent grants using the OAuth Server > IdP Adapter Mapping configuration wizard.
    • Map attributes from an IdP connection to the persistent grants using the IdP Connection > Browser SSO > OAuth Attribute Mapping configuration wizard.
    • Create an authentication policy contract (APC) using the Policy Contracts configuration wizard, define an authentication policy to map attributes from the authentication sources (IdP adapter instances, IdP connections, or both) to the APC, and map attributes from the APC to the persistent grants using the OAuth Server > Authentication Policy Contract Mapping configuration wizard.
      Tip: If you are using a combination of authentication policies, APCs, and APC mappings, you can skip the IdP Adapter Mapping and OAuth Attribute Mapping configurations.

    Resource Owner Password Credentials
    • Map attributes from a password credential validator instance to the persistent grants using the OAuth Server > Resource Owner Credential Mapping configuration wizard.

    Note that mapping attributes to the persistent grants is the first stage of the two-stage access token mapping process.

  5. Configure one or more entries to map attributes from the persistent grants (or the authentication sources directly) to the attribute contract of your access token management instances using the OAuth Server > Access Token Mapping configuration wizard. Additionally, you can configure a mapping for clients using the client credentials grant type.
    Note that this is the second stage of the two-stage access token mapping process through the persistent grants.

    (For more information about the access token mapping process, see Mapping OAuth attributes.)

  6. For the client-initiated backchannel authentication (CIBA) flow, configure one or more CIBA authenticator instances and then one or more CIBA request policies.
  7. For the JWT Bearer or SAML 2.0 Bearer assertion grant flows, configure a mapping on the IdP Connection > OAuth Assertion Grant Attribute Mapping screen.
    Note that this use case exchanges a JWT or a SAML assertion for an OAuth access token.
  8. Define one or more OpenID Connect policies using the OAuth Server > OpenID Connect Policy Management configuration wizard if you support OpenID Connect use cases and the OpenID Connect protocol is enabled on the System > Protocol Settings > Roles & Protocols screen.
  9. Create one or more OAuth clients in the OAuth Server > Client Management screen.
  10. Optional: Configure client settings and registration policies for dynamic client registration.
  11. Optional: Configure client session management settings.
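The following Python is an added toy model of the two-stage mapping from steps 4 and 5 (authentication source to persistent grant, then persistent grant to access token attribute contract); it is not PingFederate code or its admin API, and every attribute, contract and mapping name in it is a constructed assumption. It also shows the failure case to check for in step 5: an access token mapping that references an attribute that was never written into the persistent grant cannot be fulfilled from the grant alone.

```python
# Added toy model of the two-stage attribute mapping (authentication source ->
# persistent grant -> access token contract). Not PingFederate code; every
# attribute and contract name below is a constructed assumption.
from dataclasses import dataclass, field
# Constructed sample: attributes a hypothetical IdP adapter instance returns.
IDP_ADAPTER_ATTRIBUTES = {
    "username": "alice",
    "mail": "alice@example.test",
    "memberOf": ["admins", "developers"],
    "sessionId": "sess-123",  # deliberately never mapped into the grant
}
# Stage 1 (step 4): IdP adapter mapping -> persistent grant. USER_KEY and USER_NAME
# are the core grant attributes; anything else must be a declared extended attribute.
GRANT_EXTENDED_CONTRACT = {"email", "groups"}
STAGE1_MAPPING = {"USER_KEY": "username", "USER_NAME": "username",
                  "email": "mail", "groups": "memberOf"}
# Stage 2 (step 5): persistent grant -> access token attribute contract.
TOKEN_CONTRACT = {"sub", "email", "roles"}
STAGE2_MAPPING = {"sub": "USER_KEY", "email": "email", "roles": "groups"}

@dataclass
class PersistentGrant:
    user_key: str
    user_name: str
    extended: dict = field(default_factory=dict)

def map_to_grant(source_attrs, mapping=STAGE1_MAPPING, extended=GRANT_EXTENDED_CONTRACT):
    # Stage 1: fulfil the persistent grant contract from the authentication source.
    values = {}
    for grant_attr, source_attr in mapping.items():
        if grant_attr not in ("USER_KEY", "USER_NAME") and grant_attr not in extended:
            raise ValueError(f"{grant_attr!r} is not in the persistent grant contract")
        values[grant_attr] = source_attrs[source_attr]  # KeyError if the source lacks it
    return PersistentGrant(values.pop("USER_KEY"), values.pop("USER_NAME"), values)

def map_to_token(grant, mapping=STAGE2_MAPPING, contract=TOKEN_CONTRACT):
    # Stage 2: build the access token claims from the persistent grant alone.
    grant_view = {"USER_KEY": grant.user_key, "USER_NAME": grant.user_name, **grant.extended}
    claims = {}
    for token_attr, grant_attr in mapping.items():
        if token_attr not in contract:
            raise ValueError(f"{token_attr!r} is not in the access token attribute contract")
        if grant_attr not in grant_view:
            raise KeyError(f"{grant_attr!r} was never persisted in the grant; cannot fulfil {token_attr!r}")
        claims[token_attr] = grant_view[grant_attr]
    return claims

def issue_claims(source_attrs, stage2_mapping=STAGE2_MAPPING):
    # Both stages in sequence: the claims the minted access token would carry.
    return map_to_token(map_to_grant(source_attrs), stage2_mapping)
```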