ForgeRock Developer Experience

Register OAuth 2.0 clients in Advanced Identity Cloud

Applies to:

  • ForgeRock SDK for Android

  • ForgeRock SDK for iOS

  • ForgeRock SDK for JavaScript

OAuth 2.0 client profiles define how applications connect to Identity Cloud to obtain OAuth 2.0 tokens.

To allow the SDKs to connect to Identity Cloud and obtain OAuth 2.0 tokens, you must register at least one OAuth 2.0 client application.

There are two types of OAuth 2.0 client:

Public client

Public clients do not use a client secret to obtain tokens because they cannot keep one hidden. The ForgeRock SDKs commonly use this type of client to obtain tokens, because they cannot guarantee the safekeeping of client credentials in a browser or on a mobile device.

Confidential client

Confidential clients are able to securely store credentials and are commonly used for server-to-server communication. For example, the "Todo" API backend provided with the SDK samples uses a confidential client to obtain tokens.

Only the following tutorials and integrations require a confidential client:

Register a public OAuth 2.0 client

To register a public OAuth 2.0 client application for use with the SDKs in Identity Cloud, follow these steps:

  1. Log in to your Identity Cloud tenant.

  2. In the left panel, click Applications.

  3. Click Custom Application.

  4. Select OIDC - OpenId Connect as the sign-in method, and then click Next.

  5. Select Native / SPA as the application type, and then click Next.

  6. In Name, enter a name for the application, such as Public SDK Client.

  7. In Owners, select a user that is responsible for maintaining the application, and then click Next.

    When trying out the SDKs, you could select the demo user you created previously.

  8. In Client ID, enter sdkPublicClient, and then click Create Application.

    Identity Cloud creates the application and displays the details screen.

  9. On the Sign On tab:

    1. In Sign-In URLs, enter the following values:

      https://localhost:8443/callback.html

      https://com.example.reactnative.todo/callback

      https://com.example.flutter.todo/callback

      Also add any other domains where you host SDK applications.
    2. In Grant Types, enter the following values:

      Authorization Code

      Refresh Token

    3. In Scopes, enter the following values:

      openid profile email address

  10. Click Show advanced settings, and on the Authentication tab:

    1. In Token Endpoint Authentication Method, select none.

    2. In Client Type, select Public.

    3. Enable the Implied Consent property.

  11. Click Save.

The application is now configured to accept client connections from and issue OAuth 2.0 tokens to the example applications and tutorials covered by this documentation.

Register a confidential OAuth 2.0 client

The following tutorials and integrations require a confidential client:

To register a confidential OAuth 2.0 client application for use with the SDKs in Identity Cloud, follow these steps:

  1. Log in to your Identity Cloud tenant.

  2. In the left panel, click Applications.

  3. Click Custom Application.

  4. Select OIDC - OpenId Connect as the sign-in method, and then click Next.

  5. Select Web as the application type, and then click Next.

  6. In Name, enter a name for the application, such as Confidential SDK Client.

  7. In Owners, select a user responsible for maintaining the application, and then click Next.

    When trying out the SDKs, you could select the demo user you created previously.

  8. On the Web Settings page:

    1. In Client ID, enter sdkConfidentialClient.

    2. In Client Secret, enter a strong password and make a note of it for later use.

      The client secret is not available to view after this step.

      If you forget it, you must reset the secret and reconfigure any connected clients.

    3. Click Create Application.

      Identity Cloud creates the application and displays the details screen.

  9. On the Sign On tab, click Show advanced settings, and on the Access tab:

    1. In Default Scopes, enter am-introspect-all-tokens.

  10. Click Save.