Client registration and activation - SSO

OAuth 2 clients must be registered with SSO management application to enable OAuth integration. During registration JSON formatted client metadata is exchanged with SSO management.

Registration Request

http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest
https://tools.ietf.org/html/rfc7591#section-3.1

Parameters

  • redirect_uris

Array of redirect uri values

Optional Parameters

  • grant_types

List of allowed grant types for client. It is recommended to list here the grant types the application specifically requires.

When this parameter is not defined, the default is to allow the following grant types: "authorization_code", "password", "refresh_token", and SMS-MT-OTP and SMTP-OTP grant. Exception: if "token_endpoint_auth_method" value "none" has been specified then only "authorization_code" grant type is allowed by default.

Specify empty list "[]" to disable all grant types.

Sample registration request
{
"redirect_uris": [ "https://client.example.com/response" ],
"grant_types": [ "authorization_code" ]
}

Registration Response

http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse
https://tools.ietf.org/html/rfc7591#section-3.2

Parameters

  • client_id

OAuth Client Identifier generated by SSO

  • client_secret

OAuth Client Secret generated by SSO


In addition to client_id and client_secret, the registration response contains all parameters from registration request.

Sample registration response
{
"redirect_uris": [ "https://client.example.com/response" ],
"grant_types": [ "authorization_code" ],
"client_id": "2001221477",
"client_secret": "***"
}

OAuth API Requests with Client Identifier and Secret

OAuth API requests such as Access Token Request at Authorization code grant and web single sign-on - SSO and Token Introspection at Authorization code grant and native applications - SSO require client_id and client_secret as input.

The client_id and client_secret parameters are either encoded as http basic authorization header or alternatively given as form or query parameters. With SSO the recommended method is http basic authorization header.

The http basic authorization mechanism is defined in http://tools.ietf.org/html/rfc2617#section-2.