17.7.2.1.1. Configuration hints

Consider the following when configuring OAuth 2.0 / OpenID Connect:

  • Target Application using Identity Propagator
    • The URL Pattern of the target application must match the URL of the target application
      • Additionally, the list of target applications must not contain a target application with a more generic URL pattern. Target applications are selected based on this pattern, so such a target application would hide the current one.
    • The Application Entry URLs list must contain a pattern that matches the URL of the target application
    • The Default URL of the target application should point to the welcome page of the target application; this URL is only used when the login process is started by the Authentication Server instead of the Client.
    • How consent is obtained from the end-user can be configured in the property "Consent". Usually "OAuth 2.0 Local Consent" is used, but Airlock IAM also supports the concept of remote consent applications (see 13.3.1.3.1. Remote consent applications with OAuth).
  • OAuth 2.0 Authorization Code Grant Identity Propagator / OpenID Connect Identity Propagator
    • The Redirect URL must match the following patterns:
      • The URL Pattern of the target application
      • The Application Entry URLs of the target application
  • Access Token Config
    • These plugins specify how the access token is written to and read out of resource requests.
    • The access token can be included in a request parameter or in a header.
  • Client Secret Config
    • These plugins specify how the client secret is written to and read out of token endpoint requests.
    • The client secret can be included in a request parameter or in a header.

It is highly recommended to avoid "OAuth 2.0 No Client Secret Authentication"! Using client secret authentication strengthens the security of the OAuth 2.0 protocol significantly, as Airlock IAM gains the ability to verify OAuth 2.0 clients. Only use "OAuth 2.0 No Client Secret Authentication" for OAuth 2.0 clients that are unable to authenticate with a client secret.
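The URL-pattern hints above can be checked offline before a configuration is activated. The following is an added example, not Airlock IAM code: it assumes the patterns are regular expressions matched against the whole URL (the product's actual pattern syntax may differ), and `TargetApp`, `check_target_app` and the sample hostnames are hypothetical.

```python
import re
from dataclasses import dataclass, field

@dataclass
class TargetApp:
    name: str
    url_pattern: str  # assumption: a regex matched against the full URL
    entry_url_patterns: list = field(default_factory=list)

def _matches(pattern, url):
    return re.fullmatch(pattern, url) is not None

def check_target_app(apps, name, app_url, redirect_url):
    """Return the list of findings for target application `name`."""
    app = next(a for a in apps if a.name == name)
    findings = []
    if not _matches(app.url_pattern, app_url):
        findings.append("URL Pattern does not match the application URL")
    # Any other target application whose pattern also matches this URL is
    # "more generic" in the sense of the hints and can hide this one.
    for other in apps:
        if other is not app and _matches(other.url_pattern, app_url):
            findings.append(f"hidden by more generic pattern of '{other.name}'")
    if not any(_matches(p, app_url) for p in app.entry_url_patterns):
        findings.append("no Application Entry URL pattern matches the application URL")
    # The Redirect URL must match both the URL Pattern and the entry URLs.
    if not _matches(app.url_pattern, redirect_url):
        findings.append("Redirect URL does not match the URL Pattern")
    if not any(_matches(p, redirect_url) for p in app.entry_url_patterns):
        findings.append("Redirect URL does not match any Application Entry URL pattern")
    return findings

# Constructed sample configuration; hostnames and paths are placeholders.
APPS = [
    TargetApp("portal", r"https://apps\.example\.com/.*",
              [r"https://apps\.example\.com/.*"]),
    TargetApp("shop", r"https://apps\.example\.com/shop/.*",
              [r"https://apps\.example\.com/shop/.*"]),
]

if __name__ == "__main__":
    for finding in check_target_app(APPS, "shop",
                                    "https://apps.example.com/shop/home",
                                    "https://apps.example.com/shop/callback"):
        print("shop:", finding)
```

With the sample data, "shop" is reported as hidden by "portal", because the broader pattern of "portal" also matches the shop URL.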