Advanced configuration

We discuss a few advanced configuration properties. Please refer to the plugin descriptions for more details.

Allowing access tokens to be sent to URLs chosen by the caller

The sample configuration limits the allowed URLs where the access token may be sent to exactly one URL, namely "". You can allow additional URLs by relaxing the patterns in the target application.

For example, you can define:

  • URL Pattern:
  • https://this\.is\.your\.redirect\.url/.*
  • Application Entry URLs:
  • https://this\.is\.your\.redirect\.url/.*

to allow the token to be issued to :

In this case, the client would have to use "" in the initial request.

Choose the Redirect URL with Care

It is highly important that the redirect URL is validated properly. Thus, the "URL Pattern" and the "Application Entry URLs" must be chosen carefully. Otherwise, this might allow attacks that leak access tokens to the attacker by choosing, e.g., "" as redirect location. Also remember to always escape any dots in patterns with \. to make sure it doesn't match any character. Otherwise, in the abovementioned example, an attacker could easily set the redirect_uri to "https://thisZisZyourZredirect.url/".

Dealing with multiple OAuth 2.0 clients

It is possible to configure several target applications, each with its own "OAuth 2.0 Implicit Grant Identity Propagator" and Client ID. The configuration is analogous to the example above.