OAuth 2.0 down-party
OAuth 2.0 Resource
An API is configured as an OAuth 2.0 down-party resource. The resource represents the API that access tokens are issued for, and its scopes are what clients can be granted.
- Click Create Down-party and then OAuth 2.0 - Resource (API)
- Specify the resource (API) name as the down-party name.
- Specify one or more scopes.
A client can subsequently be given access to the API by selecting the resource and the scopes it may request in the client's configuration.
Client Credentials Grant
A typical Client Credentials Grant client is a backend service that authenticates with a client id and a secret or key. No user is involved in the flow, so the access token represents the client itself.
- Click Create Down-party and then OAuth 2.0 - Client Credentials Grant
- Specify the client name as the down-party name.
- Specify the client authentication method. The default is client secret post (client_secret_post), and a secret is generated by default.
- Optionally change to another client authentication method:
  - Select show advanced settings
  - Select the client authentication method: client secret basic (client_secret_basic) or private key JWT (private_key_jwt)
  - If private key JWT is selected, upload a client certificate (pfx file); the client then authenticates with a JWT signed by the certificate's private key instead of presenting a shared secret
- Optionally grant the client access to call the party-api2 resource (API) with the
An access token can be issued with a list of audiences (the aud claim), so one token can be valid for several APIs that are defined in FoxIDs as OAuth 2.0 resources. Each API must still check that its own name is among the audiences before accepting the token.
The claims the down-party passes on can be changed with claim transforms.
Resource Owner Password Credentials Grant
Resource Owner Password Credentials Grant is not supported, for security reasons: the grant hands the user's password to the client, and the OAuth 2.0 Security Best Current Practice says it must not be used.
It is important to store client secrets securely, therefore client secrets are hashed inside FoxIDs with the same hash algorithm as passwords. If the secret is longer than 20 characters (which it should be), the first 3 characters are saved as information and shown for each secret in FoxIDs Control, so an administrator can tell secrets apart without the plaintext being recoverable.
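As an added example (not FoxIDs code) of the storage scheme described above: the secret is stored only as a salted, slow password hash, and a 3-character hint is kept for display when the secret is longer than 20 characters. PBKDF2-HMAC-SHA256 is assumed here; the page says only that FoxIDs uses the same algorithm as for passwords. The rotation helper and the iteration count are likewise assumptions.

```python
"""Hashed client secret storage with a short display hint.
Added example, not FoxIDs code; PBKDF2 and the iteration count are assumed."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256 (assumed choice)
HINT_MIN_LENGTH = 20   # hint only kept when the secret is longer than this
HINT_CHARS = 3


def generate_secret(nbytes=32):
    """Random client secret; 32 bytes gives 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def store_secret(secret):
    """Hash the secret and keep only salt, hash, iteration count and the hint."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    hint = secret[:HINT_CHARS] if len(secret) > HINT_MIN_LENGTH else ""
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS, "hint": hint}


def verify_secret(record, presented):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_client_secret(records, presented):
    """A client may have several active secrets during rotation. Every record is
    checked rather than stopping at the first match, so response time does not
    reveal which stored secret (if any) matched. The hint is display-only."""
    matched = False
    for record in records:
        matched |= verify_secret(record, presented)
    return matched


if __name__ == "__main__":
    s = generate_secret()
    rec = store_secret(s)
    print("hint shown in UI:", rec["hint"] + "...")
    print("verify:", verify_secret(rec, s), verify_secret(rec, "wrong"))
```

The hint is deliberately not used during verification; it exists so an operator can match a stored record to the secret a service was given, which is also why a 3-character prefix is only disclosed for secrets long enough that it removes negligible entropy.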