# OIDC and OAuth integration OpenIAM acts as a fully-featured **OAuth 2.0 Authorization Server** and **OpenID Connect Provider (OP)**. This document covers two things: 1. **Admin UI** — how to configure an OAuth/OIDC client in the webconsole 2. **Endpoints** — the live URLs an application uses to run OAuth/OIDC flows ## Concepts: Scopes as Resources In OpenIAM, **OAuth scopes are modelled as Resources** in the resource catalogue.\ When you assign scopes to an OAuth client, you are selecting which Resources the client is allowed to request.\ Standard OIDC scopes (`openid`, `profile`, `email`) are also backed by system Resources. ## Creating an OAuth client {% stepper %} {% step %} ### Create an authentication provider To create a new authentication provider: * Log in to **Webconsole** and go to **Access Control** → **Authentication Providers**. * Select **Create New Provider**. * Select **OAuth Client** from **Select a Provider Type**.

Give the provider a descriptive **Name** (e.g., `My App – Production`). The system will auto-generate:

Field	Example	Notes
Client ID	`3f8a1c2d-...`	UUID, read-only after creation
Client Secret	`aBcD1234...`	Read-only, shown once; rotate via Regenerate

{% endstep %} {% step %} ### Configure the OAuth client provider

Field Name	Description
Provider name	A descriptive name for this configuration, such as `OpenIAM OAuth2 with Spring Boot`.
Redirect URL	Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Since the redirect URL can contain sensitive information, it is critical that the service doesn't redirect the user to an arbitrary location.
Allow multiple Active Tokens	Set this value to `Off`, which is the default.
Signing Algorithm	Select the algorithm used to sign tokens issued for your application or API. For example, `RS-256`.
JWT Issuer	Identifies the client that the JWT is issued to. You can use a descriptive value such as `openiam-spring-test`.
Final JWT Issuer view	Generated automatically after you enter the JWT Issuer value.
OpenID Connect Discovery URL	Generated automatically after you enter the JWT Issuer value. Use this URL to configure OIDC clients.
Authorization Grant Flow	Select the grant type your application will use. This setting must match the flow configured in the client application. For this example, select `Authorization Code`.
Client Authentication Type	Describes how the client sends credentials to the authorization server. You can choose Basic Authentication or Request Body.
Default Scopes	Scopes limit the access granted to a token. Select the scopes from the dropdown. In OpenIAM, scopes are resources that you manage through Resource Manager.
Skip scope approval	Set this to `Off`.
Token expiration	The access token expires after the specified period of inactivity. A common value is 30 minutes.
Use refresh token	Refresh tokens let the client request a new access token. In most cases, set this value to `Off`.
Protect by 2FA	Set this value to `Off` unless you want to use 2FA during the authentication process.

This example shows a provider configuration for the Spring Boot test application referenced earlier in this page. After you save the configuration, OpenIAM generates the `clientId` and `clientSecret` for the OAuth 2.0 client. {% endstep %} {% step %} ### Configure core settings Configure the following: * **JWT Issuer** — a short identifier used to construct the OIDC issuer URL: `/idp/oauth2/{jwtIssue}`. It must be unique across all providers. * **Issuer URL** — computed as `https://{host}/idp/oauth2/{jwtIssue}` * **Discovery URL** — computed as `https://{host}/idp/oauth2/{jwtIssue}/.well-known/openid-configuration` {% endstep %} {% step %} ### Choose a grant flow You can select one in the **Authorization Grant Flow** dropdown.

Grant Flow	When to use
`AUTHORIZATION_CODE`	Web apps with a back-end server (most common, most secure)
`AUTHORIZATION_CODE` + PKCE	Single-page apps, mobile / native apps (no client secret)
`CLIENT_CREDENTIALS`	Machine-to-machine (no user involved)
`REFRESH_TOKEN`	Any flow that needs long-lived access via refresh tokens
`IMPLICIT`	Legacy only. Not recommended — use Authorization Code + PKCE instead
`HYBRID`	Returns code + token (or id_token) in the authorization response

{% hint style="info" %} Multiple flows can co-exist: e.g., enable `AUTHORIZATION_CODE` + check **Use Refresh Token** to also allow the refresh grant. {% endhint %} {% endstep %} {% step %} ### Select client authentication type It controls how the client proves its identity when calling the Token endpoint.

Auth Type	Transport	When to use
`BASIC`	HTTP `Authorization: Basic base64(id:secret)`	Default for confidential apps
`POST`	`client_id` + `client_secret` in POST body	When Basic Auth is not supported
`JWT`	Client-signed JWT (private key)	High-security, no secret transmitted
`ASSERTION`	Generic assertion (SAML or JWT bearer)	Federation scenarios
`DEVICE`	Out-of-band device flow	Smart TVs, CLIs, IoT

For **Client Authentication Type = JWT**, also set: * **JWT Signing Algorithm** — e.g., `RS256`, `HS256`, `ES256` * **Client JWT Validation URL** — JWKS endpoint to fetch the client's public key for validation * **Client JWT Validation Key** — Symmetric (HMAC) key if using HS256 For **Client Assertion Type**, choose: * `JWT_BEARER` — RFC 7523 JWT Bearer grant * `SAML_BEARER` — RFC 7522 SAML 2.0 Bearer grant {% endstep %} {% step %} ### Configure token and session settings

Field	Unit	Description
Token Expiration	seconds	Lifetime of access tokens (e.g., `3600` = 1 hour)
Max Active Session Time	seconds	Maximum total authenticated session time
Use Refresh Token	boolean	Enable refresh token grant for this client
Multiple Active Tokens Allowed	boolean	Allow concurrent active tokens (default: one token per user per client)

{% endstep %} {% step %} ### Configure authentication acopes In the **OAuth Scopes** multi-select, pick the Resources this client is allowed to request. Common selections: * `openid` — Required for OIDC; triggers ID token issuance * `profile` — Basic user profile claims (name, locale, etc.) * `email` — Email address claim * Custom resources — Business-specific API scopes {% endstep %} {% step %} ### Select redirect URIs Add every allowed callback URL in the **Redirect URIs** list. Rules: * Must match **exactly** (including trailing slashes) what the app sends in `redirect_uri` * Add all environments: `https://app.example.com/callback`, `http://localhost:3000/callback` {% endstep %} {% step %} ### Select advanced options

Option	Effect
Skip Scopes Dialog	Suppress the user consent screen — scopes are auto-approved
Protected by 2FA	User must complete 2FA before a token is granted
Send ID Token as Access Token	Returns the ID token value as the access token (non-standard, for legacy integrations)
Public Application Key	A stable key for public/native clients that cannot store a `client_secret` securely

{% endstep %} {% step %} ### Save and retrieve credentials Click **Save**. The **Client ID** and **Client Secret** are displayed.\ Share these with the application developer: {% code overflow="wrap" %} ```html Client ID: 3f8a1c2d-4e5f-6789-abcd-ef0123456789 Client Secret: Issuer: https://iam.example.com/idp/oauth2/myapp Discovery: https://iam.example.com/idp/oauth2/myapp/.well-known/openid-configuration ``` {% endcode %} {% endstep %} {% endstepper %} ## Managing OAuth tokens per user Users' token can be managed using the respective tab in the Users menu **Webconsole** → **Users** → \[select user] → **OAuth Tokens** tab. It shows a table of active tokens.

Column	Description
Client	OAuth client (provider) name
Grant Type	Flow used to obtain the token
Issued	Creation timestamp
Expires	Expiry timestamp
Actions	Revoke button to immediately invalidate the token

## API endpoints reference All endpoints are hosted on the IDP module. Base URL: `https://{host}/idp` ### OIDC discovery ``` GET /idp/oauth2/{issuer}/.well-known/openid-configuration ``` Returns the full OIDC Provider Metadata JSON. Clients that support auto-discovery (most modern libraries) only need this URL. **Example response (abbreviated):** ```json { "issuer": "https://iam.example.com/idp/oauth2/myapp", "authorization_endpoint": "https://iam.example.com/idp/oauth2/authorize", "token_endpoint": "https://iam.example.com/idp/oauth2/token", "userinfo_endpoint": "https://iam.example.com/idp/oauth2/userinfo", "jwks_uri": "https://iam.example.com/idp/oauth2/myapp/.well-known/jwks", "response_types_supported": ["code", "token", "id_token", "code token", "code id_token"], "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token", "implicit"], "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"], "id_token_signing_alg_values_supported": ["RS256", "HS256", "ES256"], "scopes_supported": ["openid", "profile", "email"] } ``` ### Authorization endpoint ``` GET /idp/oauth2/authorize ``` Initiates an OAuth/OIDC flow. The browser (not the server) hits this URL. **Query parameters:**

Parameter	Required	Description
`response_type`	Yes	`code` (Authorization Code), `token` (Implicit), `code token`, `code id_token` (Hybrid)
`client_id`	Yes	The client's UUID
`redirect_uri`	Yes	Must match a registered redirect URI exactly
`scope`	Yes	Space-separated. Include `openid` for OIDC.
`state`	Recommended	Random value; echoed back to prevent CSRF
`nonce`	Required for OIDC	Random value embedded in ID token to prevent replay
`prompt`	Optional	`none` (no UI), `login` (force re-auth), `select_account`
`max_age`	Optional	Max seconds since last authentication
`code_challenge`	PKCE	Base64url(SHA256(code_verifier))
`code_challenge_method`	PKCE	`S256` (recommended) or `plain`

**Example — Authorization Code request:** ``` GET /idp/oauth2/authorize ?response_type=code &client_id=3f8a1c2d-4e5f-6789-abcd-ef0123456789 &redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback &scope=openid%20profile%20email &state=xyz-random-state &nonce=abc-random-nonce ``` **Success redirect:** ```html https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz-random-state ``` **Error redirect:** {% code overflow="wrap" %} ```html https://app.example.com/callback?error=access_denied&error_description=User+denied+access&state=xyz-random-state ``` {% endcode %} ### Token endpoint ``` POST /idp/oauth2/token Content-Type: application/x-www-form-urlencoded ``` Exchanges a code for tokens, or directly issues tokens for non-interactive grants. **Common parameters:**

Parameter	Description
`grant_type`	`authorization_code`, `client_credentials`, `refresh_token`
`client_id`	Client UUID (for `client_secret_post` auth)
`client_secret`	Client secret (for `client_secret_post` auth)
`code`	Authorization code (Authorization Code flow only)
`redirect_uri`	Must match the authorization request (Authorization Code flow only)
`refresh_token`	Refresh token (Refresh Token flow only)
`scope`	Requested scopes (Client Credentials flow)
`code_verifier`	PKCE verifier (Authorization Code + PKCE only)

**Authentication:** send `Authorization: Basic base64(client_id:client_secret)` (preferred) or include `client_id`/`client_secret` in the POST body. **Example response:** ```json { "access_token": "eyJhbGciOiJSUzI1NiJ9...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "8xLOxBtZp8", "id_token": "eyJhbGciOiJSUzI1NiJ9...", "scope": "openid profile email" } ``` ### UserInfo endpoint ``` GET /idp/oauth2/userinfo POST /idp/oauth2/userinfo Authorization: Bearer ``` Returns claims about the authenticated user. Requires an access token granted with at least `openid` scope. **Example response:** ```json { "sub": "3f8a1c2d-4e5f-6789-abcd-ef0123456789", "name": "Jane Smith", "given_name": "Jane", "family_name": "Smith", "email": "jane.smith@example.com", "email_verified": true, "locale": "en-US" } ``` Claims returned depend on the scopes granted: * `openid` → `sub` * `profile` → `name`, `given_name`, `family_name`, `locale`, etc. * `email` → `email`, `email_verified` ### JWKS endpoint ``` GET /idp/oauth2/{issuer}/.well-known/jwks ``` Returns the provider's public keys in JSON Web Key Set format. Used by resource servers (APIs) and relying parties to verify token signatures without calling OpenIAM. **Example response:** ```json { "keys": [ { "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-id-1", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2...", "e": "AQAB" } ] } ``` > There is also a legacy per-client JWKS endpoint: `GET /idp/oauth2/.well-known/jwks/{clientId}` (deprecated, kept for backward compatibility). ### Token introspection ``` GET /idp/oauth2/token/info?token={access_token} POST /idp/oauth2/token/info ``` Validates a token and returns its metadata. Intended for resource servers that need to verify tokens issued by OpenIAM. **Example response (active token):** ```json { "active": true, "sub": "jane.smith", "client_id": "3f8a1c2d-...", "scope": "openid profile email", "exp": 1741200000 } ``` ### Token revocation ``` POST /idp/oauth2/revoke GET /idp/oauth2/revoke ``` Immediately invalidates an access token or refresh token.

Parameter	Description
`token`	The token to revoke
`token_type_hint`	Optional: `access_token` or `refresh_token`

## Grant flow examples ### Authorization Code Flow Best for: confidential web apps with a server-side back-end. {% code overflow="wrap" expandable="true" %} ```powerquery 1. Browser → OpenIAM: GET /idp/oauth2/authorize?response_type=code&client_id=...&redirect_uri=...&scope=openid profile&state=...&nonce=... 2. OpenIAM → Browser (redirect after login + consent): https://app.example.com/callback?code=AUTH_CODE&state=... 3. Server → OpenIAM (back-channel): POST /idp/oauth2/token Authorization: Basic base64(client_id:client_secret) grant_type=authorization_code&code=AUTH_CODE&redirect_uri=... 4. OpenIAM → Server: { "access_token": "...", "id_token": "...", "refresh_token": "...", "expires_in": 3600 } ``` {% endcode %} ### Authorization code + PKCE (for public applications) Best for: SPAs, mobile apps, CLI tools — clients that cannot keep a secret. {% code overflow="wrap" expandable="true" %} ```powerquery 1. App generates: code_verifier = random 43–128 char string code_challenge = BASE64URL(SHA256(code_verifier)) 2. Browser → OpenIAM: GET /idp/oauth2/authorize?response_type=code&client_id=...&redirect_uri=... &scope=openid&state=...&code_challenge=CHALLENGE&code_challenge_method=S256 3. OpenIAM → Browser (redirect): https://app.example.com/callback?code=AUTH_CODE&state=... 4. App → OpenIAM: POST /idp/oauth2/token grant_type=authorization_code&code=AUTH_CODE&redirect_uri=... &client_id=...&code_verifier=VERIFIER (no client_secret needed) 5. OpenIAM → App: { "access_token": "...", "id_token": "...", "expires_in": 3600 } ``` {% endcode %} ### Client credentials flow Best for: service-to-service API calls (no user involved). ``` POST /idp/oauth2/token Authorization: Basic base64(client_id:client_secret) grant_type=client_credentials&scope=api.read api.write ``` **Response:** ```json { "access_token": "eyJhbGciOiJSUzI1NiJ9...", "token_type": "Bearer", "expires_in": 3600, "scope": "api.read api.write" } ``` {% hint style="info" %} No `id_token` or `refresh_token` is issued for this grant. {% endhint %} ### Refresh token flow Best for: obtaining a new access token without user re-authentication. Requires **Use Refresh Token** to be enabled on the client. ```powerquery POST /idp/oauth2/token Authorization: Basic base64(client_id:client_secret) grant_type=refresh_token&refresh_token=8xLOxBtZp8 ``` **Response:** ```json { "access_token": "eyJhbGciOiJSUzI1NiJ9...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "new-refresh-token" } ``` ### Implicit flow (Legacy) {% hint style="danger" %} **Not recommended.** Use Authorization Code + PKCE instead. Kept for backward compatibility only. {% endhint %} ``` GET /idp/oauth2/authorize ?response_type=token &client_id=... &redirect_uri=... &scope=openid profile &state=... ``` Tokens are returned directly in the redirect fragment (URL hash), never in a back-channel request. ### Hybrid flow Returns both a code and a token (or id\_token) in the authorization response, allowing the front-end to get an id\_token immediately while the back-end exchanges the code for an access token. ``` GET /idp/oauth2/authorize ?response_type=code id_token &client_id=... &redirect_uri=... &scope=openid profile &state=... &nonce=... ``` **Redirect:** ``` https://app.example.com/callback ?code=AUTH_CODE &id_token=eyJhbGciOiJSUzI1NiJ9... &state=... ``` ## ID Token (OIDC) claims The ID token is a signed JWT. Standard claims:

Claim	Description
`iss`	Issuer: `https://{host}/idp/oauth2/{jwtIssue}`
`sub`	Subject: user's internal ID
`aud`	Audience: `client_id`
`exp`	Expiry (Unix timestamp)
`iat`	Issued-at (Unix timestamp)
`nonce`	Echoed nonce (replay protection)
`name`	Full name (if `profile` scope granted)
`email`	Email address (if `email` scope granted)

Verify signature using the public key from the [JWKS endpoint](#jwks-endpoint). ## Client authentication methods Summary for developers: | Method | Token request header/body | Admin setting | | -------------------------------------------------------- | ----------------------------------------- | ----------------------------------------------------- | | `client_secret_basic` | `Authorization: Basic base64(id:secret)` | Auth Type: `BASIC` | | `client_secret_post` | `client_id=...&client_secret=...` in body | Auth Type: `POST` | | `private_key_jwt` | `client_assertion=` in body | Auth Type: `JWT` | | `urn:ietf:params:oauth:grant-type:saml2-bearer` | SAML assertion in body | Auth Type: `ASSERTION`, Assertion Type: `SAML_BEARER` | | `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` | JWT assertion in body | Auth Type: `ASSERTION`, Assertion Type: `JWT_BEARER` | ## Field reference Complete list of all configurable fields on an OAuth provider:

Field	Type	Default	Description
`clientId`	UUID	auto	Read-only. Use as `client_id` in requests.
`clientSecret`	String	auto	Read-only. Shown after save.
`jwtIssue`	String	—	Short ID used to build issuer URL. Unique per provider.
`grandFlow`	Enum	—	Grant type(s): `AUTHORIZATION_CODE`, `CLIENT_CREDENTIALS`, `REFRESH_TOKEN`, `IMPLICIT`, `HYBRID`
`clientAuthType`	Enum	`BASIC`	Client authentication method: `BASIC`, `POST`, `JWT`, `ASSERTION`, `DEVICE`
`clientAssertionType`	Enum	—	`SAML_BEARER` or `JWT_BEARER` (when Auth Type is `ASSERTION`)
`jwtAlgorithm`	Enum	`RS256`	Token signing algorithm: `RS256`, `HS256`, `ES256`, etc.
`clientJWTValidationURL`	URL	—	JWKS endpoint to validate client JWT assertions
`clientJWTValidationKey`	String	—	HMAC key for client JWT validation (HS256)
`clientScopes`	List	—	Resource IDs representing the scopes the client may request
`redirectURLs`	List	—	Allowed redirect URIs (exact match)
`tokenExpiration`	Integer	—	Access token TTL in seconds
`maxActiveSessionTime`	Integer	—	Max authenticated session length in seconds
`useRefreshToken`	Boolean	false	Enable refresh token grant
`mutliActiveTokenAllowed`	Boolean	false	Allow more than one active token per user
`skipScopesDialog`	Boolean	false	Auto-approve scopes; suppress user consent screen
`protectedBy2FA`	Boolean	false	Require 2FA before issuing tokens
`publicApplicationKey`	String	—	Stable key for public clients that cannot store a secret
`sendIdTokenAsAccessToken`	Boolean	false	Return the ID token value as the access token (non-standard)

## Notes and known issues **OIDC role entitlements — required system setting:** For OIDC role entitlements to work correctly, go to **Administration → System configuration → System** tab and enable **Is OAuth client Authorization Disabled (back compatibility for cases when all OAuth clients were available for any users)**. If this is not enabled, users without explicit entitlements to the OAuth authentication provider will receive an `insufficient_rights` error at login. **HMAC signing algorithms:** When using HMAC to sign JWTs, OpenIAM does not use a public/private key pair — HMAC relies on a shared secret key, so the provider configuration will not contain a key field. **JWT validation error:** If the logs show: {% code overflow="wrap" %} ``` JWT: The JWT returned by the token endpoint could not be validated against the retrieved JSON Web Key Set. ``` {% endcode %} Switch the signing algorithm to **RSASSA-PKCS-v1\_5** with **SHA-512** to resolve the issue. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs-beta.openiam.com/federation/oidc-and-oauth-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.