Client Management

In the platform, we categorize OAuth clients into two types: public and confidential. Here's a breakdown of the core functionality for both client types and how to manage them.

1. Public Clients

Public clients are used in applications where the code runs on the user's device, making it impossible to store secrets securely. We use the Authorization Code Flow with PKCE (Proof Key for Code Exchange) to protect against token theft without needing client secrets.

Using public clients is recommended for the following application types:

  • Browser-based applications (SPAs & Multi-Page Applications)

  • Mobile native apps

  • Progressive Web Apps (PWAs)

  • Desktop applications

Key Configurations for Public Clients:

  • Redirect URIs: The allowed URIs for redirecting after authentication.

  • Allowed Grant Types: For public clients, typically authorization_code and refresh_token grant types are used.

  • Scopes: Permissions requested by the client, such as openid, profile, and email.
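The PKCE binding described above, shown end to end as an added example (constructed for this page, not the platform's own code): the client derives a code_challenge from a random code_verifier, the server stores the challenge with the authorization code, and a stolen code cannot be redeemed without the verifier. AuthorizationServer, run_flow, the client_id and the redirect URI are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier: 32 bytes -> 43 base64url chars, the RFC 7636 minimum."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical server side of the flow: binds each authorization code to the
    client_id, redirect_uri and code_challenge sent on /authorize, then checks the
    code_verifier on /token. Codes are single-use."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        if code_challenge_method != "S256":  # "plain" gives no protection; refuse it
            raise ValueError("public clients must use code_challenge_method=S256")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time compare of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[2]):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, verifier: str, presented_verifier: str):
    """Full exchange for a public client; returns the token response or None."""
    client_id, redirect_uri = "spa-client", "https://app.example/callback"
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    return server.token(client_id, redirect_uri, code, presented_verifier)
```

The test vector from RFC 7636 Appendix B can be used to confirm make_code_challenge, and calling run_flow with a different presented_verifier shows why an intercepted code alone is useless to an attacker.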

2. Confidential Clients

Confidential clients are used in server-based applications, where the client secret can be stored securely. These clients:

  • Require secure storage of the client secret.

  • Can use advanced authentication methods like private key JWT.

Key Configurations for Confidential Clients:

  • Client Secret: A securely stored secret for authenticating with the OAuth server.

  • Token Endpoint Authentication Method: Methods such as client_secret_basic or private_key_jwt for securely authenticating to the token endpoint.

  • Additional Security Settings: Settings for stronger authentication flows, such as JWT signing.


Creating a Client

Steps to Create a Client

  1. Navigate to Client Management Page: Access the admin interface and locate the client management section.

  2. Select Client Type: Choose between creating a Public or Confidential client.

  3. Configure Settings:

    • Public Clients: Configure settings like redirect URIs, allowed scopes, and grant types.

    • Confidential Clients: Securely store client secrets, configure redirect URIs, and apply advanced security settings such as token endpoint authentication.

  4. Save and Register: Once all configurations are made, save the settings and confirm client registration.


Managing Client Settings

Public Client Settings:

  • Redirect URIs: List of authorized URLs for redirecting after authentication.

  • Allowed Grant Types: Grant types like authorization_code and refresh_token.

  • Scopes: Permissions such as openid, email, and profile that the client can request.

Confidential Client Settings:

  • Client Secret: Securely stored secret for authenticating the client.

  • Token Endpoint Authentication Method: Secure authentication methods such as client_secret_post or private_key_jwt.

  • Advanced Security: Additional security configurations for confidential clients, such as JWT signing.
