Skip to content

Latest commit

 

History

History
104 lines (84 loc) · 9.17 KB

_application-oauth-settings.mdx

File metadata and controls

104 lines (84 loc) · 9.17 KB

import APIBlock from 'src/components/api/APIBlock.astro'; import APIField from 'src/components/api/APIField.astro'; import InlineField from 'src/components/InlineField.astro'; import OAuthWildcardUsage from 'src/content/docs/_shared/_oauth-wildcard-usage.mdx';

The unique client identifier as defined by [RFC 6749 Section 2.2](https://tools.ietf.org/html/rfc6749#section-2.2). This value is read only and is equal to the unique Id of the Application. The client secret as defined by [RFC 6749 Section 2.3.1](https://tools.ietf.org/html/rfc6749#section-2.3.1). When Client Authentication is `Required`, this client secret will be required to obtain an access token from the Token endpoint. 
This value may be regenerated if you think it has been compromised by clicking the regenerate button. If this Application is configured to require client authentication, regenerating the client secret will cause all clients to fail, and they will not be able to complete the OAuth login process. If this Application is not configured to require client authentication, regenerating this secret will not have any effect.
This selector allows you to set a rule for accessing the [Token endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#token). 
The possible values are:
* `Required` - The `client_secret` parameter must be used. This is the default setting. In most cases you will not want to change this setting.
* `Not required` - Use of the `client_secret` parameter is optional.
* `Not required when using PKCE` - Requires the use of the `client_secret` parameter unless a valid PKCE [code_verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1) parameter is used. This is useful for scenarios where you have a requirement to make a request to the Token endpoint where you cannot safely secure a client secret such as native mobile applications and single page applications (SPAs) running in a browser. In these scenarios it is recommended you use PKCE.

See the [Token endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#token) for more information.
This selector allows you to set a rule for [Proof Key for Code Exchange](https://datatracker.ietf.org/doc/html/rfc7636) (or PKCE) requirements when using the authorization code grant. 
The possible values are:
* `Required` - The `code_verifier` parameter must be used. If you want to require PKCE for this application, set <InlineField>PKCE</InlineField> to this value.
* `Not required` - Use of the `code_verifier` parameter is optional. This is the default setting.
* `Not required when using client authentication` - Requires the use of the `code_verifier` parameter unless a valid `client_secret` parameter is used.
When enabled, FusionAuth will return a refresh token when the `offline_access` scope has been requested. When this setting is disabled refresh tokens will not be generated even if the `offline_access` scope is requested. 
In order to use the Refresh Token with the Refresh Grant to refresh a token, you must ensure that the `Refresh Token` grant is enabled. See the <InlineField>Enabled grants</InlineField> field.
Enable debug to create an event log to assist you in debugging integration errors. Controls the validation policy for Authorized redirect URLs and Authorized request origin URLs. 
The possible values are:
* `Exact match` - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
* `Allow wildcards` - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
When OAuth grants, such as the authorization code grant, require a browser redirect to a URL found in the `redirect_uri` parameter, the destination URLs must be added to this list. URLs that are not authorized may not be utilized in the `redirect_uri` parameter or the `post_logout_redirect_uri` parameter. 
You can add as many URLs as you'd like to this list. Prior to version `1.43.0` only exact string matches with the provided `redirect_uri` will be allowed. No partial or wildcard matches will be accepted.

<OAuthWildcardUsage fieldName="Authorized redirect URLs" wildcard="Allow wildcards" />
This optional configuration allows you to restrict the origin of an OAuth2 / OpenID Connect grant request. If no origins are registered for this Application, all origins are allowed. 
By default FusionAuth will add the `X-Frame-Options: DENY` HTTP response header to the login pages to keep these pages from being rendered in an iframe. If the request comes from an authorized origin, however, FusionAuth will not add this header to the response. To load FusionAuth hosted login pages in an iframe, you will need to add the request origin to this configuration.
The optional logout URL for this Application. When provided this logout URL should handle the logout of a user in your application. 
If you need to end an HTTP session or delete cookies to logout a user from your application, these operations should be handled by this URL. When the `/oauth2/logout` endpoint is utilized, each Logout URL registered for Applications in this tenant will be called within an iframe to complete the SSO logout.

If the OAuth2 logout endpoint is used with this Client Id, this configured Logout URL will be also utilized as the redirect URL. This behavior only occurs when the `post_logout_redirect_uri` parameter is not provided.

If this Application has not defined a Logout URL, the value configured at the Tenant level will be used. If no Logout URL has been configured, a redirect to `/` will occur. A specific redirect URL may also be provided by using the `post_logout_redirect_uri` request parameter.

See the [Logout endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#logout) for more information.
This selector allows you to modify the behavior when using the [Logout endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#logout) with this Client Id. 
The possible values are:
  * `All applications` - This is the default behavior. Upon Logout of the FusionAuth SSO, call each registered Logout URLs for the entire tenant and then redirect to the Logout URL registered for this application.
  * `Redirect only` - Do not call each registered Logout URL in the tenant, instead logout out of the FusionAuth SSO and then only redirect to the Logout URL registered for this application.

See the [Logout endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#logout) for more information.
The enabled OAuth2 grants. If a grant is not enabled and a client requests this grant during authentication an error will be returned to the caller indicating the grant is not enabled. 
  * Authorization Code
  * Device
  * Implicit
  * Password
  * Refresh Token

When creating a new Application, the `Authorization Code` and `Refresh Token` grants will be enabled by default. See The [OAuth 2.0 & OpenID Connect Overview](/docs/lifecycle/authenticate-users/oauth/) for additional information on each of these grants.
The URL to be returned during the Device Authorization request to be displayed to the end user. This URL will be where the end user navigates in order to complete the device authentication workflow. 
This field is required if `Device` is enabled in the OAuth <InlineField>Enabled grants</InlineField> for this Application and hidden when not.
When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage. The lambda to be invoked during the generation of the UserInfo response when provided a token associated with this Application. See [UserInfo populate lambda](/docs/extend/code/lambdas/userinfo-populate).