Configuring the OAuth 2.0 clients
To configure an OAuth 2.0 client, use the \Site\Properties\Oidc\Clients properties collection in DPM. The name of each properties collection under the “Clients” property defines the client id and the properties in that collection define the client.
The following clients are already installed: DMQuery, Prometheus, and SwaggerUI.
When using the ClientCredentials flow, you must add a user with the same name as the ClientId to User Administration, and then authorize them for the Web API feature. All requests made using that client credential are executed as that user with the permissions configured in User Administration.
Properties
▪For all clients, you must set the Client Id (the properties collection name), and the ClientName, ClientSecrets, and Flow properties.
▪For an interactive flow, you must set the RedirectUris property.
▪For a non-interactive flow (ResourceOwner or ClientCredentials), you must set the EnableLocalLogin property to True.
AbsoluteRefreshTokenLifetime
The maximum lifetime of the refresh token, measured in seconds.
The default value is 2592000 seconds (that is, 30 days).
AccessTokenLifetime
The lifetime of an access token, measured in seconds.
The default value is 3600 seconds (that is, 1 hour).
AccessTokenType
Specifies the type of token that is to be generated. The client should supply this token to the Web API in the Authorization header variable as a bearer token.
▪Reference generates an opaque reference token. Use this option in most cases, because reference tokens can be invalidated, for example, when the user logs out, but JSON web tokens are valid until they expire.
▪Jwt generates a JSON web token (JWT). If you use this option, make sure that the “token” URL used to request the access token is the same as the URL that is specified by the \Site\Properties\Oidc\PublicUrl property. They must be the same because the Web API uses the Oidc token introspection URL to verify the JSON web token, which includes verifying the “audience” matches, including verifying the case.
The default value is Reference.
AllowedScopes
If the “offline_access” scope is required, specify a list of required scopes, separated by commas, for example:
openid,offline_access,intelligence_web_api
The default scopes are “openid” and “intelligence_web_api”.
AllowRememberConsent
True: Enables users to select an option on the consent page that allows their consent selection to be remembered.
False: Hides the option.
The default value is True.
AuthorizationCodeLifetime
The lifetime of an authorization code in seconds.
The default value is 300 seconds (that is, 5 minutes).
ClientName
A description of the client.
This is different from the name of the properties collection which is the “id” of the client and which is used as the client id in the OAuth2.0 request. The ClientName is used only when the name of the client is displayed to the user; for example, when the provider requests consent from the user to grant the client access.
ClientSecrets
Specify a value that cannot be easily guessed. This easiest way to generate a new client secret is to generate a UUID using a cryptographically secure random number generator, for example by using the Version 4 UUID Generator at https://www.uuidgenerator.net/.
You can specify multiple secrets; separate them by using commas. The client is able to specify any of the listed secrets.
EnableLocalLogin
True: Users must authenticate directly with the Oidc identity provider. Usually, True is specified only when the Flow property is set to “ResourceOwner” or “ClientCredentials”.
False: Users are redirected to an external provider (usually WsFed) to login.
The default value is False.
Flow
The OAuth2.0 grant type that the client will use. Specify one of the following values: AuthorizationCode, AuthorizationCodeWithProofKey, Implicit, Hybrid, ResourceOwner, or ClientCredentials.
IdentityProviderRestrictions
A list of the external identity providers that are available to the user.
The default value is empty; that is, all external identity providers are available.
IdentityTokenLifetime
The lifetime of an identity token, measured in seconds.
The default value is 300 seconds (that is, 5 minutes).
PostLogoutRedirectUris
A list of URIs (separated by commas) to which redirects on logout are permitted. It is possible to use wildcards (for example, http://*) for testing purposes.
RedirectUris
A list of URIs (separated by commas) to which tokens and authorizations may be returned. It is possible to use wildcards (for example, http://*) for testing purposes.
RefreshTokenExpiration
Specify one of the following values:
▪Absolute: The refresh token expires after the fixed period of time specified by the AbsoluteRefreshTokenLifetime setting.
▪Sliding: The lifetime of the refresh token is extended by the period of time specified by the SlidingRefreshTokenLifetime setting each time that a refresh occurs. The total lifetime of the refresh token never exceeds the value of the AbsoluteRefreshTokenLifetime property.
The default value is Absolute.
RefreshTokenUsage
Specify one of the following values:
▪ReUse: The refresh token stays the same when refreshing the access token.
▪OneTime: A new refresh token is generated each time that the access token is refreshed.
The default value is OneTime.
RequireConsent
True: When an interactive login flow is used, users are prompted to consent to allowing access for the named client.
False: Does not display the prompt.
The default value is True.
SlidingRefreshTokenLifetime
The sliding lifetime of a refresh token, measured in seconds.
The default value is 1296000 seconds (that is, 15 days).
See also