Token Service Admin Guide¶

Introduction to the Token Service
Defining an OAuth Profile
- Preparing the OAuth Profile
- Base Configuration of an OAuth Profile
OAuth Flows
- Code
- Implicit
- Client Credentials
- Resource Owner Password Credentials
- OpenID Connect Hybrid Flows
- OpenID Connect CIBA Flow
- OAuth 2.0 Token Exchange
- Token Exchange
- Assisted Token
- Refresh
- Revoke
- Introspect
- Json Web Key Set (JWKS)
- Device Authorization Flow
- Assertion Flow
- Logout Flow
Using the device flow
- Configuration
- Endpoints
- Token Procedures
- Templates
Scopes and Claims
- Adding a scope to the profile
- Adding a scope to a client
- Scope Lifetime
- Required scopes
- Prefix scopes
- Claims of a scope
- Claims I/O
- Claim configuration
Configuring OAuth User Authentication
OpenID Connect
- Metadata
- The “claims” request parameter
- Issuing pseudonymous subject identifiers
OAuth Metadata
OpenID Connect Metadata
Dynamic Client Registration
- Architectural Overview of Dynamic Client Registration
- Enabling Dynamic Client Registration
- Dynamic Client Registration Management (DCRM)
- Dynamic Client Management With GraphQL
- Dynamic Client Registration API
- Custom Client Properties
Database Client Management
- Database Client VS DCR
- Enabling Database Clients
- Configuring a Data Source
- Create a Database Client Endpoint
- Authorization Access
- Managing Database Clients in the DevOps Dashboard
- Configuring Clients
- Warnings
- Database Client Limitations
OAuth Client Configuration
- Client Capabilities
- User Authentication
- Client Authentication
- Client Framability
- Redirect URI validation
Issuing OAuth and OpenId Connect Tokens
- Default Token Issuers
- Custom Token Issuers
- More on Wrapped Opaque Tokens
- Encrypted ID Tokens
OAuth Endpoint Reference
- Anonymous
- Authorize
- Assisted Token
- Introspect
- Revoke
- Token
- User Info
- Dynamic Client Registration
- Database Client Management
- Device Authorization
- OpenID Connect Sessions
- Backchannel Authentication
- Verifiable Credentials
User Consent
- Consenting to requested claims
- Asking for consent
- Enabling user consent
- The user consent template
- Consentors
Consentors
- Profile configuration
- Client configuration
- Consentor selection
- Consentor templates
- Consentor result
Mutual TLS Authentication
- TLS termination
- Binding certificates to tokens
- Trusted certificates
- DN comparison
- Subject Alternative Name
- Configuring Mutual TLS
- Reverse Proxy Server Setup
- Non-Templatized Dynamic Client Registration using Mutual TLS
- Database Clients upload client certificate PEM
OpenID Connect Issuer Discovery
Financial-grade Security
- JWT Secured Authorization Request (JAR)
- Pushed Authorization Requests
- Request Object Handling
- JWT Security Authorization Response Mode (JARM)
- Encrypted ID Tokens
Session Management and Logout
- Session Endpoint
- Logout
- OpenId Connect specifications for Session Management and Logout
Token Procedure Plugins
- Configuring and using Token Procedure Plugins
- Developing Token Procedure Plugins
Verifiable Credential Issuance
- Formats and data models
- Endpoints
- Credential Request Handling
- Configuration Model Summary
- Configuration Example