API Gateway 10.5 | Using API Gateway | API Gateway Administration | Security Configuration | OAuth, JWT, and OpenID Configuration | Adding a Provider
 
Adding a Provider
Pre-requisites:
You must have the API Gateway's manage security configurations functional privilege assigned to add a provider.
The OAuth 2.0 configuration in API Gateway is split into two sections - Providers and Authorization servers.
You have to add a provider and configure the authorization provider metadata information in this section for API Gateway to communicate with this provider during dynamic client registration only. If there is any deviation from the actual OAuth specification then the provider has to be configured for these deviations.
*To add a provider
1. Expand the menu options icon , in the title bar, and select Administration.
2. Select Security > JWT/OAuth/OpenID > Providers.
3. Click Add provider and provide the following information:
Field
Description
Name
Name of a third-party provider. For example, Amazon.
You can also use one of the following pre-configured third-party providers that is shipped with the API Gateway installation:
*OKTA
*PingFederate
Note:
Considerations while using the PingFederate providers:
*If you want to use the pre-configured PingFederate provider, you have to use the Admin APIs for dynamic client registration for registering clients.
*If you want to use the DCR API, you can create a provider to use DCR API. But, you cannot update or delete the clients created using the DCR API.
Client metadata field mapping. Specifies the mapping of dynamic client registration specification to that of the client implementation of the provider.
The Client metadata field mapping fields are required when you are adding a third-party provider that is not shipped with API Gateway.
Specification name
The client metadata attributes in accordance with the dynamic client registration specification as defined in RFC 7591.
The available values are:
*redirect_uris. Redirection URL that the authorization server uses to redirect the authorization code once the authorization request is approved by end user.
Note:
If you do not specify this attribute, API Gateway automatically generates the URL.
*token_endpoint_auth_method. The client authentication method at the token endpoint.
*grant_types. The grant type of authorization flow to obtain authorization codes, ID tokens, and refresh tokens.
*application_type
*response_types. The type of response that the client application uses at the authorization endpoint.
*client_name. Name of the client to use to represent the client application to the end user during authorization.
*client_uri. URL of the client application.
*logo_uri. URL of an image to use to represent the client application to the end user during authorization.
Note:
The logo_uri is currently not supported in API Gateway.
*scope. List of user-authorized scopes that the client uses for requesting access tokens.
Note:
If you do not specify this attribute, the authorization server registers the client with a default set of scopes.
*contacts. The means (for example, Email address) by which end users can contact the client for support requests.
*tos_uri. URL of the service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.
Note:
The tos_uri is currently not supported in API Gateway.
*jwks_uri. URL of the JSON Web Key (JWK) Set document containing the client's public keys.
Note:
The jwks_uri is currently not supported in API Gateway.
*client_id. Identifier that is unique to the client application.
*client_secret. The password or phrase for the client application to use to authorize communication with the end user.
Implementation name
The client metadata attributes that are used by the authorization server, but are not in accordance with the dynamic client registration specification.
Example:
*For the redirect_uris field, provide the value redirectUris.
*For the grant_types field, provide the value grantTypes.
*For the client_name field, provide the value name.
*For the logo_uri field, provide the value logoUrl.
*For the client_id field, provide the value clientId.
*For the client_secret field, provide the value secret.
Extended request parameters. Specifies the additional client metadata attributes that are specific to the authorization server, and are not specified in the dynamic client registration specification.
In PingFederate (For example):
forceSecretChange = true
Type
Specifies the client metadata attribute type.
The available values are: Client read, Client registration, Client update, Client delete.
Key
The client metadata attribute key that is specific to the authorization server.
Value
A value for the client metadata attribute key. When sending requests to the authorization server, this value is appended to all requests.
You can add multiple request parameters by clicking + Add.
4. Click Save.
The provider is added and displayed in the list of providers.