| Field | Description |
|---|---|
| Require HTTPS | Indicates whether the authorization server should require an HTTPS connection to authorize requests. If enabled (the default), Integration Server requires that the authorization server uses HTTPS to invoke the pub.oauth services. If disabled, Integration Server allows client applications to use HTTP to access the pub.oauth services. If Require HTTPS is enabled and a client application accesses any of the pub.oauth services over HTTP, Integration Server returns an HTTP 400 error response to the client and writes a service exception to the error log. Important: You can disable Require HTTPS to simplify development, but you should use HTTPS in production in accordance with the OAuth framework. If you do not require HTTPS, the authorization server transmits access tokens in clear text, making them vulnerable to theft. |
| Require PKCE | Indicates whether PKCE (Proof Key for Code Exchange) is required for all public OAuth clients using the authorization code grant. Select the Require PKCE check box to require all public OAuth clients to supply a code_challenge and code_challenge_method to the authorization endpoint (the pub.oauth:authorize service) and a code_verifier to the token endpoint (the pub.oauth:getToken service). Clear the Require PKCE check box to indicate that public OAuth clients are not required to supply these additional inputs. However, any client that does send a code_challenge and code_challenge_method to the authorization endpoint is using the PKCE feature to mitigate the authorization code interception attack, and its subsequent request to the token endpoint must include the code_verifier input parameter. |
| Authorization code expiration interval | Specifies the length of time (in seconds) that the authorization code issued by the authorization server is valid. Valid values are between 1 and 2147483647. The default value is 600. |
| Access token expiration interval | Specifies the length of time (in seconds) that access tokens issued by the authorization server are valid. Select Never Expires to indicate that the access token never expires. Select Expires in and enter the number of seconds to specify the length of time that the access token is valid. The maximum value is 2147483647. The default is 3600. |
| Token endpoint authorization | Specifies whether the token endpoint accepts an existing session or requires credentials for authentication. The pub.oauth:getToken service functions as the token endpoint; clients invoke this service to request an access token from the Integration Server authorization server. Select Accept existing session to indicate that the token endpoint service accepts requests from clients that have an active session on Integration Server; if these clients supply a valid session identifier in the Cookie request header, they do not have to provide credentials to use the pub.oauth:getToken service. This is the default behavior and matches the behavior that existed prior to Integration Server version 10.3. Select Require credentials to require clients to provide their credentials in the Authorization request header every time they request a new access token or refresh an existing access token by calling the pub.oauth:getToken service. Note: The pub.oauth:getToken service replaces the deprecated pub.oauth:getAccessToken and pub.oauth:refreshAccessToken services. Note: Token endpoint authorization affects clients using the authorization code, resource owner password credentials, and client credentials grant types. |
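The PKCE binding described in the Require PKCE row, as an added example that is not part of this documentation or of Integration Server's own code: a small Python model of what the authorization endpoint must remember and what the token endpoint must check before issuing a token. The `authorize` and `get_token` functions and the in-memory `ISSUED_CODES` store are hypothetical stand-ins for pub.oauth:authorize and pub.oauth:getToken; the challenge derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
# Constructed in-memory store (a stand-in for the server's own state): issued
# authorization code -> (code_challenge, code_challenge_method) bound at authorize time.
ISSUED_CODES: dict = {}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent with the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method")

def authorize(require_pkce: bool, code_challenge: Optional[str] = None,
              code_challenge_method: Optional[str] = None) -> Optional[str]:
    """Hypothetical authorization endpoint: bind the challenge (if any) to a fresh code.
    Returns None when Require PKCE is on but the public client sent no challenge."""
    if code_challenge and code_challenge_method not in ("plain", "S256"):
        return None                        # reject an unknown or missing transform
    if require_pkce and not code_challenge:
        return None
    code = b64url(secrets.token_bytes(16))
    ISSUED_CODES[code] = (code_challenge or None, code_challenge_method)
    return code

def get_token(code: str, code_verifier: Optional[str] = None) -> bool:
    """Hypothetical token endpoint: a code issued with a challenge is redeemable only
    with the matching verifier. Returns True when an access token would be issued."""
    entry = ISSUED_CODES.pop(code, None)   # single use: any redemption attempt consumes it
    if entry is None:
        return False
    challenge, method = entry
    if challenge is None:
        return True                        # client did not opt into PKCE
    if code_verifier is None:
        return False                       # verifier is mandatory once a challenge was sent
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected, challenge)  # constant-time comparison
```

With Require PKCE enabled, `authorize` refuses a public client that omits the challenge; with it disabled, a client that still sends one is held to the verifier at the token endpoint, which is the behaviour the table describes.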