Address Manager's API endpoints support the OAuth authorization protocol. This means an Address Manager API client can obtain an access token from the authorization server. The authorization server authenticates the resource owner (the user) and issues the access token that grants access to the resource server's protected resources (the Address Manager API). Configure the authorization server to issue access tokens to Address Manager API clients. The following steps secure Address Manager API endpoints with OAuth.
Note: Before performing the following steps, ensure that Address Manager is configured as the resource server with the authorization server.
- Select the Settings tab in the sidebar.
- Under System security, select Authenticators.
- Select New > OAuth authorization server.
- Under Authorization server, complete the following:
  - Name (required): The name of the authorization server.
  - Description (optional): A brief description of the authorization server.
  - Enable OAuth (required): Enables or disables OAuth. The default value is Enable.
- On the Token validation tab, complete the following:
  - User claim name (required): The user claim name of the authorization server.
  - Group claim name (required): The group claim name of the authorization server.
  - Email claim name (required): The email claim name of the authorization server.
  - Validation method (required): Select Local if token validation occurs in Address Manager. Select Authorization if token validation occurs in the authorization server.
    - If you select Local as the validation method, set the following parameters:
      - Issuer (required): The name of the issuer of the token (the issuer URL that ADFS adds to the token).
      - Audience (required): The BAM API audience string, obtained from the identifier of the BAM REST API in ADFS.
      - Signing certificate: Drag and drop or select the authorization server certificate. Supported file types are .pem, .cer, .cert, and .crt.
    - If you select Authorization as the validation method, set the following parameters:
      - Client ID (required): The public identifier of the application.
      - Client secret (required): The secret known only to the application and the authorization server.
      - Introspection endpoint (required): The endpoint Address Manager calls to check the validity of access tokens.
        Note: Address Manager sends the client ID and the client secret with the introspection request to the introspection endpoint.
      - User info endpoint: The endpoint that returns information about the user, including group membership and user ID.
      - Authorization option: If you select Basic (header), Address Manager sends the Client ID and Client Secret in the request header. If you select Post (body), Address Manager sends the Client ID and Client Secret in the request body.
- Select Create or Create and add another.
Note: Address Manager initiates a secure connection with both the introspection endpoint and userinfo endpoint. If the server is not CA-signed, a confirmation page about trusting the server may display.
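The two Authorization options (Basic header versus Post body) and the issuer, audience, expiry and claim-name checks that Local validation applies, as an added Python example that is not part of this documentation or of the Address Manager product; the endpoint, client, issuer, audience and claim-name values are constructed placeholders.

```python
import base64
import time
from urllib.parse import urlencode

# Constructed values standing in for the Address Manager fields above; not real endpoints.
CONFIG = {
    "client_id": "bam-api-client", "client_secret": "example-secret",
    "introspection_endpoint": "https://as.example.test/oauth2/introspect",
    "issuer": "https://as.example.test/adfs", "audience": "bam-rest-api",
    "user_claim": "upn", "group_claim": "groups", "email_claim": "email",
}

def build_introspection_request(token, cfg, auth_option="basic"):
    """Shape of the introspection call (RFC 7662) for each Authorization option:
    'basic' carries the client credentials in the Authorization header,
    'post' carries them in the form-encoded body alongside the token."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token, "token_type_hint": "access_token"}
    if auth_option == "basic":
        creds = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif auth_option == "post":
        form["client_id"] = cfg["client_id"]
        form["client_secret"] = cfg["client_secret"]
    else:
        raise ValueError("auth_option must be 'basic' or 'post'")
    return {"method": "POST", "url": cfg["introspection_endpoint"],
            "headers": headers, "body": urlencode(form)}

def resolve_identity(claims, cfg, now=None):
    """Checks applied to a claim set (a locally decoded JWT payload or an
    introspection response): active flag, issuer, audience, expiry, and the
    configured claim names. Signature verification is a separate, prior step."""
    now = time.time() if now is None else now
    if claims.get("active") is False:
        raise ValueError("token is not active")
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    for key in ("user_claim", "group_claim", "email_claim"):
        if cfg[key] not in claims:
            raise ValueError(f"missing claim {cfg[key]!r}")
    groups = claims[cfg["group_claim"]]
    return {"user": claims[cfg["user_claim"]], "email": claims[cfg["email_claim"]],
            "groups": list(groups) if isinstance(groups, list) else [groups]}
```

With Basic (header) the client secret never appears in the request body, which is worth checking when reviewing proxy or server logs that record POST bodies.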