To use OAuth2 bearer token authentication for API triggers, you need to provide the details of the OAuth applications that are allowed to access the APIs. You configure the OAuth application settings in the Settings view.

OAuth application settings

For each OAuth application you need to give at least:

  • Name - the unique descriptor of the OAuth application

  • Issuer - the URL of the OAuth token issuer. This value must match the issuer given in the token.

  • Audience - the intended audience of the issued token, usually the client or resource ID registered with the OAuth provider. This value must also match the audience in the issued tokens.

You can also configure some additional settings for the apps:

  • Name claim type - the claim in the token that contains the name of the user, if given. This value is used for logging, to show who called the API.

  • Role claim type - the claim in the token that contains the role name of the user, if available. If set, this value can be used in processes, e.g. by calls to ClaimsPrincipal.IsInRole().

  • Scope claim type - the claim in the token that contains the granted scopes.

  • Well known metadata location override - use this if the identity provider's OpenID .well-known/openid-configuration endpoint is not at the default location. A custom location is needed for some providers, such as Azure AD B2C. By default FRENDS expects to find the configuration at the URL [Issuer]/.well-known/openid-configuration.

  • Signing Certificate Details Json - if the Agent cannot contact the identity provider directly to fetch the well known OpenID configuration, the public key can be provided here. The JSON structure is the one served at the URL in the well known OpenID configuration's jwks_uri field.

  • DEPRECATED (replaced by Signing Certificate Details Json)
    Signing certificate thumbprints string - the thumbprints of the signing certificates already deployed on the Agent machines to use for validating tokens. If left empty, the Agent tries to fetch the signing certificates automatically from the issuer's OpenID .well-known/openid-configuration endpoint. Note that if the issuer is down for some reason, this automatic fetch fails and token validation fails with it, so you may want to handle the certificate deployment manually and give the thumbprints here.
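The checks these settings drive, as an added Python example that is not FRENDS code: an OAuthApplication record resolves the default or overridden metadata URL, and validate_token applies the issuer, audience and expiry checks and maps the configured name, role and scope claim types to the identity a process would see. The claim type defaults, the secret and the token contents are constructed for the example, and HS256 with a shared secret stands in for the Agent's RS256 verification against the keys from jwks_uri so that it runs offline.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class OAuthApplication:
    name: str
    issuer: str
    audience: str
    name_claim_type: str = "name"     # constructed defaults; FRENDS does not document any
    role_claim_type: str = "roles"
    scope_claim_type: str = "scope"
    well_known_override: str = ""

    def metadata_url(self) -> str:
        # Default is [Issuer]/.well-known/openid-configuration unless an override is configured
        return self.well_known_override or self.issuer.rstrip("/") + "/.well-known/openid-configuration"

# Stand-in for the provider's signing key: a real Agent verifies RS256 signatures with the public
# keys from the metadata's jwks_uri; HS256 with a constructed secret keeps this example offline.
SECRET = b"constructed-demo-secret"

def sign_token(claims: dict) -> str:
    parts = [b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), b64url(json.dumps(claims).encode())]
    sig = hmac.new(SECRET, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def validate_token(token: str, app: OAuthApplication, now: Optional[float] = None) -> dict:
    """Apply the checks the settings describe and return the identity used for logging/IsInRole."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != app.issuer:          # Issuer setting must equal the token's iss
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                      # aud may be a string or a list of strings
    if app.audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    scopes = claims.get(app.scope_claim_type, "")
    return {"user": claims.get(app.name_claim_type),           # Name claim type -> logging
            "roles": claims.get(app.role_claim_type, []),      # Role claim type -> IsInRole()
            "scopes": scopes.split() if isinstance(scopes, str) else list(scopes)}
```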
