Configure a TotalAgility OAuth client

  1. Navigate to Integration > TotalAgility OAuth clients.

    The TotalAgility OAuth clients page appears.

  2. Click New.

    The New client dialog box is displayed.

  3. In the Name box, enter a unique name for the OAuth client.
  4. In the Description box, enter a description for the OAuth client.
  5. On the Provider list, select the provider and define it.
  6. Click Save.

Configure a TotalAgility OAuth client using an internal provider

For the internal provider, TotalAgility defines the client, generates access tokens and authenticates the client.

  1. On the Authentication method list, select either option: Client secret or Client assertion.

    Client ID is a system-generated, read-only alphanumeric string that identifies the client.

    Client secret:

      To generate a client secret string, click Generate.

      The secret string is generated. You must keep a copy of the client secret.

    Client assertion:

      On the General tab, the following read-only fields appear:

      • Issuer: Displays the Client ID.

      • Subject: Displays the Client ID.

      • Audience: The address of the authenticating server.

      1. Click the Signature tab.

      2. On the Signature verification method list, select either option: Shared secret or Public key.

        Shared secret: Select Local or External and then provide the secret string.

        Public key: Select either option:

        • Certificates: Enter the public keys of the certificates. The public key for Certificate 1 is mandatory. You can provide a maximum of three public keys.

        • JSON web keys: Enter the web key in the JSON format.

  2. For Access token validity duration, enter or select the duration for which the token should remain valid. (Default: 60 Minutes, Minimum: 5 Minutes).
  3. On the Resource list, select the resource whose access control settings are applied to the REST SDK API calls made using the OAuth access token.
  4. Optional. To require an extra authentication factor when access tokens are generated and when REST API calls are made, provide client certificate thumbprints for mTLS.

    You can specify a maximum of three client certificate thumbprints.

    1. Click the Certificate tab.
    2. In the Certificate thumbprint 1 box, enter the thumbprint of a client certificate.

    TotalAgility checks whether the presented client certificate matches one of the given thumbprints and generates the access tokens accordingly.

Configure a TotalAgility OAuth client using an external provider

For the external provider, an authorized third-party provider generates the access tokens, defines the clients, and authenticates the clients. At runtime TotalAgility validates the third-party access token for issuer, client address, and signature.

  1. To accept the access tokens only from the active third-party providers, select Active.
  2. In the Issuer box, enter a valid URL address of the third-party provider that can be verified from the JWT (JSON Web Token) access token.
  3. In the Audience box, enter the client address that can be verified from the JWT access token.
  4. For Access token validity duration, enter or select the duration within which an access token is considered valid. (Default: 0 Minutes, which means the token remains valid until the expiry time of the token is reached.)

    Before setting the validity duration, ensure that the iat claim (the time at which the token was created) is present in the access token. The iat claim is used to calculate the validity duration of a third-party access token. For example, if the iat claim of an access token is 12:00 pm and the access token validity duration is set to 10 minutes, the token is considered valid until 12:15 pm. The extra five minutes are added by Microsoft libraries when validating tokens to adjust for clock skew between computers.

  5. On the Access control list, select either option:
    • Resource: Select the resource to apply its access control settings for the REST SDK API calls made using the OAuth access token.

    • Custom process: Select a synchronous process that returns the ID of the resource whose access control settings are to be applied for the API calls made using the access token.

      Or, you can create a new process by clicking Create new process. See Create a new synchronous map for more information.

  6. Define whether the signature is verified using a shared secret or a public key.
    1. Click the Signature tab.
    2. On the Signature verification method list, select either option: Shared secret or Public key.

      Shared secret: Select Local or External, and then provide the secret string.

      Public key: Select either option:

      • Certificates: Enter the public keys of the certificates. The public key for Certificate 1 is mandatory. You can provide a maximum of three public keys.

      • JSON web keys: Enter the web key in the JSON format.
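The checks the external-provider section describes (signature, issuer, audience, and the iat-based validity duration with the five-minute clock-skew allowance, or the token's own expiry when the duration is 0), as an added Python example that is not TotalAgility's code. It uses a shared secret (HS256) as the signature verification method; the sign_hs256 helper exists only to construct sample tokens, and the secret, issuer and audience values in the comments are constructed.

```python
import base64
import hashlib
import hmac
import json

CLOCK_SKEW_SECONDS = 5 * 60  # five-minute allowance the page attributes to the validating libraries

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample third-party tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   validity_minutes: int, now: int) -> tuple:
    """Signature, iss, aud, then iat-based validity (or exp when the duration is 0); now is Unix seconds."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and any algorithm other than the configured one
        return False, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:  # Issuer box value
        return False, "issuer mismatch"
    aud = claims.get("aud")  # Audience box value; aud may be a string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if validity_minutes > 0:
        # Validity is measured from iat, so the claim must be present, as the page requires.
        if "iat" not in claims:
            return False, "iat claim required to apply validity duration"
        if now > claims["iat"] + validity_minutes * 60 + CLOCK_SKEW_SECONDS:
            return False, "validity duration exceeded"
    elif "exp" not in claims or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        # Duration 0: the token stays valid until its own exp (same skew allowance assumed).
        return False, "expired or no exp claim"
    return True, "ok"
```

With iat at 12:00 and a 10-minute duration, a call at 12:14 passes and a call at 12:16 is rejected, matching the page's 12:15 cut-off.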

Delete a TotalAgility OAuth client

You can delete an OAuth client.

  1. On the TotalAgility OAuth clients page, on the context menu of the OAuth client, click Delete.
  2. Click OK.

    On confirmation, the OAuth client is deleted and the existing access tokens associated with this client are invalidated.