Service Owner Console

Edit Service

  1. Start Editing
  2. Configuration Categories
  3. Configuration Category: Basic
  4. Configuration Category: User Authentication
  5. Configuration Category: Developer Authentication
  6. Configuration Category: Authorization
  7. Configuration Category: Token
  8. Configuration Category: ID Token
  9. Configuration Category: JWK Set
  10. Configuration Category: OIDC Endpoint
  11. Configuration Category: Document
  12. Apply Changes

1. Start Editing

To start editing configuration parameters of a service, do either of the following.


  • Click the "Edit" button in the Your Services page or the Service Details page.

    (Figure: "Edit" button)

  • Access the URL below directly, replacing service-api-key with the actual API key of the service.

    https://so.authlete.com/services/service-api-key/edit

2. Configuration Categories

Because a service has many configuration parameters, they are grouped into categories. The Edit Service page has a tab for each category.

(Figure: Edit Service / Tabs)

The table below briefly explains the categories.

Configuration categories

Basic
    Basic information such as the service name and API credentials.
User Authentication
    Settings for end-user authentication. See "Authentication Callback" for details.
Developer Authentication
    Settings for developer authentication. See "Developer Authentication Callback" for details.
Authorization
    Settings related to authorization, such as supported grant types and OAuth 2.0 endpoints.
Token
    Settings related to access tokens, such as duration and supported scopes.
ID Token
    Settings related to ID tokens, such as duration and supported claims.
JWK Set
    Settings related to the JSON Web Key Set (RFC 7517).
OIDC Endpoint
    Settings related to OpenID Connect endpoints, such as the userinfo endpoint.
Document
    URLs of documents of the service.

The following sections describe the configuration categories in detail.


3. Configuration Category: Basic

(Figure: Edit Service / Basic)

Service Name
    The name of this service. Up to 100 Unicode characters.
Token Issuer Identifier
    The issuer identifier of this service. It is a URL that starts with https:// and has no query or fragment component, for example https://example.com. It must consist of only ASCII characters and its length must not exceed 200.

    The value is used as the value of the iss claim in ID tokens issued by this service. It is also used as the value of the issuer property in the OpenID Provider Metadata of this service.
Service Description
    The description of this service. Up to 200 Unicode characters.
API Key
    The API key for this service, assigned by Authlete.
API Secret
    The API secret for this service. A random 256-bit value encoded by base64url (43 characters).
Clients Per Developer
    The maximum number of client applications that a developer is allowed to create. 0 means no limit.
Client Application Developer Console
    The URL of the Developer Console for this service.

    Developer Console is a Web console for developers to manage their client applications. You can log in to Developer Console with the API key and the API secret of this service.

    In addition, you can let other (third-party) developers use Developer Console by implementing a developer authentication callback endpoint.


4. Configuration Category: User Authentication

(Figure: Edit Service / User Authentication)

Callback: Authentication Callback Endpoint
    A Web API endpoint for user authentication, to be prepared on the service side. It must consist of only ASCII characters and its length must not exceed 200.

    The endpoint must be implemented if you do not implement the UI at the authorization endpoint yourself but use the one provided by Authlete. The user authentication at the authorization endpoint provided by Authlete is performed by making a POST request to this endpoint.

    See 'Authentication Callback' for details.
Callback: Authentication Callback API Key
    The API key for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    If the value is not empty, Authlete generates an Authorization header for Basic authentication when making a request to the authentication callback endpoint.
Callback: Authentication Callback API Secret
    The API secret for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.
SNS: Supported SNSes
    SNSes for which you want to support 'social login' in the UI at the authorization endpoint provided by Authlete. You need to register a client application with each SNS checked here and set the Authlete server's /api/sns/redirection as the redirection endpoint of that client application.
SNS: SNS API Credentials
    List the SNS credentials which Authlete uses to make requests to SNSes. The format is JSON. (TODO: Documentation for this is needed.)
Supported Authentication Context Class References
    Authentication context class references supported for user authentication at the authorization endpoint. The listed values are used as the value of the acr_values_supported property in the OpenID Provider Metadata of this service.

5. Configuration Category: Developer Authentication

(Figure: Edit Service / Developer Authentication Callback)

Callback: Developer Authentication Callback Endpoint
    A Web API endpoint for developer authentication, to be prepared on the server side. It must consist of only ASCII characters and its length must not exceed 200.

    The endpoint must be implemented if you use Developer Console. The developer authentication at the login page of Developer Console is performed by making a POST request to this endpoint.

    See 'Developer Authentication Callback' for details.
Callback: Developer Authentication Callback API Key
    The API key for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    If the value is not empty, Authlete generates an Authorization header for Basic authentication when making a request to the developer authentication callback endpoint.
Callback: Developer Authentication Callback API Secret
    The API secret for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.
SNS: Supported SNSes
    SNSes for which you want to support 'social login' in the login page of Developer Console provided by Authlete. You need to register a client application with each SNS checked here and set the Authlete server's /api/developer/sns/redirection as the redirection endpoint of that client application.
SNS: SNS API Credentials
    List the SNS credentials which Authlete uses to make requests to SNSes. The format is JSON. (TODO: Documentation for this is needed.)
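Both the user and the developer authentication callback endpoints receive the same Basic authentication from Authlete, built from the callback API key and secret configured above. As an added example (not Authlete's or this page's own code), here is the service-side check of that Authorization header; the key and secret values are constructed samples and the handler function name is hypothetical.

```python
import base64
import binascii
import hmac

# Constructed sample values for the "Authentication Callback API Key/Secret"
# (or "Developer Authentication Callback API Key/Secret") items; a real
# endpoint loads them from its secrets store, never from source.
CALLBACK_API_KEY = "callback-key-sample"
CALLBACK_API_SECRET = "callback-secret-sample"


def build_basic_header(api_key, api_secret):
    """The header Authlete generates when the API key item is not empty:
    'Basic ' + base64(key:secret). Used here only to construct test input."""
    raw = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def verify_callback_basic_auth(authorization_header, api_key=CALLBACK_API_KEY,
                               api_secret=CALLBACK_API_SECRET):
    """Return True only if the header carries the configured key and secret.

    Both halves are compared in constant time so the endpoint does not leak
    how many leading bytes of the secret matched; every malformed input
    (missing header, other scheme, bad base64, no colon) is rejected.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    key_ok = hmac.compare_digest(user.encode("utf-8"), api_key.encode("utf-8"))
    secret_ok = hmac.compare_digest(password.encode("utf-8"), api_secret.encode("utf-8"))
    # '&' rather than 'and' so that both comparisons always run
    return bool(key_ok & secret_ok)


def handle_callback_request(headers):
    """Hypothetical dispatch for a callback endpoint: 401 unless Authlete's
    request is authenticated. The actual user or developer lookup would
    follow the 200 path and is outside this example."""
    if not verify_callback_basic_auth(headers.get("Authorization")):
        return 401, {"WWW-Authenticate": 'Basic realm="authlete-callback"'}
    return 200, {}
```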

6. Configuration Category: Authorization

(Figure: Edit Service / Authorization)

Supported Grant Types
    Select the grant types to support. Grant types are the authorization flows defined in RFC 6749 (OAuth 2.0).

    AUTHORIZATION_CODE is the flow in which an authorization code is issued at the authorization endpoint and then exchanged for an access token at the token endpoint.

    IMPLICIT is the flow in which an access token is issued directly at the authorization endpoint.

    PASSWORD is the flow in which an access token is issued when a user's credentials (ID and password) are presented at the token endpoint. Normally this flow is used only when the other flows cannot be used for some reason.

    CLIENT_CREDENTIALS is the flow in which an access token is issued when a client application's credentials (API key and API secret) are presented at the token endpoint. Access tokens issued by this flow are not associated with any user.

    REFRESH_TOKEN is the flow in which a refresh token is exchanged for an access token at the token endpoint.
Supported Response Types
    Select the combinations of things issued at the authorization endpoint to support.

    In RFC 6749 (OAuth 2.0), what can be issued at a time at the authorization endpoint is either an authorization code or an access token, but the additional specification OAuth 2.0 Multiple Response Type Encoding Practices has made it possible to issue any combination of an authorization code, an access token and an ID token. An option to issue nothing (NONE) has also been defined. Select whether or not to support each combination.

    NONE, CODE, TOKEN and ID_TOKEN mean that none, code, token and id_token, respectively, can be specified on their own as the value of the response_type parameter of an authorization request. CODE_TOKEN means that the combination code token can be specified as the value of the response_type parameter. Likewise, CODE_ID_TOKEN is for the combination code id_token, ID_TOKEN_TOKEN for id_token token, and CODE_ID_TOKEN_TOKEN for code id_token token.
Authorization Endpoint: URI
    The URL of the authorization endpoint. It must consist of only ASCII characters and its length must not exceed 200. It must start with https:// and must not contain a fragment component. The value is used as the value of the authorization_endpoint property in the OpenID Provider Metadata of this service.
Authorization Endpoint: Direct Endpoint Enabled
    If YES is selected, the default implementation of the authorization endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/authorization/direct/service-api-key.

    If NO is selected, the endpoint returns 404 Not Found. In this case, you have to implement the authorization endpoint yourself using Authlete's Web APIs such as /api/auth/authorization, /api/auth/authorization/issue and /api/auth/authorization/fail.
Supported Locales at Authorization UI
    List the display languages supported in the authorization UI; in other words, list the supported values of the ui_locales request parameter at the authorization endpoint. Display languages are written as language tags (RFC 5646).

    The ui_locales parameter was added by OpenID Connect Core 1.0. See 3.1.2.1. Authentication Request for details.
Supported Display Types at Authorization UI
    List the display types supported in the authorization UI; in other words, list the supported values of the display request parameter at the authorization endpoint.

    PAGE is the default value and requests that the entire drawing area of the user agent be used.

    POPUP requests that a popup be used.

    TOUCH requests a page suitable for touch devices.

    WAP requests a page suitable for feature phones.

    The display parameter was added by OpenID Connect Core 1.0. See 3.1.2.1. Authentication Request for details.
Proof Key for Code Exchange (RFC 7636)
    If YES is selected, the code_challenge request parameter is always required for authorization requests using the Authorization Code Flow.

    See 'Proof Key for Code Exchange (RFC 7636)' for details.
Token Endpoint: URI
    The URL of the token endpoint. It must consist of only ASCII characters and its length must not exceed 200. It must start with https:// and must not contain a fragment component. The value is used as the value of the token_endpoint property in the OpenID Provider Metadata of this service.
Token Endpoint: Direct Endpoint Enabled
    If YES is selected, the default implementation of the token endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/token/direct/service-api-key.

    If NO is selected, the endpoint returns 404 Not Found. In this case, you have to implement the token endpoint yourself using Authlete's Web APIs such as /api/auth/token, /api/auth/token/issue and /api/auth/token/fail.
Supported Client Authentication Methods
    Select the client authentication methods to support at the token endpoint.

    NONE means that there are cases where client authentication is not required at the token endpoint.

    CLIENT_SECRET_BASIC means that Basic authentication can be used for client authentication.

    CLIENT_SECRET_POST means that embedding the client credentials in the request body is supported.

    CLIENT_SECRET_JWT means that a JWT (RFC 7519) generated by the client application using an HMAC SHA algorithm can be used for client authentication.

    PRIVATE_KEY_JWT means that a JWT signed by the client application with its private key can be used for client authentication.

    See RFC 6749, 2.3. Client Authentication and OpenID Connect Core, 9. Client Authentication for details about client authentication.

    The values checked here are used as the value of the token_endpoint_auth_methods_supported property in the OpenID Provider Metadata of this service.

    Note: Authlete does not provide any API to help implement CLIENT_SECRET_JWT and PRIVATE_KEY_JWT, so if you want to support them at your token endpoint, you have to implement everything for them yourself.
Revocation Endpoint: URI
    The URL of the revocation endpoint (RFC 7009). It must consist of only ASCII characters and its length must not exceed 200. It must start with https://.
Revocation Endpoint: Direct Endpoint Enabled
    If YES is selected, the default implementation of the revocation endpoint (RFC 7009) of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/revocation/direct/service-api-key.

    If NO is selected, the endpoint returns 404 Not Found. In this case, if you want to provide a revocation endpoint to client applications, you have to implement the endpoint yourself using Authlete's /api/auth/revocation API.
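As an added example (not code from this page or from Authlete), the three pieces of PKCE that the 'Proof Key for Code Exchange (RFC 7636)' item turns on: the client-side derivation of code_challenge from code_verifier, the authorization endpoint's check that code_challenge is present when the item is YES, and the token endpoint's verification of the presented code_verifier against the stored challenge. The function names are assumptions of this example; the test values come from RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import os
import re

# code_verifier alphabet and length, RFC 7636 section 4.1
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier():
    """Client side: 32 random octets, base64url encoded (43 characters)."""
    return _b64url(os.urandom(32))


def code_challenge_s256(code_verifier):
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def check_pkce_on_authorization_request(params, pkce_required):
    """Authorization endpoint side, mirroring the console item: with YES
    selected, an Authorization Code Flow request (response_type containing
    'code') must carry code_challenge. Returns (accepted, reason)."""
    if "code" not in params.get("response_type", "").split() or not pkce_required:
        return True, "ok"
    if not params.get("code_challenge"):
        return False, "invalid_request: code_challenge is required"
    if params.get("code_challenge_method", "plain") not in ("plain", "S256"):
        return False, "invalid_request: unsupported code_challenge_method"
    return True, "ok"


def verify_code_verifier(code_verifier, stored_challenge, stored_method="S256"):
    """Token endpoint side: re-derive the challenge that was stored with the
    authorization code from the presented code_verifier and compare the two
    in constant time. 'plain' is handled for completeness; deploy S256."""
    if not code_verifier or not stored_challenge or not _VERIFIER_RE.match(code_verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif stored_method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), stored_challenge.encode("utf-8"))
```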

7. Configuration Category: Token

(Figure: Edit Service / Token)

Access Token: Access Token Type
    How protected resource endpoints receive access tokens. It must consist of only ASCII characters and its length must not exceed 200.

    If the implementations of your protected resource endpoints receive access tokens in the ways defined in RFC 6750 (Bearer Token), enter Bearer. This value is used as the value of the token_type parameter that is passed to a client application when an access token is issued.
Access Token: Access Token Duration in seconds
    Specify the duration of access tokens in seconds. The maximum value is 999,999,999,999,999 seconds (about 31.7 million years).
Access Token: Single Access Token Per Subject
    If YES is selected, an attempt to issue a new access token invalidates the existing access tokens that are associated with the same subject and the same client.

    Note, however, that attempts by the Client Credentials Flow do not invalidate existing access tokens, because access tokens issued by the Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by the Refresh Token Flow invalidates only the coupled access token, and this invalidation is always performed regardless of whether this setting item is YES or NO.
Refresh Token: Refresh Token Duration in seconds
    Specify the duration of refresh tokens in seconds. The maximum value is 999,999,999,999,999 seconds (about 31.7 million years).
Scope: Supported Scopes
    List the scope names that this service recognizes. Each scope name must consist of only printable ASCII characters except spaces, double quotation marks and backslashes (RFC 6749, 3.3. Access Token Scope), and its length must not exceed 200. Up to 255 scope names can be listed.

    OpenID Connect defines some standard scope names. openid is the most important scope: if it is not contained in a request to the authorization endpoint, the request is not regarded as an OpenID Connect request (3.1.2.1. Authentication Request). profile, email, address and phone are scopes that provide a compact way to request that certain claims be contained in an ID token (5.4. Requesting Claims using Scope Values). offline_access is a scope to request that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in) (11. Offline Access).

    Scopes that are not listed here are ignored by Authlete even if they are contained in a request from a client application. Note that if you do not list openid, this service stops providing OpenID Connect functionality.
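An added example (not code from this page or from Authlete) that ties together the 'Supported Response Types' item in section 6 and the 'Supported Scopes' item above: it normalizes the response_type parameter to the console's enum names (the parameter is an order-independent set of tokens), drops scopes that are not in the supported list, and reports whether the request still counts as an OpenID Connect request. The supported sets used in the test and the function names are assumptions of this example.

```python
# Console enum names from the "Supported Response Types" item, keyed by the
# set of tokens in a response_type value. Multiple Response Type Encoding
# Practices treats the value as a space-separated set, so "id_token code"
# and "code id_token" are the same combination.
RESPONSE_TYPE_NAMES = {
    frozenset(["none"]): "NONE",
    frozenset(["code"]): "CODE",
    frozenset(["token"]): "TOKEN",
    frozenset(["id_token"]): "ID_TOKEN",
    frozenset(["code", "token"]): "CODE_TOKEN",
    frozenset(["code", "id_token"]): "CODE_ID_TOKEN",
    frozenset(["id_token", "token"]): "ID_TOKEN_TOKEN",
    frozenset(["code", "id_token", "token"]): "CODE_ID_TOKEN_TOKEN",
}


def response_type_name(response_type):
    """Map a raw response_type value to the console enum name, or None when
    it is not one of the eight combinations (unknown token, 'none' mixed
    with others, or a duplicated token)."""
    tokens = response_type.split()
    if not tokens or len(tokens) != len(set(tokens)):
        return None
    return RESPONSE_TYPE_NAMES.get(frozenset(tokens))


def filter_scopes(requested_scope, supported_scopes):
    """Drop scopes not listed in "Supported Scopes" (as Authlete does),
    keeping request order and removing duplicates."""
    kept = [s for s in requested_scope.split() if s in supported_scopes]
    return list(dict.fromkeys(kept))


def check_authorization_request(params, supported_response_types, supported_scopes):
    """Validate an authorization request against the two settings.

    Returns (error, effective_scopes, is_oidc); error is None when accepted.
    The request is an OpenID Connect request only if 'openid' survives the
    scope filtering, which is why removing 'openid' from the setting turns
    the OpenID Connect features off.
    """
    name = response_type_name(params.get("response_type", ""))
    if name is None or name not in supported_response_types:
        return "unsupported_response_type", [], False
    scopes = filter_scopes(params.get("scope", ""), supported_scopes)
    is_oidc = "openid" in scopes
    # Policy of this example (not stated on the page): an ID token cannot be
    # issued for a non-OIDC request, so refuse instead of silently ignoring.
    if "ID_TOKEN" in name and not is_oidc:
        return "invalid_request", scopes, False
    return None, scopes, is_oidc
```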

8. Configuration Category: ID Token

(Figure: Edit Service / ID Token)

ID Token Duration in seconds
    Specify the duration of ID tokens in seconds. The maximum value is 999,999,999,999,999 seconds (about 31.7 million years). This value is used to calculate the value of the exp claim in ID tokens.
Claim: Supported Claim Types
    Select the claim types to support.

    NORMAL means that this service (OpenID Provider) itself provides claim values directly.

    AGGREGATED means that providers of claim values exist separately and this service collects claim values from those providers and returns the aggregated information to client applications.

    DISTRIBUTED means that providers of claim values exist separately and this service only returns pointers to those providers to client applications.

    The items checked here are used as the value of the claim_types_supported property in the OpenID Provider Metadata of this service.

    See OpenID Connect Core 1.0, 5.6. Claim Types for details about claim types.

    Note: If you want to support AGGREGATED and DISTRIBUTED in your service, you have to format the information as described in 5.6.2. Aggregated and Distributed Claims and pass it to Authlete's /auth/authorization/issue API. Authlete itself does not support AGGREGATED and DISTRIBUTED directly.
Claim: Supported Claim Locales
    List the claim locales to support. Each element is a language tag (RFC 5646) and must consist of ASCII characters only, with a maximum length of 30. See OpenID Connect Core 1.0, 5.2. Languages and Scripts for details.

    The value is used as the value of the claims_locales_supported property in the OpenID Provider Metadata of this service.
Claim: Supported Claims
    List the claims to support. 'To support' here means that this service can provide the claim values directly or indirectly. Each claim name must consist of only ASCII characters and its length must not exceed 200.

    The following standard claims are defined in OpenID Connect Core 1.0, 5.1. Standard Claims: sub, name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address and updated_at.

9. Configuration Category: JWK Set

(Figure: Edit Service / JWK Set)

JWK Set Endpoint: URI
    The URL of this service's JSON Web Key Set document (RFC 7517). The URL must consist of only ASCII characters and its length must not exceed 200. This value can be empty if and only if this service supports neither asymmetric signatures for ID tokens nor asymmetric encryption for request objects.

    Client applications access this URL (1) to get the public key of this service in order to validate the signature of ID tokens issued by this service and (2) to get the public key of this service in order to encrypt their request objects. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

    The value is used as the value of the jwks_uri property in the OpenID Provider Metadata of this service.
JWK Set Endpoint: Direct Endpoint Enabled
    If YES is selected, the default implementation of the JWK Set endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/service/jwks/get/direct/service-api-key.

    If NO is selected, the endpoint returns 404 Not Found. In this case, if you want to provide a JWK Set endpoint to client applications, you have to implement the endpoint yourself using Authlete's /api/service/jwks/get API.
JWK Set Content
    The content of this service's JSON Web Key Set document (RFC 7517).

    If this service is to support asymmetric signatures for ID tokens and asymmetric encryption for request objects, this item must not be empty and must contain pairs of public/private keys. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.
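The JWK Set Content item holds the private keys, while the JWK Set endpoint exists only to hand out the public keys. As an added example (not Authlete's or this page's code), the following derives the publishable document from the content item and checks a served document for leaked private members; the key values are placeholders and the function names are assumptions of this example.

```python
# Members that carry private or symmetric key material (RFC 7518): RSA and
# EC private parts plus the symmetric key value 'k'.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample of a "JWK Set Content" item: one EC key pair (private
# member 'd' present) and one HMAC secret. The base64url values are
# placeholders, not real key material.
SAMPLE_JWK_SET_CONTENT = {
    "keys": [
        {"kty": "EC", "kid": "ec-sample", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y", "d": "PLACEHOLDER_PRIVATE_D"},
        {"kty": "oct", "kid": "hmac-sample", "use": "sig", "alg": "HS256",
         "k": "PLACEHOLDER_SHARED_SECRET"},
    ]
}


def public_jwk(key):
    """Public view of one JWK, or None for a symmetric key, which has no
    public part and must never be published."""
    if key.get("kty") == "oct":
        return None
    return {name: value for name, value in key.items() if name not in PRIVATE_MEMBERS}


def public_jwk_set(jwk_set):
    """Build the document to serve at jwks_uri from the JWK Set Content item:
    asymmetric keys stripped to their public members, symmetric keys omitted.
    The input is not modified."""
    published = [public_jwk(key) for key in jwk_set.get("keys", [])]
    return {"keys": [key for key in published if key is not None]}


def has_private_material(jwk_set):
    """Check to run against whatever the JWK Set endpoint actually serves:
    True if any key still carries a private or symmetric member."""
    return any(PRIVATE_MEMBERS & set(key) for key in jwk_set.get("keys", []))
```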

10. Configuration Category: OIDC Endpoint

(Figure: Edit Service / OIDC Endpoint)

User Info Endpoint: URI
    The URL of the userinfo endpoint of this service. ASCII characters only, 200 characters at most. The URL must start with https://.
User Info Endpoint: Direct Endpoint Enabled
    If YES is selected, the default implementation of the userinfo endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/userinfo/direct/service-api-key.

    If NO is selected, the endpoint returns 404 Not Found. In this case, if you want to provide a userinfo endpoint to client applications, you have to implement the endpoint yourself using Authlete's /api/auth/userinfo API.

    This feature is not implemented yet.
Client Registration Endpoint: URI
    The URL of the client registration endpoint of this service. ASCII characters only, 200 characters at most. The URL must start with https://.

    The value is used as the value of the registration_endpoint property in the OpenID Provider Metadata of this service.

    See OpenID Connect Dynamic Client Registration 1.0 for details about client registration.

11. Configuration Category: Document

(Figure: Edit Service / Document)

Terms of Service URI
    The URL of this service's Terms of Service for client application developers. ASCII only, 200 characters at most. The value is used as the value of the op_tos_uri property in the OpenID Provider Metadata of this service.
Service Data Policy URI
    The URL of the document describing how the data provided by this service can be used. ASCII only, 200 characters at most. The value is used as the value of the op_policy_uri property in the OpenID Provider Metadata of this service.
Service Documentation for Developers URI
    The URL of the documentation about this service for developers. ASCII only, 200 characters at most. The value is used as the value of the service_documentation property in the OpenID Provider Metadata of this service.
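Sections 3 through 11 each map a setting to an OpenID Provider Metadata property. As an added example (not Authlete's or this page's code), the following builds that metadata from a settings dictionary and enforces the URL constraints the console states (ASCII only, at most 200 characters, https://, no fragment, and no query component for the issuer). The settings item names, the sample values and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample of Edit Service items (placeholder values, not a real
# service); the client registration endpoint is intentionally left empty.
SAMPLE_SETTINGS = {
    "token_issuer_identifier": "https://idp.example.com",
    "authorization_endpoint_uri": "https://idp.example.com/authorize",
    "token_endpoint_uri": "https://idp.example.com/token",
    "jwk_set_endpoint_uri": "https://idp.example.com/jwks",
    "client_registration_endpoint_uri": "",
    "supported_client_auth_methods": ["CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
    "supported_claim_types": ["NORMAL"],
    "supported_claim_locales": ["en", "ja"],
    "supported_acrs": ["urn:example:acr:password"],
}

# (metadata property, settings item, may be empty, query component forbidden);
# every URL item forbids a fragment, only the issuer also forbids a query.
URL_PROPERTIES = [
    ("issuer", "token_issuer_identifier", False, True),
    ("authorization_endpoint", "authorization_endpoint_uri", False, False),
    ("token_endpoint", "token_endpoint_uri", False, False),
    ("jwks_uri", "jwk_set_endpoint_uri", True, False),
    ("registration_endpoint", "client_registration_endpoint_uri", True, False),
    ("op_tos_uri", "terms_of_service_uri", True, False),
    ("op_policy_uri", "service_data_policy_uri", True, False),
    ("service_documentation", "service_documentation_uri", True, False),
]
# (metadata property, settings item, lower-case the console enum names)
LIST_PROPERTIES = [
    ("token_endpoint_auth_methods_supported", "supported_client_auth_methods", True),
    ("claim_types_supported", "supported_claim_types", True),
    ("claims_locales_supported", "supported_claim_locales", False),
    ("acr_values_supported", "supported_acrs", False),
]


def check_url(value, allow_empty=False, forbid_query=False):
    """None if value meets the constraints the console states, else the violation."""
    if not value:
        return None if allow_empty else "must not be empty"
    if not value.isascii() or len(value) > 200:
        return "must be ASCII only and at most 200 characters"
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return "must start with https://"
    if parts.fragment or (forbid_query and parts.query):
        return ("must not contain a query or fragment component" if forbid_query
                else "must not contain a fragment component")
    return None


def build_provider_metadata(settings):
    """Return (metadata, None), or (None, 'item: problem') for the first URL
    item that violates its constraints. Empty optional URLs are left out."""
    metadata = {}
    for prop, item, allow_empty, forbid_query in URL_PROPERTIES:
        value = settings.get(item, "")
        problem = check_url(value, allow_empty, forbid_query)
        if problem:
            return None, f"{item}: {problem}"
        if value:
            metadata[prop] = value
    for prop, item, lower in LIST_PROPERTIES:
        metadata[prop] = [v.lower() if lower else v for v in settings.get(item, [])]
    return metadata, None
```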

12. Apply Changes

After editing configuration parameters, click the "Update" button at the bottom of the Edit Service page to apply the changes.

(Figure: "Update" button)