Configuring the ACP workspace

Instructions on how to configure your workspaces in ACP

Configure your ACP workspace

  1. Select Settings from the sidebar in the ACP admin portal.

  2. In the General view, update the name of your workspace and the authorization server URL. Save your changes.

Configure token settings

  1. Select the Token view in the Workspace Settings.

  2. In the Token view, select the access token type:

    • JSON WEB TOKEN (a signed token that contains entity-specific data and can be validated in place)

      or

    • OPAQUE (a random string that carries no data itself and must be introspected to be validated or to obtain entity-specific data)

  3. Set Time to Live (TTL) for tokens, authorization code, and cookie max age. Save your changes.

Configure auth settings

  1. In the Workspace Settings view, select the Authorization view.

    Authorization view

    The Authorization view has several sections that determine how protection and security are enforced within your workspace:

    • Governance (policy execution settings)
    • Allowed grant types
    • Allowed subject identifier types

  2. In the Authorization view, navigate to the Governance section and configure its settings.

    1. Select Client registration policy from the dropdown menu to define the policy that validates developer attributes before they can register applications.

    2. Select Token issue policy from the dropdown menu to define the policy that validates user attributes before they can be provided with a token.

    3. Select Machine token policy from the dropdown menu to define the policy that validates machine-to-machine application attributes before they can be provided with a token.

    Note

    For each policy type, you can either select an existing policy or create a new one.

  3. In the Authorization view, navigate to the Allowed grant types section and enable specific types by selecting the corresponding checkboxes.

    Grant types

    The grant types that an application in your workspace can use to acquire an access token are:

    • Client credentials
    • Authorization code
    • Refresh token
    • Resource owner password
    • Implicit

    Enforce PKCE

    For the Authorization code grant type, you can enable two additional options:

    • Enforce PKCE for all clients
    • Enforce PKCE for public clients

    For information on how to authenticate a client using the authorization code grant with PKCE, see Getting an access token using the authorization code grant with PKCE.
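    As an added illustration (not ACP's own code) of what the Enforce PKCE options require, the following shows the client-side S256 challenge derivation and a server-side decision function; the helper names and the boolean settings flags are assumptions that mirror the two checkboxes above.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return b64url(secrets.token_bytes(96))[:length]


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def token_request_allowed(client_is_public: bool, enforce_all: bool, enforce_public: bool,
                          stored_challenge: Optional[str], presented_verifier: Optional[str]) -> bool:
    """Server side: does the token request pass PKCE under the workspace's Enforce PKCE settings?

    stored_challenge is the code_challenge (method S256) that was bound to the authorization code;
    presented_verifier is the code_verifier sent with the token request. (Hypothetical model.)
    """
    pkce_required = enforce_all or (enforce_public and client_is_public)
    if stored_challenge is None:
        # No challenge was bound to the code: acceptable only when PKCE is optional for this
        # client and the client is not presenting a verifier that nothing can be checked against.
        return not pkce_required and presented_verifier is None
    if presented_verifier is None:
        return False  # a challenge was bound, so the verifier is mandatory
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)
```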

  4. In the Authorization view, navigate to the Allowed token endpoint authentication methods section and enable specific methods by selecting the corresponding checkboxes.

    Token endpoint authentication methods

    The token endpoint authentication methods that you can allow in your workspace are:

    • Client secret, in three flavors: Client Secret Basic, Client Secret JWT, and Client Secret Post
    • JSON web token (Private Key JWT)
    • TLS client authentication, with two options: TLS Client Auth and Self Signed TLS Client Auth

    Note

    Select None to allow applications that present no client authentication at the token endpoint. This option does not prevent you from also enabling the other methods.
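    To make the three client-secret flavors concrete, here is an added example (not part of ACP or this page) that builds the token endpoint request each flavor sends and verifies a Client Secret JWT assertion on the server side; the function names, the 60-second assertion lifetime and the in-memory jti set are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import quote
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def client_secret_jwt(client_id: str, secret: str, token_endpoint: str, now: int) -> str:
    """Client side: HS256 assertion with iss = sub = client_id and aud = the token endpoint."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": token_endpoint,
                                "iat": now, "exp": now + 60, "jti": secrets.token_hex(16)}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def token_request(method: str, client_id: str, secret: str, token_endpoint: str, now: int):
    """Client side: the (headers, form body) each client-secret flavor sends to the token endpoint."""
    headers, body = {}, {"grant_type": "client_credentials"}
    if method == "client_secret_basic":   # RFC 6749 2.3.1: form-encode id and secret, then Basic
        creds = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":  # the secret travels in the form body
        body.update(client_id=client_id, client_secret=secret)
    elif method == "client_secret_jwt":   # the secret itself never leaves the client
        body.update(client_assertion_type="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                    client_assertion=client_secret_jwt(client_id, secret, token_endpoint, now))
    else:
        raise ValueError(f"unsupported method {method}")
    return headers, body

def verify_client_assertion(assertion: str, client_secrets: dict, token_endpoint: str, now: int, seen_jti: set) -> str:
    """Server side: authenticate a client_secret_jwt assertion and return the client_id."""
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none and algorithm substitution up front
    claims = json.loads(b64url_decode(claims_b64))
    client_id = claims.get("iss")
    if not client_id or claims.get("sub") != client_id or client_id not in client_secrets:
        raise ValueError("unknown client or iss/sub mismatch")
    expected = hmac.new(client_secrets[client_id].encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != token_endpoint or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("wrong audience or expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")  # one-time use defeats assertion replay
    seen_jti.add(jti)
    return client_id
```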

  5. In the Authorization view, navigate to the TLS Client Authentication section and enable the TLS Client Auth and/or the Self Signed TLS Client Auth methods by selecting the corresponding checkboxes.

    Note

    You can add your trusted client certificates: PEM (privacy-enhanced mail) encoded root CA certificates that are used for client mTLS token endpoint authentication. If you do not add any trusted client certificates, the system root Certificate Authority (CA) certificates are used instead.

    Read more

    For more information on setting up the TLS client authentication, see Configuring ACP to verify the client mTLS authentication.

  6. In the Authorization view, navigate to the Allowed subject identifier types section and enable specific types by selecting the corresponding checkboxes.

    Subject identifier types

    ACP supports the Public and Pairwise subject identifier types.

    A Pairwise subject identifier represents one user with a different identifier for each client. Each Pairwise subject identifier is bound to a specific user-client pair, so clients cannot correlate the same user across applications, which enhances user privacy.
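    The following added example (not ACP's code) shows the difference between the two subject identifier types using the OpenID Connect Core pairwise algorithm, where the sector is the host of the client's redirect URI; the client registrations and the salt are constructed sample values.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample registrations: two clients share a host, a third is on a different one.
CLIENTS = {
    "banking-web": {"redirect_uri": "https://bank.example.test/callback"},
    "banking-mobile": {"redirect_uri": "https://bank.example.test/app/callback"},
    "partner-app": {"redirect_uri": "https://partner.example.test/cb"},
}
SALT = "workspace-salt-constructed"  # assumed per-workspace secret salt


def sector_identifier(redirect_uri: str) -> str:
    """The sector is the host of the client's redirect URI (or of its sector_identifier_uri)."""
    host = urlparse(redirect_uri).hostname
    if not host:
        raise ValueError("redirect_uri must be an absolute URI with a host")
    return host


def pairwise_sub(local_sub: str, sector: str, salt: str) -> str:
    """OIDC Core 8.1 pairwise algorithm: SHA-256(sector || local account id || salt)."""
    return hashlib.sha256(f"{sector}{local_sub}{salt}".encode()).hexdigest()


def subject_for(client_id: str, user_id: str, subject_type: str) -> str:
    """The sub claim a given client receives for a user under the workspace's subject identifier type."""
    if subject_type == "public":
        return user_id  # every client sees the same identifier
    if subject_type == "pairwise":
        sector = sector_identifier(CLIENTS[client_id]["redirect_uri"])
        return pairwise_sub(user_id, sector, SALT)
    raise ValueError(f"unsupported subject type {subject_type}")
```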

  7. With all the sections set up, select Save changes to proceed.

Configure claims

For detailed information on claim configuration, read Configuring claims for ID tokens and access tokens.

Configure the consent screen

The consent screen is a prompt displayed to the end user when an application requests access to the user’s private data.

  1. In the Workspace settings view, select the Consent screen view.

  2. In the Consent screen view, select the type of the consent page that you’d like to use:

    • OAUTH CONSENT based on default scopes or

    • OPEN BANKING CONSENT for specialized use cases, such as Open Banking.

  3. Select Save changes to apply your choice.

Note

The Open Banking consent page requires configuration. For instructions on how to integrate the custom consent page with ACP, see Configuring the custom consent page.

Open Banking consent

If you choose OPEN BANKING CONSENT for your workspace, enter the consent URL in the field provided and select Save changes to proceed. Copy the metadata that is auto-generated for your client from the right-side pane. For detailed instructions on how to enable OPEN BANKING CONSENT in the workspace, see Enabling the custom consent page.

Configure Dynamic Client Registration

  1. In the Settings view, navigate to the DCR section and enable it by selecting the Enable dynamic client registration (DCR) checkbox.

  2. Select a dynamic client registration policy from the dropdown menu or create a new DCR policy.

    Note

    This step is optional: you can skip the dynamic client registration policy if you do not need to restrict access to DCR.

  3. Optionally, enable any of Protect by access token, Protect by software statement, and Signed Request Body by selecting the corresponding toggle switches.

Note

For each enabled feature, choose how to supply your JSON Web Key Set (JWKS): either paste the JWKS value directly or provide a link to it.

Read more

For more information on configuring DCR, see Configuring Dynamic Client Registration with authorization servers.

Result

You have successfully configured your Dynamic Client Registration.

Result

You have configured your workspace so that it uses specific protection and security measures.