ACP OAuth authorization server
Description of the ACP OAuth authorization server
Authorization server concept
The authorization server issues access tokens to the client application after successfully authenticating the resource owner and obtaining authorization.
Cloudentity Authorization Control Plane (ACP) lets you create multiple authorization servers per tenant.
You may want to create one authorization server for financial APIs and another one that requires OAuth clients to use the PKCE extension.
Authorization server features
- Each authorization server is identified by a unique issuer URL, which is the base URL for its OAuth/OIDC endpoints, such as
- Each authorization server has a dedicated JWKS key set at /.well-known/jwks.json, used to sign ID tokens and access tokens.
- Each authorization server has a list of supported grant types: you can restrict clients to specific OAuth/OIDC flows.
The authorization server lets you enable:
- PKCE enforcement: when enabled, every client registered in the authorization server must use the PKCE extension.
- Dynamic client registration.
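As an added illustration of what PKCE enforcement means at the authorization and token endpoints (this is example code, not Cloudentity's implementation), the model below assumes an in-memory code store in place of the real server and follows RFC 7636: with enforcement on, an authorization request without an S256 code_challenge is refused, and a code can only be redeemed with the matching code_verifier.

```python
import base64
import hashlib
import hmac
import secrets

_ISSUED_CODES = {}  # constructed stand-in for the server's code store


def b64url(data):
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier():
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize(params, pkce_enforced):
    """Authorization endpoint. With enforcement on, a request that carries no
    S256 code_challenge is refused instead of being issued a code."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")
    if pkce_enforced and (challenge is None or method != "S256"):
        return {"error": "invalid_request",
                "error_description": "code_challenge with method S256 is required"}
    code = b64url(secrets.token_bytes(24))
    _ISSUED_CODES[code] = {"client_id": params["client_id"],
                           "challenge": challenge, "method": method}
    return {"code": code}


def exchange(code, client_id, verifier):
    """Token endpoint. The code is single-use and, if issued with PKCE, must be
    redeemed with the verifier whose challenge was bound to it."""
    bound = _ISSUED_CODES.pop(code, None)  # consumed even if the check fails
    if bound is None or bound["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if bound["challenge"] is not None:
        if verifier is None:
            return {"error": "invalid_grant"}
        actual = code_challenge_s256(verifier) if bound["method"] == "S256" else verifier
        if not hmac.compare_digest(actual, bound["challenge"]):
            return {"error": "invalid_grant"}
    return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}
```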