Connecting and Configuring Services in Cloudentity
This article guides you through the process of connecting a service that you want to protect in Cloudentity.
Add and Configure Services
Go to Applications > Clients.
Select Create Service.
In the pop-up window, give your service a name and description and select Create. The service is added to the list.
Configure the service. Follow the information below for details on each configuration form.
Configure Basic Settings
On the Overview page you can see the Service details and Service capabilities panels.
Service details:
Name: Name identifying this service.
Description: Description identifying this service.
Access Token Audience: Default audience present in access tokens issued by Cloudentity for this service.
Custom Access Token Audience: Custom audience that overrides the default one.
Service capabilities:
OAuth Resource Server: Controls whether this service is an OAuth 2.0 Resource Server, where authorization is governed by scopes.
API Server: Allows for API-level access control. When enabled, you can define access control for individual APIs, including GraphQL APIs and APIs behind a gateway.
Configure Scopes
If you need to learn more about scopes, see the Access (Token) Scopes article.
Open the Scopes page from your service.
Select Create Scope and fill in the form.
Scope name: The name that OAuth clients must send in their authorization request. To define a dynamic (wildcard) scope, append .* to the scope name, for example account.*.
Display name: Scope name shown to the user.
Description: Scope description.
Select Govern Scopes to configure global settings related to authorization flows available for this service. These settings impact all scopes within this service.
Human Users: Controls whether the Authorization Code flow can be used with this service. If enabled, you can configure the policy for that flow.
Machine Users: Controls whether the Client Credentials flow can be used with this service. If enabled, you can configure the policy for that flow.
3rd Party Developers: Controls whether third-party developers can subscribe to this service. If enabled, you can configure the policy for that flow.
Dynamic Client Registration: Controls whether dynamically registered clients can subscribe to this service. Use a policy to define the conditions dynamically registered clients must meet to subscribe to a protected scope.
Select the newly created scope and finish its configuration.
Details: Edit basic scope information.
Governance: Assign policies for each flow enabled via Govern Scopes.
Advanced: Configure advanced settings.
Metadata: Assign metadata to a scope in JSON format.
Check the preview panel. It shows what end users will see with the current service configuration.
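As an added example (not Cloudentity's own code), the following Python sketches the checks a resource server makes against the settings above: the Access Token Audience from the Overview page and concrete instances of a dynamic account.* scope from the Scopes page. The claim names, the sample service values and the token payloads are assumptions constructed for the example.

```python
"""Resource-server checks mirroring the service settings above.

Added example, not Cloudentity code. Assumes the access token's signature
and expiry are already verified and its payload decoded into a dict, that
the audience is in the standard `aud` claim (RFC 7519), and that granted
scopes arrive as a space-separated `scope` claim (RFC 6749 style).
"""
from __future__ import annotations

# Constructed sample of what the Overview and Scopes pages would define:
# the effective Access Token Audience and two scopes, one of them dynamic.
SERVICE = {
    "audience": "https://api.example.test/accounts",
    "scopes": ["account.*", "profile"],
}

def audience_ok(claims: dict, expected: str) -> bool:
    """`aud` may be a string or a list; the service audience must be present."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected in aud

def dynamic_value(defined: str, concrete: str) -> str | None:
    """If `defined` is a dynamic scope (`prefix.*`) and `concrete` is an
    instance of it, return the variable part, e.g. "123" for account.123."""
    if not defined.endswith(".*"):
        return None
    prefix = defined[:-1]  # "account.*" -> "account."
    if concrete.startswith(prefix) and len(concrete) > len(prefix):
        return concrete[len(prefix):]
    return None

def authorize(claims: dict, service: dict, required: str) -> tuple[bool, str]:
    """Fail-closed decision for an API protected by the concrete scope
    `required` (for example "account.123"). Returns (allowed, reason)."""
    if not audience_ok(claims, service["audience"]):
        return False, "audience mismatch"
    # The required scope must be one this service defines: a static scope
    # by exact name, or an instance of a dynamic scope.
    defined = next((d for d in service["scopes"]
                    if d == required or dynamic_value(d, required) is not None), None)
    if defined is None:
        return False, f"{required} is not defined on this service"
    granted = set(claims.get("scope", "").split())
    if required in granted:
        return True, f"granted via {defined}"
    return False, f"missing scope {required}"
```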
Configure APIs
Under APIs, you can specify the APIs exposed by the service, if your service is defined as an API server. If the APIs are behind a gateway, you can connect the gateway with all of its APIs directly. Finally, you can import any OpenAPI-compliant specification.
To add individual APIs:
Select + API.
Define the API type (REST or GraphQL), method, and path.
Optionally, assign an API Policy to your API.
Select Add API to finish.
To connect API Gateway:
Select + Gateway API.
Select any API Gateway connected to Cloudentity. If none are available, add an API Gateway first.
Select Connect to finish.
To import an API specification:
Select Import.
Provide the specification in the form.
URL: URL pointing to an OpenAPI-compliant specification.
File: JSON or YAML file with your OpenAPI specification.
JSON or YAML: Paste the OpenAPI specification directly as JSON or YAML.
Select Import to finish.
Subscribe Clients to Scopes
Having added and configured your Services, you must subscribe the client application to the correct scopes.