OAuth Client and Identity Provider Registration

OAuth Client Registration

You can register OAuth clients using the self-service registration page.

Authorization Code

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Click on the plus button in the lower right corner.
  3. Enter a name of your choice in the Client name input. This is used to identify the OAuth client and can be changed later.
  4. Choose "Authorization Code" from the Grant type input.
  5. Choose "With client secret" from the Authorization type input.
  6. Enter the location of your client's logo in the Logo URL input. The logo will be shown to Tapkey users when they are asked to grant your application access to their Tapkey account. A square PNG works best.
  7. Enter any required redirect URIs, separated by commas, in the Redirect URIs input.
  8. Enter any required allowed CORS origins, separated by commas, in the Allowed CORS origins input.
  9. Enter any required post-logout URIs, separated by commas, in the Post-logout URIs input.
  10. Choose the required scopes from the Permissions section. The scopes each operation requires are listed alongside it in the API documentation.
  11. Click on the check mark button in the lower right corner to create the new OAuth client.
  12. A dialog with the client's secret appears. Note the secret and store it in a secure place. This is the only time the secret is displayed.

Warning

Although multiple values can be entered into the Redirect URIs, Allowed CORS origins and Post-logout URIs inputs, using clients that point to localhost in production is strongly discouraged. Keep testing and production environments separate by using multiple OAuth clients.

Secret Rollover

In order to gracefully replace the client's secret, the OAuth client registration form has a secret rollover function.

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Choose the OAuth client from the list.
  3. Click on the secret rollover button in the secret reset section.
  4. Choose an expiration time in minutes for any previous secrets. Any previous secrets will stop working after that time.
  5. Start secret rollover by clicking the button at the bottom of the dialog.

Authorization Code with PKCE

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Click on the plus button in the lower right corner.
  3. Enter a name of your choice in the Client name input. This is used to identify the OAuth client and can be changed later.
  4. Choose "Authorization Code" from the Grant type input.
  5. Choose "With PKCE" from the Authorization type input.
  6. Enter the location of your client's logo in the Logo URL input. The logo will be shown to Tapkey users when they are asked to grant your application access to their Tapkey account. A square PNG works best.
  7. Enter any required redirect URIs, separated by commas, in the Redirect URIs input.
  8. Enter any required allowed CORS origins, separated by commas, in the Allowed CORS origins input.
  9. Enter any required post-logout URIs, separated by commas, in the Post-logout URIs input.
  10. Choose the required scopes from the Permissions section. The scopes each operation requires are listed alongside it in the API documentation.
  11. Click on the check mark button in the lower right corner to create the new OAuth client.

Warning

Although multiple values can be entered into the Redirect URIs, Allowed CORS origins and Post-logout URIs inputs, using clients that point to localhost in production is strongly discouraged. Keep testing and production environments separate by using multiple OAuth clients.

Client Credentials

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Click on the plus button in the lower right corner.
  3. Enter a name of your choice in the Client name input. This is used to identify the OAuth client and can be changed later.
  4. Choose "Client Credentials" from the Grant type input.
  5. Choose the required scopes from the Permissions section. The scopes each operation requires are listed alongside it in the API documentation.
  6. Click on the check mark button in the lower right corner to create the new OAuth client.
  7. A dialog with the client's secret appears. Note the secret and store it in a secure place. This is the only time the secret is displayed.

Secret Rollover

In order to gracefully replace the client's secret, the OAuth client registration form has a secret rollover function.

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Choose the OAuth client from the list.
  3. Click on the secret rollover button in the secret reset section.
  4. Choose an expiration time in minutes for any previous secrets. Any previous secrets will stop working after that time.
  5. Start secret rollover by clicking the button at the bottom of the dialog.

Token Exchange

Tip

An identity provider must be registered before a client with the Token Exchange grant type can be created.

  1. Go to the OAuth Client page on my.tapkey.com.
  2. Click on the plus button in the lower right corner.
  3. Enter a name of your choice in the Client name input. This is used to identify the OAuth client and can be changed later.
  4. Choose "Token Exchange" from the Grant type input.
  5. Select the desired identity provider from the Identity provider input.
  6. Choose the required scopes from the Permissions section. The scopes each operation requires are listed alongside it in the API documentation.
  7. Click on the check mark button in the lower right corner to create the new OAuth client.

Identity Provider Registration

You can register identity providers using the self-service registration page.

  1. Go to the Identity Provider page on my.tapkey.com.
  2. Click on the plus button in the lower right corner.
  3. Enter a short name of your choice in the Short Name input. This is used to identify the identity provider and can be changed later.
  4. Enter the desired audience in the Audience input. It must match the audience field of the JWTs issued by this identity provider.
  5. Enter the desired issuer in the Issuer input. It must match the issuer field of the JWTs issued by this identity provider.
  6. Enter the public key of the key pair this identity provider uses to sign its JWTs. Consult the "Creating a key pair" section of the identity provider registration guide for more information.
  7. Click on the check mark button in the lower right corner to create the new identity provider.

Key Rollover

In order to gracefully replace signing keys, the identity provider registration form has a key rollover function.

  1. Go to the Identity Provider page on my.tapkey.com.
  2. Choose the identity provider from the list.
  3. Click on the key rollover button below the list of public keys.
  4. Choose an expiration time in minutes for any previous keys. Any previous keys will stop working after that time.
  5. Enter the public key of the new key pair.
  6. Start key rollover by clicking the button at the bottom of the dialog.