
[HOWTO] Authorize Access to Protected Resources using OAuth2.0

10 September, 19 at 02:45 AM



OAuth 2.0 is the industry-standard protocol for authorization. Understanding the OAuth2.0 standard can be complex, mainly because there are so many different ways OAuth2.0 can be implemented for varying requirements. In this article we will focus on the Client Credentials Flow. Other OAuth2.0 flows include:

  - Authorization Code Flow
  - Implicit Flow
  - Resource Owner Flow

When in doubt, reference the OAuth2.0 spec -> here


Centrify Configuration


1. Log in to the Centrify Application Services Portal as an Administrator

2. Switch to Admin Portal

3. Click on "Apps"

4. Click on "Add Web Apps"



5. Click the "Custom" tab

6. Add OAuth2 Client Application




7. Select "Yes" when asked "Do you want to add this application?"




8. Close "Add Web Apps" Pop-Up




9. Begin Application Configuration

10. Within the "Description" section, define a unique Application ID




11. Navigate to "General Usage"

12. Define General Usage as both "Confidential" & "Must be OAuth Client"

13. Skip the link to create a Service User, we'll come back to that later




14. Navigate to "Tokens"

15. Define "Token Type" as "JwtRS256" (a JSON Web Token signed with RS256, i.e. an RSA signature over a SHA-256 digest; the token is signed, not encrypted)

16. Define "Auth Methods" as "Client Creds"

17. Select a desired token lifetime (how long it's valid for)
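The checks below are an added example, not code from the article or from Centrify: they show what a resource server can verify about a JwtRS256 bearer token's header and lifetime claims before handing the token to a JWT library for RS256 signature verification against the issuer's public key. The token built inside is constructed for the example with a placeholder signature; the claim names and the tenant URL are assumptions.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode one base64url segment; JWTs omit the '=' padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(header, claims):
    """Construct a JWT with a placeholder third segment (example only).

    A real JwtRS256 token from the tenant carries an RSA-SHA256 signature there."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    c = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{h}.{c}.placeholder-signature"


def inspect_jwt(token, now=None, max_lifetime=None):
    """Pre-flight checks on an incoming bearer token; returns its claims.

    Run these before (never instead of) verifying the RS256 signature:
      - the token must have exactly three segments,
      - 'alg' must be RS256 (refusing 'none' and HMAC algorithms blocks
        algorithm-confusion tricks against the verifier),
      - 'exp' must be present and in the future,
      - the exp-iat window must not exceed the lifetime configured under "Tokens".
    Raises ValueError when any check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only RS256 is accepted")
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token is expired or carries no exp claim")
    if max_lifetime is not None:
        lifetime = claims["exp"] - claims.get("iat", claims["exp"])
        if lifetime > max_lifetime:
            raise ValueError("token lifetime exceeds the configured maximum")
    return claims


def is_acceptable(token, now=None, max_lifetime=None):
    """Boolean wrapper around inspect_jwt for callers that only need a decision."""
    try:
        inspect_jwt(token, now=now, max_lifetime=max_lifetime)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a one-hour token issued by a placeholder tenant.
    issued = 1_600_000_000
    sample = make_unsigned_jwt(
        {"alg": "RS256", "typ": "JWT"},
        {"iss": "https://tenant.example/", "sub": "api_user@tenant.example",
         "scope": "query", "iat": issued, "exp": issued + 3600},
    )
    print(inspect_jwt(sample, now=issued + 10, max_lifetime=3600))
```

The lifetime check mirrors the value chosen in step 17: a token whose exp-iat window is longer than the configured lifetime was not minted by this configuration and should not be trusted.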




18. Navigate to "Scopes"

19. Define "Scopes" for what is protected and requires an auth/bearer token


20. In this example we are protecting the tenant APIs exposed by the issuer:


21. Select "Add" under "Scope definitions"




22. Give your scope definitions a Name, Description & Regular Expression Filter


23. "RedRock/query" is the standard API path for applications to run queries against the Centrify Platform (learn more about using queries -> here)


24. Click "Save"


25. Our defined scope now restricts access to running report queries programmatically
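To make the scope restriction concrete, here is an added example (not the article's or Centrify's code) that applies scope definitions of the kind created in steps 21-25 to an incoming API path. Only the "RedRock/query" filter comes from the article; the second scope, the tenant URL, and the assumption that the platform matches the regular expression against the full request path are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed scope definitions modelled on the "Scope definitions" table
# (Name, Description, Regular Expression Filter). "users_read" is hypothetical.
SCOPE_DEFINITIONS = {
    "query": {
        "description": "Run report queries programmatically",
        "filter": r"RedRock/query",
    },
    "users_read": {
        "description": "Read user objects (hypothetical scope)",
        "filter": r"UserMgmt/GetUser.*",
    },
}


def api_path(url):
    """Return the API path of a tenant URL without the leading slash."""
    return urlparse(url).path.lstrip("/")


def path_allowed_by_scope(scope_name, path, definitions=SCOPE_DEFINITIONS):
    """True when the scope's filter matches the WHOLE path.

    fullmatch anchors the pattern at both ends, so the filter "RedRock/query"
    admits exactly that endpoint and nothing that merely contains the text."""
    definition = definitions.get(scope_name)
    if definition is None:
        return False
    return re.fullmatch(definition["filter"], path) is not None


def path_allowed_unanchored(scope_name, path, definitions=SCOPE_DEFINITIONS):
    """Contrast case: an unanchored search admits any path containing the filter
    text, e.g. "Public/RedRock/query/anything". Shown only to make the
    difference visible; do not use this form for an authorization decision."""
    definition = definitions.get(scope_name)
    if definition is None:
        return False
    return re.search(definition["filter"], path) is not None


def token_allows_request(granted_scopes, url, definitions=SCOPE_DEFINITIONS):
    """Authorization decision for a bearer token carrying the given scopes:
    the request is allowed if any granted scope's filter covers the path."""
    path = api_path(url)
    return any(path_allowed_by_scope(s, path, definitions) for s in granted_scopes)


if __name__ == "__main__":
    for url in ("https://tenant.example/RedRock/query",
                "https://tenant.example/UserMgmt/GetUserAttributes"):
        print(url, "->", token_allows_request(["query"], url))
```

Whichever engine actually evaluates the filter, the practical check is the same: write filters that match the complete endpoint path (anchor them, or keep them free of open-ended wildcards) so a scope meant for report queries cannot be stretched to other APIs.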




26. Navigate to "User Access"

27. For this example, we're going to restrict query access to only Service Accounts/Users

28. Click "Save"; your OAuth2 Client Application configuration is complete for now




29. Now we need to create a Service User that will act as our Confidential Client

30. Navigate to "Core Services" > "Users" > "Add User"




31. Create the user by supplying Login Name, Display Name and Password Type

32. Ensure that user status is defined as both a Service User & OAuth Confidential Client

33. Select "Create User"




34. If you haven't already done so, create a Service_Users Role

35. Now make sure our newly created service user is included under "Members" of our Service_Users Role




36. Under "Administrative Rights" make sure the role includes "Read Only System Administration"




37. Under "Assigned Applications" make sure our newly created OAuth2 Client App is added

38. Click "Save" to complete Role configuration




39. Now we can create a "Bearer Token" to be used to invoke our protected APIs

40. Navigate back to "Apps" and select our newly created OAuth2 Client Application

41. Under the "Actions" dropdown menu, select "Create Bearer Token"




42. Here, you will have to supply the client_id & secret that you established as part of your Service User/Confidential Client

43. Select "Get Token"




44. If the ClientID & Secret are validated as correct, a bearer token will be generated and displayed

45. Select "Copy" to capture/copy token to be used later for authorization




46. Now that we have our Token, we can do a quick recap and put it to the test!

47. Reference the video below on how to use this token and how to validate that our setup is correct


48. [Updated March 2018] An alternative and more efficient way of obtaining an authorization token is to retrieve the OAuth2 token programmatically instead of manually through the User Interface. While several grant_types per the OAuth2.0 spec can achieve this, in our example we will use the grant_type of client_credentials. As per the spec we need to supply the grant_type, client_id & client_secret in the HTTP POST request. In our example we will use Postman to invoke the oauth2 token endpoint, which requires the request parameters to be passed in the request body. Using a confidential client defined in step 33 we can obtain a token. In this example we will use a separate confidential client or "service user", api_user@eddie_welch_01, but you'll notice they are both attached to the same role, associated with the my_oauth_client AppID. The URL Token Endpoint is as follows:

In our example we will use:


The AppID can be found in the admin console:

[Screenshot: AppID shown in the admin console]

Here are our Postman request headers:

[Screenshot: Postman request headers]

Here is our Postman request body, which includes our 3 required parameters:

[Screenshot: Postman request body]

Here is our Postman response, which includes our OAuth access token:

[Screenshot: Postman response]
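The same exchange as the Postman walkthrough in step 48, written as an added example in Python (not code from the article or from Centrify): it prepares the client_credentials POST, parses the token response, and builds the bearer-authenticated RedRock/query call. The tenant URL and token-endpoint path are placeholders because the article's values are not reproduced here; the JSON body shape of RedRock/query ({"Script": ...}) and the scope parameter are assumptions. Only my_oauth_client and the service-user name come from the article.

```python
import base64
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Placeholders (assumptions): substitute your tenant URL and the token-endpoint
# URL from your admin console. APP_ID is the article's my_oauth_client.
TENANT_URL = "https://tenant.example"
TOKEN_ENDPOINT = TENANT_URL + "/<token-endpoint-path>"
APP_ID = "my_oauth_client"


def build_token_request(token_endpoint, client_id, client_secret,
                        scope=None, credentials_in_header=False):
    """Prepare the Client Credentials grant (RFC 6749 section 4.4.2).

    grant_type always travels form-encoded in the POST body. The credentials go in
    the body as well, exactly as in the Postman example, unless credentials_in_header
    is set, in which case they are sent as HTTP Basic authentication, the scheme
    every server issuing client passwords must support (section 2.3.1)."""
    params = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials_in_header:
        # Section 2.3.1: form-urlencode id and secret before base64 encoding.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    if scope:
        params["scope"] = scope
    return {"method": "POST", "url": token_endpoint, "headers": headers,
            "body": urlencode(params).encode("utf-8")}


def parse_token_response(raw_body):
    """Return (access_token, expires_in) from a token-endpoint JSON response.

    An error response (RFC 6749 section 5.2) or a non-bearer token raises
    ValueError instead of silently yielding an unusable credential."""
    data = json.loads(raw_body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type; a bearer token was expected")
    return data["access_token"], int(data.get("expires_in", 0))


def build_query_request(tenant_url, access_token, script):
    """Prepare the protected RedRock/query call, authorized by the bearer token.
    The {"Script": ...} body is an assumption about the query API."""
    return {
        "method": "POST",
        "url": tenant_url.rstrip("/") + "/RedRock/query",
        "headers": {"Authorization": "Bearer " + access_token,
                    "Content-Type": "application/json"},
        "body": json.dumps({"Script": script}).encode("utf-8"),
    }


def send(prepared, timeout=30):
    """Perform a prepared request over HTTPS and return the decoded body."""
    req = Request(prepared["url"], data=prepared["body"],
                  method=prepared["method"], headers=prepared["headers"])
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fetch_token_and_query(token_endpoint, client_id, client_secret, tenant_url, script):
    """End-to-end flow: obtain a token, then run one query with it (network call)."""
    token, _ttl = parse_token_response(send(build_token_request(
        token_endpoint, client_id, client_secret)))
    return send(build_query_request(tenant_url, token, script))


if __name__ == "__main__":
    # Offline demonstration: show the prepared token request for the article's
    # service user; the secret here is a constructed placeholder.
    prepared = build_token_request(TOKEN_ENDPOINT, "api_user@eddie_welch_01", "<client-secret>")
    print(prepared["url"], prepared["headers"], prepared["body"].decode())
```

Read the client secret from a secret store or environment variable rather than committing it alongside the AppID, and treat the returned access_token like the secret itself: it authorizes every request the scope allows until expires_in elapses.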