IAM Clients

The IAM offers OpenID Connect/OAuth client which users can use.

Creating Clients

Log into the service and click on the My Clients tab
You can create a new client using the +New client button.

Create Client button
You can do some basic configurations before creating the client
You can finalise the client creation with Save client button and the client secret will be generated.

Save Client button
Youe can retrieve the client secret for use in your application via clicking the client > Credentials > Client secret

Clients Configuration

This section will go through key configuration for the client.

Main

Client name: Human readable name of client, non-unique
Client id: Unique ID of your clients
Redirect URIs: List of allowed Redirect URI for the clients usually pointing to your application.
Contacts: Email contacts for admin of the Client

Client Info - Main

Credentials

Token endpoint authentication method: Authentication method of your application
Client secret: The secret of the client

Client Info - Credentials

Scopes

You can use the scopes avaliable for the IAM or build your own custom scopes.

JWT profiles

A JWT profile is a named set of rules that defines which information is included in access tokens, id tokens, userinfo and introspection responses issued by IAM in an OAuth/OIDC message exchanges.

There are 4 unique scopes that set the token profile used in the client, Please only enable 1 in any client:

aarc: AARC token profile
iam: INDIGO IAM token profile
wlcg: WLCG token profile
kc: keycloak token profile

Info

You should only enable 1 of the above scopes, enabling multiple will cause the IAM to default back to the system default, INDIGO IAM token profile.