Nintex Community Menu Bar

Configuring a Client Credential Flow OAuth Resource

4 years ago
February 16, 2021
0 replies
554 views
Translate

evanmoore
Nintex Employee

Configuring a Client Credential Flow OAuth Resource

KB002814

PRODUCT

K2 Cloud Update 6

K2 Five 5.2

There is a custom OAuth flow that you can use, upon customer request, that allows you to configure K2 to bypass trust.k2.com. This OAuth token flow gives any service instance an all-access (keys-to-the-kingdom) pass to AAD.

This approach should only be considered if the customer understands the implications of this configuration and refuses to allow configuration of K2 and AAD through the standard approach. It should only be used as a last resort and is not meant as a replacement for using the K2 apps and trust.k2.com to integrate with AAD.

Resource Type Configuration

The Client Credential Flow custom OAuth extension is located at K2Host ServerBinOAuthExtensionsSourceCode.Security.OAuth.Extensions.ClientCredentials.dll

A resource type for this extension is not configured out of the box, so you need to create it for the customer. Use the following information for reference.

Name: Client Credentials
Description: leave blank
Extension: SourceCode.Security.OAuth.Extensions.ClientCredentials
Usage: Authorization
RefreshTokenExpiration: 0
ExpirationWarningDays: 0
InvalidMessageDelayMinutes: 0
ExpiringMessage: leave blank
InvalidMessage: leave blank

Add the resource type parameters:

resource: true for URL Encode, Token Request
grant_type: true for Token Request, client_credentials for Token Default Value
client_id: true for URL Encode, Token Request
redirect_uri: true for URL Encode, Token Request
client_secret: true for URL Encode, Token Request

Create a new resource based on the Client Credentials resource type with the following values

Resource Type: Client Credentials
Name: CC - <K2 Cloud Tenant Name>
Authorization Endpoint: https://login.microsoftonline.com/<AAD Tenant ID>/oauth2/authorize
Token Endpoint: https://login.microsoftonline.com/< AAD Tenant ID>/oauth2/token
Refresh Token Endpoint: leave blank
Metadata Endpoint: leave blank
UseHostServerAuthorizationEndpoint: false

Add values for the resource parameters.

resource: https://graph.windows.net/
grant_type: client_credentials
client_id: <Client ID of your AAD App>
redirect_uri: https://<K2 Cloud URL>/Identity
client_secret: <Client secret of your AAD App>

The last step is to create and/or edit a service instance to use the Client Credentials OAuth resource and test that it's functioning as expected.

Considerations

It is strongly recommended that customers who use this feature upgrade to K2 5.6 for the benefit of storing client secrets securely. For more information see Encrypted Values

Did this topic help you find an answer to your question?

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Configuring a Client Credential Flow OAuth Resource

Resource Type Configuration

Considerations

Reply

Related topics

Re: Configuring a Client Credential Flow OAuth Resource

OAUTH configuration for Custom REST API registered in Azureicon

API Authorization Request: Can I send credentials in body vs headers?icon

How to set up client id, secret id in K2 cloud?

Outbound Authorization and OAuth in K2

Sign up

Log in with SSO

Login to the community

Log in with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings