OAuth2 Client Manager (.NET)

The OAuth2 Client Manager API includes the following methods available on the IOAuth2ClientManager interface in the Relativity.Identity.<VersionNumber>.Services namespace.

Note: The <VersionNumber> variable in the namespace indicates the version number of the API. The version number uses the format uppercase V and an integer version number, such as V1 or V2 in .NET.

• CreateAsync() method - adds a new OAuth2 client to Relativity. This overloaded method offers two options for adding a client:
  • Create an OAuth2 client by specifying the flow and redirectUris.
  • Create an OAuth2 client by using OAuth2Client objects. See Create an OAuth2 client.
• DeleteAsync() method - removes an OAuth2 client from Relativity.
• SaveAsync() method - saves changes made to an OAuth2 client. See Update an OAuth2 client.
• RegenerateSecretAsync() method - generates a new secret for an OAuth2 client. All previous secrets are immediately invalidated. See Regenerate a client secret.

The OAuth2 Client Manager API uses the following classes:

• Claim class - represents information about a user or OAuth2 client. It has these properties:
  • Type - a string representing the type of claim.
  • Value - a string representing the claim value.

• OAuth2Client class - represents a OAuth2 client used for obtaining access tokens and authenticating web requests.

View property descriptions
• AccessTokenLifetimeInMinutes - the duration in minutes that access tokens issued to the clients are valid. We recommend using a duration based on the specified OAuth2 flow:
  • Client credentials and code flow - use a short lifetime. We recommend that this value matches the default value of 1 hour or 60 minutes used by the Identity Server. For more information, see the Identity Server 3 documentation on GitHub.
  • Resource Owner access - use a lifetime of 1 hour because a client secret and a refresh token are available.
  • Implicit flow tokens - match the lifetime of Relativity tokens, which is 10 hours or 600 minutes. After this time, the user must log in again.
• Name - a unique name for the OAuth2 client.
• Enabled - a Boolean value indicating whether the client is given access to Relativity. When a client is created, this value is automatically set to true.
• Flow - the mechanism for acquiring an authentication token. It is also called the OAuth2 grant type. This property is set during client creation and cannot be updated. The OAuth2Flow enum defines these values.
• Id - the unique identifier for the client. Relativity autogenerates this value if you do not specify it during client creation.
• IsSystem - a Boolean value indicating whether the OAuth2 client is an internal Relativity application. This property is read-only.
• RedirectUris - the URLs used to redirected the user after a request is authorized. These values must be specified for implicit or code flow types.
• Secret - the unique secret used by the client. Relativity autogenerates this value if you specify the Flow type as client credential, resource owner, or code.
• Scopes - a list of scopes this client is allowed to request. Currently, you cannot set this property, but the following table contains the default scopes:

  Scope / Flow	Implicit	Client Credentials	Code	Resource Owner
  id_token	✓		✓	✓
  access_token	✓	✓	✓	✓
  refresh_token		✓	✓	✓

• ContextUser - used when assigning the user to the OAuth2 client for permissions and auditing. This property is required if OAuth2 flow is set to client credentials. It cannot be used for other flows.
• Claims - list of additional claims the OAuth2 client receives in access tokens. Only specific claim types are allowed by the system.
• OAuth2Flow enum - represents the workflow that an OAuth2 client uses for authorization. It defines the following flows:
  • Implicit = 0
  • Client Credentials = 1
  • Code = 2
  • Resource Owner = 3