You can create a client to enable a single application to register with VMware Identity Manager services to allow user access to a specific application.

About this task

Registering the details of the application identifies the application as a trusted client for the OAuth service.

You register the client ID, client secret, and a redirect URI with VMware Identity Manager service.


  1. In the administration console Catalog tab, select Settings > Remote App Access.
  2. On the Clients page, click Create Client.
  3. On the Create Client page, enter the following information about the application.



    Access Type

    Options are User Access Token or Service Client Token. Set to Service Client Token. This indicates that the application accesses the APIs on its own behalf, not on behalf of a user.

    Client ID

    Enter a unique client identifier for the application to use to authenticate to VMware Identity Manager. The client id must not match any client id in your tenant. The following characters can be used, alphanumeric (A-Z, a-z, 0-9) period (.), underscore (_), and hyphen (-) and at sign (@).


    Select Identity Manager.


    Select the information that the token contains. When you select NAAPS, OpenID is also selected.

    Redirect URI

    Enter the registered redirect URI.

    Advanced Section

    Click Advanced.

    Shared Secret

    Click Generate Shared Secret to generate a secret that is shared between this service and the application resource service.

    Copy and save the client secret to configure in the application setup.

    The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, then the secret is not used. The shared secret is not used with Web browser-based applications.

    Issue Refresh Token

    To use refresh tokens, leave this option enabled.

    Token Type

    Select Bearer. This attribute tells the application what type of access token it was given. For VMware Identity Manager, the tokens are bearer tokens.

    Access Token TTL

    The access token expires in the number of seconds set inAccess Token Time-To-Live. If Issue Refresh Token is enabled, when the access token expires, the application uses the refresh token to request a new access token.

    Refresh Token TTL

    Set the Refresh Token time to live. New access tokens can be requested until the refresh token expires.

    Idle Token TTL

    Configure how long a refresh token can be idle before it cannot be used again.

    User Grant

    Do not check Prompt users for access.

  4. Click Add.


The client configuration is displayed on the OAuth2 Client page.

What to do next

In the resource application, configure the Client ID and the generated shared secret. See the application documentation.