Public clients such as native and mobile apps cannot maintain the confidentiality of a client secret. When using OAuth 2.0 for native and mobile apps, we generate an app ID, and use the Public Key for Code Exchange (PKCE) to provide additional verification.
PKCE is a technique to secure public clients that don't use a client secret. See this blog for more information about using PKCE with mobile apps.
- You have the required permissions for adding and managing OAuth apps in this Organization. See What Organization roles are available in VMware Cloud Services.
- Click your user name and select Create New OAuth App. , and then click
- Select Native/Mobile app and click Continue.
- Register your app by entering the app details:
- Type a name and description for the new Oauth app.
- Enter at least one redirect URI.
After a user authorizes your client, the authorization server redirects the user back to your client to the URI you specified with an access token. It is best practice to add more than one URI. Use the format http://acme.com.
- Specify a time span for your access token.
The default Access Token time to live (TTL) setting is 30 minutes. The maximum value you can set is 300 minutes (five hours). The minimum value you can set is 1 minute.
- If you want your access token to authorize requests continuously, select the Issue a refresh token and set Refresh Token TTL value.
The default Refresh Token TTL is 30 minutes. The maximum value you can set is 300 minutes (five hours). The minimum value you can set is 1 minute.
- Define scopes.
Scopes provide a way to implement control over what areas in your Organization your client can access - specifically which of your services and the level of permission.
- Select the Open ID check box to get information about the users that authorize your app.
- Click Create to generate the client credentials.
- Copy the app ID or download a JSON file that contains the app ID. You are responsible for storing these credentials in a safe place.
- Click Continue.
What to do next
Paste the credentials into your script.