AuthServer readiness for AppSSO

This topic tells you how to use AuthServer.status as a reliable source to verify an AuthServer’s readiness for Application Single Sign-On (commonly called AppSSO).

However, you are encouraged to verify your AuthServer with the following checks:

  • [ ] Ensure that there is at least one token signing key configured

    curl -X GET {spec.issuerURI}/oauth2/jwks

    The response body should yield at least one key in the list. If there are no keys, apply a token signing key.

  • [ ] Ensure that the OpenID discovery endpoint is available

    curl -X GET {spec.issuerURI}/.well-known/openid-configuration

    The response body should yield a valid JSON body containing information about the AuthServer.
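
The two checks above can be applied to the saved response bodies programmatically. The following is an added example, not part of the original documentation or AppSSO's own code; the issuer URL and sample responses are constructed, and the comparison of `issuer`, `jwks_uri` and `token_endpoint` against spec.issuerURI plus the rejection of private key members are added checks based on standard OpenID discovery metadata and JWK fields.

```python
import json

# Constructed sample responses, not captured from a real AuthServer.
ISSUER = "https://authserver.example.com"  # stands in for {spec.issuerURI}
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sample-key-1", "e": "AQAB", "n": "constructed"}]})
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER, "jwks_uri": ISSUER + "/oauth2/jwks",
    "token_endpoint": ISSUER + "/oauth2/token"})

# JWK members that carry private or symmetric key material (RFC 7518).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}
# Endpoint paths taken from the curl commands on this page.
EXPECTED_ENDPOINTS = {"jwks_uri": "/oauth2/jwks", "token_endpoint": "/oauth2/token"}


def _parse_object(body, name, problems):
    """Parse a response body; record a problem unless it is a JSON object."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None
    if not isinstance(doc, dict):
        problems.append(f"{name} response is not a JSON object")
        return None
    return doc


def check_readiness(issuer, jwks_body, discovery_body):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    issuer = issuer.rstrip("/")
    jwks = _parse_object(jwks_body, "JWKS", problems)
    if jwks is not None:
        keys = jwks.get("keys")
        if not isinstance(keys, list) or not keys:
            problems.append("no token signing key in JWKS 'keys' list")
            keys = []
        for key in keys:
            if not isinstance(key, dict) or "kty" not in key:
                problems.append("malformed key entry in JWKS")
            elif PRIVATE_JWK_MEMBERS & key.keys():
                problems.append(f"key {key.get('kid')!r} exposes private key material")
    disco = _parse_object(discovery_body, "discovery", problems)
    if disco is not None:
        if str(disco.get("issuer", "")).rstrip("/") != issuer:
            problems.append("discovery 'issuer' does not match spec.issuerURI")
        for field, path in EXPECTED_ENDPOINTS.items():
            if disco.get(field) != issuer + path:
                problems.append(f"discovery '{field}' is not {issuer + path}")
    return problems
```

Pass the bodies saved from the two curl commands as `jwks_body` and `discovery_body`; any returned entry names the check that failed.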

Client registration check

It is helpful to verify an AuthServer by executing a test run with a test ClientRegistration. This check also ensures that app developers will be able to register clients with the AuthServer successfully.

Follow the steps below to ensure that your installation can:

  1. Add a test client.
  2. Get an access token.
  3. Invalidate/remove the test client.


Ensure that you have successfully applied a token signing key to your AuthServer before proceeding.

Define and apply a test client

Apply a ClientRegistration to your cluster in a Namespace that the AuthServer should allow clients from:

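apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: ClientRegistration
metadata:
  name: test-client
  namespace: default
spec:
  authServerSelector:
    matchLabels:
      # appropriate labels for your `AuthServer`
  authorizationGrantTypes:
    - client_credentials
  clientAuthenticationMethod: basic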

Check out the ClientRegistration API reference for more field definitions.

This defines a test ClientRegistration with the client_credentials OAuth grant type.

Apply the ClientRegistration:

kubectl apply -f appsso-test-client.yaml

Once the ClientRegistration is applied, inspect its status and verify that it is ready.

Get an access token

You should be able to get a token with the client credentials grant, for example:

# Get client id (`base64` command has to be available on the command line)
export APPSSO_TEST_CLIENT_ID=$(kubectl get secret test-client -n default -o jsonpath="{.data['client-id']}" | base64 --decode)

# Get client secret (`base64` command has to be available on the command line)
export APPSSO_TEST_CLIENT_SECRET=$(kubectl get secret test-client -n default -o jsonpath="{.data['client-secret']}" | base64 --decode)

# Attempt to fetch access token
curl \
 --request POST \
 --location "{spec.issuerURI}/oauth2/token" \
 --header "Content-Type: application/x-www-form-urlencoded" \
 --header "Accept: application/json" \
 --data "grant_type=client_credentials" \
 --basic \
 --user "$APPSSO_TEST_CLIENT_ID:$APPSSO_TEST_CLIENT_SECRET"

You should see a JSON response containing a populated access_token field. If so, the system is working as expected, and the client registration check is successful.

Make sure to delete the test ClientRegistration once you are done.
