OAuth2 AC (Beta)

The beta_oauth2 block lets you configure the oauth2_authorization_url() function and an access control for an OAuth2 Authorization Code Grant Flow redirect endpoint. Like all access control types, the beta_oauth2 block is defined in the definitions block and can be referenced in all configuration blocks by its required label.

Block name	Context	Label
`beta_oauth2`	Definitions Block	⚠ required

A nested jwt_signing_profile block is used to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt".

Attributes

Name	Type	Default	Description
`authorization_endpoint`	string	-	The authorization server endpoint URL used for authorization.
`backend`	string	-	References a backend in definitions for token requests. Mutually exclusive with `backend` block.
`client_id`	string	-	The client identifier.
`client_secret`	string	-	The client password. Required unless `token_endpoint_auth_method` is `"private_key_jwt"`.
`custom_log_fields`	object	-	Log fields for custom logging. Inherited by nested blocks.
`grant_type`	string	-	The grant type. Required, to be set to: `"authorization_code"`
`redirect_uri`	string	-	The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the `accept_forwarded_url` attribute if Couper is running behind a proxy.
`scope`	string	-	A space separated list of requested scope values for the access token.
`token_endpoint`	string	-	The authorization server endpoint URL used for requesting the token.
`token_endpoint_auth_method`	string	`"client_secret_basic"`	Defines the method to authenticate the client at the token endpoint. If set to `"client_secret_post"`, the client credentials are transported in the request body. If set to `"client_secret_basic"`, the client credentials are transported via Basic Authentication. If set to `"client_secret_jwt"`, the client is authenticated via a JWT signed with the `client_secret`. If set to `"private_key_jwt"`, the client is authenticated via a JWT signed with its private key (see `jwt_signing_profile` block).
`verifier_method`	string	-	The method to verify the integrity of the authorization code flow. Available values: `"ccm_s256"` (`code_challenge` parameter with `code_challenge_method` `S256`), `"state"` (`state` parameter)
`verifier_value`	string	-	The value of the (unhashed) verifier. E.g. using cookie value created with `oauth2_verifier()` function](../functions)

If the authorization server supports the code_challenge_method S256 (a.k.a. PKCE, see RFC 7636), we recommend verifier_method = "ccm_s256".

The HTTP header field Accept: application/json is automatically added to the token request. This can be modified with request header modifiers in a backend block.

Nested Blocks

Name	Description
`backend`	Configures a backend for token requests (zero or one). Mutually exclusive with `backend` attribute.
`error_handler`	Configures an error handler (zero or more).
`jwt_signing_profile`	Configures a JWT signing profile to create a client assertion if `token_endpoint_auth_method` is either `"client_secret_jwt"` or `"private_key_jwt"` (zero or one).

< Basic Auth

Client Certificate >