Couper Documentation


OAuth2 AC (Beta)

The beta_oauth2 block lets you configure the oauth2_authorization_url() function and an access control for an OAuth2 Authorization Code Grant Flow redirect endpoint. Like all access control types, the beta_oauth2 block is defined in the definitions block and can be referenced in all configuration blocks by its required label.

| Block name | Context | Label |
|---|---|---|
| beta_oauth2 | Definitions Block | ⚠ required |

A nested jwt_signing_profile block is used to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt".

Attributes

| Name | Type | Default | Description |
|---|---|---|---|
| authorization_endpoint | string | - | The authorization server endpoint URL used for authorization. |
| backend | string | - | References a backend in definitions for token requests. Mutually exclusive with the backend block. |
| client_id | string | - | The client identifier. |
| client_secret | string | - | The client password. Required unless token_endpoint_auth_method is "private_key_jwt". |
| custom_log_fields | object | - | Log fields for custom logging. Inherited by nested blocks. |
| grant_type | string | - | The grant type. Required; must be set to "authorization_code". |
| redirect_uri | string | - | The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the accept_forwarded_url attribute if Couper is running behind a proxy. |
| scope | string | - | A space-separated list of requested scope values for the access token. |
| token_endpoint | string | - | The authorization server endpoint URL used for requesting the token. |
| token_endpoint_auth_method | string | "client_secret_basic" | Defines the method to authenticate the client at the token endpoint. If set to "client_secret_post", the client credentials are transported in the request body. If set to "client_secret_basic", the client credentials are transported via Basic Authentication. If set to "client_secret_jwt", the client is authenticated via a JWT signed with the client_secret. If set to "private_key_jwt", the client is authenticated via a JWT signed with its private key (see the jwt_signing_profile block). |
| verifier_method | string | - | The method to verify the integrity of the authorization code flow. Available values: "ccm_s256" (code_challenge parameter with code_challenge_method S256), "state" (state parameter). |
| verifier_value | string | - | The value of the (unhashed) verifier, e.g. a cookie value created with the oauth2_verifier() function. |

If the authorization server supports the code_challenge_method S256 (a.k.a. PKCE, see RFC 7636), we recommend verifier_method = "ccm_s256".

The HTTP header field Accept: application/json is automatically added to the token request. This can be modified with request header modifiers in a backend block.
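The following configuration is an added example, not taken from the Couper documentation or project: it wires a beta_oauth2 access control to a login endpoint that starts the flow and to the redirect endpoint that completes it, using the recommended "ccm_s256" verifier method with the unhashed verifier kept in a cookie. The authorization server URLs, client identifier, cookie name "pkcecv" and the environment variable holding the client secret are placeholders, and exposing the token response under request.context.<label> is assumed.

```hcl
# Added example (not Couper's own documentation config). Placeholders:
# authorization server URLs, client_id, the cookie name "pkcecv" and the
# OAUTH2_CLIENT_SECRET environment variable.
server "oauth2-client" {
  # Starts the flow: stores the unhashed PKCE verifier in a cookie scoped to
  # the callback path and redirects the browser to the authorization endpoint.
  endpoint "/login" {
    response {
      status = 302
      headers = {
        set-cookie = "pkcecv=${oauth2_verifier()};HttpOnly;Secure;Path=/oauth2/callback"
        location   = oauth2_authorization_url("oauth2_ac")
      }
    }
  }

  # Redirect endpoint: the access control checks the code_challenge against the
  # verifier from the cookie and exchanges the authorization code for tokens.
  endpoint "/oauth2/callback" {
    access_control = ["oauth2_ac"]
    response {
      # Token response of the access control, assumed to be available under
      # request.context.<label>; returned here only for demonstration.
      json_body = request.context.oauth2_ac
    }
  }
}

definitions {
  beta_oauth2 "oauth2_ac" {
    grant_type             = "authorization_code"
    authorization_endpoint = "https://authorization-server.example.com/oauth2/authorize" # placeholder
    token_endpoint         = "https://authorization-server.example.com/oauth2/token"     # placeholder
    redirect_uri           = "/oauth2/callback" # resolved against the origin of the current request
    client_id              = "my-client"        # placeholder
    client_secret          = env.OAUTH2_CLIENT_SECRET # read from the environment, not the config file
    scope                  = "openid profile"
    verifier_method        = "ccm_s256"         # PKCE code_challenge_method S256 (RFC 7636)
    verifier_value         = request.cookies.pkcecv
  }
}
```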

Nested Blocks

| Name | Description |
|---|---|
| backend | Configures a backend for token requests (zero or one). Mutually exclusive with the backend attribute. |
| error_handler | Configures an error handler (zero or more). |
| jwt_signing_profile | Configures a JWT signing profile to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt" (zero or one). |