Configure OAuth 2.0 client applications that can authenticate with the Mividas API.

Warning: Changes made here affect low-level platform behavior and can disrupt service if misconfigured. Only make changes if you understand their impact, and always use the standard web interface when the same setting is available there.

Form fields

When adding or editing a record, the following fields are available:

FieldDescription
UserThe user associated with this record.
Redirect urisAllowed URIs list, space separated.
Post logout redirect urisAllowed Post Logout URIs list, space separated.
Client typeChoose the OAuth client type:

Confidential – Applications running on protected servers where unauthorized users cannot access the configuration or source code, allowing them to maintain a client_secret safe.
Public – Applications running in environments where source code or binaries are accessible to the end-user, making it impossible to securely store a client_secret.
Authorization grant typeChoose the OAuth authorization grant type:

Authorization code – A secure, redirection-based flow where the application exchanges a temporary authorization code for an access token. This is the industry standard for both web apps and public clients (when paired with PKCE).
Device code – Designed for internet-connected devices that lack a web browser or have limited input capabilities (e.g., CLI tools). It prompts the user to review the authorization request on a separate device, like a smartphone.
Implicit – A legacy, redirection-based flow where access tokens were returned directly in the URL fragment without a code exchange step. It is now deprecated due to security risks and replaced by Authorization Code with PKCE.
Resource owner password-based – A legacy flow that requires users to provide their raw credentials (username and password) directly to the client application. It is strongly discouraged, except for highly trusted, first-party legacy migrations.
Client credentials – A machine-to-machine flow used when applications need to authenticate themselves without any user interaction. The client application uses its own credentials to access its own service resources.
OpenID Connect hybrid – An extension of OAuth 2.0 that allows an application to request both an ID token and an authorization code at the same time. This enables the frontend to quickly get identity details while the backend securely handles the main token exchange.
Hash client secretWhether to store the client secret hashed.
NameA descriptive name used to identify this record.
Skip authorizationWhether to skip the user authorization step.
AlgorithmSelect the signing algorithm used for tokens: No OIDC support, RSA with SHA-2 256, HMAC with SHA-2 256.
Allowed originsAllowed origins list to enable CORS, space-separated.
Enable customer restrictionThis will be activated if some customers are selected in the list.
Limit to customersHold down Control, or Command on a Mac, to select more than one.
Limit to IP addressesA list of approved IP addresses/networks.
Client idThe OAuth client ID.
Client secretHashed on Save. Copy it now if this is a new secret.
On This Page
    © Mividas Video Solutions AB 2026