
Configure OAuth 2.0 client applications that can authenticate with the Mividas API.
Warning: Changes made here affect low-level platform behavior and can disrupt service if misconfigured. Only make changes if you understand their impact, and always use the standard web interface when the same setting is available there.
Form fields
When adding or editing a record, the following fields are available:
| Field | Description |
|---|---|
| User | The user associated with this record. |
| Redirect uris | Allowed URIs list, space separated. |
| Post logout redirect uris | Allowed Post Logout URIs list, space separated. |
| Client type | Choose the OAuth client type: Confidential – Applications running on protected servers where unauthorized users cannot access the configuration or source code, allowing them to maintain a client_secret safe.Public – Applications running in environments where source code or binaries are accessible to the end-user, making it impossible to securely store a client_secret. |
| Authorization grant type | Choose the OAuth authorization grant type: Authorization code – A secure, redirection-based flow where the application exchanges a temporary authorization code for an access token. This is the industry standard for both web apps and public clients (when paired with PKCE). Device code – Designed for internet-connected devices that lack a web browser or have limited input capabilities (e.g., CLI tools). It prompts the user to review the authorization request on a separate device, like a smartphone. Implicit – A legacy, redirection-based flow where access tokens were returned directly in the URL fragment without a code exchange step. It is now deprecated due to security risks and replaced by Authorization Code with PKCE. Resource owner password-based – A legacy flow that requires users to provide their raw credentials (username and password) directly to the client application. It is strongly discouraged, except for highly trusted, first-party legacy migrations. Client credentials – A machine-to-machine flow used when applications need to authenticate themselves without any user interaction. The client application uses its own credentials to access its own service resources. OpenID Connect hybrid – An extension of OAuth 2.0 that allows an application to request both an ID token and an authorization code at the same time. This enables the frontend to quickly get identity details while the backend securely handles the main token exchange. |
| Hash client secret | Whether to store the client secret hashed. |
| Name | A descriptive name used to identify this record. |
| Skip authorization | Whether to skip the user authorization step. |
| Algorithm | Select the signing algorithm used for tokens: No OIDC support, RSA with SHA-2 256, HMAC with SHA-2 256. |
| Allowed origins | Allowed origins list to enable CORS, space-separated. |
| Enable customer restriction | This will be activated if some customers are selected in the list. |
| Limit to customers | Hold down Control, or Command on a Mac, to select more than one. |
| Limit to IP addresses | A list of approved IP addresses/networks. |
| Client id | The OAuth client ID. |
| Client secret | Hashed on Save. Copy it now if this is a new secret. |