# OAuth

AM is a full OAuth 2.0 and OpenID Connect authorization server: it issues tokens, validates scopes, and integrates with any OAuth-compatible system. Whether you are building mobile apps, SPAs, IoT devices, or service-to-service integrations, AM supports the appropriate flow.
## Supported Flows

- **Authorization Code (with PKCE)**: For web and mobile apps. Supports the S256 and plain PKCE methods.
- **Device Authorization (RFC 8628)**: For TVs, CLIs, and IoT devices without browsers.
- **Refresh Token**: Obtain new access tokens without re-authentication.
- **Client Credentials**: Service-to-service authentication. No user is involved.
- **JWT Bearer (RFC 7523)**: Exchange a signed JWT for an access token.
- **SAML 2.0 Bearer (RFC 7522)**: Exchange a SAML assertion for an access token.
- **Token Exchange (RFC 8693)**: Exchange an existing access token for a more specific token.
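The Authorization Code flow with PKCE is the one most apps will use against AM, so here is an added example (not code from AM or its documentation) that builds the `/oauth2/authorize` request, derives the `code_challenge` for both the S256 and plain methods, and shows the check the token endpoint performs when the `code_verifier` is presented. Parameter names are the standard OAuth 2.0 / RFC 7636 ones; the base URL `https://am.example.com`, the client id and the redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder AM deployment URL (assumption, not from the page).
AM_BASE_URL = "https://am.example.com"


def make_verifier(length: int = 64) -> str:
    """Return a high-entropy code_verifier (RFC 7636: 43..128 URL-safe chars)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    # token_urlsafe(n) yields roughly 1.33*n characters; generate more and trim.
    return secrets.token_urlsafe(length)[:length]


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge: S256 = BASE64URL(SHA256(verifier)); plain = verifier itself."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Only meaningful for clients that genuinely cannot compute SHA-256.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(client_id, redirect_uri, scopes, state, verifier, method="S256"):
    """Front-channel request the browser is sent to at /oauth2/authorize."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding; the client must check it on return
        "code_challenge": challenge_for(verifier, method),
        "code_challenge_method": method,
    }
    return f"{AM_BASE_URL}/oauth2/authorize?{urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, verifier):
    """Back-channel form body POSTed to /oauth2/token to redeem the code."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def verify_challenge(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """The server-side check at /oauth2/token: recompute and compare in constant time."""
    return secrets.compare_digest(challenge_for(presented_verifier, method), stored_challenge)


if __name__ == "__main__":
    verifier = make_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("my-app", "https://app.example.com/cb",
                              ["openid", "profile", "email"], state, verifier))
    # After the redirect back with ?code=...&state=..., redeem the code:
    print(build_token_request("my-app", "https://app.example.com/cb", "CODE_FROM_REDIRECT", verifier))
```

The verifier is kept only on the client and sent once, to the token endpoint; because AM stores the challenge with the issued code, an intercepted code is useless to anyone who does not also hold the verifier. Prefer S256 unless the client platform truly cannot hash.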
## Endpoints

| Endpoint | Purpose |
|---|---|
| `/oauth2/authorize` | Start authorization, show login |
| `/oauth2/token` | Exchange code/credentials for tokens |
| `/oauth2/userinfo` | Get user profile claims (OIDC) |
| `/oauth2/introspect` | Validate token (RFC 7662) |
| `/oauth2/revoke` | Invalidate refresh token |
| `/oauth2/device_authorization` | Start device flow |
| `/.well-known/openid-configuration` | OIDC discovery |
| `/.well-known/jwks.json` | Public signing keys |
## Scopes

| Scope | Access Granted |
|---|---|
| `openid` | OIDC ID token |
| `profile` | Name, picture, locale |
| `email` | Email address, verified status |
| `offline_access` | Refresh tokens |
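A resource server that receives one of these access tokens typically validates it through the `/oauth2/introspect` endpoint listed above and then enforces the scopes from the table. The following added example (not AM's own code) shows both halves: how the RFC 7662 request is assembled, and how a resource server should evaluate the introspection response before granting access. The response dictionaries are constructed for illustration; the base URL and client credentials are placeholders.

```python
import base64
import time
from urllib.parse import urlencode

# Placeholder AM deployment URL (assumption, not from the page).
AM_BASE_URL = "https://am.example.com"


def build_introspection_request(token: str, client_id: str, client_secret: str):
    """RFC 7662 request: form-encoded POST, caller authenticated with HTTP Basic.

    Returns (url, headers, body) so the caller can send it with any HTTP client.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return f"{AM_BASE_URL}/oauth2/introspect", headers, body


def authorize(introspection: dict, required_scopes, expected_audience=None, now=None) -> tuple:
    """Decide whether an introspected token may access a resource.

    Order matters: an inactive token carries no trustworthy claims, so `active`
    is checked before anything else is read from the response.
    """
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False, "token inactive"
    # RFC 7662 already reports expired tokens as inactive; re-checking `exp`
    # guards against cached responses that outlived the token.
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing scope(s): {' '.join(sorted(missing))}"
    if expected_audience is not None:
        aud = introspection.get("aud")
        audiences = [aud] if isinstance(aud, str) else list(aud or [])
        if expected_audience not in audiences:
            return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample response, shaped like an RFC 7662 reply.
    sample = {"active": True, "client_id": "my-app", "scope": "openid profile email",
              "exp": int(time.time()) + 3600, "aud": "profile-api"}
    print(authorize(sample, {"email"}, expected_audience="profile-api"))
    print(authorize(sample, {"offline_access"}))
    print(build_introspection_request("opaque-token", "profile-api", "s3cret"))
```

Cache introspection results only for a short window (well below the one-hour default access-token lifetime) so that revocation takes effect promptly, and treat any response without `"active": true` as a denial rather than as an error to retry.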
## Token Configuration

Per-client settings for:
- Access token lifetime (default: 1 hour)
- Refresh token lifetime (default: 14 days)
- ID token claims
- Signing algorithm (RS256)
- Cookie storage options
## Related

- Clients - Client configuration
- Client - Client resource
- Backend Integration - Token verification