Your client applications

Each of your applications that uses Prefactor to authenticate needs to be pre-configured.

If you’re using a library that understands OpenID Connect configuration discovery (most good ones do) then you’ll need three configuration variables:

  • Your client_id: each client application has a different one of these
  • Your client_secret: each client application can have zero or more of these. If a client application has more than one, any of them will work; this capability is used during secret rotation to ensure continued service. Once you’ve updated the secrets everywhere, you remove the old one.
  • The issuer URL: this is used to form the discovery URL that contains all of the configuration information necessary. Unlike the two previous items, this is unique per-pool — so this information is available on the pool screen.

There are two important bits of configuration needed in Prefactor in order for the authentication process to succeed:

  • Rulesets: This is an indirect way of choosing which pools this client application will work with. By choosing a ruleset, you’re allowing any pool that uses that ruleset to authenticate with this client application.
  • Redirect URIs: At the end of the authentication process, Prefactor needs to redirect back to your application. For security reasons these need to be pre-configured. If your application attempts to start an authflow with a redirect URI that doesn’t match, the user will receive an error message.
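
The client-side view of the issuer URL and redirect URI settings described above, as an added example (not Prefactor's own code): it derives the discovery URL from the issuer as OpenID Connect Discovery specifies, rejects a discovery document whose `issuer` does not match, and starts the flow only with a registered redirect URI. All values, endpoint paths and function names are constructed for illustration, and the local allow-list mirrors whatever redirect URIs you registered in Prefactor.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample values; real ones come from the client application and pool screens.
CLIENT_ID = "example-client-id"
ISSUER = "https://issuer.example.com/pools/example-pool"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}

# Constructed discovery document, standing in for the JSON served at discovery_url(ISSUER).
SAMPLE_METADATA = {
    "issuer": "https://issuer.example.com/pools/example-pool",
    "authorization_endpoint": "https://issuer.example.com/pools/example-pool/authorize",
    "token_endpoint": "https://issuer.example.com/pools/example-pool/token",
    "jwks_uri": "https://issuer.example.com/pools/example-pool/jwks",
}


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: issuer (no trailing slash) + well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_metadata(issuer: str, metadata: dict) -> dict:
    """Reject a discovery document that does not belong to the configured issuer."""
    if metadata.get("issuer") != issuer:
        raise ValueError("issuer in discovery document does not match configured issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(metadata.get(key, "")).scheme != "https":
            raise ValueError(f"{key} is missing or not https")
    return metadata


def authorization_url(metadata: dict, redirect_uri: str, state: str) -> str:
    """Build the request that starts the auth flow, using only a registered redirect URI."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not one of the pre-configured URIs")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # random per request; compared again when the user is redirected back
    })
    return metadata["authorization_endpoint"] + "?" + query


if __name__ == "__main__":
    meta = validate_metadata(ISSUER, SAMPLE_METADATA)
    print(discovery_url(ISSUER))
    print(authorization_url(meta, "https://app.example.com/auth/callback", secrets.token_urlsafe(16)))
```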