OAuth 2.0 Client Credentials Setup

Note:

The client credentials flow setup in your NetSuite production account is not copied to any other production account, Release Preview account, or sandbox account. To use or test the OAuth 2.0 client credentials flow in any of these accounts, you must set up the flow explicitly in each one. Each time a sandbox account is refreshed, the setup is cleared.

An administrator, or a user assigned a role with the OAuth 2.0 Authorized Applications Management permission, can create or revoke a mapping for the OAuth 2.0 client credentials flow.

Creating the mapping is a required step for the OAuth 2.0 client credentials flow to work.

Creating a Mapping for the Client Credentials Flow

See the following procedure for steps to create a new mapping for the OAuth 2.0 client credentials flow.

To create a mapping for the client credentials flow:

  1. Go to Setup > Integration > Manage Authentication > OAuth 2.0 Client Credentials (M2M) Setup.

    The OAuth 2.0 Client Credentials Setup page appears.

  2. To create a new mapping, click the Create New button.

  3. In the popup window, choose the entity, role, and application to be mapped. Upload the public part of the certificate from your computer.

    Note:

    The application is only available to be selected if the Client Credentials (Machine to Machine) Grant box is checked on the associated integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

  4. Click Save.

The mapping is added to the list on the OAuth 2.0 Client Credentials (M2M) Setup page. The list includes the data you entered, as well as the data imported from the certificate. The system creates a record for every unique combination of application and certificate.

To revoke a certificate, click the Revoke button in the Revoked column.

If you revoke a certificate or the certificate expires, you must create a new mapping for the integration record to continue using the OAuth 2.0 client credentials flow.

Certificate Conditions

A certificate for the OAuth 2.0 client credentials flow must contain two parts:

  • Public key (as a part of the certificate) – an administrator or a user with the OAuth 2.0 Authorized Applications Management permission uploads the public part of the certificate as part of the client credentials flow mapping process.

  • Private key – the private key signs the JWT that is sent in the POST request to the token endpoint. For more information, see POST Request to the Token Endpoint and the Access Token Response.

The certificate must meet the following requirements:

  • The public key must be in X.509 format with a file extension of .cer, .pem, or .crt.

  • The length of an RSA key must be 3072 bits or 4096 bits. The length of an EC key must be 256 bits, 384 bits, or 521 bits.

  • The maximum certificate validity is two years. If the certificate is valid for a longer time period, the system automatically shortens the validity to two years.

  • One certificate can only be used for one combination of integration record, role, and entity. If you want to use the same integration record for multiple entities or roles, you must use a different certificate for each unique combination.

The following examples show how to create a valid certificate using OpenSSL:

ES256

    # 256-bit EC key (P-256 / prime256v1), self-signed certificate valid for 365 days
    openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 -out public.pem -keyout private.pem

ES512

    # 521-bit EC key (P-521 / secp521r1), self-signed certificate valid for 365 days
    openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-521 -nodes -days 365 -out public.pem -keyout private.pem

PSS

    # 4096-bit RSA key, certificate self-signed with RSA-PSS (SHA-256, 64-byte salt)
    openssl req -new -x509 -newkey rsa:4096 -keyout private.pem -sigopt rsa_padding_mode:pss -sha256 -sigopt rsa_pss_saltlen:64 -out public.pem -nodes

In each command, public.pem is the certificate you upload when creating the mapping, and private.pem is the private key that signs the JWT.

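Added example, not part of the NetSuite documentation or its tooling: a POSIX shell script that generates a key pair and self-signed certificate matching the conditions above, and then checks any PEM certificate against them before it is uploaded (parses as X.509, RSA 3072/4096-bit or EC 256/384/521-bit key, not expired, validity within two years). It assumes OpenSSL 1.1.1 or later on PATH; the function names, the subject /CN=m2m-client-example, and all file names are the example's own choices. check_cert returns non-zero for a certificate the requirements above would reject outright, and only warns about a validity longer than two years, since the page states the system shortens that itself.

```shell
#!/bin/sh
# Added example (not NetSuite's own tooling). Assumes OpenSSL 1.1.1+ on PATH.

# make_cert KEYSPEC DAYS CERT KEY
# KEYSPEC is "rsa:3072" / "rsa:4096" or an EC curve name such as
# prime256v1, secp384r1 or secp521r1. Writes a self-signed certificate to
# CERT and the unencrypted private key to KEY.
make_cert() {
  keyspec="$1"; days="$2"; cert="$3"; key="$4"
  case "$keyspec" in
    rsa:*) newkey_args="-newkey $keyspec" ;;
    *)     newkey_args="-newkey ec -pkeyopt ec_paramgen_curve:$keyspec" ;;
  esac
  # $newkey_args is intentionally unquoted so it splits into several arguments.
  openssl req -new -x509 $newkey_args -nodes -days "$days" \
    -subj "/CN=m2m-client-example" -out "$cert" -keyout "$key" >/dev/null 2>&1
}

# validity_longer_than_days CERT DAYS
# True (exit 0) if CERT is still valid more than DAYS days from now.
# "openssl x509 -checkend N" exits 0 when the certificate does NOT expire
# within the next N seconds.
validity_longer_than_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_cert CERT
# Exit 0 if CERT satisfies the key-type, key-size and expiry conditions,
# non-zero otherwise. Prints one line explaining the result.
check_cert() {
  cert="$1"
  # 1. Must parse as a PEM X.509 certificate (a bare key or garbage fails here).
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "FAIL: $cert is not a PEM X.509 certificate"; return 1
  fi
  # 2. Extract the public key and read its type and size from the text dump.
  keytext=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -noout -text 2>/dev/null)
  bits=$(printf '%s\n' "$keytext" \
         | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$keytext" | grep -q 'Modulus:'; then
    keytype=RSA; allowed=" 3072 4096 "
  elif printf '%s\n' "$keytext" | grep -q 'ASN1 OID:'; then
    keytype=EC;  allowed=" 256 384 521 "
  else
    echo "FAIL: $cert uses a key type other than RSA or EC"; return 1
  fi
  case "$allowed" in
    *" $bits "*) ;;
    *) echo "FAIL: $keytype key is $bits bits (allowed:$allowed)"; return 1 ;;
  esac
  # 3. Must not already be expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $cert has expired"; return 1
  fi
  # 4. Longer than two years is accepted but silently shortened on upload.
  if validity_longer_than_days "$cert" 730; then
    echo "WARN: validity exceeds two years; it will be shortened to two years"
  fi
  echo "OK: $cert has a $bits-bit $keytype key"
  return 0
}

# Usage: generate an ES256-style certificate and check it.
# make_cert prime256v1 365 public.pem private.pem && check_cert public.pem
```

Run check_cert against the file you are about to upload; a FAIL line points at the condition that would make the mapping unusable, while a WARN line only tells you the effective validity will be shorter than what the certificate says.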
Important:

Treat the certificate and its private key as you would any other credential. Never share them with unauthorized individuals or outside your company.

Related Topics

OAuth 2.0
OAuth 2.0 Tasks for Administrators
Getting Started with OAuth 2.0
Managing OAuth 2.0 Authorized Applications
OAuth 2.0 for Integration Application Developers
Troubleshooting OAuth 2.0