Application Management
The Application Management section allows administrators to register and configure OAuth clients (applications) that can authenticate with S-Auth.
Application List
Navigate to Applications to see all registered OAuth clients.
Application Information
| Field | Description |
|---|---|
| Name | Human-readable application name |
| Client ID | Unique identifier for OAuth |
| Type | Confidential or Public |
| Logo | Emoji displayed in Launchpad |
| Public | Whether visible to all users |
| Created | Registration date |
Creating an Application
- Click New Application button
- Fill in the required fields:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name (e.g., "My App") |
| Description | No | Brief description |
| Redirect URIs | Yes | Callback URLs (one per line) |
| Client Type | Yes | Confidential or Public |
| Allowed Grants | Yes | Which OAuth flows to allow |
| Allowed Scopes | Yes | Which scopes the app can request |
| Logo Emoji | No | Emoji for Launchpad (default: lock) |
| Public App | No | Show in Launchpad for all users |
- Click Create Application
Client Credentials
After creation, you'll receive:
- Client ID: `abc123...` (safe to share)
- Client Secret: `scs_xyz...` (keep secure!)
The client secret is only shown once. Save it immediately!
Redirect URIs
Redirect URIs are the URLs where S-Auth will send users after authentication.
Rules
- Must be exact matches (no wildcards)
- Multiple URIs can be specified (one per line)
- HTTPS required in production
- `localhost` and `127.0.0.1` allowed for development
Examples
https://myapp.com/callback
https://myapp.com/auth/callback
http://localhost:3000/callback
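The rules above, written out as a registration check and an exact-match comparison (an added example, not S-Auth's own code; the function names and the rejection messages are assumptions made for the illustration):

```python
"""Redirect URI checks mirroring the rules on this page (added illustration).

Assumption: S-Auth does not expose these functions; they only restate the
documented rules: exact match, no wildcards, HTTPS everywhere except for
localhost / 127.0.0.1 during development, one URI per line.
"""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def validate_redirect_uri(uri: str) -> list[str]:
    """Return the list of rule violations for a candidate URI (empty means OK)."""
    problems = []
    if "*" in uri:
        problems.append("wildcards are not allowed")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {parts.scheme!r}")
    elif parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        # Plain HTTP is only tolerated for local development.
        problems.append("HTTPS is required outside localhost/127.0.0.1")
    if not parts.hostname:
        problems.append("missing host")
    return problems


def parse_registered_uris(text: str) -> list[str]:
    """Split the Redirect URIs field (one per line); blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_allowed_redirect(requested: str, registered: list[str]) -> bool:
    """Exact string comparison only: a trailing slash, an extra query
    parameter or a different path all fail, which is what 'no wildcards'
    and 'must be exact matches' require."""
    return requested in registered
```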
Client Types
Confidential Clients
- Can securely store a client secret
- Server-side web applications
- Backend services
- Use client_secret for authentication
Public Clients
- Cannot securely store secrets
- Single Page Applications (SPAs)
- Mobile applications
- Desktop applications
- Must use PKCE for security
Allowed Grants
Select which OAuth flows the application can use:
| Grant Type | Description | Typical Use |
|---|---|---|
| authorization_code | Standard OAuth flow | Web apps |
| refresh_token | Renew access tokens | Long sessions |
| client_credentials | Machine-to-machine | Backend services |
Recommended Combinations
Web Application (Confidential):
- authorization_code
- refresh_token
Single Page App (Public):
- authorization_code (with PKCE)
- refresh_token
Backend Service:
- client_credentials
Allowed Scopes
Control what user data the application can access:
| Scope | Data Included |
|---|---|
| openid | Required for OIDC |
| profile | name, user_id |
| email | email address |
Editing an Application
- Click on an application, or click the Edit action
- Modify the configuration
- Click Save Changes
Editable Fields
- Name and description
- Redirect URIs
- Allowed grants and scopes
- Logo emoji
- Public visibility
Not Editable
- Client ID
- Client type (confidential/public)
Regenerating Client Secret
If a client secret is compromised:
- Edit the application
- Click Regenerate Secret
- Confirm the action
- Update your application with the new secret
Regenerating the secret immediately invalidates the old one. Your application will stop working until updated.
Public Applications
Public applications appear in the Launchpad for all users.
When to Use
- Company-wide tools
- Shared family applications
- General-purpose utilities
How to Enable
- Edit the application
- Check Public Application
- Save changes
Logo Emoji
The logo emoji is displayed in the Launchpad application grid.
Choosing an Emoji
- Use a relevant emoji that represents the app
- Common choices: tool icons, activity symbols
- Default: 🔒 (lock)
Examples
| App Type | Suggested Emojis |
|---|---|
| Dashboard | 📊 📈 🎛️ |
| Media | 🎬 📺 🎵 |
| Documents | 📄 📁 📝 |
| Communication | 💬 📧 📱 |
| Gaming | 🎮 🎲 🎯 |
| Development | 💻 🔧 ⚙️ |
Deleting an Application
Deleting an application is permanent and will immediately break any clients using it.
- Click Delete action
- Confirm the deletion
What Gets Deleted
- Application registration
- Client ID and secret (invalidated)
- All active tokens for this client
- All authorization codes
What Happens to Users
- Users are logged out of the application
- They cannot re-authenticate until a new client is registered
Best Practices
- Use descriptive names: make it clear what each app does
- Limit scopes: only request the scopes you actually need
- Separate environments: create different clients for dev/staging/prod
- Rotate secrets periodically: regenerate client secrets every few months
- Review regularly: remove applications that are no longer in use
- Use PKCE for public clients: always enable PKCE for SPAs and mobile apps