Applications in LumoAuth represent OAuth 2.0 / OIDC clients. RFC 6749 — OAuth 2.0 Authorization Framework defines the core OAuth protocol (the authorize and token endpoints and the supported grant types); OpenID Connect builds an identity layer on top of it by adding an id_token and user-info endpoint. Every app, API, or service that needs to authenticate users or request tokens must be registered here.
Application Types
| Type | Description | Example |
|---|---|---|
| Web Application | Server-side app with a backend | Node.js, PHP, Python web app |
| Single-Page Application (SPA) | Client-side JavaScript app | React, Angular, Vue app |
| Native / Mobile | Desktop or mobile application | iOS, Android, Electron app |
| Machine-to-Machine (M2M) | Service-to-service communication | Backend APIs, cron jobs, microservices |
| Device | Input-constrained device | CLI tools, smart TVs, IoT |
Managing Applications
Portal
Navigate to /orgs/{orgId}/portal/applications:
- Create Application - Register a new OAuth client
- Application List - View all registered applications
- Application Detail - View/edit settings, credentials, and configuration
Creating an Application
- Go to /orgs/{orgId}/portal/applications
- Click Create Application
- Configure:
| Field | Description |
|---|---|
| Name | Display name for the application |
| Type | Web, SPA, Native, M2M, or Device |
| Redirect URIs | Allowed callback URLs after authentication |
| Allowed Grant Types | Authorization Code, Client Credentials, Device Code, etc. |
| Allowed Scopes | Which scopes this application can request |
| Token Lifetimes | Custom access/refresh token durations |
- After creation, you'll receive:
  - Client ID - Public identifier for the application
  - Client Secret - Secret key (for confidential clients only)
Client Confidentiality
| Client Type | Has Secret | Use Case |
|---|---|---|
| Confidential | Yes | Web apps with a backend that can securely store the secret |
| Public | No | SPAs, mobile apps, CLI tools that cannot securely store secrets |
Public clients must use PKCE (RFC 7636 — Proof Key for Code Exchange) with the Authorization Code flow. The client generates a random, high-entropy code_verifier, sends only its SHA-256 hash (code_challenge with code_challenge_method=S256) in the authorization request, and presents the original code_verifier when it exchanges the authorization code at the token endpoint; the server recomputes the hash and rejects the exchange on a mismatch. An attacker who intercepts the authorization code does not hold the code_verifier, so the code cannot be exchanged for tokens. Do not use the plain challenge method, and note that confidential clients benefit from PKCE as well: the OAuth 2.0 Security Best Current Practice recommends it for every Authorization Code client.
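The PKCE exchange described above, as an added example that is not LumoAuth's own code: the client side generates the code_verifier and S256 code_challenge and builds the authorization request, and a minimal in-memory stand-in for the token endpoint binds the challenge to the issued code, checks the verifier once, and refuses a stolen code or a replayed one. The issuer URL, client_id, redirect URI and the TokenEndpointStub class are placeholders assumed for illustration; only the hashing and encoding rules come from RFC 7636.

```python
# Added example, not LumoAuth's own code: PKCE (RFC 7636) around the
# Authorization Code flow, with a minimal stand-in for the server side.
# Assumptions: issuer URL, client_id, redirect_uri and the in-memory code
# store are illustrative placeholders; the hashing rules are RFC 7636's.
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    # BASE64URL without padding, as RFC 7636 Appendix A requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 4.1: 43..128 unreserved characters with high entropy;
    # 32 random bytes encode to exactly 43 characters
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    # Only the challenge leaves the client here; the verifier stays local
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return issuer.rstrip("/") + "/authorize?" + urlencode(params)


class TokenEndpointStub:
    """Server-side stand-in (hypothetical, not LumoAuth's implementation):
    remembers the challenge bound to each code and checks the verifier once."""

    def __init__(self) -> None:
        self._codes: dict = {}  # code -> (client_id, redirect_uri, challenge, method)

    def issue_code(self, client_id: str, redirect_uri: str,
                   challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, challenge, method)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str,
                 verifier: str) -> dict:
        # pop() makes the code single-use: a replay or a failed attempt burns it
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, challenge, method = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return {"error": "invalid_grant"}
        if method != "S256" or not 43 <= len(verifier) <= 128:
            return {"error": "invalid_grant"}
        # constant-time compare of the recomputed challenge with the stored one
        if not secrets.compare_digest(s256_challenge(verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Walk the flow once and report what succeeded and what was rejected."""
    client_id = "spa_example"                  # constructed placeholder
    redirect = "https://app.example/callback"  # constructed placeholder
    server = TokenEndpointStub()

    verifier = make_code_verifier()
    url = build_authorize_url("https://lumoauth.example", client_id, redirect,
                              "openid profile", secrets.token_urlsafe(16), verifier)

    # Server stores the challenge from the authorization request with the code
    code = server.issue_code(client_id, redirect, s256_challenge(verifier), "S256")
    legit = server.exchange(code, client_id, redirect, verifier)   # first use, right verifier
    replay = server.exchange(code, client_id, redirect, verifier)  # same code again

    # An intercepted code presented with a verifier the attacker made up
    code2 = server.issue_code(client_id, redirect, s256_challenge(verifier), "S256")
    stolen = server.exchange(code2, client_id, redirect, make_code_verifier())

    return {
        "authorize_url_has_challenge": "code_challenge_method=S256" in url,
        "legit_ok": "access_token" in legit,
        "replay_rejected": replay.get("error") == "invalid_grant",
        "stolen_code_rejected": stolen.get("error") == "invalid_grant",
    }


if __name__ == "__main__":
    print(run_flow())
```

Burning the code on a failed exchange is deliberate: RFC 6749 section 4.1.2 says a code used more than once should be treated as an attack, and the same logic keeps an attacker from retrying verifiers against a code they intercepted. The `s256_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any PKCE implementation before wiring it to a real issuer.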
In This Section