
About OAuth 2.0 Authorization Servers

When the OAuth 2.0 authentication model is used, the Zscaler service must validate the access token (a JSON Web Token, or JWT) carried in each API request before accepting the request. To allow Zscaler to perform this validation, you need to add your OAuth 2.0 authorization servers to the Admin Portal. After the authorization server is added, the Zscaler service can obtain the public key set from the authorization server’s JWKS endpoint and cryptographically verify the JWT signature.

Configuring an OAuth 2.0 authorization server provides the following benefits and enables you to:

  • Configure third-party authorization servers to provide secured access to Internet & SaaS API resources.
  • Automate authorization and authentication of API clients using trusted third-party OAuth 2.0 services.

In addition to cryptographically verifying the JWT signature, the Zscaler service allows you to mandate verification of selected supported JWT claims, including audience, issuer, and client ID. You specify the expected values for these claims when adding the authorization server to the Admin Portal.

After verifying the authenticity of the JWT, the Zscaler service evaluates the scope claim and other additional claims, if any, to determine whether to accept or reject the API request.
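The following is an added, stdlib-only Python model of the flow described above (it is not Zscaler's or any provider's code): an authorization server publishes its RSA public key as a JWK set and issues an RS256 access token, and the verifier fetches the key by `kid`, checks the signature, and only then checks the mandated claims (issuer, audience, client ID) plus expiry and scope. The key pair, the `JWKS` dict, the claim names `client_id`/`azp` and all token values are constructed assumptions for this example.

```python
import base64, hashlib, json, time

# Constructed demo key from two Mersenne primes so the JWKS/JWT flow runs offline, stdlib only;
# a real authorization server generates its own random primes (this pair is public knowledge).
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
_N, _D = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1))
_K = (_N.bit_length() + 7) // 8                      # modulus length in bytes
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# What the JWKS endpoint publishes: only the public parts (n, e) leave the server.
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "alg": "RS256", "use": "sig",
                  "n": b64u(_N.to_bytes(_K, "big")), "e": b64u(_E.to_bytes(3, "big"))}]}
def pkcs1_v15_encode(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes (the padding RS256 uses)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(claims, kid="demo-key-1"):
    """RS256-sign claims the way the authorization server does for an access token."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    m = int.from_bytes(pkcs1_v15_encode(signing_input.encode(), _K), "big")
    return signing_input + "." + b64u(pow(m, _D, _N).to_bytes(_K, "big"))

def verify_token(token, jwks, issuer, audience, client_id, required_scope, now=None):
    """Model of the service-side checks: JWKS signature first, then the mandated claims."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "RS256":                 # the token's own alg is untrusted input
        return False, "unsupported alg"
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "kid not in fetched JWKS"
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") \
            != pkcs1_v15_encode((h + "." + p).encode(), k):
        return False, "bad signature"
    aud = claims.get("aud", [])                      # claim name for client ID assumed: client_id or azp
    checks = [(claims.get("exp", 0) > (time.time() if now is None else now), "expired"),
              (claims.get("iss") == issuer, "issuer mismatch"),
              (audience in (aud if isinstance(aud, list) else [aud]), "audience mismatch"),
              (claims.get("client_id", claims.get("azp")) == client_id, "client_id mismatch"),
              (required_scope in str(claims.get("scope", "")).split(), "scope not granted")]
    return next(((ok, why) for ok, why in checks if not ok), (True, "accepted"))
```

Signature verification runs before any claim is read, so a token whose payload was altered after issuance is rejected as "bad signature" rather than reaching the claim checks.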

  • The Zscaler service supports OAuth 2.0 implementations with PingFederate, Okta, and Microsoft Entra ID (formerly Azure Active Directory).
  • OAuth 2.0 authentication is supported only for Internet & SaaS API.

About the OAuth 2.0 Authorization Servers Page

On the OAuth 2.0 Authorization Servers page (Administration > API Configuration > Legacy API > Internet & SaaS API > OAuth 2.0 Authorization Servers), you can do the following:

  1. View the base URL for the Internet & SaaS API.
  2. Add a third-party OAuth 2.0 authorization server.
  3. View information regarding your authorization server. For each authorization server, you can view:
    • Authorization Server Name: The name provided for the authorization server configuration.
    • Status: The status of the authorization server configuration (enabled or disabled).
    • Description: The description of the authorization server configuration.
    • Last Successful Fetch Time: The date and time when the authorization server’s public key was last fetched from its JWKS endpoint.
  4. Edit the authorization server.
  5. Delete the authorization server.
  6. Modify the table and its columns.
  7. Go to the Sandbox API Token tab.
  8. Go to the cloud service API Key tab.

A screenshot of OAuth 2.0 Authorization Servers page
