Managing Third Party Client Applications

OAuth is an open standard for authorization. The OAuth authorization framework provides client applications secure delegated access to CCH Axcess server resources on behalf of a resource owner. This method specifies a process for resource owners to authorize third-party access to resources and removes the risk of exposing user credentials for inappropriate usage. Administrators can register access and, if needed, revoke registration.

Note: The location for registering third-party applications has moved to the Developer Tools section. Applications registered prior to July 2020 can still be accessed and managed from the Utilities option under Firm. Application registration of Active Directory Sync and integration with Sureprep may still be required. Please open a support case for current details.

Registering Applications

To add access for a client application, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Developer Tools under Firm.
  2. Click Add Application.
  3. Enter details for the application.
    1. Enter a name for the application.
    2. Select the appropriate application type.
      • Select AuthorizationCode for a web application.
      • Select Implicit application for a Windows application which was previously in the legacy Oauth mode.
    3. Enter a description for the application.
    4. Select the access token lifetime. An access token acts as a session ID that the application uses to access resources. It should be protected as though it were a user's credentials. Access tokens have a limited lifetime that is specified by the session timeout in CCH Axcess.
    5. For web applications, select the refresh token lifetime. For implicit or installed applications, the refresh token lifetime is always four weeks. The refresh token is used to obtain a new access token by the registered application.
  4. Click Next or the Scope Definition tab.
  5. On the Scope Definition page, select the check boxes for the scopes that you want to enable, and clear the check boxes for scopes that you want to disable.
  6. Click Next or the OAuth Settings tab. The Client ID and, for AuthorizationCode (web) applications, the Client Secret display at the top of the window. These are the credentials users will enter to log in to CCH Axcess. Implicit or installed application users only enter the Client ID to log in.
  7. Under Redirect URL, click Add URL, and then enter the redirect URL to launch after a successful authentication or, in some cases, the URL that is used in certain OAuth authentication workflows. Click to save the URL.

    8. Notes:

    • For AuthorizationCode (web) applications, use HTTPS protocol unless the URL domain is Localhost, in which case, HTTP can be used.
    • The redirect URL must be in the format https://<host> or http://<host>. Custom URL schemas are not supported.
    • If you are using multiple URLs, separate each with a comma (,).
  8. Under Post Logout Redirect URL, click Add URL, and then enter the redirect URL to launch after logging out of the application. Click to save the URL.
  9. Click Finish.

Revoking Access

When registration is revoked, users are not able to log in and authorize their third party applications to access CCH Axcess resources.

To remove registration for an application, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Developer Tools under Firm.

    Note: Applications registered prior to July 2020 can still be accessed and managed from the Utilities option under Firm.

  2. Click Revoke Application in the applicable row for the application you want to remove.
  3. Click Yes to confirm the removal.