...
The following steps are required to configure single application access:
1. Create and enable the authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO
...
Now it should be possible to get a token with the Client1 application credentials:

```
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidc&client_id=client.credentials.app&client_secret=secret
```
...
In the authorized access use case, a token issued with the client credentials of one application (Client) can grant access to other applications (Server1…ServerN). Authorization is based on the access rights of the impersonated user (service user account User).
For example, the Client is a command line script, Server1 is the SSO Management API and Server2 is the CustomerID API.
...
The Client application impersonates the service user account User, which is a member of 2 groups. Each of these groups has access to one server application that the Client application should be able to reach. Authorization policies that can be configured for server applications are omitted from this configuration example, as they are not mandatory.
If the Client application uses the token to access itself, then the User account must be a member of a group that is allowed to access that application.
Prerequisites:
The site Example, the OAuth 2.0 applications Client, Server1 and Server2, the user account User and the groups Group1 and Group2 exist in SSO.
Application Client has the client_credentials grant type and the client IDs of the server applications in its metadata:

```json
...
"grant_types": [
  "client_credentials"
],
"scope": "openid Server1 Server2"
...
```
Server applications do not have any grant types or scopes:

```json
...
"grant_types": [],
"scope": ""
...
```
The following steps are required to configure multiple applications access:
1. Create and enable the authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO
2. Add this method to the site Example.
3. Allow the method for the applications Client, Server1 and Server2.
4. Allow the method for the groups Group1 and Group2.
5. Allow Group1 to access application Server1.
6. Allow Group2 to access application Server2.
7. Allow the method for the user account User.
8. Make User a member of Group1 and Group2.
9. Add the Client application to the list of applications impersonating the account User.
...
TBD
Now it should be possible to get a token with the Client application credentials:

```
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidc&client_id=client.credentials.app&client_secret=secret
```
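The token request shown for both the single application and the multiple applications case, as an added Python example that is not part of the original page or of the SSO product: it builds the same form-encoded POST and then checks the token reply before the token is used against Server1 or Server2. The reply format is assumed to be the standard RFC 6749 JSON; the base URL and the three sample replies are constructed, while the client ID, secret and scopes come from the page above.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_PATH = "/uas/oauth2/token"  # token endpoint used on this page


def build_token_request(base_url, client_id, client_secret, scopes):
    """Build the POST from the page: client_credentials grant, credentials in the form body."""
    body = urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return Request(base_url.rstrip("/") + TOKEN_PATH, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def check_token_response(raw_json, requested_scopes):
    """Validate a token endpoint reply before using the token. Returns (token, granted, missing).

    Assumes the RFC 6749 JSON shape: an 'error' reply raises ValueError with the server's
    error code; a reply without a 'scope' member means the requested scope was granted
    unchanged (RFC 6749 section 5.1); 'missing' lists requested scopes the server narrowed
    away, e.g. because User is not in the group that may access that server application.
    """
    reply = json.loads(raw_json)
    if "error" in reply:
        raise ValueError(f"{reply['error']}: {reply.get('error_description', '')}".strip())
    if reply.get("token_type", "").lower() != "bearer" or not reply.get("access_token"):
        raise ValueError("unexpected token response")
    granted = set(reply["scope"].split()) if "scope" in reply else set(requested_scopes)
    missing = sorted(set(requested_scopes) - granted)
    return reply["access_token"], granted, missing


# Constructed replies (not captured from SSO): full grant, narrowed grant, rejected client.
REPLY_FULL = '{"access_token":"tok1","token_type":"Bearer","expires_in":3600,"scope":"openid Server1 Server2"}'
REPLY_NARROWED = '{"access_token":"tok2","token_type":"Bearer","expires_in":3600,"scope":"openid Server1"}'
REPLY_ERROR = '{"error":"invalid_client","error_description":"client authentication failed"}'

if __name__ == "__main__":
    req = build_token_request("https://sso.example.test", "client.credentials.app", "secret",
                              ["openid", "Server1", "Server2"])
    print(req.full_url, req.data.decode())
    for raw in (REPLY_FULL, REPLY_NARROWED, REPLY_ERROR):
        try:
            token, granted, missing = check_token_response(raw, ["openid", "Server1", "Server2"])
            print("granted:", sorted(granted), "not granted:", missing)
        except ValueError as exc:
            print("token request failed:", exc)
```

A non-empty "not granted" list means the access rights of User (group membership, step 8 above) do not cover that server application, so the token should not be sent to it.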