...

[Diagram: SSO OAuth 2.0 Client Credentials Grant authorized access to multiple applications]

The Client1 application impersonates User1, who is a member of two groups. Each of these groups has access to one server application that the Client1 application should be able to reach. Authorization policies that can be configured for server applications are omitted from the configuration example because they are not mandatory.

...

Code block (json):

    ...
      "grant_types": [
        "client_credentials"
      ],
      "scope": "openid Server1 Server2"
    ...

  1. Server applications do not have any grant types or scopes:

     Code block (json):

         ...
           "grant_types": [],
           "scope": ""
         ...

The following steps are required to configure access to multiple applications:

  1. Create and enable the authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO.

  2. Add this method to the site Example.

  3. Allow the method for the applications Client1, Server1 and Server2.

  4. Allow the method for the groups Group1 and Group2.

  5. Allow Group1 to access the application Server1.

  6. Allow Group2 to access the application Server2.

  7. Allow the method for the user account User1.

  8. Make User1 a member of Group1 and Group2.

  9. Add the Client1 application to the list of applications impersonating the account User1.

...

Now it should be possible to get a token for Server1 or Server2 with the Client1 application credentials:

Code block:
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidcServer2&client_id=Client1&client_secret=secret

Then the token can be introspected using the Server2 application credentials (the Basic credential is Server2:secret, base64-encoded):

Code block:
POST {{baseUrl}}/uas/oauth2/introspection
Authorization: Basic U2VydmVyMjpzZWNyZXQ=
Content-Type: application/x-www-form-urlencoded

token={{accessTokenServer2}}

Example response (json):
{
  "usn": "Client",
  "iss": "https://localhost:8443/uas",
  "aud": [
    "Server2"
  ],
  "exp": 1696336474,
  "iat": 1696332874,
  "auth_time": 1696332874,
  "amr": [
    "https://localhost:8443/uas/saml2/names/ac/client.credentials.1"
  ],
  "azp": "Server2",
  "session_index": "_2d4a2d858137b04ca0154aac6a651988a5b63089",
  "client.credentials.1.grant_type": [
    "client_credentials"
  ],
  "client.credentials.1.issuer_dn": [
    "cn=Client,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.issuer": [
    "Client"
  ],
  "client.credentials.1.dn": [
    "cn=User,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.ldap": [
    "ldap:///cn=Ubilogin,dc=test"
  ],
  "token_type": "access_token",
  "active": true,
  "client_id": "Client",
  "expires_in": 3596
}
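The two requests above, and the check a server application should make on the introspection result, as an added Python example (not Ubisecure's own code). It assumes the endpoint paths from the page, a base URL passed in by the caller, and the server application checks that the token's aud names itself, which is what keeps a token issued for Server1 from being accepted by Server2.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential for the introspection endpoint: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _post_form(url, fields, extra_headers=None):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    headers.update(extra_headers or {})
    body = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def request_token(base_url, client_id, client_secret, scope):
    """Client credentials token request, as in the page's POST to /uas/oauth2/token."""
    return _post_form(f"{base_url}/uas/oauth2/token",
                      {"grant_type": "client_credentials", "scope": scope,
                       "client_id": client_id, "client_secret": client_secret})


def introspect(base_url, server_id, server_secret, token):
    """Introspection request authenticated with the server application's credentials."""
    return _post_form(f"{base_url}/uas/oauth2/introspection", {"token": token},
                      {"Authorization": basic_auth_header(server_id, server_secret)})


def token_accepted(introspection, this_server, now=None):
    """Server-side decision: token must be active, unexpired and issued for this server."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    if introspection.get("exp", 0) <= now:
        return False
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return this_server in aud


# Constructed sample: the fields of the page's example response that the check uses.
SAMPLE_INTROSPECTION = {"active": True, "aud": ["Server2"], "azp": "Server2",
                        "client_id": "Client", "exp": 1696336474, "iat": 1696332874}
```

Pass a fixed `now` to token_accepted when replaying captured responses such as the sample above, whose exp is already in the past.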

Security risk and mitigation

...