...
Gliffy | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
The Client application is impersonating a User1 which is a member of 2 groups. Each of these groups has access to one server application that should be accessed by the Client1 application. Authorization policies that can be configured for server applications are omitted from the configuration example as it is not mandatory.
...
Code Block | ||
---|---|---|
| ||
... "grant_types": [ "client_credentials" ], "scope": "openid Server1 Server2" ... |
Server applications does not have any grant types or scopes:
Code Block language json ... "grant_types": [], "scope": "" ...
The following steps are required to configure multiple applications access:
Create and enable authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO
Add this method to site Example.
Allow the method for applications: Client1, Server1 and Server2.
Allow the method for groups Group1 and Group2.Allow Group1 to access application Server1.
Allow Group2 to access application Server2.
Allow the method for user account User1.
Make User1 a member of Group1 and Group2.
Add Client1 application to the list of applications impersonating an account User1.
...
Now it should be possible to get the token for Server1 or Server2 with Client1 application credentials:
Code Block | ||
---|---|---|
| ||
POST {{baseUrl}}/uas/oauth2/token Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&scope=oidcServer2&client_id=Client1&client_secret=secret |
Then the token can be introspected:
Code Block | ||
---|---|---|
| ||
POST {{baseUrl}}/uas/oauth2/introspection Authorization: Basic Server2 secret Content-Type: application/x-www-form-urlencoded token={{accessTokenServer2}} |
Expand | |||||
---|---|---|---|---|---|
| |||||
|
Security risk and mitigation
...