...

Code Block
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidc&client_id=client.credentials.appClient1&client_secret=secret

Authorized access use case

...

In the authorized access use case, a token issued with the client credentials of one application (Client1) can grant access to other applications (Server1 ... ServerN). Authorization is based on the access rights of the impersonated user (User1).

For example, Client1 is a command line script, Server1 is the SSO Management API and Server2 is the CustomerID API.

The configuration with two server applications is shown below.

[Diagram: SSO OAuth 2.0 Client Credentials Grant authorized access to multiple applications]

The client application impersonates User1, who is a member of two groups. Each of these groups has access to one of the server applications that Client1 should access. Authorization policies that can be configured for server applications are omitted from the configuration example, as they are not mandatory.

If Client1 uses the token to access itself, then User1 must be a member of a group that is allowed to access the Client1 application.

...

  1. Site Example, OAuth 2.0 applications Client1, Server1, Server2, user account User1 and groups Group1, Group2 exist in SSO.

  2. Application Client1 has the client_credentials grant type and the client IDs of the server applications in its metadata:

...

  1. Create and enable the authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO.

  2. Add this method to site Example.

  3. Allow the method for applications Client1, Server1 and Server2.

  4. Allow the method for groups Group1 and Group2.

  5. Allow Group1 to access application Server1.

  6. Allow Group2 to access application Server2.

  7. Allow the method for user account User1.

  8. Make User1 a member of Group1 and Group2.

  9. Add the Client1 application to the list of applications impersonating the account User1.

...

  1. TBD

Now it should be possible to get the token with the Client1 application credentials:

Code Block
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidc&client_id=client.credentials.appClient1&client_secret=secret
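The access model described above (a client credentials token bound to an impersonated account, with authorization decided by that account's group memberships) and the nine configuration steps can be written down as a small executable model. The following is an added illustration, not Ubisecure SSO code: the data layout, the function names, the mapping of the client_id client.credentials.appClient1 to the application Client1, and the policy checks are assumptions chosen to mirror the steps on this page.

```python
"""Toy model of the authorized-access configuration described on this page.

Constructed illustration only: the names, checks and data structures are
assumptions, not Ubisecure SSO code or its real policy engine.
"""
from urllib.parse import urlencode, parse_qs

# Configuration steps 1-9, expressed as data (constructed).
SSO_CONFIG = {
    # Assumed: the client_id used in the page's token request belongs to Client1.
    "client_ids": {"client.credentials.appClient1": "Client1"},
    # Step 3: applications allowed to use the client credentials method.
    "method_apps": {"Client1", "Server1", "Server2"},
    # Step 4: groups allowed to use the method.
    "method_groups": {"Group1", "Group2"},
    # Step 7: user accounts allowed to use the method.
    "method_users": {"User1"},
    # Steps 5 and 6: which group may access which application.
    "group_access": {"Group1": {"Server1"}, "Group2": {"Server2"}},
    # Step 8: group membership.
    "user_groups": {"User1": {"Group1", "Group2"}},
    # Step 9: which client applications may impersonate which account.
    "impersonators": {"User1": {"Client1"}},
}


def token_request_body(client_id, client_secret, scope="oidc"):
    """Build the form body of the token request shown on the page (order preserved)."""
    return urlencode([
        ("grant_type", "client_credentials"),
        ("scope", scope),
        ("client_id", client_id),
        ("client_secret", client_secret),
    ])


def impersonated_user(config, app):
    """Return the account that application `app` is configured to impersonate, or None."""
    for user, clients in config["impersonators"].items():
        if app in clients:
            return user
    return None


def issue_token(config, body):
    """Model the token endpoint: validate the request and bind the token to the
    impersonated account. Raises PermissionError when the configuration forbids it."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != ["client_credentials"]:
        raise ValueError("unsupported grant_type")
    app = config["client_ids"].get(form["client_id"][0])
    if app is None:
        raise PermissionError("unknown client_id")
    if app not in config["method_apps"]:
        raise PermissionError(f"{app}: method not allowed for application")
    user = impersonated_user(config, app)
    if user is None:
        raise PermissionError(f"{app}: no account configured for impersonation")
    if user not in config["method_users"]:
        raise PermissionError(f"{user}: method not allowed for account")
    return {"app": app, "sub": user}


def can_access(config, token, target_app):
    """Model the authorization decision at a server application: the impersonated
    account must belong to a group that may use the method and that is allowed to
    access the target application. This also covers the self-access case on the
    page: Client1 may call itself only if User1 is in a group allowed to access Client1."""
    if target_app not in config["method_apps"]:
        return False
    for group in config["user_groups"].get(token["sub"], set()):
        if group in config["method_groups"] and target_app in config["group_access"].get(group, set()):
            return True
    return False


if __name__ == "__main__":
    body = token_request_body("client.credentials.appClient1", "secret")
    token = issue_token(SSO_CONFIG, body)
    for app in ("Server1", "Server2", "Client1", "ServerN"):
        print(f"{token['app']} as {token['sub']} -> {app}: {can_access(SSO_CONFIG, token, app)}")
```

Running the model with the configuration above grants Client1 access to Server1 and Server2 through User1's memberships in Group1 and Group2, and denies access to Client1 itself and to any application no group of User1 has been granted, which is the behaviour the text describes.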

Security risk and mitigation

TBD