feat: blog: add OAuth 2.0 Token Exchange and OIDC article
Showing 3 changed files with 69 additions and 1 deletion.
blog/2024-12-08-introducing-oauth2-token-exchange-with-oidc.mdx (63 additions & 0 deletions)
@@ -0,0 +1,63 @@ | ||
--- | ||
slug: introducing-oauth2-token-exchange-with-oidc | ||
title: Introducing OAuth 2.0 Token Exchange and OpenID Connect (OIDC) Support | ||
authors: Grokify | ||
tags: [authorization] | ||
--- | ||
|
||
![](logo_oauth2-oidc.png) | ||
|
||
## Introduction | ||
|
||
OAuth 2.0 and OpenID Connect are the most popular and important security protocols for modern API connectivity. While there are many ways to implement OAuth 2.0 and OIDC, a key use case for thse protocols is to enable service account authorization for APIs and background tasks integrated with third-party Identity Providers (IdPs) for Single Sign-On (SSO). This allows using an IdP such as Microsoft Entra ID, Okta, or Ping Identity as your IdP for background, service account access to Saviynt Identity Cloud APIs. IdP and SSO support have been a popular request to our product team so we are happy to roll this out. | ||
|
||
Specifically, this is implemented using industry standards OAuth 2.0 Token Exchange flow ([IETF RFC-8693](https://datatracker.ietf.org/doc/html/rfc8693)) and the associated OAuth 2.0 Token Introspection API ([IETF RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662)). Read more below for an overview and in our [documentation for "Configuring OAuth 2.0 Token Exchange Authentication"](https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter06-EIC-Configurations/OAuth-Token-Exchange.htm). | ||
|
||
## How it Works | ||
|
||
At a high level, OAuth 2.0 Token Exchange works with applications requesting a Saviynt Identity Cloud API Access Token by presenting and IdP issued token, which can be an OAuth 2.0 access token or an OIDC ID token, both issued by the IdP. There are 3 major parts to such an integration, described below. | ||
|
||
### Configuring Saviynt Identity Cloud for Token Introspection | ||
|
||
To configure Svaiynt Identity Cloud, you will need to configure it to call your IdP's IETF RFC-7662 Token Exchange API. This way, when a token exchange request is made to Saviynt Identity Cloud, Saviynt can call your IdP to validate the access or ID token. | ||
|
||
Addtionally, any IdP API credentials such as application client ID and client secret, will need to be configured in both your IdP and Saviynt. The following parameters need to be updated in your `externalconfig.properties` file. | ||
|
||
``` | ||
MSOPENID.CLIENTID=<IdP App Client ID> | ||
MSOPENID.CLIENTSECRET= <IdP App Secret> | ||
MSOPENID.INTROSPECTION.URL=<IdP Introspection API> | ||
MSOPENID.USERNAMEINJSON=preferred_username, sub | ||
``` | ||
|
||
### Making the Token Exchange Request | ||
|
||
The Token Exchange request as designed and implemented by Saviynt is as follows. A sucessful reqwuest will return a Saviynt Identity Cloud OAuth 2.0 access token. Behind the scenes, Saviytn Identity cloud is making a Token Introspection API call to your IdP described in the next section. | ||
|
||
``` | ||
POST https://<SAVIYNT_HOSTNAME>/ECM/oauth2/token | ||
Content-Type: application/x-www-form-urlencoded | ||
Accept: application/json | ||
grant_type=urn:ietf:params:oauth:grant-type:token-exchange& \ | ||
subject_token_type_type=urn:ietf:params:oauth:token-type:access_token& \ | ||
subject_token={access token from the IdP} | ||
``` | ||
|
||
### Making the Token Introspection Request | ||
|
||
Inline to the Token Exchange Request from your client, Saviynt will make a Token Introspection API request to your IdP to ensure the token is still valid. It is important to note that this is a live call to your IdP. | ||
|
||
``` | ||
POST /introspect HTTP/1.1 | ||
Host: <your_idp_host> | ||
Accept: application/json | ||
Content-Type: application/x-www-form-urlencoded | ||
Authorization: Bearer <IdP access token for Saviynt Identity Cloud> | ||
token=<IdP access or ID token being exchagned for a Saviynt Identity Cloud access token> | ||
``` | ||
|
||
## Next Steps | ||
|
||
Please try this out and let us know your experiences. If you have any questions on this, feel free to post on the [Saviynt Forums](https://forums.saviynt.com/). |
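Review bot: the form body in the "Making the Token Exchange Request" example misspells the RFC 8693 parameter: `subject_token_type_type=urn:ietf:params:oauth:token-type:access_token& \` should be `subject_token_type=...`, since `subject_token_type` is a required parameter and a server will either reject the request or ignore the misspelled name; the `& \` shell-style continuations are also not valid inside an `application/x-www-form-urlencoded` body, so either join the three parameters with `&` on one line or list them on separate lines without the backslashes. Because the introduction says the subject token may also be an OIDC ID token, the same section should state the type value to send in that case (`urn:ietf:params:oauth:token-type:id_token`). In "Configuring Saviynt Identity Cloud for Token Introspection", "your IdP's IETF RFC-7662 Token Exchange API" should read "Token Introspection API" (RFC 7662 is introspection; RFC 8693 is token exchange). The introspection section says the live call checks that the token "is still valid" but not what in the RFC 7662 response is evaluated; documenting that an `"active": false` response is rejected and how `MSOPENID.USERNAMEINJSON=preferred_username, sub` maps response claims to a Saviynt user would let readers reason about which IdP tokens can be exchanged. Finally, `MSOPENID.CLIENTSECRET= <IdP App Secret>` carries a stray space after `=`, and the prose has several typos: "thse", "presenting and IdP issued token", "Svaiynt", "Addtionally", "sucessful reqwuest", "Saviytn Identity cloud", "exchagned".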
@@ -1,6 +1,11 @@ | ||
Grokify: | ||
name: John Wang | ||
title: VP, Product Management @Saviynt | ||
url: https://github.com/grokify | ||
email: [email protected] | ||
Kkundan: | ||
name: Kundan Kumar | ||
title: Director, Product Management @ Saviynt | ||
url: https://github.com/Kkundan | ||
image_url: https://github.com/Kkundan.png | ||
email: kundan.kumar@Saviynt | ||
email: kundan.kumar@Saviynt |
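Review bot: `email: kundan.kumar@Saviynt` is not a complete address (nothing follows `Saviynt` as a domain); write it out in full, matching the form used for the `Grokify` entry, and since the value appears on the last two lines of the hunk, confirm the committed file ends up with a single `email` key under `Kkundan`. The new entry also sets `image_url` while the `Grokify` entry above it does not; adding one there keeps both author cards rendering consistently.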