External identity providers
This article explains how OAuth 2.0 Identity providers can be configured in Aidbox
This guide provides instructions on how to configure Aidbox to work with any IAM service that supports the OAuth 2.0 specification.
Additionally, we have created guides detailing the setup process for the most frequently requested IdP solutions. You can follow one of those guides, or continue with the generic instructions below.
IdentityProvider resource
To add an external OAuth 2.0 provider integration, create a resource called IdentityProvider. Aidbox uses it:
to generate redirect links
to make API calls to the provider
to retrieve the access token, user data, etc.
All examples in this tutorial are executable in the Aidbox REST Console.
IdentityProvider attributes
system: identifier system used for the identifier added to the created user
userinfo-source: if id-token, user.data is populated with the id_token.claims value; otherwise a request to the userinfo_endpoint is performed to get user details
authorize_endpoint: OAuth provider authorization endpoint
token_endpoint: OAuth provider access token endpoint
userinfo_endpoint: OAuth provider user profile endpoint
userinfo_header: some providers require a prefix other than "Bearer" in the Authorization header of the user info request; for example, setting it to "OAuth" results in:
GET /<userinfo_endpoint> with Authorization: OAuth <access token>
scopes: array of scopes for which you request access from the user
client.id: id of the client you registered in the OAuth provider API
client.secret: secret of the client you registered in the OAuth provider API
Client resource
Next, we have to create a Client resource, which later receives the access token from the Aidbox backend and uses the Aidbox API on behalf of the user. We enable the authorization_code flow for the application and provide the redirect_uri.
You should register /auth/callback/<provider-id> as the callback URI in your OAuth provider's client application configuration.
To initiate authorization, redirect the user to the endpoint /auth/redirect/<provider-id>. You should provide at least two query parameters, client_id and response_type. The following API interactions happen as a result:
By default, everything returned by the provider's userinfo endpoint is stored in User.data. You can also configure mapping to other User attributes by adding a toScim object to the IdentityProvider.
Each key in toScim refers to a key in the userinfo response object, while the value is an array that specifies a path in the User resource.
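To make the mapping rule concrete, here is an added, constructed example (not Aidbox's implementation) that applies a toScim object to a sample userinfo response: the whole response is copied to User.data as described, and each mapped key is written to the path given by its array. The sample userinfo values, the mapping, and the choice of the sub claim as the identifier value are assumptions; keys absent from the response are skipped, and a path that would overwrite a non-object value is rejected.

```python
"""Constructed example (not Aidbox's code): how a toScim mapping turns a
userinfo response into User attributes, on top of the default User.data copy."""
import copy

# Constructed sample userinfo response from the provider
USERINFO = {
    "sub": "1234567890",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "ada@example.com",
    "picture": "https://idp.example.com/ada.png",
}

# toScim: userinfo key -> path in the User resource (constructed mapping)
TO_SCIM = {
    "given_name": ["name", "givenName"],
    "family_name": ["name", "familyName"],
    "email": ["email"],
    "phone_number": ["phoneNumber"],  # not in USERINFO, so it is skipped
}


def set_path(obj: dict, path: list, value) -> None:
    """Set value at a nested path, creating intermediate objects as needed."""
    if not path:
        raise ValueError("toScim path must have at least one element")
    cur = obj
    for key in path[:-1]:
        nxt = cur.setdefault(key, {})
        if not isinstance(nxt, dict):
            raise ValueError(f"path {path} crosses a non-object value at {key!r}")
        cur = nxt
    cur[path[-1]] = value


def build_user(userinfo: dict, to_scim: dict, system: str) -> dict:
    """Build the User resource: everything from userinfo lands in data (the
    default), and mapped keys are also copied to their paths. Using the sub
    claim as the identifier value is an assumption, not stated by the page."""
    user = {
        "resourceType": "User",
        "identifier": [{"system": system, "value": userinfo["sub"]}],
        "data": copy.deepcopy(userinfo),
    }
    for key, path in to_scim.items():
        if key in userinfo:
            set_path(user, list(path), userinfo[key])
    return user


if __name__ == "__main__":
    import json
    print(json.dumps(build_user(USERINFO, TO_SCIM, "https://idp.example.com"), indent=2))
```

The resulting User carries name.givenName, name.familyName and email from the mapping while data still holds the full response, so any claim you do not map (here picture) remains reachable under User.data.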