External OAuth 2.0 Providers
To integrate an external OAuth 2.0 provider, you create a resource called IdentityProvider. The auth module uses it to generate redirect links and to call the provider's API for the access token, user data, and so on. All examples in this tutorial are executable in the Aidbox REST Console.
```yaml
POST /IdentityProvider
Accept: text/yaml
Content-Type: text/yaml

resourceType: IdentityProvider
system: https://google.com
active: true
id: <provider-id>
authorize_endpoint: https://accounts.google.com/o/oauth2/v2/auth
token_endpoint: https://www.googleapis.com/oauth2/v4/token
userinfo_endpoint: https://www.googleapis.com/oauth2/v1/userinfo
scopes:
  - https://www.googleapis.com/auth/userinfo.profile
  - https://www.googleapis.com/auth/userinfo.email
client:
  id: <your auth client id>
  secret: <your auth client secret>
```
| attribute | description |
| --- | --- |
| system | adds an identifier with this system to the created User |
| authorize_endpoint | OAuth provider authorization endpoint |
| token_endpoint | OAuth provider access token endpoint |
| userinfo_endpoint | OAuth provider user profile endpoint |
| userinfo_header | Some providers require a prefix other than "Bearer" in the Authorization header of the user info request. For example, if set to "OAuth", the request becomes `GET /<userinfo_endpoint>` with `Authorization: OAuth <access token>` |
| scopes | array of scopes for which you request access from the user |
| client.id | id of the client you registered with the OAuth provider |
| client.secret | secret of the client you registered with the OAuth provider |
Next, we have to create a Client resource, which will later receive the access token from the Aidbox backend and use the Aidbox API on behalf of the user. We enable the authorization_code flow for the application and provide its redirect_uri.
```yaml
POST /Client
Accept: text/yaml
Content-Type: text/yaml

id: my-client
grant_types: ["authorization_code"]
first_party: true
auth:
  authorization_code:
    redirect_uri: <your app redirect uri>
```
You will also need to register /auth/callback/<provider-id> as the callback URI in your OAuth provider's client application configuration.
To initiate authorization, redirect the user to the endpoint /auth/redirect/<provider-id>. You should provide at least two query parameters, client_id and response_type. The following API interactions happen as a result:
```http
GET /auth/redirect/google?client_id=my-client&response_type=code
# your application entrypoint
# redirects to

GET https://accounts.google.com/o/oauth2/v2/auth?...
# the user enters their credentials and allows Aidbox access to their profile data
# the provider redirects to

GET /auth/callback/google?...
# Aidbox receives the temporary code and exchanges it for an access token by calling

GET https://www.googleapis.com/oauth2/v4/token?...

# using the access token, Aidbox calls the user data endpoint
GET https://www.googleapis.com/oauth2/v1/userinfo
# then it creates the User resource and continues with the flow specified
# in the response_type query param

GET <your app redirect uri>?code=...
```
By default, everything returned by the provider's userinfo endpoint is stored in User.data. You can also map values onto other User attributes by adding a toScim object to the IdentityProvider.
```yaml
PUT /IdentityProvider/<provider-id>
Accept: text/yaml
Content-Type: text/yaml

toScim:
  default_email:
    - email
  first_name:
    - name
    - givenName
  last_name:
    - name
    - familyName   # SCIM family-name attribute; mapping it to givenName would overwrite first_name
```
Each key here refers to a key in the userinfo response object, while the value is an array giving the path inside the User resource where that value is stored.
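As an added example that is not part of the Aidbox documentation or code base, the following Python sketches how the two settings described above behave: `userinfo_header` selects the Authorization prefix of the user-info request, and `toScim` copies selected userinfo keys onto typed User attributes while the full response lands in User.data. The function names and the sample provider and userinfo payloads are constructed for illustration.

```python
from typing import Any

# Constructed IdentityProvider fragment mirroring the page's resource (placeholders kept).
PROVIDER = {
    "userinfo_endpoint": "https://www.googleapis.com/oauth2/v1/userinfo",
    "userinfo_header": "OAuth",  # omit this key to get the default "Bearer" prefix
    "toScim": {
        "default_email": ["email"],
        "first_name": ["name", "givenName"],
        "last_name": ["name", "familyName"],
    },
}

# Constructed userinfo response, shaped like the keys used in the toScim example.
USERINFO = {"default_email": "alice@example.org", "first_name": "Alice",
            "last_name": "Smith", "id": "12345"}


def userinfo_request(provider: dict, access_token: str) -> dict:
    """Method, URL and Authorization header of the user-info call.
    The prefix is "Bearer" unless userinfo_header overrides it."""
    prefix = provider.get("userinfo_header", "Bearer")
    return {"method": "GET", "url": provider["userinfo_endpoint"],
            "headers": {"Authorization": f"{prefix} {access_token}"}}


def set_path(obj: dict, path: list, value: Any) -> None:
    """Write value at a nested path, creating intermediate objects as needed."""
    for key in path[:-1]:
        obj = obj.setdefault(key, {})
    obj[path[-1]] = value


def build_user(provider: dict, userinfo: dict) -> dict:
    """Map a userinfo response onto a User resource: the whole response goes
    into User.data, and each toScim entry copies one key to the given path.
    Keys absent from the response are skipped rather than written as null."""
    user: dict = {"resourceType": "User", "data": dict(userinfo)}
    for source_key, path in provider.get("toScim", {}).items():
        if source_key in userinfo:
            set_path(user, path, userinfo[source_key])
    return user


if __name__ == "__main__":
    print(userinfo_request(PROVIDER, "<access token>")["headers"])
    print(build_user(PROVIDER, USERINFO))
```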