I heard that the managed connection supports custom OAuth2 authorization providers. However, it is not clear which part is done by the service team and what information is needed from the customer side.
Integration of project specific custom OAuth2 authorization providers (based on OpenID Connect Discovery 1.0) can be supported upon request.
Feel free to contact the team taking care of the digital twin layer, namely Bosch IoT Things team via https://bosch-iot-suite.com/support/.
Please send the following information using the official support ticket system:
- The name of the project
- The service instance ID
- The discovery URL of your custom OAuth2 authorization provider (based on OpenID Connect Discovery 1.0)
- Some example tokens (a base64-encoded bearer token without a valid signature would suffice)
- Additional hints about the relevant scopes and claims that you want to use for authorization
You will get a subject prefix, and we will discuss via the ticket the needed scopes/claims and other details relevant for authorization on thing entities.
Given that your discovery URL is https://access.your-project.com and the JWT looks like the following snippet:
Our proposal for the authorization subject prefix is based on your project name or your issuer, e.g. “your-project”.
Your authorization subject IDs are derived from the claims of the tokens. By default they are based on the subject (sub) and scope (scp) claims and also include the client_id of your OAuth client. In this example they are your-subject/your-scope1 and your-subject/your-scope2, both extended with the suffix @your-client.
By default, one authorization subject of the format <prefix>:<sub>/<scope>@<client> is derived for each separate scope entry in the token.
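The derivation rule above, worked through in code. This is an added illustration, not Bosch IoT Things code: it builds a constructed, unsigned JWT with the page's example claims (sub, scp, client_id), reads the claims back, and emits one <prefix>:<sub>/<scope>@<client> subject per scope entry. The sample claim values and the handling of scp as either a list or a space-separated string are assumptions.

```python
import base64
import json

# Constructed sample claims (not a real token); values mirror the page's example.
SAMPLE_CLAIMS = {
    "iss": "https://access.your-project.com",
    "sub": "your-subject",
    "scp": ["your-scope1", "your-scope2"],
    "client_id": "your-client",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg "none") for illustration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Return the payload claims. No signature check happens here; the service
    validates tokens against the provider's OpenID Connect discovery document."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def derive_subjects(token: str, prefix: str) -> list[str]:
    """One <prefix>:<sub>/<scope>@<client> subject per scope entry, as the page
    describes. Assumption: scp may be a JSON list or a space-separated string."""
    claims = jwt_claims(token)
    sub, client = claims.get("sub"), claims.get("client_id")
    if not sub or not client:
        raise ValueError("token lacks the sub or client_id claim")
    scopes = claims.get("scp", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    return [f"{prefix}:{sub}/{scope}@{client}" for scope in scopes]

if __name__ == "__main__":
    for subject in derive_subjects(build_unsigned_jwt(SAMPLE_CLAIMS), "your-project"):
        print(subject)
```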
Using the authorization subjects in a policy
The complete authorization subjects to be used in the policy of a thing would look like the following snippet: