How to configure a custom OAuth2 authorization provider?
I heard that the Things service supports custom OAuth2 authorization providers. However, it is not clear which part is done by the service team, and what information is needed from the customer side.
Answer
Integration of project specific custom OAuth2 authorization providers (based on OpenID Connect Discovery 1.0) can be supported upon request.
Feel free to contact us via https://bosch-iot-suite.com/support/.
Procedure
Please send the following information using the official support ticket system:
- The name of the project
- The service instance ID
- The discovery URL of your custom OAuth2 authorization provider (based on OpenID Connect Discovery 1.0)
- Some example tokens (base64-encoded bearer tokens without a valid signature would suffice)
- Additional hints about the relevant scopes and claims that you want to use for authorization
You will get a subject prefix, and we will discuss via the ticket the scopes/claims and other details that are relevant for the authorization on thing entities.
Example
Given your discovery URL is https://access.your-project.com
and the decoded JWT (header fields and payload claims shown together for brevity) looks like the following snippet
{
"typ": "JWT",
"alg": "RS256",
"iss": "https://access.your-project.com/v1/",
"exp": 1300819380,
"sub": "your-subject",
"scp": ["your-scope1", "your-scope2"],
"client_id": "your-client"
}
Results
- Our authorization subject prefix proposal is based on your project name or your issuer, like "your-project".
- Your authorization subject IDs will be derived from the claims of the tokens and are based - by default - on the subject (sub) and scope (scp) claims and also include the client_id of your OAuth client. In this example your-subject/your-scope1 and your-subject/your-scope2, both extended with the suffix @your-client.
- By default, for each separate scope entry in the token, an authorization subject with the format <prefix>:<sub>/<scope>@<client> will be derived.
Using the authorization subjects in a policy
The complete authorization subjects to be used in the policy of a thing would look like the following snippet:
{
"subjects": {
"your-project:your-subject/your-scope1@your-client": {
"type": "custom-auth"
},
"your-project:your-subject/your-scope2@your-client": {
"type": "custom-auth"
}
}
}
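The derivation rule described under Results and the policy snippet above, carried through as an added example (this is illustration code written for this page, not code from the Things service or the Bosch IoT Suite). It builds a constructed example token with the header and payload from the snippet and a deliberately invalid signature (the kind of token the support ticket asks for), parses the claims without verifying anything, derives one authorization subject per scp entry as <prefix>:<sub>/<scope>@<client>, and assembles the policy "subjects" object. The prefix your-project and the "custom-auth" type are taken from the page; the handling of a space-separated scp string is an assumption about other providers, not something the page states.

```python
import base64
import json


def b64url_encode(obj):
    """Encode a JSON object as unpadded base64url, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed example token. Header and payload follow the snippet on this page;
# the third segment is NOT a valid RS256 signature. Such a token is only suitable
# as a sample for the support ticket, never for real authorization.
EXAMPLE_HEADER = {"typ": "JWT", "alg": "RS256"}
EXAMPLE_PAYLOAD = {
    "iss": "https://access.your-project.com/v1/",
    "exp": 1300819380,
    "sub": "your-subject",
    "scp": ["your-scope1", "your-scope2"],
    "client_id": "your-client",
}
EXAMPLE_TOKEN = ".".join(
    [b64url_encode(EXAMPLE_HEADER), b64url_encode(EXAMPLE_PAYLOAD), "not-a-valid-signature"]
)


def decode_claims_unverified(token):
    """Return the payload claims of a JWT WITHOUT checking its signature.

    Only for inspecting sample tokens; a verifying client must validate the
    signature against the provider's JWKS, plus iss and exp, before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def derive_auth_subjects(claims, prefix):
    """Default rule from the page: <prefix>:<sub>/<scope>@<client>, one per scp entry."""
    sub = claims["sub"]
    client = claims["client_id"]
    scopes = claims.get("scp", [])
    if isinstance(scopes, str):
        # Assumption: some providers issue scopes as a single space-separated string.
        scopes = scopes.split()
    return [f"{prefix}:{sub}/{scope}@{client}" for scope in scopes]


def policy_subjects(auth_subjects, subject_type="custom-auth"):
    """Assemble the "subjects" object of a thing policy for the derived subjects."""
    return {"subjects": {s: {"type": subject_type} for s in auth_subjects}}


if __name__ == "__main__":
    claims = derive_auth_subjects(decode_claims_unverified(EXAMPLE_TOKEN), "your-project")
    print(json.dumps(policy_subjects(claims), indent=2))
```

Running the block prints the same two policy subjects shown in the snippet above. Note that decode_claims_unverified only decodes; the subject prefix and the mapping are applied by the service after the provider's discovery document and keys have been configured, so nothing in this example replaces signature verification.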