How to configure a custom OAuth2 authorization provider?

I heard that the Things service supports custom OAuth2 authorization providers. However, it is not clear, which part is done by the service team, and what information is needed form customer side.

Answer

Integration of project specific custom OAuth2 authorization providers (based on OpenID Connect Discovery 1.0) can be supported upon request.

Feel free to contact us via https://developer.bosch-iot-suite.com/support/.

Procedure

Please send the following information using the official support ticket system:

  • The name of the project
  • The service instance ID
  • The discovery URL of your custom OAuth2 authorization provider (based on OpenID Connect Discovery 1.0)
  • Some example tokens (base64 encoded bearer token without valid signature would suffice)
  • Additional hints about relevant scopes and claims, that you want to use for authorization

You will get a subject prefix and we will discuss via ticket the needed scopes/claims and other details, which should be relevant for the authorization on thing entities.

Example

Given your discovery URL is https://access.your-project.com and the JWT looks like in the following snippet

{
 "typ": "JWT",
 "alg": "RS256",
 "iss": "https://access.your-project.com/v1/",
 "exp": 1300819380,
 "sub": "your-subject",
 "scp": ["your-scope1", "your-scope2"],
 "client_id": "your-client"
}

Results

  • Our authorization subject prefix proposal is based on your project name or your issuer, like “your-project”.
  • Your authorization subject IDs will be derived from the claims of the tokens and are based - by default - on the subject (sub) and scope (scp) claims and also include the client_id of your OAuth client. In this example your-subject/your-scope1 and your-subject/your-scope2, both extended with the suffix @your-client.
  • By default for each separate scope entry in the token, an authorization subject with the format <prefix>:<sub>/<scope>@<client> will be derived.

Using the authorization subjects in a policy

The complete authorization subjects to be used in the policy of a thing would look like in the following snippet:

{
  "subjects": {
     "your-project:your-subject/your-scope1@your-client": {
        "type": "custom-auth"
     },
     "your-project:your-subject/your-scope2@your-client": {
        "type": "custom-auth"
      }
  }
}           
Imprint Legal info Privacy statement