habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f6af8c221ccf55fd3197c5c78872f3ad638a349
authentik/website/docs/providers/oauth2.md
Jens L 920d1f1b0e providers/oauth2: initial client_credentials grant support (#2437) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-05 23:24:55 +01:00

60 lines
3.1 KiB
Markdown
Raw Blame History

---
title: OAuth2 Provider
---
This provider supports both generic OAuth2 as well as OpenID Connect
Scopes can be configured using Scope Mappings, a type of [Property Mappings](../property-mappings/#scope-mapping).
| Endpoint | URL |
| -------------------- | -------------------------------------------------------------------- |
| Authorization | `/application/o/authorize/` |
| Token | `/application/o/token/` |
| User Info | `/application/o/userinfo/` |
| End Session | `/application/o/end-session/` |
| JWKS | `/application/o/<application slug>/jwks/` |
| OpenID Configuration | `/application/o/<application slug>/.well-known/openid-configuration` |
## GitHub Compatibility
This provider also exposes a GitHub-compatible endpoint. This endpoint can be used by applications, which support authenticating against GitHub Enterprise, but not generic OpenID Connect.
To use any of the GitHub Compatibility scopes, you have to use the GitHub Compatibility Endpoints.
| Endpoint | URL |
| --------------- | --------------------------- |
| Authorization | `/login/oauth/authorize` |
| Token | `/login/oauth/access_token` |
| User Info | `/user` |
| User Teams Info | `/user/teams` |
To access the user's email address, a scope of `user:email` is required. To access their groups, `read:org` is required. Because these scopes are handled by a different endpoint, they are not customisable as a Scope Mapping.
## Grant types
### `authorization_code`:
This grant is used to convert an authorization code to a refresh token. The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
### `refresh_token`:
Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.
### `client_credentials`:
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
An example request can look like this:
```
POST /application/o/token/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&username=my-service-account&password=my-token
```
This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.
Reference in New Issue View Git Blame Copy Permalink