Use this policy to authenticate a client by delegating the authentication to an OAuth2 provider. If this policy is applied, it is used to authenticate any request that does not contain credentials for any other authentication policies (such as API Key). The client is redirected to the OAuth provider to start the authentication flow. Once the flow completes, and the access token is obtained, the policy uses it to perform one or more requests to get information about the user, such as the ID and assigned role. Finally, a session cookie is returned to the client, and the client is redirected back to the requested URL. Subsequent requests authenticate based on the session cookie instead of repeating the OAuth flow. This implementation is based on the authorization code flow from Okta.

Starting in the October 2023 release, SnapLogic supports OpenID Connect. You can now use your OpenID Connect provider for the authentication controls in your Generic OAuth2 API policy.

Info

The Generic OAuth2 API Policy also supports OAuth 1.0.

Note

Policy Requirements

  • All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.

  • Users must enable cookies in their browser for this policy to work with OAuth providers.

...

Examples of Configuring the Generic OAuth2 API Policy with OIDC Providers

Google IdP Application

...

Field Mappings

You can use Google Cloud Services to set up Google as an IdP for your OAuth 2.0 policy. Refer to the Google Cloud documentation for the account information required to fill out the Generic OAuth2 policy form.

...

The following table provides the mapping between the Google IdP application endpoints and the Generic OAuth2 policy OpenID field values, where the application name is 2ada741a-1b5a-49e4-c3bd-fc2a72b698c.

Generic Oauth Policy           | Google Open ID Connect     | Example Value
-------------------------------|----------------------------|---------------------------------------------------------------
OpenID Discovery Document URL  | "authorization_endpoint"   | "https://accounts.google.com/.well-known/openid-configuration"
Login URL*                     | "openid-configuration"     | "https://accounts.google.com/o/oauth2/v2/auth"
JWS Algorithm*                 | RS256                      | N/A
Scopes                         | "openid" "email" "profile" |
Access Token URL               | "token_endpoint"           | "https://oauth2.googleapis.com/token"

Azure IdP Application

...

Field Mappings

Microsoft Entra ID

You can use Microsoft Entra ID as an IdP for your OAuth2.0 policy.

...

Generic Oauth Policy OpenID Fields | Microsoft Entra ID                        | Example Value
-----------------------------------|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------
OpenID Discovery Document URL      | Microsoft Entra ID application endpoint   | https://login.microsoftonline.com/2ada741a-1b5a-49e4-c3bd-fc2a72b698c/v2.0/.well-known/openid-configuration
Login URL*                         | Microsoft Entra ID authorization endpoint | https://login.microsoftonline.com/2ada741a-1b5a-49e4-c3bd-fc2a72b698c/oauth2/v2.0/authorize
JWS Algorithm*                     | RS256                                     | N/A
Scopes                             | openid, email                             | N/A
Access Token URL                   | Microsoft Entra ID token endpoint         | https://login.microsoftonline.com/2ada741a-1b5a-49e4-c3bd-fc2a72b698c/oauth2/v2.0/token

AD B2C Application

Prerequisites

...

Generic Oauth Policy OpenID Fields | Azure AD B2C 2.0                                   | Example
-----------------------------------|----------------------------------------------------|----------------------------------------------------------------------------------------------------------------------
OpenID Discovery Document URL      | Azure AD B2C 2.0 Open ID Connect metadata document | https://example-app.b2clogin.com/example-app.onmicrosoft.com/B2C_1_sign/v2.0/.well-known/openid-configuration
Login URL*                         | Azure AD B2C 2.0 authorization endpoint            | https://example-app.b2clogin.com/example-app.onmicrosoft.com/B2C_1_sign/oauth2/v2.0/authorize
JWS Algorithm*                     | RS256                                              |
Scopes                             | openid                                             |
Access Token URL                   | Azure AD B2C 2.0 token endpoint                    | https://example-app.b2clogin.com/example-app.onmicrosoft.com/B2C_1_sign/oauth2/v2.0/token
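The three tables above all derive the Login URL, Access Token URL, JWS Algorithm and Scopes fields from the provider's OpenID discovery document. As an added example (not SnapLogic code), the Python script below performs that mapping from a discovery document and refuses documents whose endpoints are not HTTPS or that do not advertise RS256 for ID token signatures. The embedded document is a constructed excerpt matching the Google values in the first table, and `fetch_discovery` is a helper name assumed here.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample: the subset of Google's discovery document that the
# policy fields depend on (values match the Google table above).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")


def fetch_discovery(discovery_url, timeout=10):
    """Download the document behind an 'OpenID Discovery Document URL' (needs network)."""
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def policy_fields(discovery_json, alg="RS256", scopes=("openid", "email", "profile")):
    """Map discovery-document keys to the policy's OpenID fields, rejecting unsafe values."""
    doc = json.loads(discovery_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    # The authorization code and tokens travel over these endpoints: require HTTPS.
    for key in REQUIRED:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")
    # The JWS Algorithm field is used to check the ID token signature; the
    # provider must actually offer it, otherwise verification can never succeed.
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError(f"provider does not advertise {alg} for ID tokens")
    # scopes_supported is optional in the spec; only check it when present.
    unsupported = [s for s in scopes if s not in doc.get("scopes_supported", scopes)]
    if unsupported:
        raise ValueError(f"provider does not advertise scopes {unsupported}")
    return {
        "Issuer": doc["issuer"],
        "Login URL": doc["authorization_endpoint"],
        "Access Token URL": doc["token_endpoint"],
        "JWS Algorithm": alg,
        "Scopes": " ".join(scopes),
    }


if __name__ == "__main__":
    for name, value in policy_fields(SAMPLE_DISCOVERY).items():
        print(f"{name}: {value}")
```

To check a live provider, pass `fetch_discovery(url)` to `policy_fields` and compare its output with the values entered in the policy form.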

Info

For single tenant uses, you should create a redirect URI, which is the application URL.

...