Connector Security
IDHUB uses OAuth2 framework to communicate with the connectors
IDHUB to Connector communication
- Reconciliation Engine and Provisioning engine call the connector using the IDHUB OAuth2 user access token
- The IDHUB access token is validated using jwt validation.
- The public key required for the validation is obtained from Keycloak.
- The path to download the access token is added to the configuration of the connector jar
Connector to IDHUB communication
- A client is created in tenant realm for the connector
- An offline access token is obtained from the tenant realm ( Offline Access Token does not expire unless it is explicitly revoked from the admin console)
- An offline access token is obtained by adding scope=offline_access to the token API
- The offline access token obtained from keycloak is added to the configuration of the connector jar
- For each of the outgoing request from the connector, the offline access token is exchanged for a token from IDHUB realm
Client creation in Keycloak
- For every connector, there is a client in Keycloak tenant realm
- Authentication happens using a token directly. The token doesn't expire unless it is revoked from the admin console
- "offline_access" scope needs to be added to the client scope to create a long-standing token
Offline access token from Keycloak
An offline access token is obtained from keycloak tenant realm during the installation of the setup
POST https://<keycloak-host>/auth/realms/<tenant-realm>/protocol/openid-connect/token
Request body
{
"client_id": <Client ID of the connector in keycloak>
"client_secret": <client_secret>,
"grant_type": "client_credentials",
"scope": "offline_access"
}
JS