IDHUB uses the OAuth2 framework to communicate with the connectors.
IDHUB to Connector communication
The Reconciliation Engine and the Provisioning Engine call the connector using the IDHUB OAuth2 user access token.
The IDHUB access token is validated as a JWT.
The public key required for that validation is obtained from Keycloak.
The path used to download the access token is added to the configuration of the connector jar.
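The JWT validation step described above, as an added Go example (not IDHUB's or Keycloak's own code): it assumes the realm public key has already been downloaded from Keycloak and is passed in as an *rsa.PublicKey, and the issuer and audience strings are placeholders. DemoKey and MintToken only construct sample tokens so that the check can be exercised offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var enc = base64.RawURLEncoding // JWT segments are base64url without padding
// Claims holds the fields a connector checks on an IDHUB access token.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // Keycloak may also emit aud as an array; a single string is assumed here
	Exp int64  `json:"exp"`
}
func DemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // throwaway stand-in for the realm signing key
// MintToken signs an RS256 JWT the way Keycloak does; it exists only to construct sample tokens.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + enc.EncodeToString(sig)
}
// ValidateToken: RS256 signature against the realm public key from Keycloak, then issuer, audience and expiry; any failure rejects the token before its claims are trusted.
func ValidateToken(tok string, pub *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg string }
	if hb, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("rejected: only three-part RS256 tokens are accepted") // rules out alg=none and HS256 key confusion
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers the encoded header and payload
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("unparseable claims")
	}
	if c.Iss != iss || c.Aud != aud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil
}
```

In production the public key would come from the realm's published key set rather than DemoKey, and the expected issuer and audience would be read from the connector configuration.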
Connector to IDHUB communication
A client is created in the tenant realm for the connector.
An offline access token is obtained from the tenant realm (an offline access token does not expire unless it is explicitly revoked from the admin console).
An offline access token is obtained by adding scope=offline_access to the token API request.
The offline access token obtained from Keycloak is added to the configuration of the connector jar.
For each outgoing request from the connector, the offline access token is exchanged for a token from the IDHUB realm.
Client creation in Keycloak
For every connector there is a client in the Keycloak tenant realm.
Authentication happens directly with a token. The token does not expire unless it is revoked from the admin console.
The "offline_access" scope needs to be added to the client's scopes to create a long-standing token.
Offline access token from Keycloak
An offline access token is obtained from the Keycloak tenant realm during installation of the setup, using the following token request:
{
"client_id": <Client ID of the connector in Keycloak>,
"client_secret": <client_secret>,
"grant_type": "client_credentials",
"scope": "offline_access"
}
Token exchange from IDHUB realm