IDHUB uses OAuth2 framework to communicate with the connectors

IDHUB to Connector communication

  • Reconciliation Engine and Provisioning engine call the connector using the IDHUB OAuth2 user access token
  • The IDHUB access token is validated using jwt validation.
    • The public key required for the validation is obtained from Keycloak.
    • The path to download the access token is added to the configuration of the connector jar

Connector to IDHUB communication

  • A client is created in tenant realm for the connector
  • An offline access token is obtained from the tenant realm ( Offline Access Token does not expire unless it is explicitly revoked from the admin console)
    • An offline access token is obtained by adding scope=offline_access to the token API
  • The offline access token obtained from keycloak is added to the configuration of the connector jar
  • For each of the outgoing request from the connector, the offline access token is exchanged for a token from IDHUB realm

Client creation in Keycloak

  • For every connector, there is a client in Keycloak tenant realm
  • Authentication happens using a token directly. The token doesn't expire unless it is revoked from the admin console
  • "offline_access" scope needs to be added to the client scope to create a long-standing token

Offline access token from Keycloak

An offline access token is obtained from keycloak tenant realm during the installation of the setup

POST https://<keycloak-host>/auth/realms/<tenant-realm>/protocol/openid-connect/token

Request body

	"client_id": <Client ID of the connector in keycloak>
	"client_secret": <client_secret>,
	"grant_type": "client_credentials",
	"scope": "offline_access"

Token exchange from IDHUB realm