Proxied Cloud Service Provider
Introduction
This Service Provider allows you to proxy requests to an OAuth-protected resource server. The access token required to connect to that server is injected by the TrustBuilder Gateway. TrustBuilder now allows to dynamically link these third-party tokens to principals authenticated by TrustBuilder. If the OAuth authorization server is already used as an existing IDP, then the tokens are stored and linked automatically. When the resource server is protected by an authentication method that is not already part of your current authentication scheme, then you can initiate the linking procedure manually.
To initiate the linking you have to send an OAuth authentication request (using the details of an existing OAuth SP) with an additional request parameter: token_server. The value of this parameter is the 'identifier' (see below in Fields) of the Proxied Cloud SP.
eg. https://your.hostname/idhub/oidc/v1/authorize?scope=openid+profile&response_type=code&client_id=123456-abcdefghi&redirect_uri=https%3A%2F%2Fmy.application&state=randomvalue&token_server=google-api
When the user is not already authenticated for that OAuth SP, then we'll first complete the usual authentication scheme. As soon as the user is authenticated, he will be redirected to the third party to give his consent.
The Proxied Cloud SP is a variation on the API SP. Just like the API SP, its intended use is for Machine-to-Machine communication. When accessing the endpoints without proper authentication you will not be forwarded to a login page, but you will get back a 403 error.
The endpoints of the Proxied Cloud SP require a valid Bearer token. This token has to be an OAuth token, handed out by TrustBuilder. Therefore it does not have an authentication scheme. To be able to get an OAuth token you will need to configure a separate OAuth SP. (Which you CAN connect to an authentication scheme.)
Just like on an OAuth SP, you can set flexible application rules based on the user's attributes, the allowed scopes of the token used, the path that is called, and the HTTP verb.
Fields
Field | Description |
|---|---|
Display Name | User-defined name of the Service Provider |
URL | Not used |
Description | User-defined description of the Service Provider |
Custom Attributes | Key/value pairs that allow you to specify additional info. This does not affect any IDHub functionality. |
Vhosts | Specify the VHosts the gateway should listen for this SP. |
Base bath | The path on which the gateway should expose this SP. Always specify an absolute path. (This value should thus always start with a forward slash.) |
Target API location | The URL of the OAuth resource you want to reach. Generally, it's best to trim the trailing slash. |
Identifier | This is the value that will need to be used to initiate the linking procedure. It needs to be passed as the token_server request parameter. |
Access Token default TTL | If the OAuth server doesn't specify a TTL for the tokens, you can specify how long TrustBuilder should keep these stored. |
Refresh Token default TTL | If the OAuth server doesn't specify a TTL for the tokens, you can specify how long TrustBuilder should keep these stored. |
Existing OAuth IDP vs define OAuth authorization server | Should the authentication server for this resource already be configured as an existing IDP, then you can select it here. Otherwise, you can specify it for this SP specifically. |
Related API calls
Query for already stored tokens
GET /idhub/protected/api/self/users/{principal_UUID}/tokenservers
sample output:
{
"tokenServers": [
{
"tokenServer": "Teamleader",
"tokenAvailable": true
},
{
"tokenServer": "Salesforce",
"tokenAvailable": false
}
]
}