Understanding Argus OAuth2 Clients#
Using Argus as an OAuth2 Identity Provider, an external application may be defined as an OAuth2 client.
allowing a user to authorize the external client to access Argus on behalf of the user.
allow the external client to authenticate the user which is logged in using Argus credentials
The most common use case allows users accessing an external client, to be redirected to the Argus portal for authorization. If successfully authorized, Argus will redirect the user back to the external client, providing the external client to acquire an Argus session on behalf of the user.
There are multiple flows which may be used, depending on the type of integration:
Authorization Code Flow - Securely pass a session to another web application
Implicit Flow - Provide the user application with a direct access or ID token
Client Credentials Flow - Allow an application to authenticate as itself, rather than on behalf of a user.
Argus OAuth2 Access Control#
An Argus OAuth2 Client is bound to a required role, which the user must have granted in order to be authorized to use the client.
The Client may optionally be bound to a specific customer, in which case the user must be granted the required role for that particular customer, before being granted access.
Listing OAuth2 Clients from Argus, a user will only be presented the clients which he/she is authorized to access.
Argus OAuth2 Permission Scope#
An OAuth2 client being authorized to access Argus, is provided with a new session, bound to the authorizing user. This session is always constrained by the credentials of that user, and API invocations using this session will impersonate the user.
In addition, the client is defined with aPermission Scope, which is an outer constraint on the credentials which the clients session may be granted. The Permission Scope is set when configuring the OAuth2 client in Argus.
The client session is thus constrained to the intersection of the Permission Scope, and the permissions of the authorizing user.
Argus OAuth2 Client IP Restriction#
An additional security feature of the Argus OAuth2 IdP, the OAuth2 Client is administratively specified with a client IP range, from which Argus expects the client to originate from.
This security feature allows defining constraints well-known clients, which are expected to originate from a known infrastructure, so they cannot originate from other IPs.