OAuth2 Integration

Understanding Argus OAuth2 Clients

Using Argus as an OAuth2 Identity Provider, an external application may be defined as an OAuth2 client.

This allows

  • a user to authorize the external client to access Argus on behalf of the user.

  • the external client to authenticate a user who is logged in using Argus credentials.

A user accessing the external client will be redirected to the Argus portal for authorization. If successfully authorized, Argus will redirect the user back to the external client with an authorization code. The external client can use this authorization code to acquire an Argus session on behalf of the user.

Argus OAuth2 Access Control

  • An Argus OAuth2 Client is bound to a required role, which the user must have been granted in order to be authorized to use the client.

  • The client may optionally be bound to a specific customer, in which case the user must be granted the required role for that particular customer before being granted access.

  • When listing OAuth2 clients from Argus, a user will only be presented with the clients which he/she is authorized to access.

Argus OAuth2 Permission Scope

  • An OAuth2 client that is authorized to access Argus is provided with a new session, bound to the authorizing user. This session is always constrained by the credentials of that user, and API invocations using this session will impersonate the user.

  • In addition, the client is defined with a Permission Scope, which is an outer constraint on the credentials which the client's session may be granted.

  • The client session is thus constrained to the intersection of the Permission Scope and the permissions of the authorizing user.

Argus OAuth2 Client IP Restriction

  • As an additional security feature of the Argus OAuth2 IdP, the OAuth2 client is administratively specified with a client IP range from which Argus expects the client to originate.

  • This security feature allows defining constraints for well-known clients which are expected to originate from a known infrastructure, so that they cannot originate from other IPs.
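The three checks described above (required role, optionally per customer; client session permissions as the intersection of the Permission Scope and the user's permissions; client IP range) can be modelled in a few lines. The following is an added illustration, not Argus code: the data model, field names and sample values are assumptions constructed for the example.

```python
# Added illustration of the Argus OAuth2 access-control model.
# Not Argus code: the classes, field names and sample data are assumptions.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class OAuth2Client:
    name: str
    required_role: str                 # role the user must hold to use the client
    customer: str | None               # None = client not bound to a specific customer
    permission_scope: frozenset[str]   # outer bound on what the client session may do
    allowed_ip_range: str              # CIDR the client is expected to originate from


@dataclass
class User:
    roles: dict[str, set[str]] = field(default_factory=dict)  # roles granted per customer
    permissions: frozenset[str] = frozenset()                 # the user's own permissions


def holds_required_role(client: OAuth2Client, user: User) -> bool:
    """Customer-bound clients require the role for that customer; otherwise any grant suffices."""
    if client.customer is not None:
        return client.required_role in user.roles.get(client.customer, set())
    return any(client.required_role in roles for roles in user.roles.values())


def client_ip_allowed(client: OAuth2Client, source_ip: str) -> bool:
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(client.allowed_ip_range)


def authorize(client: OAuth2Client, user: User, source_ip: str) -> frozenset[str] | None:
    """Effective permissions of the client session, or None if the request is denied."""
    if not client_ip_allowed(client, source_ip):
        return None
    if not holds_required_role(client, user):
        return None
    # The session is the intersection of the scope and the user's own permissions.
    return client.permission_scope & user.permissions


# Constructed sample data (hypothetical client, roles, permissions and addresses).
TICKET_SYNC = OAuth2Client("ticket-sync", "ticketing.viewer", "acme",
                           frozenset({"tickets.read", "tickets.write"}), "203.0.113.0/24")
ALICE = User({"acme": {"ticketing.viewer"}}, frozenset({"tickets.read", "cases.read"}))
BOB = User({"other-customer": {"ticketing.viewer"}}, frozenset({"tickets.read"}))
```

Alice's session gets only `tickets.read`: `tickets.write` is in the scope but not granted to her, and `cases.read` is hers but outside the scope; Bob holds the role for a different customer and is denied.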