OAuth2 Integration#

Understanding Argus OAuth2 Clients#

Using Argus as an OAuth2 Identity Provider, an external application may be defined as an OAuth2 client.

This allows:

  • a user to authorize the external client to access Argus on the user's behalf.

  • the external client to authenticate a user who is logged in with Argus credentials.

The most common use case is a user accessing an external client who is redirected to the Argus portal for authorization. If the user is successfully authorized, Argus redirects them back to the external client, allowing the external client to acquire an Argus session on behalf of the user.

There are multiple flows which may be used, depending on the type of integration:

  • Authorization Code Flow - Securely pass a session to another web application

  • Implicit Flow - Provide the user application with a direct access or ID token

  • Client Credentials Flow - Allow an application to authenticate as itself, rather than on behalf of a user.

Note

The OAuth2 Implicit Flow is not recommended, as its security properties are weak. If your client supports the Authorization Code Flow, use that instead.

Argus OAuth2 Access Control#

An Argus OAuth2 Client is bound to a required role (requiredFunction), which the user must have been granted in order to be authorized to use the client.

The Client may optionally be bound to a specific customer, in which case the user must be granted the required role for that particular customer, before being granted access.

When listing OAuth2 clients from Argus, a user is only presented with the clients they are authorized to access.

Argus OAuth2 Permission Scope#

When an OAuth2 client is authorized to access Argus, it is provided with a new session bound to the authorizing user. This session is always constrained by the credentials of that user, and API invocations using the session impersonate the user.

In addition, the client is defined with a Permission Scope, which is an outer constraint on the credentials the client's session may be granted. The Permission Scope is set when configuring the OAuth2 client in Argus (permissionScope).

The client session is thus constrained to the intersection of the Permission Scope and the permissions of the authorizing user.

If the client is bound to a specific customer, the permission scope of the OAuth2 client session is also constrained to that customer.

Argus OAuth2 Max Security Level#

By default, Argus constrains OAuth2 client sessions to functions with the lowest security level (“external”). When Argus is invoked from an OAuth2 client, all functions requiring a higher security level are rejected.

This means that a request may be rejected with a reference to a function even though the user has access to that function and it lies within the client's permissionScope: the function's security level may exceed the client's maxSecurityLevel.

Argus OAuth2 Client IP Restriction#

As an additional security feature of the Argus OAuth2 IdP, an OAuth2 Client is administratively configured with a client IP range from which Argus expects the client to originate.

This allows constraining which IP addresses clients are allowed to originate from.
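As an added example (not Argus code), the following Python models the session constraints described in the sections above: the requiredFunction and optional customer binding, permissionScope intersected with the user's grants, maxSecurityLevel, and the client IP range. The data structures, field names, level names above “external” and all sample values are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Security levels in ascending order. "external" is the lowest (from the page);
# the two higher names are constructed for this example.
SECURITY_LEVELS = ["external", "internal", "privileged"]

@dataclass
class OAuth2Client:
    client_id: str
    required_function: str          # requiredFunction: role needed to authorize the client
    permission_scope: Set[str]      # permissionScope: outer bound on the session
    max_security_level: str = "external"  # page default
    customer: Optional[str] = None  # optional customer binding
    allowed_networks: List[str] = field(default_factory=list)  # client IP range(s)

@dataclass
class User:
    grants: Dict[str, Set[str]]     # customer -> functions granted for that customer

def can_authorize(client: OAuth2Client, user: User, customer: str) -> bool:
    """requiredFunction must be granted, for the bound customer when the client has one."""
    if client.customer is not None and customer != client.customer:
        return False
    return client.required_function in user.grants.get(customer, set())

def session_permissions(client: OAuth2Client, user: User) -> Dict[str, Set[str]]:
    """permissionScope intersected with user grants per customer, limited to the bound customer."""
    customers = [client.customer] if client.customer else list(user.grants)
    return {c: client.permission_scope & user.grants.get(c, set()) for c in customers}

def evaluate_call(client: OAuth2Client, user: User, function: str, customer: str,
                  source_ip: str, function_levels: Dict[str, str]) -> str:
    """Return 'ok' or the reason an API invocation through the session is rejected."""
    if not any(ip_address(source_ip) in ip_network(n) for n in client.allowed_networks):
        return "rejected: source IP outside the client IP range"
    if function not in session_permissions(client, user).get(customer, set()):
        return "rejected: outside permissionScope, user grants or bound customer"
    level = function_levels.get(function, "external")  # unknown functions assumed lowest
    if SECURITY_LEVELS.index(level) > SECURITY_LEVELS.index(client.max_security_level):
        return f"rejected: security level {level} exceeds maxSecurityLevel {client.max_security_level}"
    return "ok"

# Constructed sample data (not real Argus configuration)
CLIENT = OAuth2Client("soc-dashboard", "viewCases", {"viewCases", "updateCase", "manageUsers"},
                      customer="acme", allowed_networks=["203.0.113.0/24"])
USER = User({"acme": {"viewCases", "updateCase", "deleteCase"}, "globex": {"viewCases", "manageUsers"}})
LEVELS = {"viewCases": "external", "updateCase": "internal", "manageUsers": "external"}
```

With this data, `evaluate_call(CLIENT, USER, "updateCase", "acme", "203.0.113.10", LEVELS)` is rejected on security level alone, the situation the Max Security Level section describes: the user holds the function and it is inside permissionScope, but its level exceeds the client's default maxSecurityLevel.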