Using an External Authorization Server
When Integration Server is the resource server, you must specify an authorization server. As an alternative to using an Integration Server as the authorization server, you can use a third-party server as the authorization server. This allows Integration Server to use OAuth bearer tokens created by a third-party OAuth 2.0 authorization server where the third-party vendor supports RFC 7662, OAuth 2.0 Token Introspection.
To use an external authorization server, you must:
1. Configure your third-party authorization server. This includes, but is not limited to, the following:
   - Create a client account that Integration Server will use to call the authorization server's introspection endpoint. Make a note of the client_id and client_secret values. You will provide this information as part of defining the external authorization server alias for the Integration Server resource server.
   - Make a note of the URL for the introspection endpoint. You will provide this information as part of defining the external authorization server alias in the Integration Server resource server.
   - Create one or more OAuth scopes. These must match the names of the OAuth scopes you create in the Integration Server resource server.
   For more information on creating and configuring an OAuth 2.0 authorization server, consult the documentation provided by the vendor.
2. Select the external authorization server alias as the Authorization Server value on the Security > OAuth > Edit Global Settings page.
Currently, Integration Server can be used with an external authorization server that supports RFC 7662, OAuth 2.0 Token Introspection, including:
Okta
Ping Identity
Note:
When an access token from an external authorization server is rejected, information about the rejection is written to the server log. Set the OAuth logging facility (0010) to Debug to see these messages in the server log.
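As an added illustration (not Integration Server code; the endpoint, client credentials and introspection responses are constructed placeholders), the following Python shows the RFC 7662 call a resource server makes with the alias's client_id and client_secret, and the checks that decide whether a bearer token is accepted or rejected and why, which is the kind of reason the note above says is written to the server log.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed example values (not from any real deployment): what the
# external authorization server alias would hold for RFC 7662 introspection.
INTROSPECTION_URL = "https://authz.example.com/oauth2/v1/introspect"
CLIENT_ID = "is-resource-server"         # placeholder client_id
CLIENT_SECRET = "example-client-secret"  # placeholder client_secret


def build_introspection_request(token):
    """Build the RFC 7662 request the resource server sends for a bearer
    token: POST, form-encoded body, client credentials as HTTP Basic auth."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return INTROSPECTION_URL, headers, body


def authorize(response_json, required_scopes, now=None):
    """Decide whether the introspection response grants the required scopes.
    Returns (allowed, reason); the reason is what a resource server would log
    when it rejects the token."""
    now = int(time.time()) if now is None else now
    try:
        info = json.loads(response_json)
    except ValueError:
        return False, "introspection response is not valid JSON"
    if not isinstance(info, dict):
        return False, "introspection response is not a JSON object"
    # RFC 7662: 'active' is the only required field, and a false value means
    # no other claim in the response may be relied on.
    if info.get("active") is not True:
        return False, "token is not active"
    exp = info.get("exp")
    if exp is not None and now >= int(exp):
        return False, "token has expired"
    # 'scope' is a space-separated list; every required scope must be present.
    granted = set(str(info.get("scope", "")).split())
    missing = required_scopes - granted
    if missing:
        return False, f"token lacks required scope(s): {sorted(missing)}"
    return True, "token accepted"
```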