46 lines
2.2 KiB
Markdown
46 lines
2.2 KiB
Markdown
|
---
|
||
|
title: OAuth2 Provider
|
||
|
---
|
||
|
|
||
|
This provider supports both generic OAuth2 as well as OpenID Connect
|
||
|
|
||
|
Scopes can be configured using Scope Mappings, a type of [Property Mappings](../../property-mappings/#scope-mapping).
|
||
|
|
||
|
| Endpoint | URL |
|
||
|
| -------------------- | -------------------------------------------------------------------- |
|
||
|
| Authorization | `/application/o/authorize/` |
|
||
|
| Token | `/application/o/token/` |
|
||
|
| User Info | `/application/o/userinfo/` |
|
||
|
| End Session | `/application/o/end-session/` |
|
||
|
| JWKS | `/application/o/<application slug>/jwks/` |
|
||
|
| OpenID Configuration | `/application/o/<application slug>/.well-known/openid-configuration` |
|
||
|
|
||
|
## GitHub Compatibility
|
||
|
|
||
|
This provider also exposes a GitHub-compatible endpoint. This endpoint can be used by applications, which support authenticating against GitHub Enterprise, but not generic OpenID Connect.
|
||
|
|
||
|
To use any of the GitHub Compatibility scopes, you have to use the GitHub Compatibility Endpoints.
|
||
|
|
||
|
| Endpoint | URL |
|
||
|
| --------------- | --------------------------- |
|
||
|
| Authorization | `/login/oauth/authorize` |
|
||
|
| Token | `/login/oauth/access_token` |
|
||
|
| User Info | `/user` |
|
||
|
| User Teams Info | `/user/teams` |
|
||
|
|
||
|
To access the user's email address, a scope of `user:email` is required. To access their groups, `read:org` is required. Because these scopes are handled by a different endpoint, they are not customisable as a Scope Mapping.
|
||
|
|
||
|
## Grant types
|
||
|
|
||
|
### `authorization_code`:
|
||
|
|
||
|
This grant is used to convert an authorization code to a refresh token. The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
|
||
|
|
||
|
### `refresh_token`:
|
||
|
|
||
|
Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.
|
||
|
|
||
|
### `client_credentials`:
|
||
|
|
||
|
See [Machine-to-machine authentication](./client_credentials)
|