Toolbox Enterprise Preview.9 Help

Authorization and authentication

Use one of the following examples to configure the OAuth2 provider details in your application.yaml. Replace the client-id and client-secret placeholders with the values your provider issued to you; the client secret is a confidential credential, so keep it out of version control and other shared locations. The root-admin-emails list (root-admin-subjects for JetBrains Space, which matches on the token's sub claim instead of email) names the accounts that get root administrator rights, so keep it short.

Google:

    tbe:
      auth:
        login-url: "https://accounts.google.com/o/oauth2/auth"
        token-url: "https://oauth2.googleapis.com/token"
        jwt-certs-url: "https://www.googleapis.com/oauth2/v3/certs"
        client-id: "your_identifier"
        client-secret: "your_password"
        root-admin-emails:
          - "toolbox.admin@example.com"

JetBrains Space:

    tbe:
      auth:
        vendor: jetbrains-space
        login-url: "https://jetbrains.team/oauth/auth"
        token-url: "https://jetbrains.team/oauth/token"
        jwt-certs-url: "https://jetbrains.team/oauth/jwks.json"
        client-id: "your_identifier"
        client-secret: "your_password"
        required-scopes: [ "Profile:ViewProfile" ]
        # uses the 'sub' field from the JWT instead of 'email'
        root-admin-subjects:
          - "2XGOQQ2Yz5KS"

Microsoft Entra ID (Azure AD):

    tbe:
      auth:
        login-url: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"
        token-url: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
        jwt-certs-url: "https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys"
        client-id: "your_identifier"
        client-secret: "your_password"
        required-scopes: [ "profile", "email", "openid" ]
        root-admin-emails:
          - "toolbox.admin@example.com"

OneLogin:

    tbe:
      auth:
        login-url: "https://<subdomain>.onelogin.com/oidc/2/auth"
        token-url: "https://<subdomain>.onelogin.com/oidc/2/token"
        jwt-certs-url: "https://<subdomain>.onelogin.com/oidc/2/certs"
        client-id: "your_identifier"
        client-secret: "your_password"
        required-scopes: [ "profile", "email", "openid" ]
        login-url-prompt-param: "login"
        root-admin-emails:
          - "toolbox.admin@example.com"

Okta:

    tbe:
      auth:
        login-url: "https://<yourOktaDomain>.okta.com/oauth2/v1/authorize"
        token-url: "https://<yourOktaDomain>.okta.com/oauth2/v1/token"
        jwt-certs-url: "https://<yourOktaDomain>.okta.com/oauth2/v1/keys"
        client-id: "your_identifier"
        client-secret: "your_password"
        required-scopes: [ "profile", "email", "openid", "offline_access" ]
        root-admin-emails:
          - "your.company.admin@example.com"

Amazon Cognito:

    tbe:
      auth:
        login-url: "https://<cognito domain>/oauth2/authorize"
        token-url: "https://<cognito domain>/oauth2/token"
        jwt-certs-url: "https://cognito-idp.<Region>.amazonaws.com/<userPoolId>/.well-known/jwks.json"
        client-id: "your_identifier"
        client-secret: "your_password"
        required-scopes: [ "email", "openid", "profile" ]
        root-admin-emails:
          - "your.company.admin@example.com"

Authorization via a custom layer

Toolbox Enterprise lets you handle authorization outside the Toolbox Enterprise Server through a custom layer, for example, a solution your company already runs inside its network to authenticate and authorize requests. You can configure all Toolbox Enterprise components to communicate with this custom layer. In this scenario, users don't need to log in to the Web UI, the Toolbox App, or IDEs explicitly: the custom layer handles authentication and authorization for them.

Custom layer authorization

For the no-login setup, you need to configure each Toolbox Enterprise component separately. The Web UI will detect the login details automatically once the Toolbox Enterprise Server is configured.

Toolbox Enterprise Server

For seamless authentication, the Toolbox Enterprise Server needs the JSON Web Key Set (JWKS) of the authorization server that issues the tokens. The server verifies the signature of every JSON Web Token (JWT) it receives against these public keys, so a token signed with a key that is not in the set is rejected.

You still need to specify the details of your OAuth2 provider in the application.yaml file for the Toolbox Enterprise Server to function. In this scenario the server uses them only as a stub: authorization requests are handled by the custom layer.
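What that verification involves, as an added stand-alone example (Python, written for this page, not Toolbox Enterprise code): the script generates a throwaway RSA key, publishes its public half in JWKS form, mints an RS256 token the way an authorization server would, and then verifies tokens the way a resource server must: select the key by kid, accept only the expected alg, check the signature before trusting any claim, then check iss, aud and exp. The issuer, client id, key id and claims are constructed values. The demo also shows the rejections a custom layer has to produce: a tampered payload, an alg=none token, and an expired token.

```python
# Added example, not Toolbox Enterprise code: RS256 JWT verification against a JWKS document, standard
# library only. Key, JWKS, issuer, audience and claims are constructed below; a real server fetches the
# JWKS from its configured jwt-certs-url. Textbook RSA is used so the file has no dependencies.
import base64, functools, hashlib, hmac, json, random, time

_RNG = random.SystemRandom()  # CSPRNG; plain random.getrandbits() is not safe for key material
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, section 9.2

def b64url_encode(raw: bytes) -> str: return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97):
        if n % p == 0:  # cheap trial division before Miller-Rabin
            return n == p
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 2048, e: int = 65537) -> dict:
    def prime() -> int:  # random odd candidate with the top bit set, coprime to e
        while True:
            c = _RNG.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (c - 1) % e and _is_probable_prime(c):
                return c
    p, q = prime(), prime()
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def jwks_for(key: dict, kid: str) -> dict:  # public half, shaped like the document a jwt-certs-url serves
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()  # EMSA-PKCS1-v1_5, RFC 8017 section 9.2
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(claims: dict, key: dict, kid: str) -> str:
    """Authorization-server side: mint an RS256 token (here only to produce test input)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side. Any failure raises ValueError; the payload is decoded only after
    the signature is verified, so nothing an attacker controls steers key selection."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError on anything but three segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # allow-list: rejects 'none' and HS256 key confusion
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key in JWKS matches kid")
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(b64url_decode(s_b64), "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)):
        raise ValueError("signature mismatch")  # whole-encoding compare: no lenient padding parser
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims

@functools.lru_cache(maxsize=None)
def demo() -> dict:
    """Constructed scenario: one key, its JWKS, one valid token and three that must be rejected."""
    issuer, client_id, kid, now = "https://idp.example.com", "toolbox-enterprise", "demo-key-1", 1_700_000_000
    key = generate_rsa_key()
    jwks = jwks_for(key, kid)
    claims = {"iss": issuer, "aud": client_id, "sub": "user-123", "email": "toolbox.admin@example.com", "exp": now + 600}
    token = sign_jwt(claims, key, kid)
    def reason(tok: str, at: int) -> str:  # the outcome a server would log for this token
        try:
            return "accepted: " + verify_jwt(tok, jwks, issuer, client_id, now=at)["email"]
        except ValueError as exc:
            return str(exc)
    h, p, s = token.split(".")
    forged = b64url_encode(json.dumps({**claims, "email": "attacker@example.com"}).encode())
    none_hdr = b64url_encode(json.dumps({"alg": "none", "kid": kid}).encode())
    return {"valid": reason(token, now + 1), "tampered_payload": reason(f"{h}.{forged}.{s}", now + 1),
            "alg_none": reason(f"{none_hdr}.{p}.", now + 1), "expired": reason(token, now + 601)}
```

Run demo() to see the four outcomes. In a deployment you would use a maintained JOSE library and fetch the JWKS over TLS from jwt-certs-url, caching it and refetching when a token carries an unknown kid; the hand-rolled RSA here exists only to keep the example dependency-free. The order of checks is the part worth copying: alg allow-list, key lookup by kid, signature, and only then the claims.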

The Toolbox App and IDEs

To support this authorization mode in the Toolbox App and IDEs, either patch the original machine-config.json or replace the file with a new one automatically (see Set up Toolbox Enterprise on developer machines). In machine-config.json, specify the following parameter:

"overriddenAuthorization" : "Authorization token value"

The Toolbox App sends the provided value as its authorization credential and never asks for an explicit login. Treat machine-config.json as sensitive once it contains this value: whoever can read the file obtains the same access.
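One way to apply that patch to an existing machine-config.json, as an added Python example that is not part of Toolbox Enterprise: it merges the key into whatever the file already contains instead of overwriting the file, writes the result atomically, and relies on the temporary file's owner-only permissions so the credential is never world-readable. The existingSetting key in the demo is a constructed placeholder, not a documented option.

```python
# Added example, not part of Toolbox Enterprise: set "overriddenAuthorization" in an existing
# machine-config.json without discarding its other keys, writing the file atomically and with
# owner-only permissions because the value is a bearer credential. Any key other than
# overriddenAuthorization used here is a constructed placeholder, not a documented setting.
import json, os, tempfile

def patch_machine_config(path: str, token: str) -> dict:
    """Merge the key into whatever the file holds (or start from {}), then swap the file in atomically."""
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    if not isinstance(config, dict):
        raise ValueError(f"{path}: expected a JSON object at the top level")
    config["overriddenAuthorization"] = token
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".machine-config.")  # created 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)  # atomic on POSIX: readers see either the old file or the complete new one
    except BaseException:
        os.unlink(tmp)
        raise
    return config

def demo() -> dict:
    """Constructed run in a temporary directory: a config with one unrelated key gets patched."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "machine-config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"existingSetting": True}, fh)
        patched = patch_machine_config(path, "Authorization token value")
        with open(path, encoding="utf-8") as fh:
            reread = json.load(fh)
        mode = os.stat(path).st_mode & 0o777
    return {"patched": patched, "reread": reread, "mode": mode}
```

Because os.replace swaps the temporary file into place, the mode set by mkstemp (0600) becomes the mode of machine-config.json; if your deployment tooling later copies the file, re-check the permissions at the destination.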

Last modified: 16 April 2024