Auth Integrations
Your third-party services are most likely protected by an auth provider. Auth providers can be external services, such as an OAuth or OpenID Connect service, or they can be internal to your system, such as the basic auth services provided by Java EE.
To enable app integrations protected by an auth provider you can register an auth integration with that provider on Istari Digital. Your auth integration data is always stored securely in your storage bucket on your local network. When agents require auth credentials to run a function we facilitate the encryption and transfer of your credentials, but our server never sees them.
RSA Encryption Keys
When executing jobs that require credentials, agents retrieve those credentials from your secure storage bucket. All credentials are encrypted using FIPS 186-5 approved algorithms while waiting to be retrieved by the agent. Any agent that handles credentials must have access to a private RSA key to decrypt the credentials. See the section on encryption keys for more information.
Supported Auth Integrations
Istari Digital supports the following types of auth providers.
- Google Accounts
- Microsoft Entra
- Dassault Teamwork Cloud Basic Login
- Dassault 3D Experience 3D Passport Delegated CAS
- PTC Windchill Basic Login
- Ping ID
If your auth provider is not on the list, or you have questions about identifying auth providers, please contact us.
Adding Auth Integrations
To add an auth integration from the Istari Digital website see the section on integrating third party apps.
To add an auth integration with Istari Digital via the SDK, follow the steps for creating auth integrations found in the SDK - App Integration section.
Registration Information
To delegate authorization to an agent most auth providers require credentials or other private information referred to as Registration Information. The format for registration information depends on the auth protocol used. The following protocols are supported:
- OAuth 2.0
- Basic Login
- Token
Details on the schemas for registration information can be found below.
OAuth 2.0 Registration
Title: OAuth 2.0 Registration
Type | object |
Required | No |
Additional properties | Not allowed |
Description: A registration secret for OAuth 2.0 authorization. The secret must be registered in order for functions to utilize OAuth2 authorization.
Property | Pattern | Type | Deprecated | Definition | Title/Description |
---|---|---|---|---|---|
+ authorizationIssuer | No | string | No | - | Authorization Issuer |
+ clientId | No | string | No | - | Client ID |
+ scope | No | string | No | - | Scope |
- pkceEnabled | No | boolean | No | - | PKCE |
Example: OAuth 2.0
```json
{
  "clientId": "client-id-1234567890",
  "authorizationIssuer": "https://accounts.google.com",
  "scope": "https://www.googleapis.com/auth/documents.readonly",
  "pkceEnabled": true
}
```
1. Property OAuth 2.0 Registration > authorizationIssuer
Title: Authorization Issuer
Type | string |
Required | Yes |
Format | uri |
Description: The URL of the authorization server that generates and signs access tokens.
Restrictions | |
---|---|
Min length | 1 |
2. Property OAuth 2.0 Registration > clientId
Title: Client ID
Type | string |
Required | Yes |
Description: Identifies the set of functions requesting access to resources protected by the auth server.
3. Property OAuth 2.0 Registration > scope
Title: Scope
Type | string |
Required | Yes |
Description: A space-separated list of permissions requested by the set of functions.
Example:
"read write profile email offline_access"
4. Property OAuth 2.0 Registration > pkceEnabled
Title: PKCE
Type | boolean |
Required | No |
Default | false |
Description: Whether or not the authorization server supports PKCE. Only PKCE with S256 code challenges is supported.
Examples:
true
false
Basic Registration
Title: Basic Registration
Type | object |
Required | No |
Additional properties | Not allowed |
Description: A registration secret for Basic auth. This registration is only required if functions do not have the authenticating URL.
Property | Pattern | Type | Deprecated | Definition | Title/Description |
---|---|---|---|---|---|
+ authUrl | No | string | No | - | Auth URL |
Example: Basic Login
```json
{
  "authUrl": "https://acme.app/auth"
}
```
1. Property Basic Registration > authUrl
Title: Auth URL
Type | string |
Required | Yes |
Format | uri |
Description: The URL used for authenticating the username and password.
Restrictions | |
---|---|
Min length | 1 |
Token Registration
Title: Token Registration
Type | object |
Required | No |
Additional properties | Not allowed |
Description: A registration secret for token-based auth. This registration is only required if functions do not have the authenticating URL.
Property | Pattern | Type | Deprecated | Definition | Title/Description |
---|---|---|---|---|---|
+ authUrl | No | string | No | - | Auth URL |
Example: Token
```json
{
  "authUrl": "https://acme.app/auth"
}
```
1. Property Token Registration > authUrl
Title: Auth URL
Type | string |
Required | Yes |
Format | uri |
Description: The URL used for authenticating the token.
Restrictions | |
---|---|
Min length | 1 |
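As an added example (not Istari Digital's own code), the following Python checks a registration object against the OAuth 2.0, Basic and Token schemas above and derives the S256 code challenge that the PKCE option calls for. The https-only check on URI fields and the function names are assumptions; the page itself only specifies format "uri".

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse

# Field rules transcribed from the registration schemas on this page.
# "+" fields in the page's tables are required, "-" fields are optional;
# additional properties are not allowed for any of the three objects.
SCHEMAS = {
    "oauth2": {"required": {"authorizationIssuer": str, "clientId": str, "scope": str},
               "optional": {"pkceEnabled": bool},
               "uri_fields": {"authorizationIssuer"}},
    "basic": {"required": {"authUrl": str}, "optional": {}, "uri_fields": {"authUrl"}},
    "token": {"required": {"authUrl": str}, "optional": {}, "uri_fields": {"authUrl"}},
}


def validate_registration(kind: str, reg: dict) -> list:
    """Return the list of schema violations in reg; an empty list means it is valid."""
    schema = SCHEMAS[kind]
    problems = []
    allowed = set(schema["required"]) | set(schema["optional"])
    for extra in sorted(set(reg) - allowed):
        problems.append(f"additional property not allowed: {extra}")
    for name, typ in schema["required"].items():
        if name not in reg:
            problems.append(f"missing required property: {name}")
        elif not isinstance(reg[name], typ) or (typ is str and len(reg[name]) < 1):
            problems.append(f"{name} must be a non-empty {typ.__name__}")
    for name, typ in schema["optional"].items():
        if name in reg and not isinstance(reg[name], typ):
            problems.append(f"{name} must be a {typ.__name__}")
    # Assumption added here: the page only says format "uri"; requiring an
    # absolute https URL keeps credentials off plaintext transports.
    for name in schema["uri_fields"]:
        value = reg.get(name)
        if isinstance(value, str) and value:
            parts = urlparse(value)
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{name} must be an absolute https URL")
    return problems


def new_code_verifier() -> str:
    """Random PKCE code_verifier: 32 bytes -> 43 base64url chars (RFC 7636 allows 43..128)."""
    return secrets.token_urlsafe(32)


def s256_code_challenge(code_verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
```

The code challenge, not the verifier, is what leaves the agent in the authorization request; the verifier is only presented at token exchange.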