[FEATURE-13476] IdP Access Token

Is there a way to get access to the access token provided by IdP after login? We have resource API that we would like to use in our project and the API requires a client to send the access token in the Authorization header.

I am assuming that you are using an OpenID Connect IdP (based on the “access token” jargon)?

There is not currently a way to get the access token from the IdP token API response. Ignition uses OpenID Connect 1.0 as a mechanism to authenticate the user and fetch Identity information about them. Though it is built on top of OAuth 2.0, Ignition is not using the protocol for delegated access control reasons at this time.

Could you explain more about how you would use the access token if it was exposed to you? What do you expect to happen when the access token expires?

Yes, I’m using the OpenID Connect IdP.

One of the cases would be to retrieve additional user information from the /userinfo API. I know that I can add the same information to the IdP response data with the proper scopes and map them to user attributes. In our case we have extended our IdP to use the access token in other protected resources, e.g. an /api endpoint. The idea would be to use an HTTP binding to make API calls to those protected resources with the access token.

I haven’t thought of the method for that yet, but one would be to prompt the user for authorization again. Refresh token usage is one that we are using in other applications where those tokens are available.

Hi @joonas.vainionpaa -

I have created a feature ticket on the backlog to create the capability of accessing the IdP token API response in a Perspective session. We will update this thread when we complete the feature implementation.

@jspecht We have recently started using Ignition (7.9.10) as a real-time provider in the cloud. Source data access is controlled via token. I am looking to leverage this to control access to Ignition resources. How can I do that?

Hi @isaias.berhe -

I’m not really sure how to help based on the information you provided. Do you want to protect access to Ignition’s resources in this case? Or do you want Ignition to gain access to some other protected resources? Which protocol governs the token in this case?

@jspecht I would like to protect access to Ignition resources (gateway resources, project resources such as windows or tags). Here is what I am envisioning implementing:

  1. Ignition requests an access token from a token service API by passing the user’s SLID used to log in to his/her computer
  2. token service API responds by providing the requested token that has information such as role name, token expiration time, etc
  3. Ignition then decodes the token and provides appropriate access based on predefined access policies that correspond to the roles

I hope this clarifies your question. I am not an access/security expert but will be more than happy to take to our IT department any question that you may have that I may not be able to answer.
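The three-step flow described above (obtain a token for the user, decode it, map its roles to predefined access policies) together with the earlier idea of forwarding the same token in the Authorization header of an API call, as an added example. This is not code from the thread and not Ignition's own implementation; it is Python 3 using only the standard library, whereas Ignition gateway scripts run under Jython 2.7, so it would need adapting there. It assumes a hypothetical token service that issues HS256-signed JWTs carrying `sub`, `roles` and `exp` claims; the shared secret, the role names and the `ROLE_POLICIES` table are constructed for the demo. The practical point it adds to step 3 is that "decode" must mean verifying the signature and expiry before any claim is trusted, since a base64-decoded but unverified token can be forged by anyone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared with the hypothetical token service. A real
# deployment verifies against the service's published key, not a hard-coded value.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Hypothetical "predefined access policies" keyed by the role names the token carries.
ROLE_POLICIES = {
    "operator": {"tags": "read", "windows": ["Overview"]},
    "engineer": {"tags": "read-write", "windows": ["Overview", "Config"]},
}
TAG_LEVELS = {"none": 0, "read": 1, "read-write": 2}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims, secret=DEMO_SECRET):
    """Stand-in for steps 1 and 2: the token service issues an HS256 JWS for the user."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(signature)


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Step 3, done safely: check signature and expiry before trusting any claim.
    Returns the claims dict, or raises ValueError for a malformed, forged or expired token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we expect instead of trusting whatever the token says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp claim")
    return claims


def access_policy(claims):
    """Map the verified roles onto the most permissive combination of the predefined policies."""
    policy = {"tags": "none", "windows": []}
    for role in claims.get("roles", []):
        role_policy = ROLE_POLICIES.get(role)
        if role_policy is None:
            continue  # unknown roles grant nothing
        if TAG_LEVELS[role_policy["tags"]] > TAG_LEVELS[policy["tags"]]:
            policy["tags"] = role_policy["tags"]
        for window in role_policy["windows"]:
            if window not in policy["windows"]:
                policy["windows"].append(window)
    return policy


def bearer_header(token):
    """Header to attach when the same token is forwarded to a protected /api endpoint."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    token = mint_token({"sub": "slid-12345", "roles": ["operator"], "exp": int(time.time()) + 300})
    claims = verify_token(token)
    print(claims["sub"], access_policy(claims))
    print(bearer_header(token)["Authorization"][:40] + "...")
```

Two design choices worth noting: the verifier pins `alg` to HS256 rather than reading it from the token, and it rejects tokens with no `exp` claim at all, so a token that never expires cannot slip through. When the token expires, the caller gets a `ValueError` and has to obtain a fresh one (re-prompting the user or using a refresh token, as discussed earlier in the thread) rather than silently keeping the old access.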

Hi @isaias.berhe -

This sounds like a good fit for Identity Providers / Security Levels introduced in Ignition 8. You could use an OpenID Connect Provider (OP) to authenticate users. The OP issues id tokens which can be used to drive access control decisions using security level rules. This concept is only usable in Perspective right now but we plan on rolling it out to the Gateway Web Interface, Designer, and Vision clients in the future.

Circling back to this thread. We have finally delivered the ability to call the user info endpoint and to use the access token: see Added Support for OIDC User Info and Token Endpoint Response