SaaS connectors support two OAuth2 flows:
- Authorization Code:
- Client Credentials:
This Authentication Code flow has the following configuration values:
authorization_request: The request to build the URL that is presented to the user to authenticate this connection.
token_request: The request made to retrieve the access token after the authorization code is returned via the
refresh_request(optional): The request to refresh an access token.
expires_in(optional): The lifetime of an access token (in seconds). This is used if the OAuth2 workflow in use does not provide expiration information (RFC 6749 Section 5.1).
The Client Credential flow has all these values except for
authorization_request since it is not required for this flow.
Each OAuth2 request is fully configurable to account for the different ways the parameters can be mapped to a request. The following examples demonstrate the requests generated from sample configuration files.
authentication: strategy: oauth2_authorization_code configuration: authorization_request: ... token_request: ... refresh_request: ...
authorization_request: method: GET path: /auth/authorize query_params: - name: client_id value: <client_id> - name: redirect_uri value: <redirect_uri> - name: response_type value: code - name: scope value: <scope> - name: state value: <state>
authentication_request will generate the following:
The placeholders are sourced from the values defined in the
connector_params of your SaaS config.
<state> placeholder is generated automatically with each authorization request. This authorization URL can be retrieved by calling:
token_request: method: POST path: /oauth/token query_params: - name: client_id value: <client_id> - name: client_secret value: <client_secret> - name: grant_type value: authorization_code - name: code value: <code>
<code> placeholder is defined automatically by Fides.
token_request configuration generates the following:
This request is called automatically after Fides receives a callback response to the
refresh_request: method: POST path: /oauth/token query_params: - name: client_id value: <client_id> - name: client_secret value: <client_secret> - name: grant_type value: refresh_token - name: refresh_token value: <refresh_token>
<refresh_token> placeholder is defined automatically by Fides.
refresh_request configuration generates the following:
This is called automatically when the
access_token is about to expire. The expiration is usually defined in the response to the token request. If the expiration is not returned by the API, it can be specified manually by setting the
expires_in field (which is defined in seconds):
authentication: strategy: oauth2_authorization_code configuration: expires_in: 3600 authorization_request: ... token_request: ... refresh_request: ...
To use OAuth2 as a connection strategy, the following must be configured first:
For All OAuth2 Flows
- Fides must be able to connect to the SaaS provider (Outreach, Salesforce, etc.).
- A Client ID and Client Secret must be generated within the SaaS provider’s admin console.
- This is dependent on the individual SaaS provider. Refer to the provider's documentation.
- The connector using OAuth2 is configured using the steps for how to configure a SaaS connector.
Additional Steps for Authentication Code Flow
- A callback server or network rules are required to forward the callback response from the SaaS providers to an instance of Fides. This is dependent on the user environment where Fides is deployed, and is out of scope for this documentation.
- These incoming requests must be routed to
- The Redirect URI must be registered within the SaaS provider's admin console.
- The OAuth2 workflow is initialized by following the URL returned from