OAuth 2.0 Support with SafeNet Access Exchange
OAuth authorization flows enable users to authorize access to protected resources.
During an OAuth flow, once a user logs into the system, an access token is issued, eliminating the need to repeatedly verify the user's credentials for subsequent requests. This token serves as a key, granting users access to specific resources without requiring them to re-enter their credentials.
OAuth 2.0 clients, such as front-end applications, can obtain access tokens from the server through the token endpoint and use these tokens to access resources protected by a resource server, such as back-end services. Similarly, SafeNet Access Exchange’s Authorization Services extend OAuth 2.0 functionality by issuing access tokens based on the evaluation of all policies associated with the resources or scopes being requested.
There is no explicit option to configure OAuth flows in SafeNet Access Exchange, but it can issue access tokens if a client application sends a request requiring only an access token.
To demonstrate this functionality, the Postman client is used to generate access tokens from SafeNet Access Exchange. Postman creates a request based on OAuth 2.0, requesting a token from SafeNet Access Exchange. In response, SafeNet Access Exchange returns an access token and a refresh token, which can be used for subsequent requests to other endpoints.
Configuring OAuth Authorization Flow
As prerequisites:
- Configure and deploy the following components in your working environment:
- Obtain the authorization_endpoint URL and token_endpoint URL by performing the following steps:
  - On the SafeNet Access Exchange console, in the left pane, under Configure, click Realm settings.
  - In the right pane, on the General tab, under the Endpoints field, click the OpenID Endpoint Configuration link.
  - You will be redirected to another page, which contains the required URLs. Copy the URLs and paste them into a text editor.
- Ensure that SAS User federation is enabled in SafeNet Access Exchange.
Configuring Postman as a Client in SafeNet Access Exchange
- Log into SafeNet Access Exchange as an administrator.
- On the administrator console, select your realm (for example, oauthtwo).
- In the left pane, under Manage, click Clients, and in the right pane, click Create client.
- Under Create client, perform the following steps:
  - On the General Settings tab, perform the following steps:
    - In the Client type field, select OpenID Connect.
    - In the Client ID field, enter a client ID (for example, postman-test-client). This ID is an alphanumeric string that identifies the client in requests.
    - (Optional) In the Name field, enter a name of your choice (for example, Postman Client for Oauth).
    - Click Next.
  - On the Capability config tab, perform the following steps:
    - Turn on the Client authentication toggle.
    - Click Next.
  - On the Login settings tab, perform the following steps:
    - In the Valid Redirect URIs field, enter Postman's callback URL, https://oauth.pstmn.io/v1/callback.
    - Click Save to complete the client configuration.
- After saving the configuration, postman-test-client will open. Go to the Credentials tab, copy the value of Client Secret, and paste it into a text editor. You will need the client secret when configuring the Postman client.
Configuring SafeNet Access Exchange in Postman Client
- Open the Postman client on your machine.
- Go to the Authorization tab of your request. Under Auth Type, select OAuth 2.0.
- In the right pane, under Configure New Token, complete the following fields:

  | Field | Value |
  | --- | --- |
  | Token Name | Enter a name for the token (optional). |
  | Grant Type | Select Authorization Code or Authorization Code with PKCE, depending on your authentication configuration. |
  | Auth URL | Enter the authorization_endpoint URL that you obtained as a prerequisite. |
  | Access Token URL | Enter the token_endpoint URL that you obtained as a prerequisite. |
  | Client ID | Enter the client ID (for example, postman-test-client) that you entered earlier while creating the client. |
  | Client Secret | Enter the client secret that you obtained earlier in step 5 of Configuring and Deploying SafeNet Access Exchange as a Client. |
  | Scope | Leave this field blank if you only need an access token. |

- Scroll down and click Get New Access Token.
- You will be redirected to the SafeNet Access Exchange login page. Log into SafeNet Access Exchange.
- After successful authentication, an access token and a refresh token are generated.
Important Considerations for OAuth Flows
- SafeNet Access Exchange does not provide an option to configure OAuth 2.0 flows via its console.
- In SafeNet Access Exchange, the openid scope is hardcoded in the OIDC flow, so SafeNet Access Exchange cannot by itself return only access and refresh tokens. However, the outcome can still be controlled from the client application: by specifying the appropriate scopes in the client request, SafeNet Access Exchange can be made to issue only access and refresh tokens.
- When using Postman for the OAuth flow and selecting email or any other attribute (except openid) as the scope (or leaving the scope blank), SafeNet Access Exchange issues only access and refresh tokens in response. If openid is selected as a scope, SafeNet Access Exchange also generates an ID token.
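As an added example that is not part of the SafeNet Access Exchange documentation, the following Python reproduces the client side of what Postman does in the procedure above: generating a PKCE pair, building the authorization request (with the scope left blank or set to openid), checking state on the callback, preparing the form body for the token endpoint, and checking which token types came back. The endpoint URLs, client secret and sample responses are assumed placeholders, not values from the page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder endpoints: use the authorization_endpoint and token_endpoint
# values copied from the realm's OpenID Endpoint Configuration page instead.
AUTH_URL = "https://sax.example.com/realms/oauthtwo/protocol/openid-connect/auth"
TOKEN_URL = "https://sax.example.com/realms/oauthtwo/protocol/openid-connect/token"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # Postman's callback URL

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy verifier and its challenge; the verifier never leaves the client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)

def build_authorize_url(client_id: str, scope: str, state: str, challenge: str) -> str:
    """Authorization request sent to the Auth URL; a blank scope is simply omitted."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    if scope:
        params["scope"] = scope
    return f"{AUTH_URL}?{urlencode(params)}"

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing responses whose state is not ours."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not issued for this request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def token_request_body(client_id: str, client_secret: str, code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_URL; Client authentication is on, so the secret is sent."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}

def issued_token_types(token_response: dict) -> list[str]:
    """Which tokens came back: id_token is present only when openid was requested."""
    return [k for k in ("access_token", "refresh_token", "id_token") if k in token_response]
```

Comparing issued_token_types on the response of a blank-scope request against one that asked for openid shows the difference described in the last consideration above.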