Overview
This document walks you through setting up OAuth in Bridge. For information on how to configure Google OAuth, please see Configure Google OAuth with Bridge.
Requirements
1. Access to OAuth provider configuration.
2. Account Admin access in Bridge.
Configuration
1. Sign in to Bridge as an account admin.
2. Navigate to Admin > Account Management > Account Settings > Auth > OAuth2 and select Enable.
3. Enter the corresponding values in the required fields listed below, decide whether to use any of the optional fields, and Save.
Required OAuth 2.0 fields
- Client ID: The Bridge app identifier that the IdP can use to associate incoming authorization requests with the correct requestor.
- Client Secret: Used for the out-of-band token exchange with the IdP after authorization.
- Authorize URL: IdP endpoint used to initiate the authorization request.
- Token URL: IdP endpoint used to exchange an authorization code for an access token.
- Profile URL: IdP endpoint for accessing user profile information. It is typically accessed as the second of two out-of-band requests after a user has authenticated, and it can require the access token obtained during the token exchange step.
Note: If your provider can configure valid callback or redirect URLs, use https://auth.bridgeapp.com/oauth2/callback
Additional OAuth 2.0 options
- Scope: A list of space-delimited terms that define user access once authorized. Scope terms are optional and should be specified by the client IdP. For example, a scope of email profile would return user information like “name”, “nickname”, “updated_at” specific to the profile scope, and “email” and “email_verified” specific to the email scope. If nothing is entered for this field, a default scope of openid email profile will be applied. The openid scope returns user information specific to OpenID Connect claims like issuer, subject, audience, and token expiration time.
- Login Attribute: An attribute to map an IdP parameter (e.g., id or email) to the Bridge unique identifier field. Bridge defaults to id if no attribute is specified.
- Just In Time Provisioning: Provision the user if they do not already exist as a Bridge user.
- Use Access Token As Auth Header: Force Bridge to use the access token returned as the authorization header in calls to the user profile endpoint to retrieve user data. This setting is activated by default.
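How the required fields and options above fit together in a standard OAuth 2.0 authorization-code flow, as an added example that is not Bridge's or any IdP's own code. The idp.example.com endpoints and client credentials used with it are constructed, and the state parameter, the Bearer header form and the function names are assumptions for illustration.

```python
# Added illustration, not Bridge code: where each configured field is used in
# a standard OAuth 2.0 authorization-code flow. Function names are hypothetical.
import secrets
from urllib.parse import urlencode, urlsplit

CALLBACK = "https://auth.bridgeapp.com/oauth2/callback"  # callback URL from the page
DEFAULT_SCOPE = "openid email profile"                   # default scope from the page

def check_config(cfg):
    """Return a list of problems with the required fields (empty if none)."""
    problems = []
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    for key in ("authorize_url", "token_url", "profile_url"):
        parts = urlsplit(cfg.get(key) or "")
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key} must be an absolute https URL")
    return problems

def authorize_request(cfg):
    """Front-channel redirect: Client ID, scope and callback travel in the URL."""
    state = secrets.token_urlsafe(16)  # assumption: ties the callback to this request
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": CALLBACK,
        "scope": cfg.get("scope") or DEFAULT_SCOPE,
        "state": state,
    })
    return f"{cfg['authorize_url']}?{query}", state

def token_request(cfg, code):
    """Out-of-band exchange: the only step that carries the Client Secret."""
    return cfg["token_url"], {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": CALLBACK,
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"],
    }

def profile_request(cfg, access_token, token_as_header=True):
    """Second out-of-band call; Bearer form is assumed, non-header form not modelled."""
    headers = {"Authorization": f"Bearer {access_token}"} if token_as_header else {}
    return cfg["profile_url"], headers

def login_id(profile, login_attribute=None):
    """Map the IdP profile to the unique identifier; defaults to 'id'."""
    attr = login_attribute or "id"
    return str(profile[attr])  # KeyError if the IdP omits the attribute
```

The Client Secret appears only in the token exchange, never in the browser-visible authorize URL, and a Login Attribute that the Profile URL response does not return fails at the mapping step.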