Integration via OAuth 2.0#
If your identity management system does not support OpenID Connect, the integration is possible via OAuth 2.0.
The integration based on OAuth 2.0 is very similar to the integration based on OpenID Connect. This is a natural consequence of the fact that OAuth 2.0 is the foundation of the OpenID Connect standard.
The interactions between NVIDIA and your identity management system follow the authorization code grant flow specified in section 4.1 of RFC 6749.
Token Endpoint#
The token endpoint of your identity management system must conform to the operations specified in sections 4.1.3 and 4.1.4 of RFC 6749.
Support for client authentication using the HTTP Basic authentication scheme (preferred) or by including the client credentials in the request body is required. Refer to section 2.3.1 of RFC 6749 for the corresponding definitions.
Access to the token endpoint cannot be restricted by client source IP address: the NVIDIA identity federation system runs on AWS and calls the token endpoint from dynamic IP addresses.
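As an added illustration of what the token endpoint must accept (example code written for this page, not NVIDIA's federation code or your identity provider's), the following Python builds the RFC 6749 section 4.1.3 request with client authentication either in an HTTP Basic header (section 2.3.1) or in the request body, and checks the section 4.1.4 / 5.1 response. The endpoint URL, redirect URI, authorization code and client credentials are placeholders; the transport is injectable so the exchange can be exercised offline.

```python
"""Added example, not NVIDIA's code or the identity provider's: an RFC 6749
section 4.1.3 token request with client authentication as an HTTP Basic
header (section 2.3.1, preferred by the page) or in the request body, plus a
check of the section 4.1.4 / 5.1 response. All URLs, codes and credentials
are placeholders."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """Authorization header value per RFC 6749 section 2.3.1.

    Each credential is form-urlencoded *before* the two are joined with ':'
    and base64-encoded, so a ':' or a reserved character in the secret cannot
    be misparsed by the token endpoint."""
    user = urllib.parse.quote_plus(client_id)
    password = urllib.parse.quote_plus(client_secret)
    raw = f"{user}:{password}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_endpoint, code, redirect_uri, client_id,
                        client_secret, auth="basic"):
    """RFC 6749 section 4.1.3 request. auth="basic" puts the credentials in
    the header; auth="body" sends client_id/client_secret as form fields."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        # Must be identical to the redirect_uri of the authorization request.
        "redirect_uri": redirect_uri,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if auth == "basic":
        headers["Authorization"] = basic_client_auth(client_id, client_secret)
    elif auth == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client authentication method {auth!r}")
    body = urllib.parse.urlencode(params).encode("ascii")
    return urllib.request.Request(token_endpoint, data=body, headers=headers,
                                  method="POST")


def parse_token_response(status, body):
    """Validate a section 4.1.4 / 5.1 success or a section 5.2 error reply."""
    try:
        data = json.loads(body)
    except ValueError:
        raise ValueError("token endpoint did not return a JSON body")
    if status != 200:
        raise ValueError("token request failed: %s %s" % (
            data.get("error", status), data.get("error_description", "")))
    for field in ("access_token", "token_type"):
        if not data.get(field):
            raise ValueError(f"token response is missing {field!r}")
    # The user info endpoint accepts Bearer tokens only (RFC 6750).
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {data['token_type']!r}")
    return data


def _send(req):
    """Default transport: a real HTTPS call; HTTP errors yield status + body."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def exchange_code(token_endpoint, code, redirect_uri, client_id,
                  client_secret, auth="basic", send=_send):
    """Full code-for-token exchange. `send` is injectable so the flow can be
    exercised offline against a fake transport."""
    req = build_token_request(token_endpoint, code, redirect_uri,
                              client_id, client_secret, auth)
    status, body = send(req)
    return parse_token_response(status, body)


if __name__ == "__main__":  # placeholder values; no network call is made
    req = build_token_request("https://idp.example.com/oauth2/token",
                              "SplxlOBeZQQYbYS6WxSbIA",
                              "https://sso.example.net/callback",
                              "nvidia-federation", "s3cr:et")
    print(req.get_header("Authorization"))
    print(req.data.decode("ascii"))
```

The point worth checking against your own token endpoint is the Basic header: clients that follow section 2.3.1 percent-encode the credentials before base64-encoding them, so a provider that base64-decodes and splits on the first ':' without form-decoding will reject a secret containing reserved characters.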
User Info Endpoint#
Your identity management system must expose an endpoint that returns information about the user in exchange for an access token. The endpoint must accept the access token presented with the Bearer authentication scheme specified in RFC 6750 and must return the user information as a JSON body.
The response body must include at least the data marked REQUIRED below:

| User info | Description |
|---|---|
| Subject identifier | REQUIRED – Unique identifier assigned by your identity management system to the user |
| Username | REQUIRED – Short name that identifies the account used to log in |
| Email address | REQUIRED – Email address of the user |
| Email address verification status | RECOMMENDED – Whether the email address has been verified by your identity management system |
| Full name | RECOMMENDED – Full name of the user |
Note
NVIDIA can accommodate the use of any set of attribute names to identify the above data. If possible, alignment with the names of the corresponding standard OpenID Connect claims is recommended.
Access to the user info endpoint cannot be restricted by client source IP address: the NVIDIA identity federation system runs on AWS and calls the user info endpoint from dynamic IP addresses.
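As an added example (code written for this page, not NVIDIA's or your identity provider's) of what the user info endpoint must support and how the attribute names from the note above can be reconciled with the standard OpenID Connect claim names, the following Python sends the access token as an RFC 6750 Bearer credential and normalizes the JSON reply. The endpoint URL, the sample response and the attribute mapping (`uid`, `login`, `mail`, `mailVerified`, `displayName`) are constructed assumptions.

```python
"""Added example, not NVIDIA's code or the identity provider's: a user info
call with an RFC 6750 Bearer token, and normalization of whatever attribute
names the provider uses into the OpenID Connect claim names the page
recommends. The endpoint URL, sample response and mapping are assumptions."""
import json
import urllib.error
import urllib.request

# Attributes the page lists, keyed by their standard OpenID Connect claim name.
REQUIRED_CLAIMS = ("sub", "preferred_username", "email")
RECOMMENDED_CLAIMS = ("email_verified", "name")


def build_userinfo_request(userinfo_endpoint, access_token):
    """RFC 6750 section 2.1: the token travels in the Authorization header,
    not in the query string, where it would land in server and proxy logs."""
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return urllib.request.Request(
        userinfo_endpoint,
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
        method="GET")


def normalize_userinfo(raw, mapping=None):
    """Map provider attribute names to OIDC claim names and enforce the
    REQUIRED/RECOMMENDED split from the page.

    `mapping` is {oidc_claim: provider_attribute}; claims absent from it are
    looked up under their OIDC name, so a provider that already uses the
    standard names needs no mapping at all."""
    mapping = mapping or {}
    out = {}
    for claim in REQUIRED_CLAIMS + RECOMMENDED_CLAIMS:
        value = raw.get(mapping.get(claim, claim))
        if value not in (None, ""):
            out[claim] = value
    missing = [c for c in REQUIRED_CLAIMS if c not in out]
    if missing:
        raise ValueError(f"user info response is missing required attributes {missing}")
    # The subject identifier is an opaque string; an integer id and its
    # string form must never be treated as two different users.
    out["sub"] = str(out["sub"])
    if "@" not in out["email"]:
        raise ValueError(f"malformed email address {out['email']!r}")
    # Some providers send "true"/"false" strings; a non-empty "false" must not
    # be read as verified, so coerce explicitly.
    if "email_verified" in out and not isinstance(out["email_verified"], bool):
        out["email_verified"] = str(out["email_verified"]).lower() == "true"
    return out


def fetch_userinfo(userinfo_endpoint, access_token, mapping=None, send=None):
    """Call the endpoint and return normalized claims. `send` is injectable
    so the call can be exercised offline with a fake transport."""
    req = build_userinfo_request(userinfo_endpoint, access_token)
    if send is None:
        def send(request):
            try:
                with urllib.request.urlopen(request, timeout=10) as resp:
                    return resp.status, resp.read()
            except urllib.error.HTTPError as err:
                return err.code, err.read()
    status, body = send(req)
    if status != 200:
        # RFC 6750 section 3: a rejected token comes back as 401 with a
        # WWW-Authenticate challenge, not as a JSON user record.
        raise ValueError(f"user info request failed with HTTP {status}")
    try:
        raw = json.loads(body)
    except ValueError:
        raise ValueError("user info endpoint did not return a JSON body")
    return normalize_userinfo(raw, mapping)


# Constructed sample: a provider with non-standard attribute names.
SAMPLE_MAPPING = {"sub": "uid", "preferred_username": "login", "email": "mail",
                  "email_verified": "mailVerified", "name": "displayName"}
SAMPLE_RESPONSE = (b'{"uid": 4711, "login": "jdoe", "mail": "jdoe@example.com", '
                   b'"mailVerified": "true", "displayName": "Jane Doe"}')

if __name__ == "__main__":  # offline run against the constructed sample
    print(fetch_userinfo("https://idp.example.com/oauth2/userinfo",
                         "2YotnFZFEjr1zCsicMWpAA", SAMPLE_MAPPING,
                         send=lambda request: (200, SAMPLE_RESPONSE)))
```

The mapping dictionary is the piece of information the sample request/response requested further down this page is meant to convey: once NVIDIA knows which attribute carries the subject identifier, username and email address, the rest of the flow is identical to the OpenID Connect case.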
Transport Layer Security#
All the endpoints exposed by your identity management system must require TLS and present a server certificate that chains to a certification authority trusted by all major web browsers (Chrome, Safari, Firefox). Use of self-signed certificates is not acceptable in any phase of the integration, including testing. The domain names used for the endpoints must be owned by your company.
Client Credentials#
The client credentials are the same as those specified in the Integration via OpenID Connect > Client Credentials section.
Email Domains#
The Email domains are the same as those specified in the Integration via OpenID Connect > Email Domains section.
Support for User Groups#
The user group guidelines are the same as those specified in the Integration via OpenID Connect > Support for User Groups section. The option to return the list of groups in the identity token is not applicable because there is no identity token with OAuth 2.0.
Information to Be Provided to NVIDIA#
The following table specifies the information that NVIDIA needs to set up the integration.
| Info | Comments |
|---|---|
| Full URL of the authorization endpoint | Typically exposed at path |
| Full URL of the token endpoint | Typically exposed at path |
| Full URL of the user info endpoint and sample request/response | There is no standard definition of the user info endpoint in OAuth 2.0. The sample request/response is intended to help NVIDIA understand the usage supported by your identity management system. |
| Client credentials that NVIDIA can use for the integration | Refer to the Client Credentials section for more details. |
| List of email domains in use at your company | Refer to the Email Domains section for more details. |
| Description of how NVIDIA can obtain user group memberships | Only if groups are used. Refer to the Support for User Groups section for more details. |
| Test account that NVIDIA can use to verify the integration | If possible, please provide the username and password of one test account. |