Skip to content

OAuth 2.0

Audience: Application Admins

Content Summary: Immuta integrates seamlessly with your enterprise OAuth2 provider. Immuta can leverage your OAuth2 provider for authentication and authorizations or use OAuth2 only for authentication while maintaining all user attributes (authorizations and groups) within Immuta's built-in identity manager.

Immuta integrates with Google and Github OAuth2 providers out-of-the-box. To work with a different OAuth2 provider, you will need a custom IAM integration.

This page details configuration options and configuration examples for OAuth2 identity managers, but implementation will vary based on your OAuth provider. For detailed assistance, please contact your Immuta support professional.

Configuration

OAuth2 IAMs are configured in the Advanced Configuration section of the Application Setting page and require some special configuration options:

  • oauth (boolean): Boolean value that must be true to signal for Immuta to allow an OAuth redirect at the Immuta login page.
  • clientOptions (object):
    • clientId (string): Immuta's client ID for your OAuth2 provider.
    • redirectUri (string): Typically http(s)://<your immuta base url>/bim/iam/<your IAM id>/user/authenticate.
    • authorizeTemplate (string): Template for the redirect URL that will send the user to authenticate with your OAuth2 provider. Should include {clientId}, {redirectUri}, and {redirectPath} where appropriate. See directly below for examples.
  • options (object):
    • clientSecret (string): The client secret that is registered with your OAuth provider for Immuta.
    • applicationName (string): The application name that is registered with your OAuth provider for Immuta.
  • supportedActions (array): See Supported Actions for details.

Github Configuration Example

# config.yml
# ...

plugins:
  github:
    id: github
    displayName: Github
    type: github
    plugin: github
    oauth: true
    supportedActions: ['syncGroups', 'syncAuthorizations']
    clientOptions:
        clientId: yourclientid
        redirectUri: https://yourimmutainstance.com/bim/iam/github/user/authenticate
        authorizeTemplate: https://github.com/login/oauth/authorize?client_id={clientId}&redirect_uri={redirectUri}&state={redirectPath}&scope=user%20read:org&allow_signup=false
    options:
        clientSecret: abcdefghijklmnopqrstuvwxyz
        applicationName: Immuta
    schema:
        profile:
        name: name
        email: email
        organization: company
        location: location
        about: bio
        authorizations:
        hireable: hireable
        siteadmin: site_admin
        type: type
        group:
        name: name
        gid: id
        description: description
    defaultPermissions:
    - CREATE_DATA_SOURCE

Google Configuration Example

# config.yml
# ...

plugins:
  googleIAM:
    id: google
    plugin: google
    type: google
    displayName: Google
    oauth: true
    supportedActions: []
    clientOptions:
      clientId: yourclientid.apps.googleusercontent.com
      redirectUri: https://yourimmutainstance.com/bim/iam/google/user/authenticate
      authorizeTemplate: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id={clientId}&redirect_uri={redirectUri}&state={redirectPath}&scope=https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/user.addresses.read+https://www.googleapis.com/auth/user.emails.read+https://www.googleapis.com/auth/user.phonenumbers.read
    options:
      clientSecret: abcdefghijklmnopqrstuvwxyz
      applicationName: Immuta
    schema:
      profile:
        name: name
        email: email
    defaultPermissions:
    - CREATE_DATA_SOURCE