OAuth2 Clients for SDK or API on Enterprise Accounts
1. Description
When using the Alteia API or Python SDK, users have to provide credentials for authentication.
They usually do so using their account credentials (user email and password), either as direct arguments or via a configuration file, when creating an SDK instance.
On Enterprise Accounts (white-label versions), an additional way of authenticating can be offered, via personal OAuth2 clients.
When enabled, a personal OAuth2 client for the SDK may be used to authenticate yourself with a client identifier and a client secret, instead of your email and password.
Several personal clients can be created for different uses, each with its own expiration date, and any of them can be revoked explicitly at will.
There are two main cases where domain managers on an Enterprise Account might want this feature to be enabled:
- On domains where Single Sign On is strictly enforced, it is the recommended way to let selected users authenticate the SDK with personal clients, without having to consider granting them password-credential exceptions.
- Even if your domain doesn’t use Single Sign On, you might prefer such personal clients to be enabled to mitigate the risk of users sharing, inadvertently or not, their account credentials (in scripts, code, ...).
2. Create a personal OAuth2 client
Only users with the appropriate role, granted by the Domain Manager, can create personal OAuth2 clients, with as many personal access tokens as necessary.
Step 1 - In the top-right corner, select your profile icon.
Step 2 - Select "My OAuth2 clients".
Step 3 - Select "CREATE CLIENT".
Step 4 - Enter a friendly name for this client and an expiration date.
Step 5 - Click on "SAVE".
Copy and save the personal client secret somewhere safe. After clicking "CLOSE" or leaving the page, the secret is no longer accessible.
Be aware that this personal OAuth2 client has exactly the same permissions as your account.
You can return to this page to check your active personal OAuth2 clients and, if needed, revoke one by opening its three-dots menu and selecting "Delete".
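The SDK accepts credentials either as direct arguments or from a configuration file, and a personal client lets a client identifier and secret stand in for the email and password (section 1). The loader below is an added example, not Alteia's code: it reads credentials from environment variables or a JSON file so the secret never sits in script source, prefers the OAuth2 client when both credential sets are present, checks that a config file is not readable by other local users, and gives a redacted view for logging. The environment variable names (ALTEIA_*), the JSON keys and the keyword names returned by as_sdk_kwargs() are assumptions; check them against the SDK documentation before use.

```python
"""Load Alteia SDK credentials without hard-coding secrets in scripts.

Added example (not Alteia's own code). The environment variable names, the
JSON keys and the keyword names returned by as_sdk_kwargs() are assumptions;
check them against the SDK documentation before use.
"""
import json
import os
import stat
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Mapping, Optional

# Assumed environment variable prefix and field names (not defined by the page).
ENV_PREFIX = "ALTEIA_"
FIELDS = ("url", "client_id", "client_secret", "user", "password")
SECRET_FIELDS = ("client_secret", "password")


@dataclass
class SdkCredentials:
    url: Optional[str] = None
    client_id: Optional[str] = None
    client_secret: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None

    def method(self) -> str:
        """Prefer a personal OAuth2 client over account credentials."""
        if self.client_id and self.client_secret:
            return "oauth2_client"
        if self.user and self.password:
            return "password"
        raise ValueError("no complete credential set (client id/secret or user/password)")

    def as_sdk_kwargs(self) -> Dict[str, str]:
        """Keyword arguments for the SDK constructor (names assumed). Only the
        chosen method's secret is passed, so a password never travels alongside
        a client secret."""
        kwargs: Dict[str, str] = {"url": self.url} if self.url else {}
        if self.method() == "oauth2_client":
            kwargs.update(client_id=self.client_id, client_secret=self.client_secret)
        else:
            kwargs.update(user=self.user, password=self.password)
        return kwargs

    def redacted(self) -> Dict[str, str]:
        """Safe-to-log view: secrets are masked, identifiers are kept."""
        out: Dict[str, str] = {}
        for name in FIELDS:
            value = getattr(self, name)
            if value is None:
                continue
            out[name] = "***" if name in SECRET_FIELDS else value
        return out


def config_file_problems(path: Path) -> List[str]:
    """Flag a credentials file that other local users can read (POSIX modes)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} is readable by group/others (mode {oct(mode)}); use chmod 600")
    return problems


def load_credentials(env: Mapping[str, str], config_path: Optional[Path] = None) -> SdkCredentials:
    """Environment variables override values from a JSON config file; nothing
    is ever read from the calling script itself."""
    values: Dict[str, Optional[str]] = {name: None for name in FIELDS}
    if config_path is not None:
        with open(config_path, encoding="utf-8") as fh:
            data = json.load(fh)
        for name in FIELDS:
            if name in data:
                values[name] = str(data[name])
    for name in FIELDS:
        env_value = env.get(ENV_PREFIX + name.upper())
        if env_value:
            values[name] = env_value
    return SdkCredentials(**values)


if __name__ == "__main__":
    creds = load_credentials(os.environ)
    print("auth method:", creds.method())
    print("config:", creds.redacted())
```

Because the client has exactly the same permissions as the account, the secret deserves the same handling as the password: keep it in the environment or a 0600 file, log only the redacted view, and rotate by creating a new client and revoking the old one.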
3. Manage your users' OAuth clients (domain managers)
When the feature is enabled, domain managers can:
- Grant users the role that permits the use of OAuth2 clients.
- List, sort, and filter their users’ personal OAuth2 clients and revoke them by opening the three-dots menu and selecting "Delete".
3.1 Granting a user permission to create OAuth2 clients
When inviting new users or editing existing user profiles, grant them the appropriate domain role (its exact name may vary depending on the configuration).
3.2 Viewing, sorting, filtering, and revoking users’ personal OAuth2 clients
Domain managers can access the “OAuth2 clients” menu in the Administration module. As above, a given client may be revoked (deleted) using the three-dots menu and selecting "Delete".
Domain managers are responsible for administrating users according to company policy.
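Since every client carries an expiration date and domain managers are expected to review and revoke their users' clients, a periodic triage of the client list is a natural part of that policy. The script below is an added example, not Alteia's code: it takes a constructed CSV export of clients (the column layout is assumed; the product's real export, if any, may differ) and flags clients that have already expired, that expire within the next week, or whose lifetime exceeds an assumed 90-day company maximum.

```python
"""Triage personal OAuth2 clients by expiration date.

Added example, not Alteia's code. The CSV layout below is constructed and the
90-day maximum lifetime is an assumed company policy, not a product rule.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample export; column names are assumed.
SAMPLE_CSV = """name,owner,created,expires
ci-pipeline,alice@example.invalid,2024-01-10,2024-04-09
notebook,bob@example.invalid,2024-03-01,2024-03-20
legacy-script,carol@example.invalid,2023-06-01,2025-06-01
old-export,dave@example.invalid,2023-12-01,2024-02-01
"""

MAX_LIFETIME_DAYS = 90  # assumed company policy
WARN_DAYS = 7           # warn when a client expires within this many days


def triage_clients(csv_text: str, today: date) -> Dict[str, List[str]]:
    """Group clients into expired, expiring soon and over-policy lifetime."""
    report: Dict[str, List[str]] = {"expired": [], "expiring_soon": [], "over_policy": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = date.fromisoformat(row["created"])
        expires = date.fromisoformat(row["expires"])
        label = f"{row['name']} ({row['owner']})"
        if expires < today:
            # Expired clients cannot authenticate but still clutter the list; delete them.
            report["expired"].append(label)
        elif expires - today <= timedelta(days=WARN_DAYS):
            report["expiring_soon"].append(label)
        if expires - created > timedelta(days=MAX_LIFETIME_DAYS):
            # Lifetime longer than policy allows: ask the owner to recreate with a shorter one.
            report["over_policy"].append(label)
    return report


if __name__ == "__main__":
    for category, clients in triage_clients(SAMPLE_CSV, date.today()).items():
        print(f"{category}: {clients}")
```

Run on the sample with today set to 2024-03-15, "notebook" is reported as expiring soon, "old-export" as expired, and "legacy-script" as over policy; "ci-pipeline" sits exactly at the 90-day limit and passes.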