|
| 1 | +--- |
| 2 | +title: OAuth 2.0 |
| 3 | +--- |
| 4 | + |
| 5 | +OAuth 2.0 is an online authorization tool that uses tokens to grant access to API resources like Segment’s tracking API. You can use OAuth 2.0 as a security requirement for connections to third-party tools. |
| 6 | + |
| 7 | +> info "" |
| 8 | +> This feature is currently in pilot. For pilot, Segment doesn’t support OAuth for Web and Mobile sources where an end-user is involved. OAuth 2.0 only supports server to Segment communication, a machine-to-machine workflow. |
| 9 | +
|
| 10 | +## Permissions |
| 11 | +Depending on your workspace permissions, your access to OAuth apps is limited. |
| 12 | + |
| 13 | +Segment Role | Permission |
| 14 | +------------ | ----------- |
| 15 | +Workspace Owner | You can view/create/edit **Workspace Settings>Access Management>OAuth application**. |
| 16 | +Workspace Member | You cannot view/create/edit **Workspace Settings > Access Management > OAuth app**. |
| 17 | +Source Admin | You can view/edit **Source> Settings > OAuth app**. <br> You can connect/disconnect OAuth application. <br> You can enable/disable OAuth enforcement. |
| 18 | +Source Read-only | You can only view **Source > Settings > OAuth app**. |
| 19 | +Function Admin | You can view/edit **Source Function Instance > Settings > OAuth app**. <br>You can connect/disconnect OAuth application. <br>You can enable/disable OAuth enforcement. |
| 20 | +Function Read-only | You can only view **Source Function Instance > Settings > OAuth application**. |
| 21 | + |
| 22 | +## Create an OAuth app |
| 23 | + |
| 24 | +> info "" |
| 25 | +> You must have already created workspace in Segment to use OAuth. |
| 26 | +
|
| 27 | +To create a new OAuth application: |
| 28 | + |
| 29 | +1. Create a private and public key by running the script: |
| 30 | + |
| 31 | + ``` |
| 32 | + openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048 |
| 33 | + openssl rsa -in private.pem -pubout -outform PEM -out public.pem |
| 34 | + ``` |
| 35 | +
|
| 36 | +2. Navigate to **Settings > Workspace** settings and select the Access Management tab. |
| 37 | +3. Select the **OAuth application** tab within the **Access Management** page. |
| 38 | +4. Click **Create OAuth app**. |
| 39 | +5. Enter the configuration settings: |
| 40 | +
|
| 41 | + Settings | Details |
| 42 | + -------- | ------- |
| 43 | + Application name | The name of the OAuth app. |
| 44 | + Public key | Upload a public key in PEM format to authenticate through the OAuth application. You can upload a second public key after you create the OAuth application. |
| 45 | + Public key name | Enter a name for your public key. |
| 46 | + Token expiration period | You can choose between: 1 day, 2 days, 3 days, 1 week, 2 weeks, 3 weeks, 30 days. |
| 47 | + Scope | This specifies what type of access is needed for each API. For pilot, Segment offers these 2 scopes: <br><li>Tracking API <br><li><li> `tracking_api:write` <br><li>Public API <br><li><li>`public_api:read_write` |
| 48 | +6. Click **Create**. |
| 49 | +
|
| 50 | +## Connect a source to OAuth |
| 51 | +> info "" |
| 52 | +> OAuth only supports server-side sources and does not support. Currently for beta, only http API and node.js and public api and source functions are other api points that are covered |
| 53 | +
|
| 54 | +To connect a source to OAuth: |
| 55 | +
|
| 56 | +1. Navigate to **Connections > Sources**. |
| 57 | +2. Select the source you want to enable OAuth for. |
| 58 | +3. Go to the **Settings** tab of the source page and select **OAuth app**. |
| 59 | +4. Click **Create OAuth app**. |
| 60 | +5. Select the OAuth app you want to connect the source to. |
| 61 | +6. Click **Connect**. |
| 62 | +7. Select the toggle to **Enable OAuth** for the source. |
| 63 | +
|
| 64 | +To disconnect the source from OAuth, select **Disconnect**. |
| 65 | +
|
| 66 | +## Request the access token |
| 67 | +
|
| 68 | +To request the access token, run: |
| 69 | +
|
| 70 | +``` |
| 71 | +./gentoken.sh -k <private-key.pem> -i <key_id> -a <oauth_app_id> | jq '.access_token' |
| 72 | +``` |
| 73 | +
|
| 74 | +## Edit an OAuth application |
| 75 | +To edit an existing OAuth application: |
| 76 | +
|
| 77 | +1. Navigate to **Settings > Workspace** settings and select the **Access Management** tab. |
| 78 | +2. Select the **OAuth application** tab within the **Access Management** page. |
| 79 | +3. Click the application name of the OAuth application you want to edit. |
| 80 | +4. On the **Overview** tab you can: |
| 81 | + 1. Revoke a token |
| 82 | + 2. Copy the Application ID and the Public key |
| 83 | + 3. Delete the OAuth application |
| 84 | +5. Select the **Settings** tab on the right window where you can: |
| 85 | + 1. Edit the **Application name** |
| 86 | + 2. Delete a public key |
| 87 | + 3. Add a new public key |
| 88 | + 4. Change the token expiration period |
| 89 | + 5. Edit your scope |
| 90 | +6. Click **Save changes**. |
| 91 | +
|
| 92 | +
|
| 93 | +## Delete an OAuth app |
| 94 | +> info "" |
| 95 | +> In order to delete an OAuth app, you must remove all connected sources from the app. |
| 96 | +
|
| 97 | +To delete an OAuth app: |
| 98 | +1. Navigate to **Settings > Workspace settings** and select the **Access Management** tab. |
| 99 | +2. Select the **OAuth application** tab within the **Access Management** page. |
| 100 | +3. Select the **App name** of the OAuth app you want to delete. |
| 101 | +4. Select **Delete OAuth app**. |
| 102 | +5. Enter the name of the OAuth app you want to delete. |
| 103 | +6. Click **Delete OAuth app**. |
| 104 | +
|
| 105 | +## Remove a token |
| 106 | +To remove a token: |
| 107 | +1. Navigate to **Settings > Workspace settings** and select the **Access Management** tab. |
| 108 | +2. Select the *OAuth application tab within the **Access Management** page. |
| 109 | +3. Select the **App name** with the token you want to delete. |
| 110 | +4. Enter the complete token |
| 111 | +5. Click **Revoke token**. |
0 commit comments