Configure an external Open Authorization 2.0 authorization server
Configure OAuth 2 external authorization servers to give external applications access to Splunk data without the need for Splunk credentials.
You can configure an external Open Authorization version 2.0 (OAuth 2) server to let external applications connect to and access data that is stored on the Splunk platform without having to share credentials from the Splunk platform. This configuration lets you connect your external identity provider (IdP) to the Splunk platform by defining an OpenID Connect (OIDC) server for the client application on the IdP to interface with the Splunk platform for the purpose of authorization. Since the IdP provides the credentials, you do not need to use Splunk credentials to provide access to the Splunk data.
How the Splunk platform uses OAuth 2.0 to provide access to its data from external applications
The Splunk platform has its own default authentication configuration, known as native authentication. When you configure a Splunk platform instance with native authentication, users can log into the instance and, depending on the user and the roles that the user holds, they have access to the data that you, as the Splunk administrator, provide to them through those roles.
A growing number of use cases prevent use of this basic form of authentication. OAuth 2.0 provides a secure authorization method that lets administrators share access to resources without having to provide local credentials to external consumers of those resources. The Splunk platform leverages your OAuth server as the authentication and authorization source, which lets all authorization happen there from the client application identity that you define and manage.
In the case of the Splunk platform, configuring OAuth 2.0 support consists of several steps:
-
Resource owners first configure and register a client application on their OAuth server, which they use to connect to the Splunk platform.
-
They then register the OIDC server on the Splunk platform through an OAuth 2.0 configuration.
-
After that, they map client groups from the OIDC server to roles on the Splunk platform instance.
After you register the OIDC server on the Splunk platform instance:
-
The client application authenticates against the OAuth server using its client credentials and receives an OAuth access token.
-
The client application, through the OAuth server, exchanges the OAuth access token for a Splunk access token.
-
Further REST API calls from the client application use the Splunk token for authentication, accessing Splunk data that is available to it through the group-to-role mappings that you made when you set up the OIDC connection. The client application on the IdP never uses Splunk credentials to access the Splunk platform instance.
Example for configuring an external OAuth server
You are a Splunk administrator and need to activate a bespoke application to fetch data from your Splunk platform instance to perform some analysis. You currently have a local user account with a username and password which this application uses. Compliance requirements for your organization have recently changed, and you can no longer use local Splunk user accounts. You must now use OAuth 2.0 as a replacement for the local user.
You access your Splunk platform instance and add your OAuth server. This creates a trust between your OAuth server and your Splunk platform instance. Using the OAuth server, you provision an OAuth client for your application. You provide the OAuth Client ID and secret to your developer as well as the Splunk token endpoint URL.
The application developer modifies the application to call your OAuth server with the provided Client ID and secret and receives an OAuth access token. The application then calls the Splunk token endpoint URL to exchange the OAuth access token for a Splunk token. Because the Splunk platform trusts the OAuth provider, the application receives a Splunk OAuth access token and uses that token for all API calls. This now replaces the local user account, which you can delete.