Configure an external Open Authorization 2.0 authorization server
Configure an external OAuth 2.0 authorization server to give external applications access to Splunk platform data without the need for Splunk credentials.
You can configure an external Open Authorization 2.0 (OAuth 2.0) authorization server to let external applications connect to and access data that is stored on the Splunk platform without sharing Splunk credentials with those applications. In this configuration you connect your external identity provider (IdP) to the Splunk platform by defining an OpenID Connect (OIDC) server on the Splunk platform that the client application registered on the IdP uses for authorization. Because the IdP authenticates the client application and asserts its group membership, you do not need Splunk credentials to provide access to Splunk data.
How the Splunk platform uses OAuth 2.0 to provide access to its data from external applications
The Splunk platform has its own authentication configuration. When you configure a Splunk platform instance, you log into the instance with a user account, and the roles that the user holds determine which data you can access. The Splunk administrator grants that access by assigning roles, or by mapping groups to roles when an external authentication system is used.
A growing number of use cases cannot use this basic form of authentication, because it requires handing Splunk credentials to the external consumer of the data. OAuth 2.0 lets resource owners share access to resources without providing credentials to external consumers of those resources. All authorization happens on the IdP, initiated by the client application.
In the case of the Splunk platform, configuring OAuth 2.0 support consists of several steps:
Resource owners first register a client application on their external IdP. The IdP issues the client application a designated client ID and secret, which the application uses to authenticate to the IdP.
They then define an OIDC server on the Splunk platform through an OAuth 2.0 configuration.
After that, they map groups on the IdP to roles on the Splunk platform instance that hosts the OIDC server. Only groups that have a mapping grant any access.
After the Splunk admin has set up the OIDC server on the Splunk platform instance, the runtime flow is as follows:
The client application authenticates against the IdP using its client ID and secret and receives a token from the IdP.
The client application presents that IdP token to the Splunk OIDC server, which validates the token and exchanges it for a Splunk token.
Further REST API calls from the client application use the Splunk token for authentication, accessing only the Splunk data that is available through the group-to-role mappings the Splunk administrator made when they set up the OIDC server. The client application never uses Splunk credentials to access the Splunk platform instance. Note that the client ID and secret, and the tokens themselves, are still secrets that the client application must protect: OAuth 2.0 removes the need for Splunk credentials, not for credentials altogether.
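The following simulation walks through the setup steps and the runtime flow above end to end: a registered client authenticates to a toy IdP with its client ID and secret, receives a signed token carrying its groups, exchanges that token at a toy Splunk-side OIDC server for a Splunk token, and then makes role-protected REST calls. It is an added example written for this page, not Splunk's own code or API. All names (the issuer URL, the audience, the client registrations, the group-to-role table) are assumed, and it signs tokens with HS256 over a shared secret so that it runs with only the Python standard library; a production IdP would sign with an asymmetric key that the Splunk side verifies through the IdP's published keys.

```python
"""Simulated OAuth 2.0 / OIDC token exchange between a client application, an IdP
and a Splunk-like resource server. Constructed example; not Splunk's API."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Toy identity provider (setup step 1: client registration) --------------
IDP_ISSUER = "https://idp.example.com"           # assumed IdP URL
SPLUNK_AUDIENCE = "splunk-oidc"                  # assumed audience value
IDP_SIGNING_KEY = b"idp-shared-secret-for-demo"  # HS256 key, demo only
REGISTERED_CLIENTS = {                           # constructed registrations
    "splunk-reporting-app": {"secret": "s3cr3t", "groups": ["soc-analysts"]},
    "billing-exporter": {"secret": "0th3r", "groups": ["finance"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_client_credentials_grant(client_id, client_secret, now=None):
    """IdP token endpoint: the client proves its identity with its own
    credentials and gets a signed JWT asserting the groups it belongs to."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    now = now or int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": client_id, "aud": SPLUNK_AUDIENCE,
              "iat": now, "exp": now + 300, "groups": client["groups"]}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# --- Toy Splunk-side OIDC server (setup steps 2 and 3) ------------------------
GROUP_TO_ROLE = {"soc-analysts": "power", "soc-admins": "admin"}  # assumed mapping
SPLUNK_SESSIONS = {}  # Splunk token -> set of roles


def verify_idp_token(token, now=None):
    """Check signature, algorithm, issuer, audience and expiry before trusting claims."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(IDP_SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_b64url_decode(c))
    now = now or int(time.time())
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SPLUNK_AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


def splunk_exchange_token(idp_token, now=None):
    """Exchange a valid IdP token for a Splunk token whose roles come only from
    the group-to-role mapping; an unmapped client gets no token at all."""
    claims = verify_idp_token(idp_token, now)
    roles = {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}
    if not roles:
        raise PermissionError("no mapped roles")
    splunk_token = secrets.token_urlsafe(24)
    SPLUNK_SESSIONS[splunk_token] = roles
    return splunk_token


def exchange_outcome(idp_token, now=None):
    """Return "ok" or the reason the exchange was refused."""
    try:
        splunk_exchange_token(idp_token, now)
        return "ok"
    except PermissionError as err:
        return str(err)


def splunk_rest_call(splunk_token, required_role):
    """A REST endpoint guarded by a Splunk role: 401 unknown token, 403 wrong role."""
    roles = SPLUNK_SESSIONS.get(splunk_token)
    if roles is None:
        return 401
    return 200 if required_role in roles else 403


if __name__ == "__main__":
    idp_token = idp_client_credentials_grant("splunk-reporting-app", "s3cr3t")
    splunk_token = splunk_exchange_token(idp_token)
    print("power endpoint:", splunk_rest_call(splunk_token, "power"))
    print("admin endpoint:", splunk_rest_call(splunk_token, "admin"))
```

Two details matter in practice. The Splunk side rejects a token whose signature does not verify, whose issuer or audience is not the configured one, or which has expired, before it reads the groups claim, so a tampered groups list never reaches the mapping. And the Splunk token carries only roles produced by the mapping table, so a client whose IdP groups have no mapping receives nothing rather than a default role.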