Service Accounts
Configure service accounts by using the OAuth 2.0 Client Credentials grant type
Pre-requisites
- Hoop Gateway Self Hosted instance
- Identity Provider that supports the OAuth 2.0 Client Credentials Grant flow.
Not all identity providers support the OAuth 2.0 Client Credentials Grant flow. Before implementing this guide, consult your identity provider’s documentation to verify compatibility.
Setup
Obtain an Access Token
To obtain an access token, you usually need to know the OAuth 2.0 authorization server URL. This configuration may differ depending on your identity provider.
The example below shows how to obtain an access token from the Azure Microsoft Entra ID Identity Provider:
A successful response returns the following payload:
The access_token attribute value is used to communicate with the Hoop Gateway API.
To always have a valid access token programmatically, automate the token issuing process in your automation workflow.
Create the Service Account
This step creates the service account resource by establishing an association with the sub claim that is returned when the access token is issued.
This information typically corresponds to the client_id attribute in your OAuth 2.0 credentials.
For detailed instructions specific to your identity provider, refer to our getting started section documentation.
If you’re having trouble locating this information, consult your identity provider’s configuration guide.
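The following is an added example, not code from the Hoop documentation: it requests a token with the client credentials grant, caches it until shortly before it expires, and reads the sub claim that the service account is associated with. It assumes the Microsoft Entra ID v2.0 token endpoint and a JWT-formatted access token; the class and function names, the placeholder parameters and the constructed sample response are illustrative.

```python
import base64, json, time, urllib.parse, urllib.request

# Microsoft Entra ID v2.0 token endpoint; tenant, client and scope values are placeholders.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def fetch_token(tenant, client_id, client_secret, scope):
    """POST the client credentials grant and return the parsed JSON response."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

class TokenSource:
    """Caches the access token and requests a new one shortly before it expires."""
    def __init__(self, fetch, skew=60, now=time.time):
        self._fetch, self._skew, self._now = fetch, skew, now
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._now() >= self._expires_at - self._skew:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = self._now() + int(resp["expires_in"])
        return self._token

    def subject(self):
        """The `sub` claim the service account is associated with."""
        return jwt_claims(self.token())["sub"]

def sample_response(sub, expires_in=3600):
    """Constructed token response with an unsigned, made-up JWT (offline demo only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "none"}), enc({"sub": sub}), "constructed-signature"])
    return {"token_type": "Bearer", "expires_in": expires_in, "access_token": jwt}
```

In a real workflow, pass `lambda: fetch_token(...)` as the `fetch` argument and load the client secret from a secret store rather than from source code.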
It creates an administrator user with access to all resources in the API.
It creates a regular user with non-privileged access that belongs to the groups devops and ops.
Use the Access Token
Configure your client application to use this token to access the Hoop API.
An example using curl (HTTP client) would be:
It should respond with HTTP status code 200 and return a JSON payload with the user information.
Revoking Access
The command below disables the service account by invalidating any request sent to the gateway.
It’s important to note that the access token has an expiration time as well.
The Hoop Gateway API provides additional mechanisms to deny access for this service account through its association with the subject identifier in the token.