Custom

Enhanced Advanced

Create application in OAuth Provider

Register application

The administrator of the OAuth provider must register Connect as an application before an OAuth integration can be configured.

Viewer Integration

The administrator adds a redirect_uri for the OAuth application. The OAuth provider sends the user credentials to the redirect_uri at the end of the OAuth handshake, allowing Posit Connect to obtain a temporary access token and refresh token.

The OAuth application is configured with the following redirect URL (sometimes referred to as a callback URL): https://connect.example.org/__oauth__/integrations/callback. Replace connect.example.org with the address of the Connect server.

Note

For OAuth application administrators who prefer to use the same OAuth application for both Posit Connect and Posit Workbench, simply register the Workbench redirect URL (https://workbench.example.org/oauth_redirect_callback) in addition to the Connect redirect URL.

Service Account Integration

Service account integrations do not direct the user through a login flow, so a redirect_uri is not required.

Obtain required information

Obtain the following information from the OAuth application administrator:

  • client_id
  • client_secret (optional) - required for confidential clients

Obtain the following information from the OAuth application administrator, or from the Authorization Server Metadata Endpoint.

  • authorization_endpoint
  • token_endpoint

Ensure the proper authentication type is selected for the type of credentials that will be retrieved from the OAuth provider. See the documentation on supported authentication types for more information.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the dashboard’s Integrations settings. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Alternatively, the example below shows how to create a Confidential Custom OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server.

Terminal
curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "custom",
    "name": "Custom OAuth integration",
    "description": "A helpful description for publishers to use when choosing an OAuth integration for their content.",
    "config": {
      "auth_type": "Viewer",
      "client_id": "<client-id>",
      "client_secret": "<client-secret>",
      "authorization_uri": "<authorization-endpoint>",
      "token_uri": "<token-endpoint>",
      "scopes": "offline_access openid profile email"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }

Note

OAuth integrations in Connect use the PKCE (Proof Key for Code Exchange) extension for the authorization code flow by default. PKCE is required in the upcoming OAuth 2.1 specification, and is recommended in all cases to protect against authorization code injection attacks. If necessary, PKCE can be disabled by creating a Custom integration with "use_pkce": false in the config map, but this is not recommended.