Best Practices for OAuth/OIDC Identity Providers
When using OIDC Federation on StreamNative Cloud, your OAuth/OIDC identity provider handles all identity management. While this provides flexibility in managing users and their resource access, the overall security depends heavily on how well your identity provider is configured and protected. This guide outlines key best practices for securely managing your OAuth/OIDC identity provider.
Managing a Single Identity Provider Across Multiple Organizations
When using the same OAuth identity provider (sharing the same Issuer URI and JWKS URI) across multiple organizations under your control, be aware that access tokens issued by this provider can potentially be used across all organizations. To maintain proper access control:
- Implement pool filters to restrict token usage to specific operations or purposes within each organization
- Carefully plan and document your token usage strategy across organizations
- Regularly audit access patterns to detect any unauthorized cross-organization usage
Implementing Identity Pool Filters
Always configure identity pool filters for your identity pools. These filters provide granular access control by:
- Using claims like `aud` (audience) and `scp` (scope) to define precise access boundaries
- Restricting operations to specific purposes or functions
- Creating logical groupings of permissions based on business needs
Restricting Access Using Claims
To limit token usage to specific organizations, configure your identity provider to issue tokens with organization-specific claims. Here's how:
- Configure your identity provider to issue tokens with specific claim values (such as `aud`, `scp`, or custom claims)
- Set up identity pool filters in each organization to match these claims
- Even though the token signature remains valid across all organizations, access is granted only when token claims match an organization's identity pool filters
This approach ensures that tokens are only valid within their intended organizational context, despite sharing a common identity provider.
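The claim-matching rule described in the two sections above, as an added example that is not StreamNative's filter syntax or code: one shared provider signs every token, and each organization first verifies the signature and then applies its own audience and scope filter, so a token that is cryptographically valid everywhere is still only accepted where its claims match. The HS256 demo key, the organization names and the claim shapes (`aud` as string or list, `scp` as space-separated string or list) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo signing key standing in for the shared provider's key
# (a real OIDC provider signs with an asymmetric key published at its JWKS URI).
DEMO_KEY = b"constructed-demo-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Mint an HS256 JWT the way one shared provider would for every organization."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_signature(token: str):
    """Return the claims when the signature checks out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))

def pool_filter_matches(claims: dict, expected_aud: str, required_scopes: set) -> bool:
    """Per-organization filter: audience must name this org and every required scope must be present.
    Hypothetical claim shapes: aud as string or list, scp as space-separated string or list."""
    aud = claims.get("aud")
    aud_ok = expected_aud in (aud if isinstance(aud, list) else [aud])
    scp = claims.get("scp", [])
    scopes = set(scp.split()) if isinstance(scp, str) else set(scp)
    return aud_ok and required_scopes <= scopes

def authorize(token: str, expected_aud: str, required_scopes: set) -> str:
    """One organization's decision: signature first, then its own claim filter."""
    claims = verify_signature(token)
    if claims is None:
        return "bad-signature"
    if not pool_filter_matches(claims, expected_aud, required_scopes):
        return "claims-rejected"
    return "allowed"
```

A token minted for `org-a` passes signature verification in `org-b` as well, but `authorize` reports `claims-rejected` there because `org-b`'s filter expects its own audience.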