Hi,
We are going to use OAuth2 for a customer and reading the Appian doc, I can see this :
- "OAuth 2.0: Client Credentials Grant" : is used when access is being requested on behalf of an application,
- "OAuth 2.0: Authorization Code Grant" : is used when access is being requested on behalf of a user,
- "OAuth 2.0: SAML Assertion flow" : used with SAML...
Could you explain me the main differences between each of them please ? (with possibly examples )
Regards
Discussion posts and replies are publicly visible
The documentation explains that pretty well. Do you have any concrete question?
What does "We are going to use OAuth2 for a customer" mean?
I think if I ask you the question, it is probably the documentation does not light me sufficiently.
One of my concrete question would be :
If the remote system needs access from a user, I will use "Authorization Code Grant",If it needs access from an application, I will use "Client Credentials Grant",Lastly if it needs SAML, I use the third one?
or this as simple as this, or is there any other major aspects to take in consideration?
The "Code Grant" requires the user to log in to that other system as a separate action. Appian will then use the user's credentials to call the other system.
https://docs.appian.com/suite/help/22.4/authorization_link_component.html
The "Credentials Grant" store a single set of credentials of a service user account and uses that.
SAML is specific to browser based single-sign-on and cannot be used for API calls.
Thanks a lot Stefan
Stefan, I've got some additional informations.
We have the following situation: Today, our customer's Appian application is using ESB APIs (I don't know wich one).But he needs to migrate their Old ESB to Synapse (API solution). The migration will need actions at Appian level where the endpoints must be updated to the Synapse ones. At the same time, as Synapse is a SaaS solution outside of their Network, they would need to use OAuth2.
So if I have well understood your explanations, we can only choose between "Code Grant" and "Credential Grant" solutions, and forget "SAML" one? (as they need to make API calls from Appian).
Maybe the "Credential Grant" one would be the best solution, using a service user account ?
Thanks a lot for that update. Yes, indeed, the credential grant would be your best bet.
Ok great! thank you Stefan.
Stefan, to connect to the remote system, my Connected System will needs the inputs below :
- Base URL
- Client ID
- Client Secret
- Scope
- Token Request Endpoint
Does these inputs are sufficient for Integration calls ?
I'm asking you this question, because in your previous message you're talking about "service user account" so I have a doubt.I the admin console, we can create "Client Credentials" (Service Account) but it is dedicated for Web API.But in our case, the customer will access the Synapse API through Integration only (no Web Api).
Does this Service account must be created anyway?
That service account needs to be created on the Synapse side, or at the identity provider used. They will then hand out the credentials to you.
You would create a service account in Appian when Synapse calls a Web API in Appian.
So from the Appian side, we have nothing more to do than juste creating the Connected System with the five inputs listed below (inputs that were provided to me from the Synapse team)?
Exactly
Thank you again Stefan.