Authentication
API Authentication
Personal Access Tokens are used for API authentication and are required for use of the Python SDK.
To create a Personal Access Token, click on your profile badge in the lower left of the UI, then click on "Personal Access Token." We recommend saving this as an environment variable like DBNL_API_TOKEN for future use.
New tokens can be generated at any time, but old tokens cannot currently be revoked, so please remember to keep your tokens safe.
User Authentication
The DBNL platform uses OpenID Connect (OIDC) for user authentication. OIDC providers that are known to work with DBNL include:
The DBNL Sandbox Deployment does not use OIDC for authentication, but just a default username/password for all users. For fuller authentication controls please consider a full Deployment.
Configuration
OIDC can be configured using the following options in the DBNL Helm chart or Terraform module:
audience
clientId
issuer
scopes
Instructions on how to get those options for each provider can be found below.
Follow the Auth0 instructions to create a new SPA (single page application).
In Settings > Application URIs, add the DBNL deployment domain to the list of Allowed Callback URLs (e.g. dbnl.mydomain.com).
Navigate to Settings > Basic Information and copy the Client ID as the OIDC clientId option.
Navigate to Settings > Basic Information and copy the Domain and prepend with https:// to use as the OIDC issuer option (e.g. https://my-app.us.auth0.com/).
Follow the Auth0 instructions to create a custom API.
Use your DBNL deployment domain as the Identifier (e.g. dbnl.mydomain.com).
Navigate to Settings > General Settings and copy the Identifier as the OIDC audience option.
Set the OIDC scopes option to "openid profile email".
Follow the Microsoft Entra ID instructions to create a new SPA (single page application) and enable OIDC.
Add the DBNL deployment domain as the callback URL (e.g. dbnl.mydomain.com).
[Optional] Follow the Microsoft Entra ID instructions to restrict access to certain users.
Navigate to App Registrations > (Application) > Manage > API permissions and add the Microsoft Graph email, openid and profile permissions to the application.
Navigate to App Registrations > (Application) > Manage > Manifest and set access token version to 2.0 with "accessTokenAcceptedVersion": 2.
Navigate to App Registrations > (Application) > Manage > Token configuration > Add optional claim > Access > email to add the email optional claim to the access token type.
Navigate to App Registrations > (Application) and copy the Application (client) ID (APP_ID) to be used as the OIDC clientId and OIDC audience options.
Set the OIDC issuer option to https://login.microsoftonline.com/{APP_ID}/v2.0.
Set the OIDC scopes option to "openid email profile {APP_ID}/.default".
Follow the Okta instructions to create a new SPA (single page application) and enable OIDC.
Set the Sign-in redirect URIs to your DBNL domain (e.g. dbnl.mydomain.com).
Navigate to General > Client Credentials and copy the Client ID to be used as the OIDC clientId option.
Navigate to Sign on > OpenID Connect ID Token and copy the Issuer URL to be used as the OIDC issuer and OIDC audience options.
Set the OIDC scopes option to "openid email profile".
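A pre-deployment check of the four options, added here as an example and not part of DBNL or its SDK: it compares them with the provider's discovery document and with the claims of an access token the provider issued. It assumes the deployment matches the token's iss and aud claims against the configured issuer and audience, as OIDC relying parties normally do; the function names, the sample token and the client ID are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(token: str) -> dict:
    """Decode a JWT payload for diagnostics only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_oidc_options(opts: dict, discovery: dict, token: str) -> list:
    """Return the mismatches between the configured options, the provider's
    discovery document and the claims of an access token it issued."""
    problems = []
    claims = unverified_claims(token)
    if not opts["issuer"].startswith("https://"):
        problems.append("issuer is not an https:// URL")
    # Issuer comparison is an exact string match, trailing slash included.
    if opts["issuer"] != discovery.get("issuer"):
        problems.append("issuer differs from discovery document")
    if claims.get("iss") != opts["issuer"]:
        problems.append("token iss differs from issuer")
    aud = claims.get("aud")  # aud may be a single string or a list
    if opts["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token aud does not contain audience")
    if "openid" not in opts["scopes"].split():
        problems.append("scopes lacks openid")
    return problems


# Constructed sample data, using the Auth0 example values from the steps above.
DISCOVERY = {"issuer": "https://my-app.us.auth0.com/"}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({"iss": "https://my-app.us.auth0.com/",
                       "aud": ["dbnl.mydomain.com"]}).encode()),
    "constructed-signature",
])
GOOD = {"issuer": "https://my-app.us.auth0.com/", "audience": "dbnl.mydomain.com",
        "clientId": "constructed-client-id", "scopes": "openid profile email"}
# Same options with the trailing slash dropped and openid missing from scopes.
BAD = dict(GOOD, issuer="https://my-app.us.auth0.com", scopes="profile email")

if __name__ == "__main__":
    print(check_oidc_options(GOOD, DISCOVERY, SAMPLE_TOKEN))
    for problem in check_oidc_options(BAD, DISCOVERY, SAMPLE_TOKEN):
        print(problem)
```

In a real check, the discovery document is the JSON served at the issuer URL followed by .well-known/openid-configuration, and the token is one obtained from a test login.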

