Authentication

API Authentication

Personal Access Tokens are used for API authentication and are required for use of the Python SDK.

To create a Personal Access Token click on your profile badge in the lower left of the UI, then click on "Personal Access Token." We recommend saving this as an environment variable like DBNL_API_TOKEN for future use.

New tokens can be generated at any time, but old tokens cannot currently be revoked, so please remember to keep your tokens safe.

User Authentication

The DBNL platform uses OpenID Connect or OIDC for user authentication. OIDC providers that are known to work with DBNL include:

The DBNL Sandbox Deployment does not use OIDC for authentication, but just a default username/password for all users. For fuller authentication controls please consider a full Deployment.

Configuration

OIDC can be configured using the following options in the DBNL Helm chart or Terraform module:

audience
clientId
issuer
scopes

Instructions on how to get those options for each provider can be found below.

Follow the Auth0 instructions to create a new SPA (single page application).
1. In Settings > Application URIs, add the DBNL deployment domain to the list of Allowed Callback URLs (e.g. dbnl.mydomain.com).
Navigate to Settings > Basic Information and copy the Client ID as the OIDC clientId option.
Navigate to Settings > Basic Information and copy the Domain and prepend with https:// to use as the OIDC issuer option (e.g. https://my-app.us.auth0.com/).
Follow the Auth0 instructions to create a custom API.
1. Use your DBNL deployment domain as the Identifier (e.g. dbnl.mydomain.com).
Navigate to Settings > General Settings and copy the Identifier as the OIDC audience option.
Set the OIDC scopes option to "openid profile email".

Follow the Microsoft Entra ID instructions to create a new SPA (single page application) and enable OIDC.
1. Add the DBNL deployment domain as the callback URL (e.g. dbnl.mydomain.com).
[Optional] Follow the Microsoft Entra ID instructions to restrict access to certain users.
Navigate to App Registrations > (Application) > Manage > API permissions and add the Microsoft Graph email, openid and profile permissions to the application.
Navigate to App Registrations > (Application) > Manage > Manifest and set access token version to 2.0 with "accessTokenAcceptedVersion": 2 .
Navigate to App Registrations > (Application) > Manage > Token configuration > Add optional claim > Access > email to add the email optional claim to the access token type.
Navigate to App Registrations > (Application) and copy the Application (client) ID (APP_ID) to be used as the OIDC clientId and OIDC audience options.
Set the OIDC issuer option to https://login.microsoftonline.com/{APP_ID}/v2.0 .
Set the OIDC scopes option to "openid email profile {APP_ID}/.default".

Follow the Okta instructions to create a new SPA (single page application) and enable OIDC.
1. Set the Sign-in redirect URIs to your DBNL domain (e.g. dbnl.mydomain.com)
Navigate to General > Client Credentials and copy the Client ID to be used as the OIDC clientId option.
Navigate to Sign on > OpenID Connect ID Token and copy the Issuer URL to be used as the OIDC issuer and OIDC audience options.
Set the OIDC scopes option to "openid email profile" .

PreviousData Security NextAdministration

Was this helpful?