Third party authentication with OpenID Connect

OpenID Connect for Servers enables you to give a third party access to a restricted set of Pismo endpoints that they can use within your organization. For example, you could give a company access to only those endpoints that are included in the group pismo-v2:bankaccounts:rw This would enable them to use OpenID to authenticate with the Pismo platform, but they would only get access to the endpoints for reading and writing to bank accounts.

By restricting third parties to just the endpoints they need to do their job, you improve your security and limit your liability.

🚧

You should never give a third party full access to the Pismo APIs.

Setting up third party authentication

Every organization on the Pismo platform has a an org ID (also known as a tenant ID) that you can use to authenticate with the Pismo platform. To give a third party restricted access to your organization, you need to open a ticket with the Service Desk requesting that the security team provide access for a tenant that works only for specific endpoints. (Normally, you would specify the endpoints by specifying one or more access groups.)

πŸ“˜

Note that the third party needs to be able to generate JWTs, as described in Generate your JWT. Also, the JWT generated for this authentication must have a unique value for the aud claim. This is how the Pismo platform can tell that a request comes from a third party, not the direct client.

Once third party authentication is configured, your third party can access the specified endpoints using the procedure described in Authentication with OpenID Connect.

🚧

You should never allow two third parties to use the same tenant ID, even if they are accessing the same subset of endpoints. You should request a separate ID for each party. That way, you can always tell which party made a request.