Instance 'Integrations'

A Platform 6 instance will, in most use cases, require access to the P6 Authentication and Authorization services (known as P6 Auth) for User and Organisation data.

This is essential if using the Platform 6 workflow service; workflow steps are defined in terms of both user permissions and their positions held within an organisational tree.

P6 Auth is a secure services server and requires both authentication and authorization before an instance can access its data.

All P6 Auth services require an access token that is issued to an instance when it authenticates itself. Technically this is achieved using OAuth2 and a grant_type of client_credentials.

To make authentication setup both straightforward and secure, we have provided a configuration panel accessible via P6 Portal.

The panel is labeled Integrations and is accessed via the User Administration menu entry.

Integrations

Integrations are configurations allowing authentication of external systems without user interaction (i.e. no username/password exchange via a login screen).

While a Platform 6 instance is the most common and obvious external system requiring authentication, integrations may also be required for other external systems that use Platform 6 services, such as an IoT server pushing notifications.

In summary, an integration configuration is required for every external system that requires an access_token and connects in an automated, unattended manner.

The Integration credentials used by external systems are:

  • Application ID
  • App Secret
  • Redirect URI

Warning

These three credential attributes are used by an external system to generate an access_token/refresh_token pair. This means these attributes are typically stored in an external system's application configuration. It is therefore essential that the attribute values are protected, and also that the permissions assigned to a system acquiring an access_token using this method are restricted.

Other attributes of an Integration are:

  • Name
  • Refresh token(s) valid until revoked
  • Enabled
  • Permission set list

Refresh token(s) valid until revoked

Every access_token expires, and an external system must use a refresh_token to regenerate a valid access_token. A refresh_token will normally expire after 28 days. Enabling this attribute stops the refresh_token from expiring.

Permission set list

A list of permissions associated with the issued access_token/refresh_token. For security reasons, it is advised that the permissions granted are a minimal set only, i.e. fine-grained permissions sufficient only for the small number of operations performed by an external system.

Integration Configuration for a Platform 6 Instance

Each Platform 6 instance should be configured as an Integration.

This is handled automatically when you create your instance in your P6 Console account and then install it following the P6 Install Guide, so in that case you don’t need to read the rest of this section.

Otherwise, it is strongly recommended that the attributes:

  • Application ID
  • App Secret

are complex, long and unique identifiers (use the generate button on the UI to help with this).

Example Platform 6 Integration

Note

Only two permissions are currently required by a typical Platform 6 instance: orgs=read and [instance]:users=read("./")

Once the Integration is created, the Application ID, App Secret and Redirect URI values need to be added to the instance configuration file: application.conf

p6auth {
    client {
        # Application ID of the Integration
        id: "73705350-8de1-11e9-b4f3-5303f388dd00"
        # App Secret of the Integration
        secret: "74686ef0-8de1-11e9-b4f3-5303f388dd00"
    }
}

Once this file has been updated, the instance will need to be restarted.
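Because application.conf now holds the App Secret in clear text, a check like the following can be run before the restart. It is an added example, not part of Platform 6 or its documentation: the function name, the 32-character minimum and the regex-based parsing (not a full HOCON parser) are assumptions, and the sample values are constructed.

```python
import os
import re
import stat
import tempfile

# Matches id: "..." or secret = "..." (simple regex, not a full HOCON parser).
_FIELD = re.compile(r'\b(id|secret)\s*[:=]\s*"([^"]*)"')


def audit_p6auth_conf(path, min_len=32):
    """Return a list of findings for the p6auth client credentials in `path`."""
    findings = []
    # The App Secret is stored in clear text: only the file owner should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o}: accessible beyond the file owner")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    block = re.search(r"p6auth\s*\{(.*)", text, re.S)
    if not block:
        return findings + ["no p6auth block found"]
    creds = {}
    for key, value in _FIELD.findall(block.group(1)):
        creds.setdefault(key, value)  # keep the first id/secret after p6auth {
    # The page asks for complex, long and unique identifiers.
    for key in ("id", "secret"):
        if len(creds.get(key, "")) < min_len:
            findings.append(f"client.{key}: shorter than {min_len} characters")
    if creds.get("id") and creds.get("id") == creds.get("secret"):
        findings.append("client.id and client.secret are identical")
    return findings


if __name__ == "__main__":
    # Constructed sample file; the values are placeholders, not real credentials.
    sample = ('p6auth {\n  client {\n'
              '    id: "constructed-app-id-0123456789abcdefghij"\n'
              '    secret: "short"\n  }\n}\n')
    path = os.path.join(tempfile.mkdtemp(), "application.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(sample)
    os.chmod(path, 0o644)
    for finding in audit_p6auth_conf(path):
        print(finding)
```

An empty list means the file is owner-only and both values meet the length and uniqueness checks; it says nothing about how the values were generated.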