Question
How can I use the OIDC login for an external website to, in the background, also log the user into Foundry so that an iFramed Workshop application doesn’t require a secondary login?
Context
We already have the OIDC authentication provider set up for access to Foundry, which is the same OIDC provider for the external website. If we go with the standard authentication redirect and authenticate, we are able to see the iFrame in the external website, so CSP and everything isn't the problem.
We had the same question a long time ago. AFAIK, it boils down to whether the Foundry authorization server is aware of the issued token with which you access resources through the APIs - its type, resource access and scopes etc.
So yeah, authentication is only half of the story. Authorization is the other half…
I’d be interested though if I am mistaken here and would be happy to learn otherwise.
Best
Florian
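As an added illustration of the authentication-versus-authorization point above (example code written for this page, not from the thread, from Foundry or from any OIDC library): a resource server's authorization layer verifies the signature against a key it trusts and then checks issuer, expiry, audience and scope. A token the external website obtained for its own client_id fails the audience check even though it came from the same provider, and a token from a provider the server never trusted fails at the signature. The issuer URLs, audiences, scope name and the HS256 key are all constructed placeholders; real providers sign with RS256/ES256 and publish keys via JWKS, but the checks are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders only (not real endpoints, client ids or keys).
SHARED_IDP = "https://idp.example/"        # OIDC provider used by both applications
WEBSITE_AUD = "external-website"           # client_id of the external website
RESOURCE_AUD = "resource-server-placeholder"  # audience the Foundry-like resource server expects
IDP_KEY = b"constructed-shared-secret"     # HS256 key standing in for the provider's signing key
NOW = 1_700_000_000                        # fixed clock so the demo is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; stands in for the provider's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_for_resource(token: str, trusted_key: bytes, expected_issuer: str,
                          expected_audience: str, required_scope: str, now: int):
    """Return (accepted, reason): the checks a resource server's authorization layer runs."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust the alg the token asks for
        return False, "unexpected alg"
    expected_sig = hmac.new(trusted_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"         # signed by a key this server does not trust
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != expected_issuer:
        return False, "untrusted issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud:
        return False, "audience mismatch"     # token was issued for a different client
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"         # authenticated, but not authorized for this API
    return True, "ok"


def demo() -> dict:
    # 1. Token the external website already holds: trusted issuer, but its own audience.
    website_tok = mint_token({"iss": SHARED_IDP, "aud": WEBSITE_AUD, "sub": "alice",
                              "scope": "openid profile", "exp": NOW + 600}, IDP_KEY)
    # 2. Token issued for the resource server with the scope it requires.
    resource_tok = mint_token({"iss": SHARED_IDP, "aud": RESOURCE_AUD, "sub": "alice",
                               "scope": "openid api:read", "exp": NOW + 600}, IDP_KEY)
    # 3. Token from a provider whose key the resource server never trusted.
    foreign_tok = mint_token({"iss": "https://other-idp.example/", "aud": RESOURCE_AUD,
                              "sub": "alice", "scope": "openid api:read", "exp": NOW + 600},
                             b"constructed-other-key")
    args = (IDP_KEY, SHARED_IDP, RESOURCE_AUD, "api:read", NOW)
    return {
        "website_token": validate_for_resource(website_tok, *args),
        "resource_token": validate_for_resource(resource_tok, *args),
        "foreign_token": validate_for_resource(foreign_tok, *args),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The website token is rejected with "audience mismatch" rather than "bad signature": the provider is trusted, so authentication succeeded, but the token was never issued for this resource server, which is why a session on the external site does not by itself carry over to the embedded application.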
To my knowledge there is currently no way to create a trust relationship to an external OIDC Provider, not for individual users/TPA users or for all users of an Org.
I have requested this feature especially for TPA users so we could make API calls to Foundry without storing any credentials on the hyperscaler.
For context, Snowflake offers this feature ("external OAuth") and in fact Foundry leverages it to connect to it. Databricks offers something similar for Service Principals. Azure Entra AD offers OIDC Trusts as well. In GCP it's called workload identity.