Manage OAuth credential providers
After you create an OAuth credential provider, Agent Identity retrieves OAuth access tokens for the agent from the OAuth provider and securely stores them in Token Vault. This eliminates the need for the agent to handle OAuth token request logic, such as token caching, or store client secret information in its code.
Prerequisites
We recommend that you assign the Agent Identity administrator permission AliyunAgentIdentityFullAccess to the operator.
Create an OAuth credential provider
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Credential Providers page, click the OAuth2 tab.
-
Click Create Credential Provider.
-
On the Create Credential Provider page, configure the basic information:
-
Credential Provider Name: The name of the OAuth credential provider.
-
Description (Optional): The description of the credential provider.
-
-
In the Configuration Information section of the Create Credential Provider page, configure the provider. If the pre-configured list includes your provider, such as Alibaba Cloud, select it to simplify the configuration. Otherwise, select Custom and configure the settings as described below.
Discovery URL (Recommended)
If the OAuth credential provider supports a discovery URL, we recommend that you use this method. A discovery URL is an OpenID Connect (OIDC) metadata address that typically ends with
/.well-known/openid-configuration. Agent Identity can use the discovery URL to automatically retrieve information such as the issuer (issuer), authorization endpoint (authorization_endpoint), and token endpoint (token_endpoint).Configure the following parameters:
-
Client ID: The ID of the OAuth application registered with the provider. Agent Identity uses this ID to request access tokens from the OAuth provider on behalf of the agent.
-
Client Secret: The key created when you register the OAuth application (usually a Web or Server application type) with the provider. Agent Identity uses this key to authenticate with the OAuth provider's token endpoint.
-
Discovery URL: The OIDC discovery URL of the OAuth provider.
Manual configuration
Use this method when the provider does not support a discovery URL, or when the discovery URL is not accessible over the public network.
Configure the following parameters:
-
Client ID: The ID of the OAuth application registered with the provider. Agent Identity uses this ID to request access tokens from the OAuth provider on behalf of the agent.
-
Client Secret: The key created when you register the OAuth application (usually a Web or Server application type) with the provider. Agent Identity uses this key to authenticate with the OAuth provider's token endpoint.
-
Issuer: The unique identity of the provider's OAuth authorization service, which is typically a URL. This parameter declares the source of the access token.
-
Authorization Endpoint: The address of the provider's OAuth authorization endpoint. Agent Identity uses this address to generate an OAuth request to obtain an authorization code.
-
Token Endpoint: The address of the provider's OAuth token endpoint. Agent Identity uses this address to generate an OAuth request to obtain an access token.
-
Enable PKCE: If the provider supports Proof Key for Code Exchange (PKCE), enable this option to improve security and prevent authorization code theft.
-
-
Click Create Credential Provider.
Delete an OAuth credential provider
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Credential Providers page, click the OAuth2 tab.
-
In the list of credential providers, find the target credential provider, and click Delete Credential Provider in the Actions column.
-
In the Delete Credential Provider dialog box, enter the name of the credential provider, and then click Delete Credential Provider.