External web applications can log in to Synapse and access users’ identity and resources with their consent and with a select, limited scope. This is accomplished using a secure and industry-standard protocol called OpenID Connect (OIDC), which is an extension of OAuth 2.0.

Registering and linking an OAuth 2.0 client

The details of the Synapse OpenID Connect implementation are published on the web in a standard OpenID Configuration document (also called the “discovery document”). The document lists the web endpoints for registration, authorization, and token generation, the scopes of resources that can be requested, and the formats in which Synapse returns information.

...

  • Your name

  • The ID of the client to be verified (see below on how to obtain the client ID)

  • A description of your application

Create an OAuth 2.0 client

An external application can be registered with Synapse as a “client” application by following the steps below. The API reference documents are here, and the following instructions show how to invoke them from the Python and R clients:

...

The ID token is a signed JSON Web Token (JWT). The public key(s) used to verify token signatures are published at the JSON Web Key Set (JWKS) URL listed in the OpenID Configuration document. The ID token carries the requested user identity information; the access token is what authorizes subsequent requests.

Making authorized requests

Access tokens authorize requests to Synapse services. For example, to get an entity’s metadata:

...

If the 'userinfo_signed_response_alg': 'RS256' option was included in the client registration, the result is returned as a signed JSON Web Token; otherwise a plain JSON object is returned.
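Both the ID token and (when registered with 'userinfo_signed_response_alg': 'RS256') the userinfo response are RS256-signed JWTs whose signing keys come from the JWKS URL in the discovery document. The example below, added here and not part of the Synapse documentation or client libraries, shows what a relying party must check before trusting such a token: the algorithm is pinned to RS256 (so a header claiming "none" or an HMAC algorithm is rejected), the key is selected by kid from the key set, the signature is verified with the JWK's RSA public key, and only then are the iss, aud and exp claims checked. The issuer URL, client id and key id are placeholders, and the JWKS is constructed inline with a deterministic toy 512-bit key so the demo runs offline; in real use the key set is fetched from the jwks URL and a maintained JWT library performs the signature check.

```python
import base64, hashlib, hmac, json, math, random, time

# Placeholder values assumed for this example (not Synapse's real issuer, client or key ids).
ISSUER, CLIENT_ID, DEMO_KID = "https://issuer.example", "demo-client-id", "demo-key-1"
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into a k-byte block."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """Verify an RS256 signature with the public key carried in a JWK (kty=RSA)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(signing_input, k))

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique RSA key for kid %r" % header.get("kid"))
    if not rs256_verify(keys[0], (parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(parts[1]))  # trust the payload only after the signature check
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# Demo-only signer: a deterministic toy RSA key (far too small for real use) so the example runs offline.
def _probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    d, r = n - 1, 0  # Miller-Rabin with rng-chosen bases
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits: int = 512, seed: int = 7):
    rng, e = random.Random(seed), 65537
    while True:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and _probable_prime(p, rng) and _probable_prime(q, rng) and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def demo_sign(claims: dict, n: int, d: int, kid: str) -> str:
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15((header + "." + payload).encode(), k), "big")
    return header + "." + payload + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

def _accepts(token: str, jwks: dict, now: int) -> bool:
    try:
        return bool(verify_id_token(token, jwks, ISSUER, CLIENT_ID, now=now))
    except ValueError:
        return False

def run_demo() -> dict:
    n, e, d = demo_keypair()
    to_b64 = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": DEMO_KID, "n": to_b64(n), "e": to_b64(e)}]}
    now = 1_700_000_000  # constructed clock value so the demo is reproducible
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "demo-user", "iat": now, "exp": now + 600}
    token = demo_sign(claims, n, d, DEMO_KID)
    h, p, s = token.split(".")
    forged = b64url_encode(json.dumps(dict(claims, sub="someone-else")).encode())
    none_hdr = b64url_encode(json.dumps({"alg": "none", "kid": DEMO_KID}).encode())
    return {"claims": verify_id_token(token, jwks, ISSUER, CLIENT_ID, now=now),
            "tampered_rejected": not _accepts(h + "." + forged + "." + s, jwks, now),
            "alg_none_rejected": not _accepts(none_hdr + "." + p + ".", jwks, now),
            "expired_rejected": not _accepts(token, jwks, now + 601)}
```

run_demo() verifies a freshly signed token and then shows three rejections: a payload edited after signing, a header switched to alg "none", and a token checked after its exp. The same verify_id_token call applies to a signed userinfo response; when a token names a kid that is not in the cached key set, re-fetch the JWKS from the discovery document's jwks URL once before rejecting it.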

Refresh tokens

Access tokens last for 24 hours, after which the client must either repeat the authorization process or use the refresh token to get a new access token. To do the latter, send a request to the refresh token endpoint:

...