Red Hat SummitConfigure access to external applications with tokens
Token-based authentication permits authentication of third-party tools and services with the platform through integrated OAuth 2 token support. Ansible Automation Platform utilizes both OAuth Tokens and Personal Access Tokens (PATs).
- OAuth Tokens
- OAuth Tokens are tied to specific applications and allow applications to access data without disclosing user login information.
- Personal Access Tokens
- PATs are personal to a user and not tied to a specific application. They are created directly by a user for their own use.
The default expiration for access tokens has been updated from 1000 years to 1 year. This change ensures frequent token rotation for increased credential security.
Access tokens in controller 2.4 and previous versions of the platform gateway were valid for 1000 years. Any existing tokens created before the 2.5.20250604 patch release will retain a 1000 year expiration.
You can customize this setting to meet your specific requirements by modifying the expiration time in your settings.py file as follows:
OAUTH2_PROVIDER__ACCESS_TOKEN_EXPIRE_SECONDS = 31536000Manage OAuth applications
Create and configure token-based authentication for external applications such as ServiceNow and Jenkins. With token-based authentication, external applications can easily integrate with Ansible Automation Platform.
Automation controller OAuth applications on the platform UI are not supported for 2.4 to 2.5 migration.
As a platform administrator, you can configure a custom external application URL within the platform, providing seamless integration with external services. This functionality is currently available as a Technology Preview. Once configured, the external application URL is displayed in the platform UI navigation panel, providing users with easy access to the application. This feature streamlines workflows by ensuring quick access to external services from within the platform UI.
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
With OAuth 2 you can use tokens to share data with an application without disclosing login information. You can configure these tokens as read-only.
You can create an application that is representative of the external application you are integrating with, then use it to create tokens for the application to use on behalf of its users.
Associate these tokens with an application resource to manage all tokens issued for a particular application. By separating the issue of tokens under OAuth Applications, you can revoke all tokens based on the application without having to revoke all tokens in the system.
Get started with OAuth Applications
You can access the OAuth Applications page from the navigation panel by selecting . From there you can view, create, sort and search for applications currently managed by Ansible Automation Platform and automation controller.
If no applications exist, you can create one by clicking .
Application functions
Several OAuth 2 utilities are available for authorization, token refresh, and revoke. You can specify the following grant types when creating an application:
- Password
- This grant type is ideal for users who have native access to the web application and must be used when the client is the resource owner.
- Authorization code
- This grant type should be used when access tokens must be issued directly to an external application or service.
You can only use the authorization code type to acquire an access token when using an application. When integrating an external web application with Ansible Automation Platform, that web application might need to create OAuth2 tokens on behalf of users in that other web application. Creating an application in the platform with the authorization code grant type is the preferred way to do this because:
- This allows an external application to obtain a token from Ansible Automation Platform for a user, using their credentials.
- Compartmentalized tokens issued for a particular application enables those tokens to be easily managed. For example, revoking all tokens associated with that application without having to revoke all tokens in the system.
Request an access token after expiration
The default expiration for access tokens is 1 year.
The best way to set up application integrations by using the Authorization code grant type is to allowlist the origins for those cross-site requests. More generally, you must allowlist the service or application you are integrating with the platform, for which you want to provide access tokens.
To do this, have your administrator add this allowlist to their local Ansible Automation Platform settings file:
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOWED_ORIGIN_REGEXES = [
r"http://django-oauth-toolkit.herokuapp.com*",
r"http://www.example.com*"
]Where http://django-oauth-toolkit.herokuapp.com and http://www.example.com are applications requiring tokens with which to access the platform.
OAuth2 application and token migration (2.4 to 2.6)
During the upgrade from Ansible Automation Platform 2.4 to 2.6, there are important changes to how OAuth2 applications and tokens are managed. Ansible Automation Platform now uses platform gateway OAuth applications and deprecates automation controller OAuth applications.
- Automation controller OAuth applications: You can view and edit existing automation controller applications, but new ones can no longer be created. These legacy applications continue to function, but they might be removed in a future release. Plan to migrate to platform gateway OAuth applications.
- Automation controller tokens: Automation controller personal access tokens (PATs), are also deprecated. Guide users to move to platform gateway PATs.
- Platform gateway OAuth applications and tokens: Platform applications and tokens offer an updated interface and are the standard for future use. Move to these applications and tokens.
Manage OAUTH2_PROVIDER settings
The OAUTH2_PROVIDER settings from automation controller are managed by platform gateway after upgrading from 2.4. to 2.6. The default token expiration values might differ between automation controller and platform gateway.
- The default access token expiration is updated from 1,000 years to 1 year. This change increases credential security through more frequent token rotation.
- Platform gateway’s default OAUTH2_PROVIDER settings are:
{ "ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000, "REFRESH_TOKEN_EXPIRE_SECONDS": 2628000, "AUTHORIZATION_CODE_EXPIRE_SECONDS": 600 }If you previously set a token expiration shorter than one year, you must manually update the platform gateway settings to match your required configuration.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}