
Minimum identity provider (IdP) requirements

At a minimum, your identity provider (IdP) must meet the requirements below to manage access to Cognite Data Fusion (CDF) data securely.

The IdP must issue access tokens that the CDF API can validate. Each access token must be a valid JWT, signed using RS256, with the public key available at the location specified by the JWKS URL. The IdP's JWKS URL must be reachable by the CDF API, and the IdP must respond to requests for the JWKS endpoint or the token endpoint within 1 second, as measured from the CDF API. Contact Cognite to have the JWKS URL added to the list of allowed JWKS URLs.

The IdP must support the following OAuth 2.0 flows:

Tokens and claims

Within a token, multiple claims assert pieces of information about a subject. Tokens issued to authenticate and authorize a subject to access CDF should contain the following claims; some are reserved claims, and the others are custom configured. See this article for more information about tokens and claims.

The table below shows the minimum claims required in a token for CDF to authenticate and authorize the subject when you use Microsoft Entra ID as your IdP.

| Claim  | Required?                    | Description                                                                                        | Expected value                                      |
|--------|------------------------------|----------------------------------------------------------------------------------------------------|-----------------------------------------------------|
| aud    | Must                         | Audience of the JWT (intended recipient).                                                          | URI of the service requiring authentication.        |
| exp    | Must                         | Expiration time of the JWT.                                                                        | Datetime stamp.                                     |
| iat    | Must                         | Issued-at time of the JWT.                                                                         | Datetime stamp.                                     |
| iss    | Must                         | Issuer of the JWT.                                                                                 | URI and path of the IdP that issued the JWT.        |
| sub    | Must                         | Subject of the JWT (the user).                                                                     | User name from the IdP.                             |
| kid    | Should                       | Key identifier.                                                                                    | RS256                                               |
| nbf    | Should                       | Not-before time of the JWT (the token shouldn't be accepted before this time).                     | Datetime stamp.                                     |
| scp    | Should (strongly recommended) | Scope of the JWT (attribute inherited from the scopes defined for the subject in the IdP).        | Text field.                                         |
| groups | Should (strongly recommended) | Groups of the JWT (attribute inherited from the groups defined for the subject in the IdP).       | Object ID of a security group.                      |