If you use FusionAuth to authenticate your users, you can use the same authentication to log users into Xkit to connect other apps to yours.
Scopes not supported
Xkit's token authentication does not validate the scopes field, so any valid token, regardless of scopes, will be accepted.
To set up FusionAuth with Xkit, use the following steps:
1. Log in to your FusionAuth admin screen.
2. If you haven’t set up an RSA signing key, go to “Key Master” and generate a new RSA key.
3. Go to “Tenants” and edit the tenant you wish to use with Xkit.
4. Navigate to the “JWT” tab and update the “Access Token signing key” and “ID Token signing key” to be the RSA key you just created (or an existing one).
5. Navigate to the “General” tab and update or note the “Issuer” value. This is your “iss” claim.
6. Navigate to the “Applications” section.
7. Create a new application, if needed.
8. Note the application id. This is your “aud” claim.
9. Click on Settings in the left sidebar of the Xkit dashboard and scroll down to "User Tokens".
10. Click "Add Custom Issuer".
11. For the "iss Claim", use the value you found in #5 (for example: example.com).
12. For the "aud Claim", use the application id you noted in #8.
13. For the "User ID Claim", keep it as sub to use the standard FusionAuth identifier, or if you have included your User ID as a separate, custom claim, input that field here.
14. For the "JSON Web Key Set URL", use the value https://<YOUR_DOMAIN>/.well-known/jwks.json where <YOUR_DOMAIN> is the hostname of your FusionAuth instance.
15. Click "Save".
Your Xkit installation will now be able to use your FusionAuth ID tokens to log in to Xkit.
To take advantage of the User Groups feature, you'll need to add a custom claim to your FusionAuth tokens indicating the group that your user belongs to. You can then supply that claim as the "Group ID Claim".
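A pre-flight check for the settings above, as an added example that is not part of the Xkit or FusionAuth documentation: it decodes a token and lists where its header and claims disagree with the custom issuer values you entered. The function names, the sample application id and the group claim name are assumptions; the signature is not verified, and scope claims are not examined, in line with the scopes note above.

```python
import base64
import json
import time

def _b64url_decode(part):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(alg="RS256", **claims):
    # Constructed sample: placeholder signature, made-up application id.
    payload = {"iss": "example.com", "aud": "00000000-0000-0000-0000-000000000001",
               "sub": "constructed-user-1", "exp": 2000000000, **claims}
    return ".".join([_b64url_json({"alg": alg, "typ": "JWT"}), _b64url_json(payload), "c2ln"])

def preflight(token, iss, aud, user_id_claim="sub", group_id_claim=None, now=None):
    """List mismatches between a token and the custom issuer settings.
    Decodes only: the signature is NOT verified here."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return ["not a three-part JWT with JSON header and payload"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["not a three-part JWT with JSON header and payload"]
    problems = []
    if header.get("alg") not in ("RS256", "RS384", "RS512"):
        problems.append(f"alg is {header.get('alg')!r}; an RSA signing key gives RS256/RS384/RS512")
    if claims.get("iss") != iss:
        problems.append(f"iss is {claims.get('iss')!r}, issuer setting is {iss!r}")
    token_aud = claims.get("aud")  # aud may be a single string or a list
    if aud not in (token_aud if isinstance(token_aud, list) else [token_aud]):
        problems.append(f"aud is {token_aud!r}, issuer setting is {aud!r}")
    for label, name in (("User ID", user_id_claim), ("Group ID", group_id_claim)):
        if name and name not in claims:
            problems.append(f"{label} claim {name!r} is missing")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("exp is missing or in the past")
    return problems
```

Two tokens that differ only in their scope claim produce the same result here, so any authorization that depends on scopes has to be enforced in your own application.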