ImmPort Auth Service
ImmPort delegates sign-in, token management, and sign-out to a dedicated ImmPort Auth Service, built on OAuth 2.0 and OpenID Connect 1.0 (OIDC). It authenticates users, issues signed JWT access tokens, and enforces access policies across all ImmPort applications and APIs.
OAuth 2.0 / OpenID Connect Endpoints
The OpenID Connect discovery document is available at:
https://www.dev.immport.org/auth/.well-known/openid-configuration
It lists all supported endpoints, scopes, and signing algorithms. Key endpoints are summarised below:
| Endpoint | URL |
|---|---|
| OpenID Configuration (discovery) | https://www.dev.immport.org/auth/.well-known/openid-configuration |
| Issuer | https://www.dev.immport.org/auth |
Authorization (/oauth2/authorize) |
https://www.dev.immport.org/auth/oauth2/authorize |
Token (/oauth2/token) |
https://www.dev.immport.org/auth/oauth2/token |
UserInfo (/userinfo) |
https://www.dev.immport.org/auth/userinfo |
| JWKS (public keys) | https://www.dev.immport.org/auth/oauth2/jwks |
| API Keys UI | https://www.dev.immport.org/auth/api/keys |
user-name-attribute:sub
Supported Flows
| Flow | Use Case |
|---|---|
| Authorization Code + PKCE | Browser-based / SPA login via ImmPort web applications |
| Client Credentials | Server-to-server / machine-to-machine API access |
| API Key (Bearer token) | Recommended for scripted and programmatic access — see API Keys |
Access Tokens
Tokens issued by the Auth Service are signed JWTs. They contain:
- User identity (
sub,username) - Granted authorities / roles
- Expiry (
exp) and issuer (iss) claims
Include the token in all API requests using the Authorization header:
Authorization: Bearer <access_token_or_api_key>
Token signatures can be verified using the public keys published at the JWKS endpoint above.
API Keys
For scripted and automated access, ImmPort recommends using scoped API keys rather than short-lived OAuth tokens. API keys are long-lived, scoped to specific permissions, and managed through the Auth Service UI.
See the API Keys documentation for full instructions on creating and using API keys.