Token broker proxy
The token broker proxy is a service that acts as the bridge between mutual Transport Layer Security (mTLS) based authentication and OAuth2 for clients running in constrained environments, which prevents the direct use of OAuth2 flows, and therefore access to APIs hosted in Snow Atlas.
You must install this service in your environment to be able to use the Snow Atlas browser extension for SaaS. For more information, see Browser extension.
Technical description
The token broker proxy brokers authentication by issuing Bearer access tokens as a result of a successful client mTLS handshake against the token endpoint exposed by this service. The access token can be used by a client, for example, the browser extension, to access Snow Atlas APIs.
When a browser with the browser extension installed starts, the browser extension authenticates against the token broker proxy using mTLS. The token broker proxy accepts mTLS requests, and issues a unique JSON Web Token (JWT) for that client and request.
To enable communication between mTLS and OAuth2 based authentication, the service requires an mTLS certificate chain. For more information, see Certificates required.
Install as a Windows service
This Windows service is in beta.
To install a token broker proxy on your Windows server, you can use the Windows service provided. For more information, see Install token broker proxy.
Install using Helm
To install a token broker proxy in your cluster, you can use the Helm chart provided in the repository github.com/SnowSoftwareGlobal/helm-charts . For more information, see Install token broker proxy.
Security considerations
If you need to revoke the tokens issued by the token broker proxy, you can roll over the signing certificates used, reset the client secret or delete the token broker registration in Snow Atlas. For more information, see Manage token brokers.
To restrict access to your token broker proxy, if you choose to configure the token broker proxy behind a reverse proxy, configured with TLS passthrough, you can allowlist an IP range in the reverse proxy that you use.
Snow Software does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.