AdministrationIdentity and security

Adding OAuth account mappings

Enterprise

Enterprise-tier organizations can use their OAuth provider to manage API access using externally generated tokens. After configuring an OAuth provider, create account mappings to link AI Hub accounts to external identities. When an API request is made with an externally managed token, AI Hub validates the token, and extracts the subject claim to identify the account. The request is authorized based on the mapped account’s assigned roles and associated permissions.

Admins can add and manage OAuth account mappings.

Adding account mappings

Adding account mappings is similar for user and service accounts. Each mapping connects an AI Hub account to a unique external account identifier in your OAuth provider. Each account can have one mapping per configured OAuth provider.

Before you begin

Before adding account mappings, ensure you have:

  • Configured an OAuth provider for your organization.

  • Taken note of external account identifiers for each user or service account you want to map. This identifier must match the value passed in the issued token’s subject claim.

AI Hub looks for the subject in the sub claim, unless configured otherwise.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. For user accounts, on the Members tab, select the user account to map. For service accounts, on the Service accounts tab, select the service account to map.

  3. In the OAuth account mappings section, click Add mapping.

  4. Add a display name to identify the mapping.

  5. Select an OAuth provider configuration.

  6. Enter the external account identifier.

  7. Click Add mapping.

Updating account mappings

You can update the display name of an account mapping.

The external account identifier and OAuth provider can’t be changed for existing mappings. To update these values, delete the mapping and create a new one.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. Select the Members or Service accounts tab.

  3. Select the user or service account with the mapping you want to update.

  4. In the OAuth account mappings section, locate the mapping to update. Click the overflow icon Icon with three stacked vertical dots., then select Edit mapping.

  5. Make any changes, then click Update mapping.

Deleting account mappings

Deleting an account mapping immediately revokes the ability to use OAuth tokens associated with that external account identifier. Active tokens are invalidated on their next use.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. Select the Members or Service accounts tab.

  3. Select the user or service account with the mapping you want to delete.

  4. In the OAuth account mappings section, locate the mapping to delete. Click the overflow icon Icon with three stacked vertical dots., then select Delete mapping.

  5. Enter the confirmation text, then click Delete to confirm.

To delete all mappings, navigate to the OAuth account mappings section of the account’s details page, then click More > Delete all mappings.
Was this page helpful?