OAuth2

IAM in PLTFRMS uses OAuth2 as the core authorization framework for secure, token-based access across both the PLTFRMS platform and customer-owned environments (Realms).

While OpenID Connect is used for authentication (who you are), OAuth2 defines what you are allowed to access and do.


What is OAuth2?

OAuth2 is an authorization framework that enables secure delegated access to resources using access tokens.

In PLTFRMS, OAuth2 is used to:

  • Issue access tokens for APIs and services
  • Define and enforce access scopes and permissions
  • Enable service-to-service authentication
  • Support delegated access on behalf of users or systems

OAuth2 in customer realms

A key aspect of IAM is that OAuth2 is fully available inside customer-owned Realms.

This means each realm acts as its own authorization boundary, where customers can:

  • Define their own OAuth2 clients (applications)
  • Issue access tokens within their realm context
  • Configure scopes, roles, and permissions per application
  • Integrate external systems using their own IAM setup

Each realm effectively operates as an isolated OAuth2 authorization server within IAM.


Scopes, roles, and context

OAuth2 in PLTFRMS is extended with platform-aware authorization concepts.

Instead of only basic scopes, access control can include:

  • Roles (what a user or client can do)
  • Permissions (fine-grained actions)
  • Groups (logical user grouping)
  • Organisation context
  • Realm isolation boundaries

This allows authorization to remain both standards-based and deeply structured.


Access tokens

IAM issues OAuth2 access tokens that represent an authenticated and authorized session.

These tokens:

  • Are short-lived and securely signed
  • Contain scope and context information
  • Are validated on every request
  • Are usable across all PLTFRMS services and APIs

Each token is always tied to a specific realm and context.


Client types

OAuth2 in IAM supports multiple client types within both PLTFRMS and customer realms:

  • Web applications
  • Backend services (machine-to-machine)
  • Public clients (browser or mobile apps)
  • External integrations using customer-owned IAM setups

Each client type follows strict authentication and authorization rules.


Delegated access

OAuth2 enables controlled delegation of access, allowing:

  • Applications to act on behalf of users
  • Services to access resources within defined scopes
  • Cross-system integrations without sharing credentials

All delegated access is explicitly scoped and auditable.


Security model

The OAuth2 implementation in IAM is designed with strong security principles:

  • Strict token validation and signing
  • Short-lived access tokens
  • Separation of authentication (OpenID Connect) and authorization (OAuth2)
  • Realm-based isolation of all access decisions
  • Fine-grained permission enforcement per request
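The checks described in the "Access tokens" and "Security model" lists (signature verification, short lifetime, realm binding, per-request scope enforcement) are shown below as an added example. This is illustrative code, not PLTFRMS's own implementation: it assumes the access token is a JWT, uses HS256 with a constructed shared secret so it runs offline (a real issuer would normally sign with an asymmetric key and publish the public key), and the claim names `realm` and `scope` and the issuer URL are assumptions.

```python
from __future__ import annotations
# Added example: issuing and validating a realm-scoped OAuth2 access token.
# Not PLTFRMS code. Assumes a JWT access token signed with HS256 (shared secret)
# so the example is self-contained; the claim names "realm"/"scope" and the
# issuer URL are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-signing-key"  # constructed value; load from a secret store in real code
ALG = "HS256"                               # pinned: the verifier never trusts the token's own alg


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, realm: str, scopes: list[str], ttl: int = 300, now: int | None = None) -> str:
    """Mint a short-lived token bound to one realm and carrying the granted scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    payload = {
        "iss": f"https://iam.example/realms/{realm}",  # assumed issuer layout
        "sub": sub,
        "realm": realm,
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + ttl,  # short-lived: expiry is part of every validation
    }
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def validate_token(token: str, expected_realm: str, required_scope: str, now: int | None = None) -> dict:
    """Run the per-request checks in order: structure, algorithm, signature, expiry, realm, scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != ALG:  # rejects alg=none and algorithm-confusion attempts
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):  # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))  # only decoded after the signature is trusted
    if now >= int(claims.get("exp", 0)):
        raise TokenError("token expired")
    if claims.get("realm") != expected_realm:  # realm isolation: a token never crosses realms
        raise TokenError("token issued for a different realm")
    if required_scope not in claims.get("scope", "").split():  # fine-grained check per request
        raise TokenError(f"missing scope {required_scope}")
    return claims


def authorize_request(token: str, realm: str, required_scope: str, now: int | None = None) -> tuple[bool, str]:
    """Convenience wrapper a resource server would call on every request."""
    try:
        validate_token(token, realm, required_scope, now)
        return True, "ok"
    except TokenError as e:
        return False, str(e)


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("alice", "acme", ["orders:read"], ttl=300, now=t0)
    print(authorize_request(tok, "acme", "orders:read", now=t0))        # (True, 'ok')
    print(authorize_request(tok, "other-realm", "orders:read", now=t0))  # realm mismatch
    print(authorize_request(tok, "acme", "orders:read", now=t0 + 600))  # expired
```

The order of checks matters: the signature is verified over the encoded header and payload before any claim is read, the algorithm is pinned by the verifier rather than read from the token, and realm and scope are checked on every request rather than once at login, which is what "realm-based isolation of all access decisions" and "fine-grained permission enforcement per request" amount to in practice.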

Why OAuth2 matters

OAuth2 is a core part of IAM because it enables:

  • Secure API access across PLTFRMS
  • Fully isolated authorization per customer realm
  • Scalable integration with external systems
  • Fine-grained, policy-driven access control

Together with OpenID Connect, OAuth2 forms the foundation of identity and access management in PLTFRMS.