OpenID Connect (OIDC) authentication

OpenID Connect (OIDC) is an open authentication protocol that allows Foundry to authenticate to external source systems without the use of static credentials.

When using OIDC, you do not need to configure credentials for a source system in Foundry. Because of this, you can avoid duplicating source system credentials as long-lived secrets in Foundry. Instead, you will configure a trust relationship between Foundry and the source system. Foundry acts as the OIDC identity provider; every time a workflow in Foundry is required to authenticate with the source system (for example, a Data Connection sync), Foundry will issue an OIDC token with claims that identify the Data Connection source being used. The source system is able to validate those claims and provide a short-lived access token that can be used for subsequent interactions with the source system. The scope of that access token, such as the resources it is allowed to access, is managed entirely in the source system using the native authentication and authorization tools available. When configuring the trust relationship, you can add conditions to filter the incoming requests. Untrusted Foundry sources cannot request access tokens to resources in the source system they should not have access to.

Supported sources

The following sources support OIDC authentication. Refer to the individual source documentation for details on how to set up the trust relationship between Foundry and the source system.

OIDC identity token

The following is an example OIDC token generated by Foundry:

{
  "iss": "https://pltroidcpublicexample.blob.store.com/foundry",
  "sub": "ri.magritte..source.7f3b8e21-4d9a-6c2e-1b7d-8a5f3c9e0b4f",
  "aud": "your-source-system-audience",
  "iat": <issued-at>,
  "nbf": <not-before>,
  "exp": <expiry>,
  "jti": "<token-unique-identifier>",
  "scp": "<additional-scope>"
}
Claim   Claim type    Description
iss     issuer URL    The URL that identifies Foundry as an OIDC identity provider.
sub     subject       The source RID of the Foundry source that is connecting to your source system.
aud     audience      The configured audience that identifies your source system.

The source RID carried in the sub claim should be used to filter incoming requests so that untrusted Foundry sources cannot access your resources.

OIDC tokens generated by Foundry expire after one hour.