Integrating Additional Services
The Enterprise server exposes a built-in OAuth 2.0 authorization service so additional tools in your deployment can delegate authentication to it. This is how additional official services, like WARP, are set up by default (if you have them configured for deployment). The supported flow is Authorization Code with PKCE alongside refresh tokens.
- Sign in to the Django admin interface and open Applications under OAuth2 Provider.
- Create a new application for each downstream service, selecting Confidential as the client type and Authorization Code as the grant type.
- Enter one or more redirect URIs and (optionally) a default scope. Scopes map to the descriptions configured in settings.OAUTH2_PROVIDER['SCOPES'].
- Provide the generated client ID and secret to the consuming service.
Discovery metadata is available at https://<your-server>/.well-known/oauth-authorization-server. Standard endpoints are:
- Authorization: /oauth/authorize/
- Token: /oauth/token/
- Introspection: /oauth/introspect/
- Revocation: /oauth/revoke_token/
All downstream services should request the profile scope at minimum. Additional scopes can be introduced as new features require them.