Identity Broker technical reference

This page specifies the technical capabilities, constraints, and behaviour of the Identity Broker service. The Identity Broker supports any integration that can implement the OAuth 2.0 / OpenID Connect flow, including browser-based applications and native desktop applications.

Authentication protocol support

OpenID Connect

Identity layer built on top of OAuth 2.0, used to authenticate users via their identity provider.

OAuth 2.0

Authorisation framework used to obtain access and refresh tokens on behalf of the user.

Proof Key for Code Exchange (PKCE)

Security extension to the OAuth 2.0 flow that protects against authorisation code interception attacks and cross-site request forgery.

Token behaviour

Access token

Short-lived token used by the integration to make requests on behalf of the user.

Refresh token

Used to obtain a new access token without requiring the user to sign in again.

Polling and timeout

The Identity Broker uses a polling mechanism to detect when authentication has been completed. Real-time token discovery via WebSocket is not supported.

If authentication is not completed within 5 minutes, the session times out and the integration returns to its original state.

Rate limits

Identity Broker endpoints are rate limited to 20 requests per minute.
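The following is an added client-side example, not code from this page or from the Identity Broker service: it derives a PKCE verifier/challenge pair as described under "Proof Key for Code Exchange", then polls for completion within the 5-minute session timeout while spacing requests so a single poller stays under the 20-requests-per-minute limit. The `check_once` callable stands in for the broker's status endpoint, whose URL and response shape this page does not specify, so that part is an assumption.

```python
import base64
import hashlib
import secrets
import time

# Constraints stated on this page.
SESSION_TIMEOUT_S = 5 * 60              # authentication must complete within 5 minutes
RATE_LIMIT_PER_MIN = 20                 # broker endpoints allow 20 requests per minute
MIN_POLL_INTERVAL_S = 60 / RATE_LIMIT_PER_MIN   # 3 s spacing keeps one poller under the limit


def code_challenge_for(verifier: str) -> str:
    """S256 challenge (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge).

    The challenge travels in the authorisation request; the verifier stays with
    the client and is sent only on the token request, so an intercepted
    authorisation code cannot be redeemed without it.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


def poll_for_completion(check_once, *, interval_s=MIN_POLL_INTERVAL_S,
                        timeout_s=SESSION_TIMEOUT_S, clock=time.monotonic, sleep=time.sleep):
    """Poll until authentication completes or the session times out.

    check_once() is a hypothetical call to the broker's status endpoint (not
    specified on this page): it returns a token dict once authentication has
    completed, else None. Returns that dict, or None on timeout, at which point
    the integration should reset to its original state.
    """
    if interval_s < MIN_POLL_INTERVAL_S:
        raise ValueError("polling interval would exceed the broker rate limit")
    deadline = clock() + timeout_s
    while True:
        result = check_once()
        if result is not None:
            return result
        remaining = deadline - clock()
        if remaining <= 0:
            return None          # 5-minute session timeout reached
        sleep(min(interval_s, remaining))
```

The `clock` and `sleep` parameters exist so the loop can be exercised with a fake clock instead of waiting five real minutes.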

Out of scope

The following are explicitly outside the scope of the Identity Broker:

  • Real-time token discovery via WebSocket.

  • UI success and error messages — these are handled by the identity provider during the authentication flow, and by the integrating application once authentication is complete.