Integrate to Topicus KeyHub password vault for retrieval of credentials to log in to start a session.

Implemented

robdenegro

Topicus KeyHub offers a REST api for this, which is secured with OAuth2. Documentation is in OpenAPI format.


Hello,
Do you have the link?

Regards

David Hervieux

Hi David,

I'm the lead developer of Topicus KeyHub. You can find the documentation of Topicus KeyHub at https://files.topicus-keyhub.com/manual/. Our OpenAPI file can be found at https://demo.topicus-keyhub.com/keyhub/rest/v1/openapi.json. KeyHub is an on-premise application and runs as a virtual appliance; you can download the virtual appliance from our website: https://topicus-keyhub.com/download-keyhub

When integrating with KeyHub, there are 3 sources of passwords to be considered:

  • The personal password vault under: /keyhub/rest/v1/account/{id}/vault
  • The shared password vaults under: /keyhub/rest/v1/group/{id}/vault
  • The rotating password under: /keyhub/rest/v1/account/provisioning/tokenpwd


To access these resources, you'll need to acquire an access token first using the OAuth2 authorization code flow. This flow requires your application to open a URL in the browser and intercept a redirection (either by intercepting the redirection URI via the OS or by redirecting to a listener on your application). The flow starts with opening a URL like this:
https://tkh-server/login/oauth2/authorize
?client_id=<client-id>
&redirect_uri=<callback-uri>
&scope=profile access_vault provisioning
&response_type=code
&state=<random_state>
&authVault=access
This is a standard OAuth2 authorization request, with the addition of 'authVault=access'. This will instruct Topicus KeyHub to unlock the user's vault and bundle a vault session key with the OAuth2 token. After login, the user is redirected to the given callback-uri with a code. This code can be exchanged for an access token at the token endpoint (/login/oauth2/token). This response also contains a 'vaultSession' attribute.

With the access token, you can already read the rotating password. You can also get a reference to the user's account via /keyhub/rest/v1/account/me and query groups at /keyhub/rest/v1/group?containsAccount={accountid}&hasVault=true (see the OpenAPI documentation for more options). You can also request the vaults to be included in the responses directly for both requests by adding the query parameter 'additional=vault'. These queries should give you lists of vault records, which can then be read. You can only read the secrets of one vault record at a time via the URI returned in the responses. To read the secrets of, for example, a personal record, use: /keyhub/rest/v1/account/{id}/vault/record/{id}?additional=secret. You'll need to add the HTTP header topicus-Vault-session with the vault session returned with the access token.

This is just a quick overview of the API. We also provide other OAuth2 flows and more options on the REST API if needed. If you need more information, please let me know. I can also set up a test account for you on our test environment.

Best regards,
Emond Papegaaij
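The flow Emond describes above, modelled offline as an added example (not Topicus or Devolutions code): building the authorize URL with authVault=access and a random state, rejecting a callback whose state does not match, pulling vaultSession out of the token response, and attaching topicus-Vault-session to the record read. The server name, client id, redirect URI and the Bearer Authorization header are assumptions; the token response is assumed to be standard OAuth2 JSON plus the vaultSession attribute the post mentions.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SCOPES = "profile access_vault provisioning"


def build_authorize_url(server, client_id, redirect_uri, state=None):
    """Return (url, state). A fresh random state binds the later callback to this request."""
    state = state or secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
        "response_type": "code",
        "state": state,
        "authVault": "access",  # KeyHub-specific: unlock the vault, return a vault session key
    })
    return f"https://{server}/login/oauth2/authorize?{query}", state


def code_from_callback(callback_url, expected_state):
    """Extract the code from the redirect; refuse it if state differs (CSRF / mix-up protection)."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this authorization request")
    return params["code"][0]


def parse_token_response(body):
    """Return (access_token, vault_session) from the token endpoint JSON (layout assumed)."""
    data = json.loads(body)
    if "vaultSession" not in data:
        # Without the vault session key the record secrets cannot be read.
        raise ValueError("no vaultSession in token response: authVault=access was not honoured")
    return data["access_token"], data["vaultSession"]


def secret_request(server, account_id, record_id, access_token, vault_session):
    """Build the URL and headers that read one personal vault record's secret."""
    url = (f"https://{server}/keyhub/rest/v1/account/{account_id}"
           f"/vault/record/{record_id}?additional=secret")
    headers = {
        "Authorization": f"Bearer {access_token}",   # assumed standard OAuth2 bearer usage
        "topicus-Vault-session": vault_session,      # header named in the post
    }
    return url, headers
```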

Hello Emond, Rob,

Thank you for the detailed explanation for how to use your API! It will be very useful when we start implementing Topicus KeyHub in RDM.
I've opened a ticket for the feature request. I can't give you an estimate on when we will have this in RDM, but we will update this thread once we are working on it.

Regards,

Hubert Mireault

Hi David and Hubert,

Thanks for picking this up so quickly. As said before, if you need any help, don't hesitate to contact me.

Best regards,
Emond

Hello,

We have completed a first implementation of the Topicus KeyHub integration. It should be available starting from RDM 2020.3.0.0

Regards,

Michaël Beaudin

Hi Michael,

That's great news. Is there any chance we could get a nightly build to test this integration?

Best regards,
Emond

Hello Emond,

That's a good idea. We will send it to you through a private message.

Regards,

Michaël Beaudin