Create an OAuth2 application in XFA
XFA acts as an OAuth2 proxy between your application and your identity provider to verify device security on every login.
How it works
Once configured, when a user signs in to an application using OAuth2:
- Application → Identity Provider: The application redirects the user to your identity provider (e.g. Google Workspace, Okta) to authenticate. Because the redirect_uri has been set to XFA's endpoint (see step 4 below), the identity provider will return the user to XFA after authentication.
- Identity Provider → XFA: After authentication, the identity provider redirects the user back to XFA's redirect URL along with the authorization code.
- XFA verifies the device: XFA checks the security posture of the device against your policy. If the device does not meet your policy, access is denied.
- Token exchange — Application → XFA → Identity Provider: If the device passes, XFA redirects the user back to the application with the authorization code. The application then exchanges the code for an access token by calling XFA's token endpoint instead of the identity provider's; XFA proxies this request to your identity provider's token endpoint and uses the exchange to link the authenticated user to the verified device. The token returned to the application is the identity provider's own and is not modified by XFA. Two consequences worth knowing: whatever the application sends in the token request (client credentials, a PKCE code_verifier) passes through XFA, and the redirect_uri in that request must be the XFA Redirect URL, since the identity provider checks it against the one used in the authorization request.
What to configure where
| Where | What to configure |
|---|---|
| Application (OAuth2 client settings) | Replace the redirect_uri with the XFA Redirect URL, in both the authorization request and the token request, and make sure the identity provider's client registration allows that URL |
| XFA | Integration Name, your application's original Redirect URL, and the Identity Provider's Token Endpoint |
Note: This article assumes that you have an account set up with XFA for your organization and you are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.
1. Log in to the XFA dashboard
2. Create a new application under Enforcement > New > OAuth2 Integration

3. Fill in the OAuth2 settings
Integration Name: A descriptive name for this integration
Redirect URL: The original redirect URL of your application — this is where XFA will forward the user after device verification
Token Endpoint: The OAuth2 token endpoint of your identity provider — XFA uses this to exchange the authorization code for an access token (e.g. https://accounts.google.com/o/oauth2/token for Google Workspace, or https://<your-domain>/oauth2/v1/token for Okta)
Click Save to save your integration.

4. Update your application's OAuth2 settings
After saving, copy the XFA Redirect URL shown in the integration details. In your application's OAuth2 configuration, replace the existing redirect_uri with this XFA Redirect URL. This ensures that after authentication, the identity provider returns the user to XFA for device verification instead of directly to the application. Because the identity provider only redirects to registered URIs, the XFA Redirect URL must also be listed as an allowed redirect URI in the OAuth2 client you registered with the identity provider; if it is not, the login fails with a redirect_uri mismatch error before XFA is ever reached. The application's own state check is unaffected: XFA forwards the state parameter along with the code, and the application must still validate it.
5. Test the connection
Test the login flow by signing in through the application. The browser should be redirected to your identity provider to authenticate, then to XFA for device verification, before being forwarded back to the application. To confirm that the policy is actually enforced, repeat the test from a device that does not meet it: the login should stop at XFA with access denied, and the application should never receive an authorization code.
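The redirect chain and the proxied token exchange described above, as an added simulation that is not XFA's code and does not talk to any real identity provider. The hosts, the device attributes used by the policy, and the way the proxy links a code to a device (an in-memory table keyed by the authorization code) are assumptions made for this example; only the OAuth2 parameter names are standard. It shows the three points a practitioner should check: the identity provider sends the user to XFA's redirect URL rather than the application's, a non-compliant device is stopped at XFA before the application sees a code, and the application's token request (including its client secret and the XFA redirect_uri) is forwarded unchanged.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed hosts for this simulation; none of these are XFA's real endpoints.
IDP_AUTHORIZE = "https://idp.example/authorize"
XFA_REDIRECT_URL = "https://xfa.example/oauth2/callback"  # the "XFA Redirect URL" from step 4
APP_REDIRECT_URL = "https://app.example/oauth2/callback"  # the app's own redirect URL from step 3


def query(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class IdentityProvider:
    """Minimal authorization server: a code is bound to the redirect_uri it was issued for."""
    def __init__(self):
        self.codes = {}

    def authorize(self, url, user):
        q = query(url)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, q["redirect_uri"])
        # The IdP redirects to the requested redirect_uri, which is XFA's endpoint after step 4.
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, body):
        user, redirect_uri = self.codes.pop(body.get("code"), (None, None))
        if user is None or redirect_uri != body.get("redirect_uri"):
            return {"error": "invalid_grant"}  # unknown code or redirect_uri mismatch
        return {"access_token": f"at-{user}-{secrets.token_hex(4)}", "token_type": "Bearer"}


class XfaProxy:
    """Stand-in for XFA: holds the step-3 settings plus a device policy (assumed internals)."""
    def __init__(self, app_redirect_url, idp_token_endpoint, policy):
        self.app_redirect_url = app_redirect_url
        self.idp_token_endpoint = idp_token_endpoint  # callable in place of the IdP token URL
        self.policy = policy
        self.pending = {}   # code -> device id, so the token exchange can be linked to the device
        self.linked = []    # device ids that completed a login

    def callback(self, url, device):
        q = query(url)
        if not self.policy(device):
            return {"status": 403, "reason": "device does not meet policy"}  # denied at XFA
        self.pending[q["code"]] = device["id"]
        loc = f"{self.app_redirect_url}?{urlencode({'code': q['code'], 'state': q['state']})}"
        return {"status": 302, "location": loc}

    def token(self, body):
        device_id = self.pending.pop(body.get("code"), None)
        if device_id is None:
            return {"error": "invalid_grant"}  # this code never passed device verification
        resp = self.idp_token_endpoint(body)    # forwarded as-is, client secret included
        if "access_token" in resp:
            self.linked.append(device_id)       # user-to-device link; token itself untouched
        return resp


class Application:
    """The relying party after step 4: redirect_uri is XFA's and the token request goes to XFA."""
    def __init__(self, client_id, client_secret, token_endpoint):
        self.client_id, self.client_secret, self.token_endpoint = client_id, client_secret, token_endpoint
        self.states = set()

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.states.add(state)
        params = {"response_type": "code", "client_id": self.client_id, "scope": "openid email",
                  "redirect_uri": XFA_REDIRECT_URL, "state": state}
        return f"{IDP_AUTHORIZE}?{urlencode(params)}"

    def finish_login(self, url):
        q = query(url)
        if q.get("state") not in self.states:
            raise ValueError("state mismatch")  # CSRF protection remains the app's job
        self.states.discard(q["state"])
        # redirect_uri must equal the one from the authorization request, i.e. XFA's URL.
        return self.token_endpoint({"grant_type": "authorization_code", "code": q["code"],
                                    "redirect_uri": XFA_REDIRECT_URL,
                                    "client_id": self.client_id, "client_secret": self.client_secret})


def compliant(device):
    """Constructed example policy: disk encryption and an up-to-date OS are required."""
    return device["disk_encrypted"] and device["os_up_to_date"]


def run_login(device, user="alice"):
    """Drive one login IdP -> XFA -> app; returns the token response, or XFA's denial."""
    idp = IdentityProvider()
    xfa = XfaProxy(APP_REDIRECT_URL, idp.token, compliant)
    app = Application("app-client-id", "app-client-secret", xfa.token)
    idp_redirect = idp.authorize(app.start_login(), user)  # user authenticated at the IdP
    xfa_result = xfa.callback(idp_redirect, device)        # device posture checked here
    if xfa_result["status"] != 302:
        return xfa_result                                  # app never receives a code
    return app.finish_login(xfa_result["location"])       # code exchanged through XFA


if __name__ == "__main__":
    print(run_login({"id": "laptop-1", "disk_encrypted": True, "os_up_to_date": True}))
    print(run_login({"id": "laptop-2", "disk_encrypted": False, "os_up_to_date": True}))
```

Running the module prints a Bearer token for the compliant device and a 403 result for the other one. The `IdentityProvider.token` check on `redirect_uri` is what makes the step-4 change mandatory on the token request as well: if the application kept sending its original redirect URL there, a real identity provider would reject the exchange with `invalid_grant`.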