Oauth2
| Administration Page | Application/Contract | Syracuse/Collaboration | class | oauth2s | Representation | oauth2 |
|---|
When a user starts the application, the user's identity must be known to the application in order to grant him access to the application functionalities or not. Usually the application handles authentication on its own, e. g. using a database or an LDAP server. For OAuth2, authentication is done using an external authentication server, and the application will grant access when authentication with the authentication server has been successful.
| Principles of OAuth2 authentication | Restrictions | OAuth2 server definition | Batch authentication for Web services | OAuth2 configuration |
This authentication is different from database or LDAP authentication methods. It is a method where an application can be granted confidential information about a user.
Before this authentication can be used, the application must have been registered with the OAuth2 server to obtain access. This must be done only once. For the registration, a so-called redirect URI (see below) and the data which the application will obtain from the server, must be provided. The OAuth2 server will give a client ID and a client secret.
Assuming that the application has been registered, when the user logs in, the following process is followed:
The application redirects the user to the OAuth2 server first and provides the client ID from the above registration.
The OAuth2 authorization server asks the user to log in unless the user is already logged in with the OAuth2 server.
The OAuth2 authorization server asks whether the application may obtain the data which has been mentioned in the above registration procedure.
If the user approves, the OAuth2 authorization server sends an authorization code to the redirect URI, which has been registered above. The OAuth2 authorization server tells the application that the user is OK and is willing to provide the data.
The application has to authenticate with the OAuth2 authorization server by sending the authorization code together with the client ID and client secret (obtained from above registration) to the OAuth2 authorization server.
If the data is correct, the OAuth2 authorization server answers with an access token (this part is totally invisible to the user). The access token entitles the application to obtain confidential data - for example the user name (and some other data in the future).
There must be an instance of the user entity for this user, and the user must be marked for OAuth2 authentication with this particular server. Then the user can use the application.
The following global configuration is necessary for this authentication.
When you want to do OAuth2 authentication with a Google account, this will only work if the server has a public IP address (and not a local IP address of a local area network).
Name
The name used to reference the OAuth2 setup.
Display name
A user-friendly description.
Active
If the check box is cleared, the server is considered "inactive" and no additional login is possible using this setup.
Oauth2 server URL without path
Defines the protocol, server name, and port of the OAuth2 authorization server, for example,
https://accounts.google.com. This is the base name that will prefix the next paths.Path for authorization
This is the path (relative path based on the Oauth2 server path defined above) used for redirection to the OAuth2 authorization server to allow the user to log in. Default value is
/oauth/authorize.Path to get access token
This is the path (relative path based on the Oauth2 server path defined above) used to contact the OAuth2 server to get the access token.
OAuth2 Client Id
This is the client ID obtained from registration of the application.
OAuth2 Client secret
This is the client secret obtained from registration of the application.
Scope for Oauth2 requests
This information is about data that the application wants to obtain from the OAuth2 server (known from above registration).
Batch authentication
see below Batch authentication for Web services.
Path for redirect URI for Oauth2 server
A URL with this path must be registered with the OAuth2 server. Note that it contains the name of the OAuth2 server in its path. The OAuth2 server uses the redirect URI to send the authorization code to the application server.
URL for requesting user data
This is the URL (relative path based on the Oauth2 server path defined above) used to ask for the data from the OAuth2 resource server using the access token.
User field in user name answer
If the answer for the user data requesting URL is JSON, this is the name of the field within the JSON structure that contains the user name. Default value is "user". The
loginattribute or (authentication nameattribute).
When a Web service should do OAuth2 authentication, no interaction is possible. The Web service can send an access token directly in the Authorize header of the request (Example for value of header: Bearer xyzabc123456). Since there is no information at all about which OAuth2 server should be used, one server must have the flag batch authentication set. This server will be given the access token. Note that there must not be more than one OAuth2 server with the flag set and that the configuration file nodelocal.js must auth field of the session section must contain authentication method "bearer". There will be an error when the access token has expired.
When the OAuth2 server instance is only necessary for batch authentication (e. g. SageId server), only the following data are relevant (the other can be arbitrary):
* URL for requesting user data
* User field in user name answer
In most cases, all users authenticate in the same way. There is a global settings function giving the type of standard authentication:
For each user, the authentication rule can be specified as an exception (in the users definition), and the Authentication field can have the following values:
In any case, the user has to select the correct authentication method from the login screen.
See also the following document that explains the configuration with Oauth2.