How to set up gmail account sso for OAuth2

The administration platform allows you to use the Google account for OAuth2 authentication. The corresponding procedure is detailed in this document.

Prerequisites

• A public URL that can be accessed from the web is required for update 9 of the web server to enable creating Google credentials. For example, the URL is: http://www.my_server.com.

• A Google account that will be used to administrate the service. This can be done by selecting the following link:
  https://accounts.google.com/SignUp?continue=https%3A%2F%2Faccounts.google.com%2FManageAccount to set up an account.
  For example, the account used is: my_admin_account@gmail.com.

• A name must be chosen which will be used as service name. This name must start with a letter (A-Z or a-z) followed by letters (A-Z or a-z), digits and underscores. In the following example, the name MyOauth2 is used.

• oauth2 must be mentioned as a valid authentication method in nodelocal.js

First step: Create a client ID

This operation is done by a gmail user that will administer the authentication service from the Google page: https://console.developers.google.com. If you do not want to use your own account, you can create an administrative user in a preliminary step.

You have to authenticate with the corresponding Google account, and then you can create a project. In the example below, the project name is SageERPX3.

In this project, you must create credentials; under the APIs & auth section on the left list.
By using the Create a new Client ID option, the following page appears where you must define the following:

The application type should be a web application. The origin URL called. In the example above, it is: https://www.my_server.com It can be a URL using http or https protocol, depending on the web server setup. The redirect URL. It starts as the origin URL, followed by: /auth/oauth2/NAME/redirect , where NAME is the name of the service which has been chosen above in the prerequisites (here MyOauth2), and not by: /oauth2/callback as proposed by default.

When you click Create Client ID, the page appears as follows:

It includes:
* A client ID
* A client secret
* The previously entered URL

This page defines the authentication service that will be used by the update 9 web server.

When you connect as my_admin_account@gmail.com on the following URL: https://security.google.com/settings/security/permissions, you will find the access right for this user to the basic account information as shown in the following screen:

Second step: Create an Oauth2 setup for the update 9 web server

This step is done by using the Oauth2 service definition. A dedicated record must be created with the following information as defined in the screen above:

• The name must be exactly the service name as chosen in the prerequisites. The display name can be chosen freely.
• The information in the red frames (Oauth2 server URL without path, Path for authorization, Path to get access token, Scope for Oauth2 requests, URL for requesting user data, and User field in user name answer) have constant values for Oauth2 google authentication. They must be filled exactly as the picture shows it.
• The information in the green frame (Redirect URI for Oauth2 server) depends on the update 9 web server and the service name as chosen in the prerequisites. If it is editable, it must be the web server address followed by the /auth/oauth2/NAME/loginCallback segment (where NAME is the service name).
• The information in blue (Oauth2 client ID and Oauth2 client secret) corresponds to the client ID and the client secret returned from the "Client ID for web application" section in the page that shows the client ID.

Third step: Link your users to their google account

For every user who needs to get connected to Sage X3 People, you have to:
* Assign Oauth2 as the authentication method.
* Select the right Oauth2 service that has been defined.
* Set the gmail address used for authentication in the Email field.

If you return to the Oauth2 setup definition, you will notice that the users using this authentication method are now listed.

How does the user connect?

The login screen contains buttons for different authentication methods. The user must click on the button which shows the name of the service (as defined in the prerequisites above) IN CAPITAL LETTERS. There may be several buttons below the headline "External Accounts". Example:

A direct link can also be typed and set in your browser favorites:
http://www.my_server.com/auth/oauth2/MyOauth2/loginStart.

When this is done, you are redirected to the Google site to authenticate on your Google account if this has not already been done. Any email address for a user defined as using this authentication mode will be accepted if the password is correct. The page appears as follows:

The first time you log in with Google, you will be prompted by Google whether the Sage X3 People application may get access to the email address of that Google account. If you answer yes, you are able to login. The Sage X3 People application will then be contained in the settings of that Google account, and this question will no more be asked until you decide to revoke it. The screen of a normal user having access to several applications looks like this one:

Note that you need to log in with Google only once until you log out of Google or delete the browser cookies. Therefore, the Google login screen may not appear next time.