0

OAUTH2.0 / OpenID 1.0

Description

LogicNets integrates the OAUTH 2.0 authentication framework, which is widely adopted and supported by many identity providers. You can integrate OAUTH2/OpenID 1.0 in your application with the LogicNets oauth_form part, which requires several parameters that are unique for specific identity providers. You can configure these parameters in the LogicNets configuration file (/system/lib/sys/settings.cfg), in the company's configuration file (/dat/bnt/<company>/settings.cfg), or directly in the node that includes this part.

In the attached example of an company's configuration file, both Google and a company's specific IdP are configured.

Configuration

The following is a list of configuration parameters for this part.

Parameter

Description/Use

Type

Input/Output

path

This is the result, including all authentication information, that the system will store in the data object specified in this parameter, for example, access_info.

Data Object

Output

config

  • Preset – Use the OAUTH parameters stored in the LogicNets configuration file based on the selected mode.
  • Custom – Use the OAuth parameters stored in the parameters parameter.

Preset | Custom

Input

mode (only when config = preset)

This specifies which of the configured modes must be used. Check settings.cfg for the available modes.

Google | Office365 | Other

Input

parameter (only when config = custom)

If the parameter type is a string the system will interpret it as a path to a data object that contains the OAuth parameters. Otherwise, the parameters are specified directly.

Variable | Container

Input

parameter.auth_uri

This is the authentication URL; for example, https://accounts.google.com/o/oauth2/auth.

String

Input

parameter.token_uri

This is the token URL; for example, https://accounts.google.com/o/oauth2/token.

String

Input

parameter.scope

This is a space-separated list of OAuth scopes that indicate which parts of the user's account you would like your application to be able to access; for example, openid email.

String

Input

parameter.redirect_uri

This is the URL that is opened by the identity provider when the authentication is finished.

Normally, this is your application URL, including session id. LogicNets provides a generic authentication proxy redirect URL, because all LogicNets applications must include in their URL a session id that changes with every run and some identity providers do not allow flexible redirect URLs.

In every LogicNets installation the following authentication proxy is available: https:///auth.logicnets.com/authentication.lns.

If you leave the parameter empty the system automatically uses the authentication.lns proxy of the current instance.

You must register the redirect URI also at the identity provider. Check the documentation of your identity provider for more information.

If the identity provider is a LogicNets instance you can configure the redirect URI at the LogicNets identity provider instance by going to the System Configuration module, clicking on the Security tab, and entering your redirect URI in the Approved redirect-uri field.

The real redirect URL, including the session id, will be base64 encoded and sent with the authentication URL using the OAuth-state parameter. The authentication proxy will decode this state parameter and redirect the browser to the real URL.

String

Input

parameter.client_id

This is the public client id generated by your identity provider.

String

Input

parameter.client_secret

This is the private client secret generated by your identity provider.

String

Input

The oauth_form part must be placed in a form node. This part handles all redirects and retrieving of the access tokens. Based on the result of these actions this part has two node outputs: succeeded and failed, and the system stores the result in the data object specified in the path parameter. The resulting data object is a container that can have the following items:

Parameter

Description/Use

Type

Input/Output

error

This is the OAuth error code.

String

Output

error_description

This is the error description.

String

Output

token

This is the received token.

Container

Output

parameters

These are the OAuth parameters specified as input.

Container

Input

jwt

This is the decoded JSON web token (JWT) (http://openid.net/specs/openid-connect-core-1_0.html).

Container

Output

user_email

This is the user email address extracted from the JWT. Since not all providers returns the same JWT claims, the user email address is the value of one of the following claims: preferred_username, upn, unique_name, or email.

String

Output

user_id

See user_email above.

String

Output

user_name

This is extracted from JWT claims: name or email.

String

Output

The following sequence diagram illustrates the interaction between the browser, LogicNets, and the identity provider.

 

Users can also configure the LogicNets Logon package to authenticate users with external identity providers, including Google, Live, Office365, and others. To configure the Logon package, follow the steps detailed below.

 

Configure the Logon Package

1. Register your application with the identity provider. LogicNets has a generic registration for Office365, Google, or Windows Live. It is possible to use these if your LogicNets installation is hosted on a LogicNets server. If you want to use the generic registration continue with Step 4. Otherwise, start registering your application using the following links:

2. The identity provider will ask for details like application name, logos, and a redirect URL. You can use LogicNets' default redirect proxy (https://auth.logicnets.com/authentication.lns) as your redirect URL or one of your own installation (https:///authentication.lns).

3. The identity provider will generate a client id and client secret. Store this data in a secure location, as some providers do not allow you to review this information at a later point in time.

4. Open the logicnets configuration of your installation at /system/lib/sys/settings.cfg

  • A quick note about settings:
    • If you add the IDP config to dat/settings.cfg then it will apply to all companies in the installation.
    • If you add the IDP config to dat/<company>/settings.cfg then that IDP configuration will only apply to that one company.

      In general, company-level settings override system-level settings, but when a setting is not specified it will default the system-level settings or even the software default settings.

5. Fill in the client_id, client_secret, and redirect_uri, e g. for Windows Live please adapt _session. AUTH.MODES.windows_live. You can also use another identity provider in addition to Windows Live, SMART Health IT, Office 365, and Google.

6. To enable one or more identity providers adapt OAUTH_MODES  in _context.

7. Add users to the company’s admin database or through the portal. Since users log in externally, you do not need to save passwords.

2replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • In step 4, should the settings.cfg file that is edited be the one located at /dat/settings.cfg or /dat/bnt/<company>/settings.cfg?

    Like
    • Katie Sieg - Thank you for your question. 

      If the IDP config is added to dat/settings.cfg then it will apply to all companies in the installation

      If the IDP config is added to dat/<company>/settings.cfg  then that IDP configuration will only apply to that one company.

       

      This is a general mechanism that applies to all settings. Company level settings override System level settings, but when a setting is not specified it will default the system level settings or even the software default settings. 

      We will update the document with this additional information.

      Like
Like Follow
  • 3 wk agoLast active
  • 2Replies
  • 38Views
  • 5 Following

Home