OAuth 2.0/OpenID 1.0
Description
LogicNets integrates the OAuth 2.0/OpenID Connect authentication framework, which is widely adopted and supported by many identity providers. LogicNets supports all OAuth 2.0/OpenID Connect identity providers (IdPs) that support the Authorization Code flow and sign their tokens with the RS256 or ES256 algorithm.
You can integrate OAuth 2.0/OpenID Connect in your application by enabling authentication in your application and configuring your identity provider in our standard Logon module. The attached document shows an example of a company's configuration file, both for Google and for a company-specific IdP.
For more information about OAuth system integration, see the following:
- OAuth 2.0/OpenID 1.0 for LogicNets v7.4+ for specific details about integrating with LogicNets v7.4+.
- How to Use the OAuth 2.0 Client Credentials Flow Using RS256-signed JWT Bearer for more information about using RS256.
Interaction
The following sequence diagram illustrates the interaction between the browser, LogicNets, and the identity provider.
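The description above requires IdPs that sign their tokens with RS256 or ES256 because the last step of the Authorization Code flow is the relying party verifying that signature and the token's claims before accepting the login. The following is an added example, not LogicNets code: an IdP-style RS256 signer and the relying-party verification that pins the algorithm (so a token claiming `alg: none` or another algorithm is rejected), checks the signature against the IdP's public key, and then checks `iss`, `aud` and `exp`; it uses only the Go standard library, and the issuer, client id and claim values are constructed for the example (`aud` is assumed to be a single string).

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWT the way an IdP using alg RS256 does:
// RSASSA-PKCS1-v1_5 over SHA-256(base64url(header) "." base64url(payload)).
func SignRS256(claims map[string]any, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig)
}

// VerifyIDToken is the relying-party side: pin the alg instead of trusting the
// header, verify the signature with the IdP's key, then check iss/aud/exp (now = Unix seconds).
func VerifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID string, now int64) (map[string]any, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad input -> nil -> rejected below
	var hdr struct{ Alg string } // json matches "alg" case-insensitively
	if json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg not allowed")
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], dec(p[2])) != nil {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if json.Unmarshal(dec(p[1]), &claims) != nil {
		return nil, errors.New("bad payload")
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; missing exp -> 0 -> rejected
	if claims["iss"] != issuer || claims["aud"] != clientID || float64(now) >= exp {
		return nil, errors.New("iss/aud/exp check failed")
	}
	return claims, nil
}
```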
Configuring the Logon Package
Users can configure the LogicNets Logon package to authenticate users with external identity providers, including Google, Live, Office365, and others. To configure the Logon package, follow the steps detailed below.
1. Register your application with the identity provider. LogicNets has a generic registration for Office365, Google, or Windows Live. It is possible to use these if your LogicNets installation is hosted on a LogicNets server. If you want to use the generic registration, continue with Step 4. Otherwise, start registering your application using the following links:
- Office365: https://msdn.microsoft.com/office/office365/howto/add-common-consent-manually#bk_RegisterServerApp or https://apps.dev.microsoft.com/#/appList
- Windows Live: https://dev.live.com
- Google: https://console.developers.google.com/ and https://developers.google.com/identity/protocols/OAuth2
2. The identity provider will ask for details like application name, logos, and a redirect URL. You should use your own installation redirect proxy (https://<your-host>/authentication.lns).
3. The identity provider will generate a client id and client secret. Store this data in a secure location, as some providers do not allow you to review this information at a later point in time.
4. Open the LogicNets configuration of your installation at dat/<company>/settings.cfg.
   A quick note about settings:
   - If you add the IdP config to dat/settings.cfg, it applies to all companies in the installation.
   - If you add the IdP config to dat/<company>/settings.cfg, that IdP configuration applies only to that one company.
   - In general, company-level settings override system-level settings; when a setting is not specified at the company level, the system falls back to the system-level setting or, failing that, the software default.
5. Fill in the client_id, client_secret, and redirect_uri; e.g. for Windows Live, adapt _session.AUTH.MODES.windows_live. You can also use another identity provider in addition to Windows Live, SMART Health IT, Office 365, and Google.
6. To enable one or more identity providers, adapt OAUTH_MODES in _context.
7. Add users to the company’s admin database or through the portal. Since users log in externally, you do not need to save passwords.