Add OAuth2 SSO to web application

Add OAuth2 SSO to a Genero web application.

This task must be performed in the application configuration file (.xcf).

Before you begin, you must have an account with an OAuth2 identity provider (such as Facebook or Instagram) that will provide authentication services for you before you can configure applications for Single Sign On.

Ensure the IdP uses the OAuth2 protocol, see Identify the protocol in use by IdP.

  1. Add the DELEGATE element to the application configuration file (.xcf) of the Genero web application requiring SSO.
  2. Set the SSO parameters for the IdP, and set the service attribute to the Genero OpenIDConnect service: <DELEGATE service="OpenIDConnectServiceProvider">.

    This example shows the application configuration for delegation. Within the DELEGATE element, some parameters are mandatory:

    • OAUTH (mandatory). Set the OAUTH element with the URL of the IdP.
    • SCOPE: (optional) the OAuth2 attributes you want to get from the user at time of authentication (for example, email, phone, address).
    • CLIENT_PUBLIC_ID: (mandatory) the OAuth2 public ID provided by the IdP
    • CLIENT_SECRET_ID: (mandatory) the OAuth2 shared secret ID provided by the IdP.
      Important:

      Ensure the secret you configure here is what the IdP requires; some IdPs need the "client secret ID value", not the client secret ID.

    <?xml version="1.0"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
      <DELEGATE service="OpenIDConnectServiceProvider"> 
          <OAUTH>https://accounts.myOAUTHIdp.com</OAUTH>
          <SCOPE>email</SCOPE>        
          <CLIENT_PUBLIC_ID>XXXXXXXX.apps.myOAUTHIdpusercontent.com</CLIENT_PUBLIC_ID>
          <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>        
      </DELEGATE>
  </EXECUTION>
</APPLICATION>

    With the above configuration and the default GAS configuration, the delegation points to the delegation REST Web service in the $FGLDIR.

The JGAS will handle the OAuth2 protocol and start the web application only when the user has been authenticated, otherwise an HTML error page is returned.

Deploy your application on the JGAS

For details of deploying applications with the JGAS, Launch OpenID Connect/OAuth2 SSO app in JGAS.