ImportOAuth

The ImportOAuth command registers the endpoints of an identity provider (IdP) used for OAuth2 single sign-on, so that the Genero Application Server can send users to the right authorization, token, profile, logout and key URLs.

Set the environment

Before executing the command, set the environment using the envoidc script, found in $FGLDIR/web_utilities/services/openid-connect. On Microsoft® Windows, the script is named envoidc.bat.

The ImportOAuth.4gl source code is provided in $FGLDIR/web_utilities/services/openid-connect/src/. The compiled version is in the bin directory.

Syntax

fglrun ImportOAuth [ options ] IdP
  1. options are described in Table 1.
  2. IdP is the URL of an OAuth2 identity provider (IdP).

The ImportOAuth command line tool follows the convention of other Genero command line tools for both short and long versions of options.

Table 1. ImportOAuth options

-h, --help
    Display help for the command.
    Usage example: fglrun ImportOAuth -h

-l, --list
    List all imported IdPs stored in the database.
    Usage example: fglrun ImportOAuth -l

-s, --show IdP_URL
    Show details for the specified IdP stored in the database.
    Usage example: fglrun ImportOAuth -s https://www.instagram.com
    For an example, go to Show IdP metadata.

-r, --remove
    Remove the OAuth2 entry for the specified IdP from the database.
    Usage example: fglrun ImportOAuth -r https://www.instagram.com

-i, --import
    Import the IdP endpoints and register them in the database for OAuth2.
    For an example, go to Import IdP metadata as OAuth2.

-d, --discover IdP_URL
    Discover whether the IdP supports OpenID Connect and, if so, import its endpoints and register them in the database. This option must be used together with --import. Any endpoint options (--authz, --token, --profile, --logout, --keys) given alongside it are ignored, because the endpoints come from the discovery document.
    Usage example: fglrun ImportOAuth --import --discover https://accounts.google.com
    For an example, go to Import IdP metadata as OpenID Connect.

-a, --authz IdP_endpoint
    OAuth2 authorization endpoint URL (mandatory).
    See Import IdP metadata as OAuth2.

-t, --token IdP_endpoint
    OAuth2 token endpoint URL (mandatory).
    See Import IdP metadata as OAuth2.

-p, --profile IdP_endpoint
    OAuth2 user profile endpoint URL (optional).
    See Import IdP metadata as OAuth2.

-o, --logout IdP_endpoint
    OAuth2 logout endpoint URL (optional).
    See Import IdP metadata as OAuth2.

-m, --parameter custom_param
    Additional parameter (optional). If an IdP registered in the database needs an extra parameter for authentication, such as a federated endpoint, configure it with this option. The custom parameter can be any string not starting with the equals sign "=" and is added as is to the request sent to the IdP.
    For an example, go to Import IdP metadata as OAuth2.

-k, --keys IdP_endpoint
    OAuth2 public JWK keys (JWKS) URL (recommended). Not all OAuth2 providers publish public keys; if the IdP does offer a public keys URL, supply it so that the signature of the ID token can be validated. Without it, the ID token signature cannot be checked.
    See Import IdP metadata as OAuth2.

Usage

When implementing single sign-on for an application or web service with an OAuth2 identity provider, you must use the ImportOAuth command to register the IdP endpoints in the GAS: unlike OpenID Connect, plain OAuth2 gives the GAS no metadata document from which to discover the required endpoints, so they have to be supplied explicitly.

With the ImportOAuth command, you can:
  • Import the endpoints and register a new OAuth2 IdP in the database. For an example, go to Import IdP metadata as OAuth2
  • Import the endpoints and register a new OpenID Connect IdP in the database. For an example, go to Import IdP metadata as OpenID Connect
  • List all registered OAuth2 IdPs stored in the database.
  • Show the endpoints for a given OAuth2 IdP registered in the database.
  • Remove an OAuth2 IdP identified by its URI from the database.
Important:

If the IdP is using the OpenID Connect protocol, there is no need to use the ImportOAuth program as OpenID Connect has the metadata feature that allows Genero's OpenID Connect service to automatically fetch the metadata, including all the endpoint URLs, from the IdP. For more information on SSO implementation with OpenID Connect and OAuth2, see OpenID Connect/OAuth2 SSO.
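The following is an added example, not code from the Genero product or its documentation. It shows the difference the note above describes: an OpenID Connect IdP publishes the endpoint URLs in a discovery document, while for an OAuth2-only IdP an administrator has to collect the same URLs and pass them to ImportOAuth by hand. The script reads a constructed discovery document (the issuer https://idp.example.com, its endpoints and the field values are invented; the field names are the standard OpenID Connect Discovery ones), checks that every endpoint is HTTPS and on the issuer's host, and assembles the corresponding `fglrun ImportOAuth --import ...` command line without running it. The mapping of discovery fields to ImportOAuth options is this example's own assumption based on the option descriptions in Table 1.

```python
"""Build an ImportOAuth command line from OpenID Connect discovery data.

Added example, not part of the Genero product. It performs the manual
step an administrator does for an OAuth2-only IdP: gather the endpoint
URLs and hand them to `fglrun ImportOAuth --import`. Nothing is executed;
the command line is only assembled and returned.
"""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample in the shape of an OpenID Connect discovery document
# (what https://idp.example.com/.well-known/openid-configuration would
# return). Field names follow OpenID Connect Discovery 1.0; all values are
# invented for this example.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})

# Discovery field -> ImportOAuth option, and whether Table 1 marks the
# option as mandatory. (Assumed mapping for this example.)
FIELD_TO_OPTION = [
    ("authorization_endpoint", "--authz", True),
    ("token_endpoint", "--token", True),
    ("userinfo_endpoint", "--profile", False),
    ("end_session_endpoint", "--logout", False),
    ("jwks_uri", "--keys", False),
]


def check_endpoint(url, issuer):
    """Reject endpoints that are not HTTPS or not on the issuer's host.

    An endpoint on a foreign host would send the authorization code or
    tokens somewhere other than the IdP being registered.
    """
    u, i = urlparse(url), urlparse(issuer)
    if u.scheme != "https":
        raise ValueError(f"{url}: endpoint must use https")
    if u.netloc != i.netloc:
        raise ValueError(f"{url}: host differs from issuer {issuer}")
    return url


def endpoints_from_discovery(doc_json, expected_issuer):
    """Return {ImportOAuth option: URL} from a discovery document."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    endpoints = {}
    for field, option, mandatory in FIELD_TO_OPTION:
        url = doc.get(field)
        if url is None:
            if mandatory:
                raise ValueError(f"discovery document lacks {field}")
            continue  # optional endpoint not published: omit the option
        endpoints[option] = check_endpoint(url, expected_issuer)
    return endpoints


def import_oauth_argv(issuer, endpoints):
    """Assemble argv for `fglrun ImportOAuth --import <options> IdP`."""
    argv = ["fglrun", "ImportOAuth", "--import"]
    for option, url in endpoints.items():
        argv += [option, url]
    argv.append(issuer)  # the positional IdP URL
    return argv


def warnings_for(endpoints):
    """Caveats worth showing before the registration is made."""
    notes = []
    if "--keys" not in endpoints:
        notes.append("no JWKS URL: the ID token signature cannot be validated")
    if "--logout" not in endpoints:
        notes.append("no logout endpoint: SSO logout will not reach the IdP")
    return notes


if __name__ == "__main__":
    issuer = "https://idp.example.com"
    eps = endpoints_from_discovery(SAMPLE_DISCOVERY, issuer)
    for note in warnings_for(eps):
        print("warning:", note)
    print(shlex.join(import_oauth_argv(issuer, eps)))
```

Run as a script it prints the assembled command (here with all five endpoint options), which can then be reviewed and pasted into the shell where the envoidc environment has been set. When a provider publishes no `jwks_uri`, the `--keys` option is simply omitted and a warning is emitted, matching the caveat in Table 1 that without a public keys URL the ID token signature is not validated.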