OAuth

The OAuth authentication plugin allows Web UI users to be authenticated via an external system that supports the OAuth 2.0 protocol.

Once an OAuth provider is added and configured, the Web UI login page lets users click on the provider's name to initiate authentication via the third-party system.

OAuth is enabled and controlled through the Service Providers table available in the global settings of the OAuth plugin. It has the following fields:

  • Provider. Unique user-defined ID of the service provider.

  • Description. Description of the provider that will be shown on the Web UI login page. Clicking on the provider description initiates the OAuth-backed authentication process via the selected provider.

  • Settings. Settings for this service provider:

Protected Resource URL

OAuth request URL, i.e. the URL of the provider's web page that contains information about the user being authenticated.

Client ID

Provider's client ID received from a third-party system.

Client Secret

Provider's client password received from a third-party system.

Use Open ID

OpenID is commonly used for Single Sign-On (SSO) scenarios, where a user can log in to one application (the OpenID provider) and then access multiple other applications (relying parties) without having to log in again.

Token Verification Keys

Settings used to verify access and refresh tokens.

Access Token Endpoint

URL of provider's web page that receives access token requests.

Authorization URL

URL of the provider's web page to which a user will be redirected during the OAuth authorization process.

Refresh Token Endpoint

URL of provider's web page that receives token refresh requests.

Logout Endpoint

URL of the provider's web page that allows Iotellect Server to notify the authorization server that a previously obtained refresh or access token is no longer needed.

Scope

OAuth scope that is only necessary in some APIs.

Callback URL

OAuth callback URL is the address to which the authorization server will redirect the user after successful authentication.

It must consist of a valid Iotellect Server host name followed by /webd?provider=provider_id, where provider_id is the Provider field of the service provider.

Identifying Token Parameter

Name of the Identifying Token's parameter whose value will be compared to either:

  • The Iotellect Server user property pointed to by the User Identifying Field, in order to find the local user account that will be authenticated, if the User Identifying Field is not empty.

  • The result of evaluating the User Identifying Expression, if the User Identifying Field is empty.

If there is an exact match, the user is granted access, otherwise the user is not authenticated.

User Context Field Mapping

Each row in this table creates a mapping between a variable in the user context and an identity element returned by the ID token:

  • User Context Field. Platform user properties field whose value will be compared to the value of ID Token Field parameter to find a local user account that will be authenticated. If left blank, the result of the User Identifying Expression will be used instead.

  • ID Token Field. A value of the Identifying Token Parameter that should match the value of the User Context Field or the value returned by the User Identifying Expression.

User Identifying Expression

The expression is evaluated for each user in Iotellect, with the user being evaluated as the default context. If the result of one of these evaluations is exactly equal to the value of the Identifying Token Parameter, the user is granted access.
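The following is an added example, not part of the Iotellect documentation or product code, that models the two settings above (Callback URL and the identity-matching rules for the Identifying Token Parameter, User Context Field and User Identifying Expression) in plain Python. The ServiceProvider and LocalUser classes, the host name iot.example.com, the provider IDs, the user records and the token claims are all constructed for the example; a Python callable stands in for an Iotellect expression, and the decision to refuse login when more than one local user matches is an assumption the page does not state.

```python
"""Added example: callback URL shape and local-user resolution for an OAuth provider."""
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class LocalUser:
    """Constructed stand-in for a platform user account and its properties."""
    name: str
    properties: dict = field(default_factory=dict)


@dataclass
class ServiceProvider:
    """Constructed stand-in for one row of the Service Providers table."""
    provider: str                      # Provider: unique user-defined ID
    server_host: str                   # Iotellect Server host name (assumed value)
    identifying_token_parameter: str   # e.g. "email" or "sub" in the ID token
    user_context_field: Optional[str] = None   # platform user property to compare
    # Stand-in for the User Identifying Expression: called with the user as context.
    user_identifying_expression: Optional[Callable[[LocalUser], object]] = None

    def callback_url(self) -> str:
        # Callback URL: server host name followed by /webd?provider=<provider id>.
        return f"https://{self.server_host}/webd?{urlencode({'provider': self.provider})}"


def is_valid_callback(url: str, provider: ServiceProvider) -> bool:
    """True only when url has exactly the callback shape the plugin expects."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname == provider.server_host
        and parts.path == "/webd"
        and parse_qs(parts.query).get("provider") == [provider.provider]
    )


def resolve_user(provider: ServiceProvider,
                 id_token_claims: Mapping[str, object],
                 users: list) -> Optional[LocalUser]:
    """Return the single local user matching the token, or None (not authenticated)."""
    token_value = id_token_claims.get(provider.identifying_token_parameter)
    # Assumption beyond the page: an absent or blank identifying value never matches,
    # so accounts with an unset property cannot be matched by an empty token claim.
    if token_value in (None, ""):
        return None
    if not provider.user_context_field and not provider.user_identifying_expression:
        return None  # nothing configured to compare against

    matches = []
    for user in users:
        if provider.user_context_field:
            # Compare against the user property named by the User Context Field.
            local_value = user.properties.get(provider.user_context_field)
        else:
            # Field left blank: evaluate the expression with this user as context.
            local_value = provider.user_identifying_expression(user)
        if local_value == token_value:      # exact comparison, no normalisation
            matches.append(user)

    # Assumption: the page does not say what happens when several users match;
    # refusing is the conservative choice, since granting either would be a guess.
    return matches[0] if len(matches) == 1 else None


# Constructed sample data for a stand-alone run.
SAMPLE_USERS = [
    LocalUser("alice", {"email": "alice@example.com"}),
    LocalUser("bob", {"email": "bob@example.com"}),
]
FIELD_PROVIDER = ServiceProvider("corp", "iot.example.com", "email",
                                 user_context_field="email")
EXPR_PROVIDER = ServiceProvider("corp-expr", "iot.example.com", "preferred_username",
                                user_identifying_expression=lambda u: u.name.upper())

if __name__ == "__main__":
    print(FIELD_PROVIDER.callback_url())
    print(resolve_user(FIELD_PROVIDER, {"email": "bob@example.com"}, SAMPLE_USERS))
    print(resolve_user(EXPR_PROVIDER, {"preferred_username": "ALICE"}, SAMPLE_USERS))
```

The comparison is deliberately case-sensitive and performs no trimming, mirroring the page's "exact match" wording; if a provider returns mixed-case e-mail addresses, the User Identifying Expression is the place to normalise the local side rather than loosening the comparison.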
