Users can perform user authentication using the OpenID Connect protocol, which uses a workflow from OAuth 2.0 protocol to communicate with an external authentication server. To allow this type of communication, users must configure both the Elipse Mobile Application and the authentication server.
In the authentication server, a client must be created to connect with an Elipse Mobile Application. In this client, the redirecting URL of the Application must be added. This is the Application's URL plus the suffix "/api/oauth-callback". For example, an Application located in the address https://demo.elipsemobile.com/, the corresponding redirect URL is https://demo.elipsemobile.com/api/oauth-callback. In addition, a client's secret must be created to use in the Application's settings.
NOTE |
Elipse Mobile tries to automatically identify the protocol, HTTP or HTTPS, of the Application's redirecting URL. But there are cases in which the protocol cannot be correctly identified, such as when using an nginx server together with Elipse Mobile. In those cases, users must add the server's URL with the correct protocol in the server_url property in the init.json configuration file. |
Information on the client of the authentication server must be added to the OpenID configuration of the Elipse Mobile's Application, according to the next table.
Available options to configure authentication by OpenID Connect
Option |
Description |
|---|---|
Client ID |
Identifier of an client in the authentication server, also called an Application ID |
Client Secret |
Secret of an client in the authentication server, also called an Application password |
Authorization endpoint |
URL of the authorization endpoint in the authentication server, such as https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize (Microsoft EntraID) or https://accounts.google.com/o/oauth2/v2/auth (Google) |
Token endpoint |
URL of the authentication endpoint in the authentication server, such as https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token (Microsoft EntraID) or https://oauth2.googleapis.com/token (Google) |
Create new users |
Defines whether OpenID-type users are created if there is no OpenID-type user with the same e-mail of the user trying to perform an authentication. If this option is disabled and there is no OpenID-type user registered in Elipse Mobile, no user login is performed. If this option is enabled, the user is then created during the first login, with minimal permissions |
Overwrite user groups |
Defines whether Application functions sent by the authentication server are used as groups of the user in Elipse Mobile. Application functions must be registered in the authentication server and their names must match the name of a group registered in Elipse Mobile |
Disabled |
Defines whether authentication by OpenID is deactivated |
After enabling external authentication, an External authentication option is added to the login page after updating browser's page, according to the next figure.
External authentication option
NOTES |
•For more information about the OpenID Connect protocol, please check OpenID Foundation's website. •For more information about the configuration of an authentication server, please check the respective documentation. For a Microsoft EntraID server, please check the app registration and app roles configuration pages. For a Google Cloud server, please check the OAuth 2.0 configuration page. |