External Authentication by OpenID
Elipse Mobile can authenticate users through the OpenID Connect protocol, which runs on top of OAuth 2.0 flows to talk to an external authentication server. To enable this, both the Elipse Mobile application and the authentication server must be configured.
In the authentication server, a client (application registration) must be created for the Elipse Mobile application. The redirect URL of the Elipse Mobile application must be added to this client. This URL is the application URL followed by the suffix "/api/oauth-callback". For example, if the application is reachable at https://demo.elipsemobile.com/, the corresponding redirect URL is "https://demo.elipsemobile.com/api/oauth-callback". The authentication server compares this value with the redirect URL sent in each login request, so it must match exactly, including the protocol. A client secret must also be created; it is entered later in the Elipse Mobile configuration, together with the client ID.
NOTE
Elipse Mobile tries to identify the protocol of the redirect URL (http or https) automatically. There are cases in which the protocol cannot be identified correctly, for example when Elipse Mobile runs behind nginx (a reverse proxy that terminates TLS and forwards plain HTTP to the application). In those cases, add the server URL, with the correct protocol, to the server_url property in the init.json file; otherwise the redirect URL sent to the authentication server will not match the one registered there and the login will be rejected.
The client information from the authentication server must be entered in the OpenID configuration of the Elipse Mobile application, according to the following table:
Available options to configure authentication by OpenID Connect

Option | Description
---|---
Client ID | Identifier of the client registered in the authentication server, sometimes called an application ID
Client Secret | Secret of the client registered in the authentication server, sometimes called an application password
Authorization endpoint | URL of the authorization endpoint in the authentication server, to which the browser is redirected to log in. Examples: Microsoft Entra ID: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize; Google: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint | URL of the token endpoint in the authentication server, which Elipse Mobile calls directly to exchange the authorization code for tokens. Examples: Microsoft Entra ID: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token; Google: https://oauth2.googleapis.com/token
Create new users | Defines whether an OpenID-type user is created when no OpenID-type user with the same e-mail as the authenticating user exists. If this option is disabled and no matching OpenID-type user is registered in Elipse Mobile, the login is refused. If it is enabled, the user is created during the first login with minimal permissions
Overwrite user groups | Defines whether the application roles sent by the authentication server are used as the user's groups in Elipse Mobile. The application roles must be registered in the authentication server and their names must match, exactly, the name of a group registered in Elipse Mobile
Disabled | Defines whether authentication by OpenID is deactivated
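The exchange that the settings above drive is the standard OpenID Connect authorization-code flow: the browser is sent to the authorization endpoint, comes back to "/api/oauth-callback" with a code, the code is exchanged at the token endpoint using the client secret, and the resulting ID token supplies the e-mail (for user matching) and the roles (for group mapping). The following walkthrough is an added example written for this page, not Elipse Mobile's own code. It derives the redirect URL the same way the text describes, keeps the state and nonce checks a relying party must perform, and maps role claims onto registered groups. The client ID, client secret, callback parameters and ID token contents are constructed placeholders; signature verification of the ID token against the issuer's JWKS is required in practice but is not shown here.

```python
"""OpenID Connect authorization-code flow as seen from a relying party such as
Elipse Mobile.  Example code for this page (not the product's own code).
All identifiers, codes and tokens below are constructed placeholders."""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK_SUFFIX = "/api/oauth-callback"
# Endpoints quoted on the page; {tenant_id} is filled in by the caller.
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
ENTRA_TOKEN = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def redirect_uri(server_url: str) -> str:
    """Redirect URL to register at the authentication server: server URL plus
    the callback suffix.  The scheme must be the one the browser uses; behind
    a TLS-terminating proxy the app may only see http, which is why the page
    says to set server_url explicitly in init.json."""
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("server_url must be an absolute http(s) URL")
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}{CALLBACK_SUFFIX}"


def build_authorization_request(authorization_endpoint, client_id, server_url,
                                scopes=("openid", "email", "profile")):
    """Step 1: URL the browser is redirected to.  Returns (url, state, nonce);
    state and nonce are stored in the server-side session for later checks."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri(server_url), "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return f"{authorization_endpoint}?{urlencode(params)}", state, nonce


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the server sends the browser to /api/oauth-callback?code=..&state=..
    Reject anything whose state does not match the session (forged callbacks)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authentication server returned {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: possible forged callback")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")
    return code


def build_token_request(token_endpoint, client_id, client_secret, server_url, code):
    """Step 3: back-channel POST body for the token endpoint.  redirect_uri must be
    byte-for-byte what step 1 sent, or the server refuses the exchange."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri(server_url),
            "client_id": client_id, "client_secret": client_secret}
    return token_endpoint, urlencode(body)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_id_token_claims(id_token: str, client_id: str, expected_nonce: str) -> dict:
    """Step 4: claim checks on the ID token (aud must name this client, nonce must
    match the session).  The RS256 signature must also be verified against the
    issuer's JWKS before any claim is trusted; that step is omitted here."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise PermissionError("ID token was not issued for this client")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise PermissionError("nonce mismatch: possible token replay")
    return claims


def groups_from_claims(claims: dict, registered_groups: set) -> list:
    """'Overwrite user groups' mapping: keep only role names that exactly match a
    group registered in the application; unknown roles are ignored."""
    return [r for r in claims.get("roles", []) if r in registered_groups]


def demo():
    """Run the whole flow on constructed data; returns (email, groups)."""
    server_url, client_id, client_secret = "https://demo.elipsemobile.com/", "example-client-id", "example-client-secret"
    _auth_url, state, nonce = build_authorization_request(
        ENTRA_AUTHORIZE.format(tenant_id="example-tenant"), client_id, server_url)
    code = parse_callback(f"{redirect_uri(server_url)}?code=constructed-code-123&state={state}", state)
    _token_url, _body = build_token_request(
        ENTRA_TOKEN.format(tenant_id="example-tenant"), client_id, client_secret, server_url, code)
    # Constructed, unsigned ID token standing in for the token endpoint's response.
    payload = {"aud": client_id, "nonce": nonce, "email": "alice@example.com",
               "roles": ["Operators", "NotARegisteredGroup"]}
    id_token = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(payload).encode()), "signature-placeholder"])
    claims = check_id_token_claims(id_token, client_id, nonce)
    return claims["email"], groups_from_claims(claims, {"Administrators", "Operators"})


if __name__ == "__main__":
    print(demo())
```

The state check in parse_callback is what stops an attacker from completing a login in the victim's browser with a code they obtained themselves; the nonce check ties the returned ID token to this particular login attempt. Both values come from secrets.token_urlsafe so they are unguessable, and both comparisons are constant-time.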
After the external authentication is enabled and the browser page is refreshed, a new button labelled "External authentication" appears on the login page.
External authentication button
NOTE
For more information about the OpenID Connect protocol, please check the website of the OpenID Foundation.
NOTE
For more information about configuring the authentication server, please check its documentation: for example, the Microsoft Entra ID help pages about registering applications and adding app roles to an application, or the Google help pages about setting up OAuth 2.0.