Login  
Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Contents

How to add an OAuth App

miniOrange supports Single Sign-on into your apps, to securely login for admins and users. miniOrange supports several different protocols for your applications, such as SAML, WS-FED, OAuth, OIDC, JWT, RADIUS, etc. Using Single Sign-on, users can use one set of credentials to login to multiple applications. This improves security, as it reduces avenues for phishing attacks, and also improves access to your application.

OAuth (Open Authorization) is an open standard for token-based authentication and authorization. OAuth allows an end-user's account information to be used by third-party services, such as Facebook, without exposing the user's password. It acts as an intermediary on behalf of the end-user, providing the service with an access token that authorizes specific account information to be shared. miniOrange provides a solution to perform single sign-on(SSO) for applications supporting OAuth protocol, like Salesforce, WordPress, Joomla, Atlassian, Azure AD, Reddit, Spotify, Paypal, WHMCS, Slack, Discord, etc.


Configure Single Sign-On (SSO) Settings for OAuth Apps:


  • Login into miniOrange Admin Console.
    • miniOrange Identity Platform Admin Handbook: Dashboard applications

  • Click on Apps. It shows a list of all configured applications and option to modify them. Click on Add Application.
    • miniOrange Identity Platform Admin Handbook: Add Application

  • Under Choose Application, select OAuth/OpenID from the All Apps dropdown.
    • miniOrange Identity Platform Admin Handbook: OAuth App type

  • Search for your application from the list, if your application is not found. Search for oauth and you can set up your app via OAuth2/OpenID Connect.
    • miniOrange Identity Platform Admin Handbook: Search OAuth custom app

  • In the Basic tab, enter the following details:
    Display Name Enter the Display Name (i.e., the name for this application).
    Redirect URL Enter the Redirect URL. Make sure it follows this format: https://<mycompany.domain-name.com>
    Client ID Auto-generated. Click the copy icon to use it in your application.
    Client Secret Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it.
    Subject (Optional) Select an attribute from the dropdown list.
    Description (Optional) Add a description if required.
    Upload App Logo (Optional) Upload an app logo (Optional). The app will be shown in the end-user dashboard with the logo that you configure here.
  • Click on Save.
    • miniOrange Identity Platform Admin Handbook: OAuth app details

  • You’ll be taken to the Policies section. Click Add Policy to proceed.
    • miniOrange Identity Platform Admin Handbook: Go to Policies and Add Policy

  • Enter the required details in the dialog box that appears.
    Group Name Select the group for which you wish to add a this policy. For multiple groups, you can click here to add a multiple/separate policies for each group.
    Policy Name You can give a name for the authentication policy.
    First Factor Select the login method as Password and Password-less. You can enable 2-Factor Authentication (MFA), Adaptive Authentication and Force MFA On Each Login Attempt if required.
    • miniOrange Identity Platform Admin Handbook: Enter the Login Policy details

  • Click Submit to add the policy.
  • You’ll see it listed once added.
    • miniOrange Identity Platform Admin Handbook: Policy was successfully added

  • You can go to the Advanced tab to change other settings, such as the expiry time for Access, JWT, and Refresh tokens.
    1. Access Token Expiry: For how long the provided access token should be valid from creation. [In Hours] A new access token has to be generated after the expiry.
    2. JWT Token Expiry: For how long the generated JWT token should be valid. [ In Hours ]
    3. Refresh Token Expiry:For how long the generated refresh token should be valid. [In Days] You will have to generate a new refresh token after the mentioned no. of days.
    miniOrange Identity Platform Admin Handbook: Go to the Advanced tab to set token expiry times.

  • Switch to the Authentication tab.
    Primary Identity Provider Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
    SSO FLows Select the desired SSO flow from the dropdown, such as miniOrange as IDP, miniOrange as Broker, or miniOrange as Broker with Discovery Flow.
    Show on Enduser Dashboard Enable this option if you want to show this app in the end-user dashboard.
    Force Authentication If you enable this option, users will have to log in every time, even if their session already exists.
    Allowed Logout URIs Click the Allowed Logout URIs link to add a list of post-logout redirect URIs. Users will be redirected to one of these URIs after a successful logout from miniOrange.
    Single Logout Enabled Enable this option to send logout requests to other applications when logging out from this app.
    Sign in URL

    You can include user attributes in the sign-in URL using placeholders like {{username}}, {{primaryEmail}}, {{customAttribute1}}, etc. These placeholders will be dynamically replaced with the actual user values during the IdP-initiated SSO flow.

    You can generate url using following attributes: username, primaryEmail, alternateEmail, fname, lname, primaryPhone and customAttribute1.

    The url could be like this login.com/{{username}}/?primaryEmail={{primaryEmail}}

  • Query Parameter Format: https://<sso-url>>?username={{username}} https://<sso-url>>?username={{username}}&email={{primaryEmail}}
  • Path Parameter Format: https://<sso-url>>/{{customAttribute1}}/{{customAttribute2}}/?username={{username}}
    		•
    • miniOrange Identity Platform Admin Handbook: Navigate to Authentication tab

  • Getting Required App Details / Updating App Information::
  • Go to the Apps section from the side menu. From the list of configured apps, locate the app you created. Click the three-dot icon next to the app and select the Edit option.
    • miniOrange Identity Platform Admin Handbook: Edit Application

  • You can edit any of the above-mentioned details in case you want to change them.
    • miniOrange Identity Platform Admin Handbook: OAuth Endpoints

  • OAuth Endpoints:
    • Authorization Endpoint [ https://<your-company-name>.xecurify.com/moas/idp/openidsso ]:
      • This endpoint is used to authenticate the end user with their miniOrange credentials. This authenticates the users and returns a response back to the redirect_url based on the parameters passed in the request. [Mainly the authorization code]
      • This endpoint takes the following parameters :
        • Client_id : client_id of the application as configured in the previous steps
        • Redirect_uri : The callback URL where you want to return the response
        • scope : scope of authorization or level of access, you can send a single or multiple scopes separated by ‘+’. e.g “email+openid”. We support the following scopes :
          • Email : returns the email address of the user in the response
          • Profile : returns user profile information in the response
          • OpenID : returns the id_token containing user profile details.
      • This returns the authorization code and the state parameters in the response.
    • Token Endpoint [ https://<your-company-name>.xecurify.com/moas/rest/oauth/token ] :
      • This endpoint returns the following :
      • Id_token ​Contains user attributes and signatures which you have to validate with provided public certificate.
        • iss https URI that indicates the issuer
        sub identifier of the user at the issuer
        aud client_id of the requesting client
        nonce the nonce parameter value received from the client
        exp expiration time of this token
        iat time when this token was issued
        auth_time time the authentication happened
        at_hash the first half of a hash of the access token
      • Access_token : Valid for 1 hour and can be used to access user info or other endpoints until it is expired.
      • This endpoint takes the following parameters in the request:
        • Client_id : client_id of the application as configured in the previous steps.
        • Client_secret : client_secret of the application as configured in the previous step.
        • Redirect_url : The callback url where the response should be posted.
        • Code : The authorization code received from the authorization endpoint.
        • Grant_type : The OAuth grant you want to use for the request.
    • User Info Endpoint [ https://<your-domain>.xecurify.com/moas/api/oauth/getuserinfo ] : [Required in case of OAuth Only]
      • This API can be used to fetch user profile information with an access token that was assigned to the user. A GET request is sent to the user info endpoint.
      • You need to send the access token in the authorization header to receive the user details.
    • OpenID Single Logout Endpoint : [ https://<your-domain>.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri ] :
      • This endpoint removes the active user session from the miniOrange IDP and redirects the user to the URL mentioned in the post_logout_url parameter.
    miniOrange Identity Platform Admin Handbook: View OAuth Endpoints

  • Click here for a detailed setup guide if you want to authenticate your users via any external Identity Provider like Active Directory, Okta, OneLogin, etc. or any other custom IDPs.