# OAuth authentication

OAuth is a secure authentication method that uses an authentication token instead of a password to connect your application to your user account. Using OAuth, resource owners can configure permissions separately for each client requesting access to the same resource and can also modify/revoke the access at any point of time.

- [Requirements for Configuring OAuth provider](https://www.manageengine.com/network-configuration-manager/help/oauth-authentication.html#req)
- [OAuth Provider Configuration](https://www.manageengine.com/network-configuration-manager/help/oauth-authentication.html#config)
- [Configuring OAuth with Microsoft](https://www.manageengine.com/network-configuration-manager/help/oauth-authentication.html#microsoft)
- [Configuration of OAuth with Google](https://www.manageengine.com/network-configuration-manager/help/oauth-authentication.html#google)

### Requirements for Configuring OAuth provider

1. Creating/registering an App with the respective provider.
2. The following details are required to configure OAuth:
   - Client ID
   - Client Secret
   - Scope
   - Authentication URL
   - Token URL
3. Adding and Updating actions should be authenticated in the respective OAuth provider.

## OAuth Provider Configuration

1. Go to **Settings > General Settings > OAuth Provider - Add OAuth Provider**

   ![Add OAuth provider](https://www.manageengine.com/network-configuration-manager/help/images/OAuth.png)

2. Provide the following details:
   - Profile Name - A unique profile name for each profile.
   - Description - Description about the OAuth profile.
   - Authentication Provider - OAuth provider's name - Google/Microsoft.
   - Timeout - Time required to connect with the provider. Range: 10-300 sec.
   - Client ID - Generated by the provider after registering Network Configuration Manager with the provider.
   - Client Secret - Generated by the provider after registering Network Configuration Manager with the provider.
   - Authentication URL - Generated by the provider after registering Network Configuration Manager with the provider.
   - Token URL - Generated by the provider after registering Network Configuration Manager with the provider.
   - Scope - Generated by the provider after registering Network Configuration Manager with the provider.
3. After providing the above details, save it. You will be redirected to Google/Microsoft authentication based on the OAuth provider. Authenticate it to proceed further.

   ![Authentication](https://www.manageengine.com/network-monitoring/help/images/Oauth-help-2.jpg)

## Configuring OAuth with Microsoft:

1. Go to [Microsoft Azure home page.](https://portal.azure.com/#home)
2. In Azure services, go to **App registrations**.

   ![App registration](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-1.jpg)

3. Click **New registration**.

   ![New registration](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-2.jpg)

4. Follow the below steps to register an application.

   ![Register an application](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-3.jpg)

   - Enter the name of the application.
   - Choose the supported account type as **Single tenant or Multitenant** based on the requirement.
   - For **Redirect URL**, choose type as **Web** and use "

     ![Add OAuth provider](https://www.manageengine.com/network-monitoring/help/images/oauth-help-3.PNG)

   - Then click **Register**, to create an application.
   - After registering the application, you will be redirected to the Application home page. Use **Application ID** as **Client ID**.

     ![Application home page](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-4.jpg)

   - Click "Add a certificate or secret" to enter the Client Secret. Then follow the below steps:
     - Click "New client secret".

       ![New client secret](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-5.jpg)

     - Provide the **Description & Expires time** for the client secret, and click Add.

       ![Add a client secret](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-6.jpg)

     - Copy the value; this will be the Client Secret. (Save this value for future use; it will become unreadable after some time.)

       ![Client secret](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-7.jpg)

     - If the value becomes unreadable and you need the client secret, you can create a new client secret and use its value.
     - This client secret will expire depending on the duration you provide. Once it has expired, create a new client secret and use its value.
   - To configure the **Scope**, go to API permissions and click **Add a permission** to add an API/Permission.

     **NOTE:** Kindly make sure that the following permissions are given, to integrate Network Configuration Manager with Microsoft Teams.

     | Scope | Purpose |
     |---|---|
     | Channels.ReadBasic.All | To fetch the channels list |
     | Teams.ReadBasic.All | To fetch the teams list |
     | ChannelMessage.Send | To send messages to channels |

     ![Request API permissions](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-8.jpg)

   - For **Authentication URL** and **Token URL**, go to the Application home page (Overview) and click **Endpoints**. There, enter **"OAuth 2.0 authorization endpoint (v2)"** as Authentication URL and **"OAuth 2.0 token endpoint (v2)"** as Token URL.

     ![Endpoints](https://www.manageengine.com/network-monitoring/help/images/oauth-ms-9.jpg)

### Recommended Scopes for configuring Mail server with OAuth

We can use the default SMTP scope of Microsoft Azure, `https://outlook.office.com/SMTP.Send`. But, for offline access, this scope should be appended with `offline_access`.
The scope should be: `offline_access https://outlook.office.com/SMTP.Send`

(No additional changes are to be done for this, it will be added by default.)

## Configuration of OAuth with Google

1. Go to [Google console dashboard.](https://console.cloud.google.com/apis/dashboard)
2. Click **Create project**, to create a new project.

   ![OAuth Google](https://www.manageengine.com/network-monitoring/help/images/oauth-google-1.jpg)

3. Provide a name for the application and click **Create**; it will redirect to the Project home page.

   ![New project](https://www.manageengine.com/network-monitoring/help/images/oauth-google-2.jpg)

4. Then go to Library and search for the required **API/Services**. Then enable the API/Services.

   ![Enable APIs and services](https://www.manageengine.com/network-monitoring/help/images/oauth-google-3.jpg)

5. Go to the OAuth consent screen, select the "External" user type and click **Create**.

   ![OAuth consent screen](https://www.manageengine.com/network-monitoring/help/images/oauth-google-4.jpg)

   - In App information, provide **App name, User support email, Developer contact information** (Mandatory fields) and other necessary fields and click Save and continue.

     ![Edit App registration](https://www.manageengine.com/network-monitoring/help/images/oauth-google-5.jpg)

   - To configure the [Scope](https://www.manageengine.com/network-configuration-manager/help/oauth-authentication.html#oauthscope), click "Add or Remove Scopes". Add the required scopes and click Update, then Save and Continue. If any specific scope is not available in the list, go to Library, search for the specific API, enable it, and then try to add the scope.

     ![Add or remove scopes](https://www.manageengine.com/network-monitoring/help/images/oauth-google-6.jpg)

   - To add users who can authenticate through this application, click the "Add users" button and add the users.

     ![Add users](https://www.manageengine.com/network-monitoring/help/images/oauth-google-7.jpg)

   - Then click **Save and Continue**; it will show the summary of the created application.
   - After adding the application details, go to **Credentials** and create a new **OAuth client ID**.

     ![Create credentials](https://www.manageengine.com/network-monitoring/help/images/oauth-google-8.jpg)

   - Select Application type as "Web application" and provide a name for it.

     ![Create a new OAuth client ID](https://www.manageengine.com/network-monitoring/help/images/oauth-google-9.jpg)

   - Then add **redirect URL** as "https://www.manageengine.com/itom/OAuthAuthorization.html", and click **Create**. You can copy the Redirect URL from the OAuth provider page as well.

     ![Create a new OAuth client ID](https://www.manageengine.com/network-monitoring/help/images/oauth-google-10.jpg)

   - Once the credentials have been created, **Client ID and Client secret** will be shown in the dialog box.

     ![Created a new OAuth client ID](https://www.manageengine.com/network-monitoring/help/images/oauth-google-11.jpg)

   - Download the **JSON**; in it we can find Authentication URL and Token URL as auth_url and token_url respectively.

### Recommended Scope for Configuring Mail server with OAuth

- In the API Library (step 4), search for Gmail API and enable it.

  ![Configure mail server](https://www.manageengine.com/network-monitoring/help/images/oauth-google-12.jpg)

- While adding scope, add and use the scope "https://mail.google.com/" under Gmail API.

  ![Enable Gmail API](https://www.manageengine.com/network-monitoring/help/images/oauth-google-13.jpg)
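
A pre-flight check for the profile fields, timeout range and scopes listed on this page, written as an added example (not ManageEngine's code). `lint_profile`, the dict keys and the `purpose` values are hypothetical names, the sample profiles are constructed, and the HTTPS requirement on the two endpoints is an added hardening assumption rather than a documented product rule.

```python
from urllib.parse import urlparse

REQUIRED = ("client_id", "client_secret", "scope", "auth_url", "token_url")
# Scopes the page lists per provider and purpose (space-separated in the Scope field).
WANTED = {
    ("Microsoft", "teams"): {"Channels.ReadBasic.All", "Teams.ReadBasic.All",
                             "ChannelMessage.Send"},
    ("Microsoft", "mail"): {"offline_access", "https://outlook.office.com/SMTP.Send"},
    ("Google", "mail"): {"https://mail.google.com/"},  # Gmail API scope
}

def lint_profile(profile, purpose):
    """Return findings for one OAuth profile; an empty list means it passes."""
    findings = [f"missing {k}" for k in REQUIRED if not str(profile.get(k, "")).strip()]
    provider = profile.get("provider")
    if provider not in ("Google", "Microsoft"):
        findings.append("provider must be Google or Microsoft")
    timeout = profile.get("timeout")
    if not isinstance(timeout, int) or not 10 <= timeout <= 300:
        findings.append("timeout outside 10-300 sec")
    for key in ("auth_url", "token_url"):
        value = str(profile.get(key, "")).strip()
        parsed = urlparse(value)
        # Added hardening check: both endpoints carry credentials, so require TLS.
        if value and (parsed.scheme != "https" or not parsed.hostname):
            findings.append(f"{key} is not an https URL")
    granted = set(str(profile.get("scope", "")).split())
    for scope in sorted(WANTED.get((provider, purpose), set()) - granted):
        findings.append(f"scope missing for {purpose}: {scope}")
    return findings

# Constructed sample profiles; IDs, secrets and the tenant segment are placeholders.
MS_MAIL_OK = {
    "provider": "Microsoft", "timeout": 60,
    "client_id": "CLIENT_ID_PLACEHOLDER", "client_secret": "SECRET_PLACEHOLDER",
    "auth_url": "https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize",
    "token_url": "https://login.microsoftonline.com/TENANT/oauth2/v2.0/token",
    "scope": "offline_access https://outlook.office.com/SMTP.Send",
}
MS_MAIL_BAD = dict(MS_MAIL_OK, timeout=5, client_secret=" ",
                   token_url="http://login.microsoftonline.com/TENANT/oauth2/v2.0/token",
                   scope="https://outlook.office.com/SMTP.Send")

if __name__ == "__main__":
    for name, prof in (("ok", MS_MAIL_OK), ("bad", MS_MAIL_BAD)):
        print(name, lint_profile(prof, "mail"))
```

Running the same mail profile with `purpose="teams"` reports the three Teams permissions from the table as missing, which is the quickest way to see that a profile registered for mail cannot be reused for the Teams integration without adding them.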