OAuth authentication
OAuth is a secure authentication method that uses an authentication token instead of a password to connect your application to your user account. Using OAuth, resource owners can configure permissions separately for each client requesting access to the same resource and can also modify/revoke the access at any point of time.
Requirements for Configuring OAuth provider
- Creating/registering an App with the respective provider.
- The following details are required to configure OAuth:
- Client ID
- Client Secret
- Scope
- Authentication URL
- Token URL
- Adding and Updating actions should be authenticated in the respective OAuth provider.
OAuth Provider Configuration
- Go to Settings > General Settings > OAuth Provider - Add OAuth Provider
- Provide the following details,
- Profile Name - A unique profile name for each profile.
- Description - Description about the OAuth profile.
- Authentication Provider - OAuth provider's name - Google/Microsoft.
- Timeout - Time required to connect with the provider. Range: 10-300 sec.
- Client ID - Generated by the provider after registering OpManager with the provider.
- Client Secret - Generated by the provider after registering OpManager with the provider.
- Authentication URL - Generated by the provider after registering OpManager with the provider.
- Token URL - Generated by the provider after registering OpManager with the provider.
- Scope - Generated by the provider after registering OpManager with the provider.
- After providing the above details, save it. You will be redirected to Google/Microsoft authentication based on the OAuth provider. Authenticate it to proceed further.
Configuring OAuth with Microsoft:
- Go to Microsoft Azure home page.
- In Azure services, go to App registrations,
- Click New registration,
- Follow the below steps to register an application
- Enter the name of the application.
- Choose the supported account type as Single tenant or Multitenant based on the requirement.
- For Redirect URL, choose type as Web and use <https://www.manageengine.com/itom/OAuthAuthorization.html> as redirecting URI. You can copy the Redirect URL from OAuth provider page as well.
- Then click Register, to create an application.
- After registering the application, you will be redirected to the Application home page. Use Application ID as Client ID.
- Click "Add a certificate or secret" to enter the Client Secret. Then follow the below steps,
- Click "New client secret".
- Provide the Description & Expires time for the client secret, and click Add.
- Copy the value, this will be the Client Secret. (Save this value for future use, this will become unreadable after some time.)
- If the value goes unreadable, and you are in need of client secret, you can create a new client secret and use the value.
- This client secret will expire depending on the duration you provide. Once it has expired create a new client secret and use the value.
- To configure the Scope.
- To configure OAuth for Mail Server,
If the OAuth configuration is done for Mail Server, the scope should be https://outlook.office.com/SMTP.Send
But, for offline access, this scope should be appended with 'offline_access'. The scope should be "offline_access https://outlook.office.com/SMTP.Send. (No additional changes are to be done for this, it will be added by default.)
- To integrate OpManager with Microsoft Teams, the following scopes are recommended,
| Scope |
Purpose |
| Channels.ReadBasic.All |
To fetch the channels list |
| Teams.ReadBasic.All |
To fetch the teams list |
| ChannelMessage.Send |
To send messages to channels |
- To integrate OpManager with Microsoft Teams,, API permission is needed. To add an API permission go to API permissions and click Add a permission, and select Microsoft Graph, and choose Delegated permission.
- For Authentication URL and Token URL, go to the Application home page (Overview) and click Endpoints, there enter "OAuth 2.0 authorization endpoint (v2)" as Authentication URL and "OAuth 2.0 token endpoint (v2)" as Token URL.
Configuration of OAuth with Google
- Go to Google console dashboard.
- Click Create project, to create a new project.
- Provide a name for the application and click Create, it will redirect to the Project home page.
- Then go to Library and search for the required API/Services. Then Enable the API/Services.
- Go to the OAuth consent screen, select the "External" user type and click Create.
- In App information, provide App name, User support email, Developer contact information (Mandatory fields) and other necessary fields and click Save and continue.
- To configure the Scope, click "Add or Remove Scopes". Add the required scopes and click Update, then Save and Continue. If any specific scope is not available in the list, go to Library search for the specific API and enable it and then try to add the scope.
- To add users who can authenticate through this application, click the "Add users" button and add the users.
- Then click Save and Continue, it will show the summary of the created application.
- After adding the application details, go to Credentials and create a new OAuth client ID.
- Select Application type as "Web application" and provide a name for it.
- Then add redirect URL as "https://www.manageengine.com/itom/OAuthAuthorization.html", and click Create. You can copy the Redirect URL from the OAuth provider page as well.
- Once the credentials have been created, Client ID and Client secret will be shown in the dialog box.
- Download the JSON, in that we can find Authentication URL and Token URL as auth_url and token_url respectively.
Recommended Scope for Configuring Mail server with OAuth
- In the API Library (step 4), search for Gmail API & Enable it.
- While adding scope, add and use the scope "https://mail.google.com" under Gmail API.
Thank you for your feedback!
