This document explains how to use GAM as an Identity Provider (IDP), using the OAuth 2.0 Authentication Type, for the cases when this solution has to be implemented.
Generally speaking, you need to define a GAM Application in the server, and configure the GAMRemote Authentication Type in the clients in order to use GAM as an OAuth 2.0 provider from GeneXus KBs using GAM.
However, another possibility is to use OAuth 2.0 Authentication Type in the clients.
The recommendation is to use GAM Remote authentication type, as its configuration should be much easier and there are some features that will not be covered when using the other solution. However, by using OAuth 2.0 you have the possibility to configure a different URL to get the user information, or the access token, that is not possible if you use GAM Remote.
Define the GAM Application in the server. Get the client ID and Client secret credentials. This step is the same as what is explained in Identity Provider Configuration for GAM Remote Authentication.
Note that in this case, the properties "Can get user roles" and "Private Encryption Key" will be ignored. Do not check "Private Encryption Key" because there is no way to send the information encrypted from the client.
Define a OAuth 2.0 Authentication Type in the client, as shown in the following images:
Configure the URL $Server/<Base_URL>/oauth/gam/signin?oauth=auth of the IDP.
Configure the URL $Server/<Base_URL>/ /oauth/gam/access_token service of the IDP.
Note the other configuration in the advanced configuration option.
Configure the URL $Server/<Base_URL>/oauth/gam/userinfo service of the IDP.
Note the other information required, in the advanced configuration section.
In order to get additional information of the user from the IDP, see HowTo: Get user's additional information from the GAM Identity Provider. In this case, you have to define the additional information as Custom User Attributes (as shown in the image above) so as the client application can receive it.
The received information will be saved as extended attributes of the user.
- The Attribute Name in the form above is the Id of the GAM extended user attribute, to be saved at the GAM database (you can retrieve the information by using that Id).
- The Attribute Tag is the service JSON response tag, that returns the user information. It's always "CustomInfo" when you use GAM as the OAuth 2.0 IDP.
See Userinfo service response to see the JSON response of the GAM service that returns the information of the user.