HowTo: Use GAM as an OAuth 2.0 provider

Official Content

In most cases, to use GAM as an OAuth 2.0 provider from GeneXus KBs that use GAM, you define a GAM Application in the server and configure the GAM Remote Authentication Type in the clients.
Another option is to use the GAM OAuth 2.0 Authentication Type in the clients.

The recommendation is to use the GAM Remote authentication type: its configuration is much simpler, and some GAM Remote features (for example, retrieving the user's roles from the IDP) are not available with the OAuth 2.0 authentication type. OAuth 2.0 does, however, let you configure a different URL for obtaining the user information or the access token, which is not possible with GAM Remote.

This document explains how to use GAM as an Identity Provider (IDP) through the OAuth 2.0 Authentication Type, for the cases where this solution is required.

1. Define the GAM Application in the server and obtain its Client ID and Client Secret credentials.
This step is the same as explained in Identity Provider Configuration for GAM Remote Authentication. Treat the Client Secret as a server-side credential of the client KB: it is sent to the IDP together with the authorization code when the access token is requested, so the endpoints configured below should be reached over HTTPS.

image_2020320131547_1_png

Note that in this case the properties "Can get user roles" and "Private Encryption Key" are ignored. Do not check "Private Encryption Key", because in this flow the client has no way to send the information encrypted.

2. In the client, define a GAM OAuth 2.0 Authentication Type, as shown in the following images:

General

image_2020320131729_1_png

Authorization

Configure the Authorization URL as $Server/<Base_URL>/oauth/gam/signin?oauth=auth of the IDP.

AuthorizationSectionOauth20

Token

Configure the Token URL as the $Server/<Base_URL>/oauth/gam/access_token service of the IDP.

Note the other settings under the advanced configuration option.

image_202032014505_1_png

image_2020320145031_1_png

User Information

Configure the User Information URL as the $Server/<Base_URL>/oauth/gam/userinfo service of the IDP.

image_2020320132033_1_png

Note the other information required in the advanced configuration section.

image_2020320145235_1_png

image_202032014548_1_png

image_2020320145433_1_png

Note

To obtain additional information about the user from the IDP, see HowTo: Get user's additional information from the GAM Identity Provider. For the client application to receive it, you have to define the additional information as Custom User Attributes, as shown in the image above.

The information received is saved as extended attributes of the user.

  • The Attribute Name in the form above is the Id of the GAM extended user attribute, as saved in the GAM database (you retrieve the information using that Id).
  • The Attribute Tag is the tag in the service's JSON response that carries the user information. It is always "CustomInfo" when GAM is the OAuth 2.0 IDP.
    See Userinfo service response for the JSON that the GAM service returns with the user's information.
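The following is an added example, not code from this page nor from GeneXus or GAM. It shows in Python the authorization-code exchange that the client's OAuth 2.0 authentication type performs against the three GAM endpoints configured in step 2 (signin, access_token, userinfo), including the state check that binds the callback to the session, and then maps the "CustomInfo" tag to the configured Custom User Attributes as described in the Note above. The server https://idp.example.com, the <Base_URL> "MyIDP", the standard OAuth 2.0 parameter names, the attribute names "Department" and "EmployeeId" and the userinfo JSON body are assumptions; FakeGamIdp is a constructed stand-in for the GAM server so the code runs offline.

```python
# Added example; not GAM's own code.  Endpoint paths come from this HowTo,
# everything else (server, Base_URL, parameter names, JSON body) is assumed.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER = "https://idp.example.com"   # assumed $Server
BASE_URL = "MyIDP"                    # assumed <Base_URL>
AUTHORIZE_URL = f"{SERVER}/{BASE_URL}/oauth/gam/signin"
TOKEN_URL = f"{SERVER}/{BASE_URL}/oauth/gam/access_token"
USERINFO_URL = f"{SERVER}/{BASE_URL}/oauth/gam/userinfo"

# Custom User Attributes as configured in the client: Attribute Name -> Attribute Tag.
# The tag is always "CustomInfo" when GAM is the OAuth 2.0 IDP; the names are assumed.
CUSTOM_ATTRIBUTES = {"Department": "CustomInfo", "EmployeeId": "CustomInfo"}


def require_https(url):
    """The client secret and the access token travel in these requests: refuse plain HTTP."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")


def build_authorization_url(client_id, redirect_uri, state):
    """Step 1: URL the browser is sent to (GAM's signin URL carries ?oauth=auth)."""
    params = {"oauth": "auth", "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: GAM redirects back; accept the code only if state matches this session."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not issued for this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def exchange_code(http_post, client_id, client_secret, code, redirect_uri):
    """Step 3: server-to-server POST to the access_token service (secret never reaches the browser)."""
    require_https(TOKEN_URL)
    body = json.loads(http_post(TOKEN_URL, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret}))
    if "error" in body or not body.get("access_token"):
        raise ValueError(f"token request failed: {body.get('error', 'no access_token')}")
    return body["access_token"]


def fetch_userinfo(http_get, access_token):
    """Step 4: call the userinfo service with the bearer token."""
    require_https(USERINFO_URL)
    body = json.loads(http_get(USERINFO_URL, {"Authorization": f"Bearer {access_token}"}))
    if "error" in body:
        raise ValueError(f"userinfo request failed: {body['error']}")
    return body


def extended_attributes(userinfo, custom_attributes=CUSTOM_ATTRIBUTES):
    """Pick each configured Attribute Name out of its tag; anything not configured is dropped."""
    found = {}
    for name, tag in custom_attributes.items():
        section = userinfo.get(tag) or {}
        if name in section:
            found[name] = section[name]
    return found


class FakeGamIdp:
    """Constructed stand-in for the GAM server so the example runs offline (not GAM's real logic)."""
    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes, self.tokens = {}, set()

    def authorize(self, auth_url):
        q = parse_qs(urlsplit(auth_url).query)
        if q["client_id"][0] != self.client_id:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]              # code bound to its redirect_uri
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def post(self, url, form):
        # Codes are single-use and only redeemable with the right secret and redirect_uri.
        if (url != TOKEN_URL or form.get("client_secret") != self.client_secret
                or self.codes.pop(form.get("code"), None) != form.get("redirect_uri")):
            return json.dumps({"error": "invalid_grant"})
        token = secrets.token_urlsafe(24)
        self.tokens.add(token)
        return json.dumps({"access_token": token, "token_type": "Bearer", "expires_in": 3600})

    def get(self, url, headers):
        token = headers.get("Authorization", "")[len("Bearer "):]
        if url != USERINFO_URL or token not in self.tokens:
            return json.dumps({"error": "invalid_token"})
        return json.dumps({"username": "jdoe", "email": "jdoe@example.com",   # constructed body
                           "CustomInfo": {"Department": "Finance", "EmployeeId": "E-1042",
                                          "Unconfigured": "dropped"}})


def login_flow(idp, client_id, client_secret, redirect_uri):
    """End-to-end run; returns (username, extended attributes to store in the client's GAM DB)."""
    state = secrets.token_urlsafe(16)
    callback = idp.authorize(build_authorization_url(client_id, redirect_uri, state))
    code = parse_callback(callback, state)
    token = exchange_code(idp.post, client_id, client_secret, code, redirect_uri)
    info = fetch_userinfo(idp.get, token)
    return info["username"], extended_attributes(info)
```

Running login_flow(FakeGamIdp("cid", "sec"), "cid", "sec", "https://app.example.com/cb") yields the user "jdoe" with {"Department": "Finance", "EmployeeId": "E-1042"}; the "Unconfigured" key in CustomInfo is discarded because no Custom User Attribute was defined for it, and a callback whose state does not match the session, or a token request with the wrong Client Secret, is rejected before any user information is stored.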