HowTo: Use GAM as an OAuth 2.0 provider

Official Content
This documentation is valid for:

In most general cases, in order to use GAM as an OAuth 2.0 provider from GeneXus KBs using GAM, you define a GAM Application in the server, and configure the GAMRemote Authentication Type in the clients.
However, another possibility is to use OAuth 2.0 Authentication Type in the clients. 

The recommendation is to use GAM Remote authentication type, as its configuration should be much easier and there are some features that will not be covered when using the other solution. However, using OAuth 2.0 you have the possibility to configure a different URL to get the user information, or the access token, that it's not possible if you use GAM Remote.

This document explains how to use GAM as an Identity Provider (IDP), using the OAuth 2.0 Authentication Type, for the cases when this solution has to be implemented.

1. Define the GAM Application in the server. Get the client ID and Client secret credentials.
This step is the same as what is explained in Identity Provider Configuration for GAM Remote Authentication.


Note that in this case, the properties "Can get user roles" and "Private Encryption Key" will be ignored. Do not check "Private Encryption Key" because there is no way to send the information encrypted from the client.

2. In the client, define a OAuth 2.0 Authentication Type, as shown in the following images:




Configure the URL $Server/<Base_URL>/oauth/gam/signin?oauth=auth of the IDP.



Configure the URL $Server/<Base_URL>/ /oauth/gam/access_token service of the IDP.

Note the other configuration in the advanced configuration option.



User Information

Configure the URL $Server/<Base_URL>/oauth/gam/userinfo service of the IDP.


Note the other information required, in the advanced configuration section.





In order to get from the IDP additional information of the user, see HowTo: Get user's additional information from the GAM Identity Provider. In this case, to be received at the client application, you have to define the additional information as Custom User Attributes as shown in the image above.

This information received, will be saved as extended attributes of the user.

  • The Attribute Name in the form above is the Id of the GAM extended user attribute, to be saved at the GAM database (you can retrieve the information by using that Id).
  • The Attribute Tag is the service JSON response tag, that returns the user information. It's always "CustomInfo" when you use GAM as the OAuth 2.0 IDP.
    See Userinfo service response to see the JSON response of the GAM service that returns the information of the user.