
OAuth 2.0 Common

Overview

Open Authorization 2.0 (OAuth 2.0) is an authentication and authorization framework that gives third-party applications limited access to HTTP services, and authorizes those applications on behalf of consenting users, by means of various grants. In this article, we will go through everything you need to know to link AppsAnywhere to an OAuth 2.0 service for single sign-on.

AppsAnywhere uses the Authorization Code grant type, where an authorization code is exchanged for an access token once the user has provided consent. This access token will then typically contain the identity information required to authenticate the user and authorize them for use of AppsAnywhere.

AppsAnywhere currently supports OAuth 2.0 with two providers:

  • Microsoft Entra ID (formerly Azure Active Directory) (described by OAuth 2.0 Azure)

  • Active Directory Federation Services (described by OAuth 2.0 ADFS)

It is recommended that you follow these guides first to ensure setup is complete on the provider side, and that you have the information necessary to then configure the SSO method within AppsAnywhere.

For most providers you will need to specify a return URL when configuring OAuth 2.0. As you will not yet have configured AppsAnywhere, it is a good idea to decide on a "URL Identifier" ahead of time so you can provide the full and correct return URL during setup.

For example, if your site was located at https://myappsanywhere.com and you wanted your URL identifier to be my-oauth, then the resulting return URL would be https://myappsanywhere.com/sso/oauth2/my-oauth

Adding OAuth 2.0 Methods

If you are unfamiliar with the process for adding new SSO methods, the steps and information about the common settings shared by all SSO methods can be found on the Single Sign-On Settings page. When selecting which method to add, however, be sure to pick from the OAuth 2.0 category, and select the one that corresponds to the provider you are planning to use.

For Microsoft Entra ID, select the following:

image-20240130-100334.png

Or for Active Directory Federation Services, select:

image-20240130-100417.png

OAuth 2.0 Specific Settings

In addition to the common settings mentioned on the Single Sign-On Settings page, OAuth 2.0 methods include the following:

Client ID

  • Description: The OAuth 2.0 client ID that will either have been generated or supplied by you during the OAuth 2.0 setup of your selected provider.

  • Intended Value: If supplied by you, make sure it matches exactly. If it is generated by the provider, just make sure you copy it across.

Client Secret

  • Description: The OAuth 2.0 secret that will have been generated and given to you during the OAuth 2.0 setup of your selected provider. Although this will not be visible to you when making future edits, it does not need to be supplied every time you save.

  • Intended Value: As this is generated by the provider, just make sure you copy it across.

Authentication URL

  • Description: The base URL of your chosen provider, to which paths are appended when determining each full URL. Example: https://myoauth2endpoint.com[paths-appended-here]

  • Intended Value: A standard well-formed URL, ideally with no trailing slash (e.g. https://myoauth2endpoint.com). For Microsoft Entra ID, this will typically not need changing from the default.

Login Path

  • Description: The base path which will be appended to the Authentication URL, forming the main URL used before appending the authentication or token paths. Example: https://myoauth2endpoint.com/example

  • Intended Value: A URL-compliant URI, ideally with no trailing slash (unless only "/"), e.g. /example. This will typically not need changing from the default.

Authentication Path

  • Description: The path which will be appended to the main URL (Authentication URL + Login Path), providing the endpoint to which OAuth 2.0 authorization requests are sent. Example: https://myoauth2endpoint.com/example/oauth2/authorize

  • Intended Value: A URL-compliant URI, ideally with no trailing slash, e.g. /oauth2/authorize. This will typically not need changing from the default.

Token Path

  • Description: The path which will be appended to the main URL (Authentication URL + Login Path), providing the endpoint to which OAuth 2.0 token requests are sent. Example: https://myoauth2endpoint.com/example/oauth2/token

  • Intended Value: A URL-compliant URI, ideally with no trailing slash, e.g. /oauth2/token. This will typically not need changing from the default.

Provider

  • Description: The selected provider is primarily used by AppsAnywhere to determine the means by which identity information for the authenticating user is retrieved and processed. As OAuth 2.0 (without OpenID) provides standards only for the authentication and authorization of users, each provider is therefore tailor-made for retrieving information about the user logging in.

  • Intended Value: This should match the system you are trying to link AppsAnywhere to, as described earlier.

Tenant

  • Description: The tenant ID to use. Allows AppsAnywhere to use the tenant-specific login URL rather than the /common URL. This is required if using Microsoft Entra ID with an OAuth 2.0 application in single tenant mode. If no value is provided, AppsAnywhere will use multi-tenant mode.

    Note: Microsoft Entra ID Single tenant vs. Multitenant

    If Single tenant is selected for the App registration in Microsoft Entra ID, you MUST also enter the correct tenant ID in the ‘Tenant’ field when configuring the OAuth 2.0 connection on AppsAnywhere.

    If Multitenant is selected for the App registration in Microsoft Entra ID, you MUST NOT enter a value in the ‘Tenant’ field when configuring the OAuth 2.0 connection on AppsAnywhere.

  • Intended Value: For Microsoft Entra ID, this should contain the Entra tenant ID to use if the App registration in Microsoft Entra ID is set to single tenant.
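
The following is an added example, not AppsAnywhere's own code: it composes the authorization and token endpoints from the settings above and builds the two requests of the Authorization Code grant. The dictionary keys, the function names and the rule that a Tenant value replaces the Login Path segment are assumptions made for illustration; the client ID and secret are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit

def join_url(base, *paths):
    """Join with exactly one slash per segment; empty or "/" segments vanish."""
    url = base.rstrip("/")
    for p in paths:
        if p.strip("/"):
            url += "/" + p.strip("/")
    return url

def endpoints(cfg):
    """Authentication URL + Login Path + Authentication Path / Token Path."""
    if urlsplit(cfg["authentication_url"]).scheme != "https":
        raise ValueError("Authentication URL must use https")
    # Assumption: Tenant replaces the Login Path (Entra /common vs /<tenant-id>).
    login = cfg.get("tenant") or cfg["login_path"]
    main = join_url(cfg["authentication_url"], login)
    return (join_url(main, cfg["authentication_path"]),
            join_url(main, cfg["token_path"]))

def return_url(site, identifier):
    """Return URL to register with the provider; it must match exactly."""
    return join_url(site, "sso/oauth2", identifier)

def authorization_request(cfg, redirect_uri, state):
    """Step 1: front-channel redirect where the user signs in and consents."""
    query = {"response_type": "code", "client_id": cfg["client_id"],
             "redirect_uri": redirect_uri, "state": state}
    return endpoints(cfg)[0] + "?" + urlencode(query)

def token_request(cfg, redirect_uri, code):
    """Step 2: back-channel POST exchanging the code for an access token."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"]}
    return endpoints(cfg)[1], form

# Constructed sample settings (hostnames from the page's examples; the
# client ID and secret are placeholders, not real credentials).
CFG = {"client_id": "example-client-id", "client_secret": "example-secret",
       "authentication_url": "https://myoauth2endpoint.com/",
       "login_path": "/example", "authentication_path": "/oauth2/authorize",
       "token_path": "/oauth2/token", "tenant": ""}

if __name__ == "__main__":
    redirect = return_url("https://myappsanywhere.com", "my-oauth")
    print(authorization_request(CFG, redirect, secrets.token_urlsafe(16)))
    print(token_request(CFG, redirect, "code-from-callback")[0])
```

The state value ties the callback to the browser session that started the login, so it should be random per request and checked when the code comes back.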
