Replace <workflowgen url> with the domain and path to your WorkflowGen instance; for example, localhost/wfgen or www.mycompany.com/wfgen.
Name: WorkflowGen Web app
Supported account types: Account in this organizational directory only (Single tenant)
Redirect URI: Web, https://<workflowgen url>/auth/callback (for example, https://mycompany.com/wfgen/auth/callback)
WorkflowGen Web app application registration's Overview page.
My secret, or another description that identifies this as the client secret.
ApplicationSecurityAuthClientSecret key).
WorkflowGen Web app application registration.
https://<workflowgen url>/auth/logout/return
📌 Example: https://mycompany.com/wfgen/auth/logout/return
✏️ Note: You should also see https://<workflowgen url>/auth/callback in this list.
Name: WorkflowGen GraphQL API
Supported account types: Account in this organizational directory only (Single tenant)
WorkflowGen GraphQL API application in Azure AD.
Application ID URI: https://<workflowgen url>/graphql
📌 Example: https://mycompany.com/wfgen/graphql
Scope name: default
Who can consent: Admins and users
Admin consent display name: Default access to the WorkflowGen GraphQL API
Admin consent description: Allows the application to get access to WorkflowGen GraphQL API.
User consent display name: Default access to the WorkflowGen GraphQL API
User consent description: Allows the application to get access to WorkflowGen GraphQL API.
https://<workflowgen url>/graphql/default).
WorkflowGen Web app application registration page, click API permissions.
WorkflowGen GraphQL API application in the list.
default under the Permission column.
WorkflowGen Web app application registration in Azure AD. You can find it on its Overview page.
WorkflowGen Web app.
Application ID URI property (e.g. https://<workflowgen url>/graphql) in the Expose an API section of the WorkflowGen GraphQL API application registration.
Tenant ID value.
Replace <Tenant ID> with your Tenant ID as follows:
For Microsoft Identity Platform v2.0 (recommended):
web.config file and add and/or update the following properties under <appSettings>.
For Microsoft Identity Platform v2.0 (recommended):
The check session option (ApplicationSecurityAuthCheckSessionUrl) is not supported in Microsoft Identity Platform v2.0.
Replace <CLIENT ID> with the WorkflowGen Web app application (client) ID from Azure.
Replace <CLIENT SECRET> with the WorkflowGen Web app application registration's generated secret from Azure.
Replace <METADATA URL> with the metadata endpoint URL that you built earlier from the Tenant ID value of your Azure Active Directory.
Replace <workflowgen url> with your WorkflowGen URL in the value of the ApplicationSecurityAuthAdditionalScopes key (e.g. https://mycompany.com/wfgen/graphql/default) if you have configured the WorkflowGen GraphQL API application registration (steps 4 through 6). Otherwise, remove the ApplicationSecurityAuthAdditionalScopes key completely.
Replace <CHECK SESSION URL> (which is usually https://login.microsoftonline.com/<Tenant ID>/oauth2/checksession) with the value of the metadata endpoint's check_session_iframe property. To do this, make an HTTP GET request to your metadata endpoint URL (e.g. https://login.microsoftonline.com/<Tenant ID>/.well-known/openid-configuration), then copy and paste the value. See the examples below on how to request the metadata endpoint.
Omit | python -m json.tool if you don't have Python; it is only used for pretty printing.
web.config options
ApplicationSecurityAuthProvider: azure-v1, ms-identity-v2, auth0, adfs, or okta
ApplicationSecurityAuthClientId
WorkflowGen Web app application in Azure.
ApplicationSecurityAuthClientSecret
ApplicationSecurityAuthMetadataUrl
web.config. Take note that the metadata endpoint URL is different for Microsoft Identity Platform v2.0 and Azure v1.
ApplicationSecurityAuthAppIdClaim
ApplicationSecurityAuthUsernameClaim
ApplicationSecurityAuthAccessTokenUsernameClaim
ApplicationSecurityAuthClockTolerance
ApplicationSecurityAuthSessionRefreshEnableIFrame
When set to Y, this option activates the session auto-refresh feature using an invisible <iframe>. This allows users to enter their password less often by refreshing their session in the background while they're working.
web.config
web.config file and add and/or update the following property under <appSettings>:
Replace <SECRET> with a custom value that can't be guessed, such as a UUID or a complex password.
web.config files of sub-applications
Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other sub-applications (such as /wfgen/auth, /wfgen/hooks and /wfgen/scim) should not, because they are either public or aren't part of the global authentication system.
web.config file:
\bin folders, you have to copy the following .NET assemblies and dependency libraries from \wfgen\bin to each custom web form's \bin folder (\wfgen\wfapps\webforms\<custom webform>\bin):
Advantys.My.dll
Advantys.Security.dll
Newtonsoft.Json.dll
jose-jwt.dll
ms-identity-v2).
WorkflowGen GraphQL API application. This means that the access token can only be used to send queries to the GraphQL API. To use the same access token to call your own APIs from WorkflowGen (e.g. web forms), you will need to perform the following steps in your Azure portal, and then modify the WorkflowGen web.config file.
Name: My APIs
Supported account types: Account in this organizational directory only (Single tenant)
✏️ Note: Depending on the context, you should choose the right option for your use case for the Supported account type value.
Application ID URI: api://my-apis
Scope name: wfgen-graphql-full-access
Who can consent: Admins and users
Admin consent display name: Full access to the WorkflowGen GraphQL API
Admin consent description: Allows the application to get access to WorkflowGen GraphQL API.
User consent display name: Full access to the WorkflowGen GraphQL API
User consent description: Allows the application to get access to WorkflowGen GraphQL API.
appRoles JSON property and add the following JSON object to the JSON array:
Replace <NEW ID> with the value generated by the [guid]::NewGuid().ToString() PowerShell command, or use any GUID generator.
My APIs application
WorkflowGen Web app application registration page, click API permissions.
My APIs application in the list.
wfgen-graphql-full-access under the Permission column.
My APIs application
My APIs application, do the following:
My APIs application in the list.
wfgen-graphql-full-access-role under the Permission column.
web.config file:
web.config file, add and/or update the following application settings, then save the file:
ApplicationSecurityAuthAdditionalScopes key that refer to the other APIs you defined in step 2 of the Azure portal steps above. The scopes must be separated by commas.
The WorkflowPage class in the WorkflowGen.My library provides a public CurrentUserAccessToken method to easily retrieve the current user's shared access token, which can be used to query the GraphQL API and your third-party APIs. See the code snippet below.
ws application.
web.config file.
file.ApplicationSecurityAuthSessionTokenCookie
wfgen_token
✏️ Note: This is useful when you have multiple instances of WorkflowGen running and you want to have access to both and be authenticated on both instances at the same time.
ApplicationSecurityAuthSessionTimeOut
ApplicationSecurityAuthMobileSessionTimeOut
ApplicationSecurityAuthAudience
https://<workflowgen url>/graphql
ApplicationSecurityAuthAdditionalScopes
The openid, profile, and email scopes are always in the request.
ApplicationSecurityAuthGraphQLScope
ApplicationSecurityAuthGraphQLAppRole
ms-identity-v2 provider.
WorkflowGen GraphQL API application and you don't need GraphQL API authentication configured with the provider, you can avoid creating the registration and configure WorkflowGen with the Microsoft Graph API instead, which is included by default in all application registrations. To configure it, you only have to change some configuration options in the web.config file:
Set the ApplicationSecurityAuthAudience key to the Microsoft Graph API URL, e.g. https://graph.microsoft.com.
Set the ApplicationSecurityAuthDecodeAccessToken option to N.
With ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.