<workflowgen url> with the domain and path to your WorkflowGen instance; for example, localhost/wfgen or mycompany.com/wfgen.

An authorization server defines your security boundary, and is used to mint access and identity tokens for use with OIDC clients and OAuth 2.0 service accounts when accessing your resources via API. Within each authorization server you can define your own OAuth scopes, claims, and access policies. Source: Information sidebar in Okta's administrative panel
WorkflowGen GraphQL API
<workflowgen url>/graphql
WorkflowGen GraphQL API (or whatever description you want)
My APIs
my-apis
Authorization server for all my APIs (or whatever description you want)
com.workflowgen.api.username
Access Token
Expression
Any scope
ID Token
All Clients Policy
Enables all clients to have access to this application server.
All clients
All Grant Types; Any Scopes; Any User assigned
default
default
Use the default scope if no other scope is specified
Set as a default scope
wfgen-graphql-full-access
wfgen-graphql-full-access
Full access to the WorkflowGen GraphQL API
OIDC - OpenID Connect
Web Application
WorkflowGen
Authorization Code
<workflowgen url>/auth/callback
<workflowgen url>/auth/logout/return
<workflowgen url> without any path (just the base URL); for example, https://localhost, if <workflowgen url> is https://localhost/wfgen
Allow everyone in your organization to access
<workflowgen url>/auth/callback
client ID and a client secret, which can be found on the Okta WorkflowGen web application's General tab.
audience and a metadata endpoint (Metadata URI), which can be found on the Okta WorkflowGen GraphQL API authorization server page.
web.config

web.config file and add/update the following properties:

<CLIENT ID> with the client ID of the WorkflowGen web application from Okta.
<CLIENT_SECRET> with the client secret of the WorkflowGen web application from Okta.
<METADATA_URL> with the Metadata URI property found in the WorkflowGen GraphQL API's settings page. Then, replace the last part, /.well-known/oauth-authorization-server, with /.well-known/openid-configuration (e.g. https://{YOUR_OKTA_DOMAIN}/oauth2/{AUTH_SERVER_ID}/.well-known/openid-configuration).

The ApplicationSecurityAuthUsernameClaim key is set to the value entered in a rule earlier. Therefore, you could use any value here provided that you also modify the rule.

web.config file.

web.config file and add/update the following property:

<SECRET> with a value that can't be easily guessed, such as a UUID.

web.config files of certain modules

Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules should not because they are either public or aren't part of the global authentication system.

web.config file and add/update the following property:

auth module's web.config, add/update the following property:

hooks and scim modules as well.
\wfgen\bin to each custom webform's \bin folder (\wfgen\wfapps\webforms\<custom webform>\bin):
Advantys.My.dll
Advantys.Security.dll
Newtonsoft.Json.dll
jose-jwt.dll
web.config file: /.well-known/openid-configuration.
preferred_username.
client ID of the configured WorkflowGen web application from Okta.
ApplicationSecurityAuthDecodeAccessToken option to N.
When ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.
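The settings just described imply a fixed set of checks on the ID token WorkflowGen receives: the audience must equal the web application's client ID, the username is read from the configured claim (ApplicationSecurityAuthUsernameClaim, here preferred_username), and with ApplicationSecurityAuthDecodeAccessToken=N the session lifetime follows the ID token's expiry. The following claims validator is an added example, not WorkflowGen's or Okta's code; it assumes the token's signature has already been verified against the authorization server's JWKS (the job of a JWT library such as the jose-jwt.dll listed on this page) and inspects only the payload. The issuer, client ID, sample claims and sample token are constructed values.

```python
"""Claims checks for an Okta-issued ID token, as configured for WorkflowGen.
Added example, not product code. Signature verification is assumed done."""
import base64
import json
import time

# Constructed values; real ones come from your Okta tenant and web.config.
EXPECTED_ISSUER = "https://example.okta.com/oauth2/EXAMPLE-AUTH-SERVER-ID"
WEB_APP_CLIENT_ID = "EXAMPLE-CLIENT-ID"
USERNAME_CLAIM = "preferred_username"  # mirrors ApplicationSecurityAuthUsernameClaim


def decode_payload(jwt: str) -> dict:
    """Base64url-decode the middle segment of a compact JWS.
    This does NOT verify the signature; only call it on a verified token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def validate_id_token_claims(claims: dict, *, issuer: str = EXPECTED_ISSUER,
                             client_id: str = WEB_APP_CLIENT_ID,
                             username_claim: str = USERNAME_CLAIM,
                             now: float = None, leeway: int = 60) -> dict:
    """Check iss, aud, exp and the username claim; return the session facts."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a list
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now - leeway:
        raise ValueError("token expired or missing exp")
    username = claims.get(username_claim)
    if not username:
        raise ValueError(f"missing {username_claim} claim")
    # With ApplicationSecurityAuthDecodeAccessToken=N the WorkflowGen session
    # inherits the ID token's expiry, so report it next to the username.
    return {"username": username, "session_expires_at": int(exp)}


def check_id_token(jwt: str, **kwargs):
    """Return (True, session facts) or (False, rejection reason)."""
    try:
        return True, validate_id_token_claims(decode_payload(jwt), **kwargs)
    except ValueError as exc:
        return False, str(exc)


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample ID token; the third segment is a placeholder, not a
# real signature (signature verification is out of scope here).
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": WEB_APP_CLIENT_ID,
    "iat": 1700000000,
    "exp": 1700003600,
    "preferred_username": "jane.doe@example.com",
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example-kid"}),
    _b64url(SAMPLE_CLAIMS),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(check_id_token(SAMPLE_ID_TOKEN, now=1700000000))
    print(check_id_token(SAMPLE_ID_TOKEN, now=1700010000))
```

The leeway absorbs small clock skew between Okta and the WorkflowGen host; a token rejected as expired here would, in the real deployment, simply not yield a session rather than extend one.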
SELF_PROVISONING (or something else)
Self-provisioning
auth node application from the Okta ID token connected with Google Apps:
OIDC - OpenID Connect
Native Application
WorkflowGen Plus
Authorization Code
and Refresh Token
workflowgenplus://oidc
workflowgenplus://oidc
Allow everyone in your organization to access
workflowgenplus://oidc
client ID, which can be found on the Okta WorkflowGen Plus native application page's Settings tab.
Okta domain name, which can be found directly to the left of your profile picture on the top right corner of the page.
client ID and a client secret, which can be found on the newly registered service application's General tab.
My API Services App
Non-interactive Client
client ID you retrieved earlier from your registered service app (e.g. My API Services App)

The OAuth2 implicit grant is notorious for being the grant with the longest list of security concerns in the OAuth2 specification. And yet, that is the approach implemented by ADAL JS and the one we recommend when writing SPA applications. What gives? It's all a matter of tradeoffs: and as it turns out, the implicit grant is the best approach you can pursue for applications that consume a Web API via JavaScript from a browser.
My SPA, or the name of your single-page application
Authorization Code
Allow everyone in your organization to access
client ID, which can be found on the General tab on your single-page application page.
Authorization header.
WorkflowGen CLI
Authorization Code and Refresh Token
http://127.0.0.1:8888/callback
8888 is defined by default; you can change it if it's already in use on your computer.
Allow everyone in your organization to access
client ID, which can be found on the General tab on the WorkflowGen CLI native application's page.
metadata endpoint, which consists of the value of the Metadata URI property from the Settings tab of your WorkflowGen GraphQL API authorization server with /.well-known/oauth-authorization-server replaced by /.well-known/openid-configuration.
client ID, which can be found on the registered application's parameters tab.
client secret, which can be found on the registered application's parameters tab.
domain, which can be found on the registered application's parameters tab.
Client credentials mode.
workflowgenplus://
auth.init
okta
https://mycompany.com/wfgen
client ID you created earlier in the configuration (e.g. 0o7gdj4hs92yh7) from the step Okta configuration for WorkflowGen Plus v2.
metadata URL, which consists of the value of the Metadata URI property from the Settings tab of your WorkflowGen GraphQL API authorization server with /.well-known/oauth-authorization-server replaced by /.well-known/openid-configuration (e.g. https://{YOUR_OKTA_DOMAIN}/oauth2/{AUTH_SERVER_ID}/.well-known/openid-configuration). The value must be URL encoded.
https://mycompany.com/wfgen/graphql
ws application.
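Several values on this page are derived from one another by hand: the Okta trusted origin is <workflowgen url> with its path removed, the metadata URL is the Okta Metadata URI with /.well-known/oauth-authorization-server swapped for /.well-known/openid-configuration, and that URL must be percent-encoded when placed in the workflowgenplus://auth.init link. Getting any of these subtly wrong (an http scheme, a trailing slash, an unencoded "/") produces a configuration that fails or, worse, trusts the wrong origin. The helper below is an added example, not WorkflowGen's or Okta's code; it derives the values from the WorkflowGen URL, the client ID and the Metadata URI, and rejects malformed input. The auth.init query parameter names (provider, url, client_id, metadata_url, graphql_url) are assumptions for illustration only; the real link format is defined by WorkflowGen Plus. Sample values are constructed except for those already on this page.

```python
"""Derive Okta/WorkflowGen OIDC settings from three inputs and reject
malformed values. Added example for this page; not WorkflowGen's or Okta's code."""
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Suffix Okta shows as Metadata URI, and the suffix WorkflowGen expects.
OAUTH_META_SUFFIX = "/.well-known/oauth-authorization-server"
OIDC_META_SUFFIX = "/.well-known/openid-configuration"


def openid_configuration_url(metadata_uri: str) -> str:
    """Replace the last part of the Okta Metadata URI with the OpenID
    discovery suffix; a value that already uses it is returned unchanged."""
    parts = urlsplit(metadata_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("metadata URI must be an absolute https URL")
    if parts.path.endswith(OIDC_META_SUFFIX):
        return metadata_uri
    if not parts.path.endswith(OAUTH_META_SUFFIX):
        raise ValueError(f"unexpected metadata URI path: {parts.path}")
    path = parts.path[: -len(OAUTH_META_SUFFIX)] + OIDC_META_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def trusted_origin(workflowgen_url: str) -> str:
    """Base URL without any path, as entered for the Okta trusted origin
    (https://localhost when <workflowgen url> is https://localhost/wfgen)."""
    parts = urlsplit(workflowgen_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("<workflowgen url> must be absolute, e.g. https://mycompany.com/wfgen")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def web_app_urls(workflowgen_url: str) -> dict:
    """URIs entered in Okta for the WorkflowGen web application and the
    GraphQL authorization server (keys are descriptive labels, not Okta fields)."""
    base = workflowgen_url.rstrip("/")
    return {
        "sign_in_redirect_uri": base + "/auth/callback",
        "sign_out_redirect_uri": base + "/auth/logout/return",
        "trusted_origin": trusted_origin(workflowgen_url),
        "graphql_audience": base + "/graphql",
    }


def plus_init_link(workflowgen_url: str, client_id: str, metadata_uri: str) -> str:
    """Build a workflowgenplus://auth.init link. Parameter names are assumed
    for illustration. quote_via=quote with no safe characters percent-encodes
    ':' and '/' too, so the metadata URL survives as a single parameter value."""
    base = workflowgen_url.rstrip("/")
    params = {
        "provider": "okta",
        "url": base,
        "client_id": client_id,
        "metadata_url": openid_configuration_url(metadata_uri),
        "graphql_url": base + "/graphql",
    }
    return "workflowgenplus://auth.init?" + urlencode(params, quote_via=quote)


def derivation_error(func, *args) -> str:
    """Return the ValueError message a derivation raises, or '' on success."""
    try:
        func(*args)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample values (the tenant and server id are placeholders)
    wfgen = "https://mycompany.com/wfgen"
    meta = "https://example.okta.com/oauth2/EXAMPLE-AUTH-SERVER-ID" + OAUTH_META_SUFFIX
    for key, value in web_app_urls(wfgen).items():
        print(f"{key}: {value}")
    print(plus_init_link(wfgen, "0o7gdj4hs92yh7", meta))
```

Run it once with your own values and compare the printed URIs character for character with what is entered in Okta and in web.config; a mismatch in the trusted origin or redirect URI is the usual cause of a sign-in that loops back to Okta.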