Notes on most widely used providers
[]
The following providers have been tested with the HCMS Client. We explain here some specific of their configuration.
Keycloak is primary recommended. It meets all requirements and all default values are set for this particular provider.
Keycloak
issuer_url
In the HCMS Client-side configuration - config.json - the issuer_url property, you need to enter a URL that ends with realms/ and append the name of the realm, e.g, for the censhare realm: realms/censhare.
Okta
Grant type
On the provider side - in the client/application configuration - an additional "Grant type" option needs to be enabled and set to Refresh Token. Enabling this option automatically adds a new configuration choice, Refresh token behavior, by default set to User persistent token. Please leave it like this.
Client scope
In the HCMS Client-side configuration - config.json - configuration needs to include a client scope, defined in the property scope which must include offline_access. this will force refresh the token, otherwise the users will fail to log in. At best, you should set it like this: "scope": "openid email profile offline_access".
logout_id_token_hint
Also in the HCMS Client-side configuration - config.json - the logout_id_token_hint must be enabled, i.e., you should set it like this: "logout_id_token_hint": true. Without it, the logout will fail with a misleading error about unauthorized client.
logout_redirect
It is recommended to enable logout_redirect, i.e., set "logout_redirect": true.
AWS Cognito
Authorization code grant
- "Authorization code grant" must be added as a supported OAuth 2.0 grant type.
### Scopes
All necessary scopes must be enabled in the configuration: "OpenID", "Email" and "Profile".
### Special logout endpoint
AWS Cognito does not support the standard "end session" endpoint and offers its own non-standard
/logoutendpoint. This is supported in the HCMS Client code and automatically used without any special configuration. Cognito as a provider is detected by the URL domain.