
Notes on most widely used providers


The following providers have been tested with the HCMS Client. This page explains the provider-specific details of their configuration.

Keycloak is the primary recommended provider. It meets all requirements, and all default values are already set for it.

Keycloak

issuer_url

In the HCMS Client-side configuration (config.json), the issuer_url property must be a URL that ends with realms/ followed by the name of the realm, e.g., for the censhare realm: realms/censhare.

Okta

Grant type

On the provider side - in the client/application configuration - an additional "Grant type" option needs to be enabled and set to Refresh Token. Enabling this option automatically adds a new configuration choice, Refresh token behavior, by default set to User persistent token. Please leave it like this.

Client scope

In the HCMS Client-side configuration (config.json), the scope property must include offline_access. This scope is required for the token to be refreshed; without it, users will fail to log in. The recommended setting is: "scope": "openid email profile offline_access".

logout_id_token_hint

Also in the HCMS Client-side configuration (config.json), logout_id_token_hint must be enabled, i.e., you should set "logout_id_token_hint": true. Without it, the logout will fail with a misleading error about an unauthorized client.

logout_redirect

It is recommended to enable logout_redirect, i.e., set "logout_redirect": true.

AWS Cognito

Authorization code grant

"Authorization code grant" must be added as a supported OAuth 2.0 grant type.

Scopes

All necessary scopes must be enabled in the configuration: "OpenID", "Email" and "Profile".

Special logout endpoint

AWS Cognito does not support the standard "end session" endpoint and offers its own non-standard /logout endpoint. This is supported in the HCMS Client code and is used automatically without any special configuration. Cognito as a provider is detected by the URL domain.
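As an added example (not part of the HCMS Client or its documentation), the following pre-flight check verifies a config.json object against the Keycloak, Okta and Cognito requirements described above before it is deployed. The property names (issuer_url, scope, logout_id_token_hint, logout_redirect) are the ones from config.json; the function name checkProviderConfig, its provider argument and the sample values are assumptions of this example.

```javascript
// Added example, not part of the HCMS Client. checkProviderConfig, the
// "provider" argument and the sample configs below are assumptions; the
// property names are the ones documented for config.json.
function checkProviderConfig(config, provider) {
  const findings = [];
  const scopes = String(config.scope || "").split(/\s+/).filter(Boolean);
  // OpenID Connect always requires the openid scope, whatever the provider.
  if (!scopes.includes("openid")) findings.push("scope must include openid");
  switch (provider) {
    case "keycloak":
      // issuer_url has to end with realms/<realm>, e.g. .../realms/censhare
      if (!/\/realms\/[^\/\s]+\/?$/.test(config.issuer_url || "")) {
        findings.push("keycloak: issuer_url must end with realms/<realm name>");
      }
      break;
    case "okta":
      // Without offline_access no refresh token is issued and logins fail.
      if (!scopes.includes("offline_access")) {
        findings.push("okta: scope must include offline_access");
      }
      // Without the id_token_hint the logout fails with a misleading
      // "unauthorized client" error.
      if (config.logout_id_token_hint !== true) {
        findings.push("okta: logout_id_token_hint must be true");
      }
      if (config.logout_redirect !== true) {
        findings.push("okta: logout_redirect is recommended (set to true)");
      }
      break;
    case "cognito":
      // The client selects Cognito's non-standard /logout endpoint on its
      // own, so only the generic checks apply on the client side.
      break;
    default:
      findings.push(`unknown provider: ${provider}`);
  }
  return findings;
}

// Constructed sample: an Okta config missing all three page requirements.
const sampleOktaConfig = {
  issuer_url: "https://sso.example.com/oauth2/default", // placeholder URL
  scope: "openid email profile",
};

// Constructed sample: a Keycloak config that follows the page.
const sampleKeycloakConfig = {
  issuer_url: "https://sso.example.com/realms/censhare", // placeholder host
  scope: "openid email profile",
};
```

Run the check against each config before rollout; an empty findings array means the provider-specific settings match this page.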