How to configure OAuth Authentication in Kinetic Task/Workflow Engine

Anne Ramey
Platform Admins

This guide shows you how to set up OAuth authentication using the OAuth Authenticator provided in Kinetic Task. It specifically covers OAuth between Kinetic Task and Kinetic Request CE (setting up Kinetic Task to use Kinetic Request CE for authentication), but the steps should be the same for any other OAuth provider you are using.

Retrieve Client Id and Client Secret from the OAuth Provider

For the Kinetic platform, Kinetic Request CE can be configured as an OAuth provider to allow for single sign-on between other Kinetic platform components (Kinetic Task, etc.). The information configured under Space -> Settings -> Oauth is what needs to be given to the integrating application to complete the process.

Enable the OAuth Authenticator

When logged into the Kinetic Task Admin Console, navigate to Admin -> Setup -> Authentication and then select OAuth Authenticator from the Authenticator dropdown.

| Setting Name | Setting |
| --- | --- |
| Provider Name | Recognizable name that will go on the OAuth login button (e.g. a name of Kinetic Request will have the button text 'Login with Kinetic Request'). |
| Auto Redirect Login | If 'Yes', Task automatically redirects to the authorize endpoint. If 'No', Task's login page will show with a link to log in with the configured OAuth provider. |
| Authorize Endpoint | Endpoint to authorize an OAuth application for the OAuth provider (e.g. http://acme.com/kinetic/acme/app/oauth/authorize). |
| Token Endpoint | Endpoint to retrieve a token for the OAuth provider (e.g. http://acme.com/kinetic/acme/app/oauth/token). |
| Check Token Endpoint | Endpoint to validate a retrieved token for the OAuth provider. The token that is being validated will be added to the end of the endpoint (e.g. http://acme.com/kinetic/acme/app/oau...k_token?token=). If left blank, the token won't be validated. |
| Logout Redirect Endpoint | Location that Kinetic Task will redirect a user to after logging out of the application. If not set, Task will redirect to the Kinetic Task login page by default. |
| Client Id | Client Id for the configured OAuth Client. |
| Client Secret | Client Secret for the configured OAuth Client. |
| Redirect URI | Redirect URI for the configured OAuth Client (e.g. http://acme.com/kinetic-task/oauth). |
| Scope | Scope for the configured OAuth Client (can be left blank and should be if configuring with Kinetic Request CE). |

For Kinetic Request CE, the Authorize, Token, and Check Token endpoints should all point at a CE space URL (e.g. http://localhost:8080/kinetic/acme or https://acme.kinops.io) with the rest of the URL added on the end as shown in the examples (/app/oauth/authorize, /app/oauth/token, /app/oauth/check_token?token= respectively).

The Redirect URI is the location of your Kinetic Task instance (e.g. http://localhost:8080/kinetic-task) followed by /oauth.

The Scope is determined when you set up your OAuth provider. If you are configuring Kinetic Task for use with Kinetic Request CE, Scope can be left blank.
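The following is an added example, not part of Kinetic Task or of the original guide: a small Python check that derives the URL settings from a CE space URL and a Kinetic Task URL using the rules above, then flags a blank Check Token Endpoint, endpoints that do not share one space URL, and plain http on non-local hosts. The dictionary key names and the task.example.com host are assumptions made for the example; the plain-http check is an added hardening check, not a requirement stated by the guide.

```python
from urllib.parse import urlsplit

# Suffixes the guide appends to a Kinetic Request CE space URL.
CE_SUFFIXES = {
    "authorize_endpoint": "/app/oauth/authorize",
    "token_endpoint": "/app/oauth/token",
    "check_token_endpoint": "/app/oauth/check_token?token=",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def ce_settings(space_url, task_url):
    """Derive the URL settings from a CE space URL and a Kinetic Task URL."""
    space, task = space_url.rstrip("/"), task_url.rstrip("/")
    cfg = {key: space + suffix for key, suffix in CE_SUFFIXES.items()}
    cfg["redirect_uri"] = task + "/oauth"
    cfg["scope"] = ""  # left blank for Kinetic Request CE
    return cfg

def lint_ce_settings(cfg):
    """Return findings for a CE-backed settings dict (key names are hypothetical)."""
    findings, spaces = [], set()
    for key, suffix in CE_SUFFIXES.items():
        url = cfg.get(key, "")
        if not url:
            blank_check = key == "check_token_endpoint"
            note = "blank, so retrieved tokens are not validated" if blank_check else "missing"
            findings.append(f"{key}: {note}")
        elif url.endswith(suffix):
            spaces.add(url[: -len(suffix)])  # remember which space this endpoint uses
        else:
            findings.append(f"{key}: expected to end with {suffix}")
    if len(spaces) > 1:
        findings.append("endpoints point at different CE space URLs")
    if not cfg.get("redirect_uri", "").endswith("/oauth"):
        findings.append("redirect_uri: expected the Kinetic Task location followed by /oauth")
    for key in (*CE_SUFFIXES, "redirect_uri"):
        parts = urlsplit(cfg.get(key, ""))
        if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append(f"{key}: plain http exposes codes, tokens and the client secret")
    return findings

# Constructed samples built from the guide's example URLs.
WEAK = dict(ce_settings("http://acme.com/kinetic/acme", "http://acme.com/kinetic-task"),
            check_token_endpoint="")
GOOD = ce_settings("https://acme.kinops.io", "https://task.example.com/kinetic-task")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, lint_ce_settings(cfg) or "no findings")
```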

Configure the Identity Store

If using Kinetic Task with Kinetic Request CE, the Kinetic Core Identity Store should be configured so that user information can be shared with Kinetic Task from Kinetic Request CE. More information about the Kinetic Core Identity Store can be found here.

If using another OAuth provider, use the Local Identity Store, which needs no further configuration.