Configure OAuth

Hello there!

Need Help? We are right here!

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com

Your Contact E-mail

What are you looking for

How can we help you?

Configure OAuth

The setup of your OAuth/OpenID (OIDC) Provider(s) to enable Single Sign-On is done in the Configure OAuth tab. We will get to the details of the steps to configure this tab and the meaning of different options on this page.

First, you have to select an application you want to configure as an OAuth/OpenID (OIDC) Provider from the Select your provider page that lists all the supported OAuth/OpenID (OIDC) Providers along with ‘Custom OpenID App’ and ‘Custom OAuth App’.

For simplicity, we are going to use ‘provider’ instead of ‘OAuth/OpenID (OIDC) Provider’ in this document.

We support the following OAuth and OpenID providers and below are the links to their guides.

OAuth Apps


Azure AD	Discord	Facebook	Github
Github Enterprise	Gitlab	Google Apps	Meetup
miniOrange	Slack	Salesforce	Gluu Server
Custom OAuth App

OpenID Apps


ADFS	AWS Cognito	Azure B2C	Keycloak
Okta	Custom OpenID App

If you select any one of the default applications that are supported, the endpoints are already known. So you just need to fill in the application credentials along with some basic information while configuring the app. But if the provider that you are looking for is not present in the ‘Select your Provider’ list then you can select the option ‘Custom OpenID App’ or ‘Custom OAuth App’ and configure that provider. Here you need to manually fill all the endpoints.

We provide step-by-step setup guides for all the supported default apps. You can see the setup guides by clicking ‘View Setup Guide’ button. The setup guides contain all the steps to create the application on the selected provider and steps to configure the app on the Atlassian application.

Configure Oauth tab

In OAuth/OIDC terminology, a client application is an actor that wants to access the protected resource on behalf of the resource owner (user) and with its authorization.

In order to request access to information of users on the provider, the client application must first register with the provider. After successfully creating the application on the provider, you will get all the information to configure the app. The information received from the application on the provider can be filled in the respective fields discussed in the later section.

At registration, the client application is assigned a client ID and a client secret (password). The client ID and secret are unique to the client application for the provider. If a client application registers with multiple providers (e.g. Facebook, Okta and Google), each provider will issue its own unique client ID to the client application.

Whenever the Client requests access to information, the client application needs to authenticate itself by sending the client ID and the client secret to the Provider.

General Settings

Callback URL

The Callback URL is used to configure the Authorized Callback URL/Redirect URI field in the provider application. This tells the server where to send the user after authentication with the appropriate tokens. This is the URL where the provider sends the response at an SSO attempt and the app uses the information received from the provider to log in the user and update the user’s information.

Client ID

Client ID is a Public identifier for the Application. In OAuth 2.0 the Client ID is unique for any OAuth Client on the same provider. It is used by providers to identify the client responsible for the OAuth/OpenID (OIDC) request. You can configure Client ID using the App ID of the selected application.

Client Secret

This is a confidential secret key used for authentication. The Client Secret is a secret known only to the Client and the provider. Providers use it to authenticate the application when the application requests to access a user’s account. You can configure Client Secret using the App Secret of the selected application.

Scope

The scope is a mechanism in OAuth and OpenID to limit an application’s access to a user’s account. Each scope grants access to specific information. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

For OpenID Providers, the scopes are defined as openid, profile, email, address, and phone and each grant access to that specific information. But for OAuth Providers there are no naming conventions.

Authorize Endpoint

The authorization endpoint is the endpoint on the provider where the user logs in, and grants authorization to the client application. It is used to obtain an authorization code (which is then later exchanged for an access token).

Access Token Endpoint

A request to the token endpoint is used to exchange an authorization code for an access token. The access token is later used to get access to the user information.

Get User info Endpoint

The User Info endpoint can be used to retrieve identity information about a user. The caller sends a valid access token representing the user and depending on the granted scopes, the User Info endpoint returns the user information against based claims.

Fetch Group Endpoint

The group's endpoint provides functionality for fetching information about provider user groups. These groups are used to update groups on the local Atlassian application based on your group mapping.

Logout Endpoint

A client uses the logout endpoint to clear the provider-side session and cookies for a web browser. This field is optional. Not all providers support Logout Endpoint, so in that case, you can leave it blank. But if this field is filled in correctly, once you log out of your Atlassian application you will also be logged out of the respective OAuth provider.

Provider Specific Settings

Tenant Id

This field is for Azure AD OAuth Provider. It is a mandatory field. In Azure Active Directory, a tenant is an instance of the Azure AD service. It represents an organization within Azure Active Directory. Applications are created inside a tenant. The tenant ID identifies which Azure AD/Azure B2C instance the application sits under, so Azure knows where to look when you request things using that application ID. It is used to generate Authorize Endpoint
(https://login.microsoftonline.com/{tenant_id}/oauth2/authorize) and Access Token Endpoint
(https://login.microsoftonline.com/{tenant_id}/oauth2/token) for Azure AD and Azure B2C.

Host Name

This field is for Keycloak OpenID Provider. It is a mandatory field. The hostname represents the network or system used to deliver a user to a certain address or location. It is used to generate Authorize Endpoint ({host_name}/auth/realms/{realm_name}/tokens/login) and Access Token Endpoint
({host_name}/auth/realms/{realm_name}/tokens/access/codes) for Keycloak.

Realm Name

This field is for Keycloak OpenID Provider. It is a mandatory field. A realm, in Keycloak, realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Here, the realm name is used to generate Authorize Endpoint
({host_name}/auth/realms/{realm_name}/tokens/login) and Access Token Endpoint
({host_name}/auth/realms/{realm_name}/tokens/access/codes) for Keycloak.

Domain Name

A domain name represents the URL on which the application is running. Here, the configured domain name is used to generate Authorize Endpoint and Access Token Endpoint for ADFS, AWS Cognito, Okta and Salesforce.

Configure OAuth
OAuth Apps
OpenID Apps
General Settings
Provider Specific Settings