Application Authentication

See also: User Authentication

Using a logon form/Calling a Logon Service
Calling OpenID Connect Authentication
Application Authentication means that user authentication is invoked by the application itself: unauthenticated users are initially allowed into the system and are only asked to authenticate when the application decides to. This contrasts with automatic authentication, where users are authenticated as soon as they first access the system. Application Authentication is useful when you want to support a mixture of authentication techniques, or when unauthenticated users must be allowed into the system, e.g. because the application provides links to register new users or has public pages. There are two commonly used options:
Using a logon form/Calling a Logon Service

There is nothing special about a logon form: it is simply a page where the user can enter their credentials, usually a userid and password. It is normally implemented as a separate form so that it can be called from any other form.

Typically every form in the application checks whether the user is already signed on and, if not, routes control to the logon form. This check is made in the Before Form Event, before any other processing. Any parameters passed into the requested form are also passed into the logon form, so that it can return the user to the right place after logon. For example:

```javascript
// Before Form Event: if the user is not logged on, route to the logon form,
// passing the requested form's name and its URL parameters so that the logon
// form can return to it afterwards
if (!system.securityManager.userLoggedOn)
{
    form.gotoForm("My_Logon_Form", {
        formName: form.elementName,
        formParms: JSON.stringify(getThisFormParameters())
    });
}

// Returns an object containing all URL parameters for the current form with
// corresponding values. Ignore any with no value
function getThisFormParameters()
{
    var parms = {};
    for ( var field in Iterator(form.fields.iterator()) )
    {
        // Add field if it's a URL parameter and it has a non null value
        if (field.isUrlParameter() && field.value)
        {
            // stringValue should cope with dates, times, objects etc. as URL parameters
            parms[field.elementName] = field.stringValue;
        }
    }
    return parms;
}
```
The logon form has form fields formName and formParms defined as URL parameters.

Here is some sample code that gets control when the logon form's Logon button is clicked. In this example the user's userid and password are passed into the Logon Service to be checked. This check could instead be performed in the logon form itself, with only a validated userid being passed to the Logon Service. Both models are equally valid.

```javascript
// Logon button click event.
// Call the logon service to set the user logged on and load credentials, roles,
// authorisations
try
{
    system.securityManager.logon("My_Logon_Service",
        [
            [ ["userid", fields.user_id.value],
              ["password", fields.password.value] ]
        ]);
    // and carry on
    returnToCaller();
}
// Display any logon failures generated by the Logon Service
catch (e)
{
    event.owner.addErrorMessage("Logon failed - " + e.toString(), false);
}

function returnToCaller()
{
    // Return to the form requested by the user if there is one, passing its
    // original parameters
    if (fields.formName.value)
    {
        form.gotoForm(fields.formName.value,
            (fields.formParms.value ? JSON.parse(fields.formParms.value) : null));
    }
    else
    {
        // otherwise go to the landing form (LANDING_FORM holds the name of the
        // application's landing form and is defined elsewhere in the application)
        form.gotoForm(LANDING_FORM);
    }
}
```
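The round trip described above (the requested form collects its URL parameters, hands them to the logon form as a JSON string, and the logon form uses them to return to the caller) can be followed end to end in the stand-alone example below. This is an added example, not Ebase/Verj.io code: the Ebase form and field objects are replaced by constructed plain objects (makeField) so that it runs under Node, the Landing_Form, Order_Form and Account_Form names and the KNOWN_FORMS allow-list are assumptions, and the check of formName against that allow-list is an addition, not something the page requires. Because formName and formParms arrive at the logon form as URL parameters, the example treats them as untrusted input: an unknown form name or malformed parameter string sends the user to the landing form rather than failing the logon.

```javascript
// Added example, not Ebase/Verj.io code: a stand-alone model of the logon-form
// round trip. The Ebase form/field objects are replaced by constructed plain
// objects so the logic runs under Node.

// Constructed stand-in for an Ebase field (assumption: a field exposes
// elementName, isUrlParameter(), value and stringValue, as the page's code uses).
function makeField(elementName, isUrl, value) {
  return {
    elementName: elementName,
    isUrlParameter: function () { return isUrl; },
    value: value,
    stringValue: (value === null || value === undefined) ? "" : String(value)
  };
}

// Same rule as the page's getThisFormParameters(): keep only URL parameters
// that carry a non-empty value.
function collectUrlParameters(fields) {
  var parms = {};
  for (var i = 0; i < fields.length; i++) {
    var field = fields[i];
    if (field.isUrlParameter() && field.value) {
      parms[field.elementName] = field.stringValue;
    }
  }
  return parms;
}

// The parameter object the requested form would hand to the logon form.
function buildLogonRequest(formName, fields) {
  return {
    formName: formName,
    formParms: JSON.stringify(collectUrlParameters(fields))
  };
}

// Assumed names: the landing form and an allow-list of forms that may be
// returned to. formName/formParms reach the logon form as URL parameters, so
// they are treated as untrusted input and checked before being used.
var LANDING_FORM = "Landing_Form";
var KNOWN_FORMS = ["Landing_Form", "Order_Form", "Account_Form"];

// The decision returnToCaller() makes after a successful logon.
function resolveReturnTarget(formName, formParms) {
  if (!formName || KNOWN_FORMS.indexOf(formName) === -1) {
    return { form: LANDING_FORM, parms: null };
  }
  var parms = null;
  if (formParms) {
    try {
      parms = JSON.parse(formParms);
    } catch (e) {
      parms = null; // malformed parameter string: drop it rather than fail the logon
    }
    if (parms !== null && (typeof parms !== "object" || Array.isArray(parms))) {
      parms = null; // only a plain object of name/value pairs is acceptable
    }
  }
  return { form: formName, parms: parms };
}

// Constructed sample: Order_Form reached with three URL parameters, one empty,
// plus an ordinary (non-URL) field that must not be forwarded.
var sampleFields = [
  makeField("orderId", true, "A1234"),
  makeField("region", true, ""),
  makeField("customerName", false, "Ann"),
  makeField("page", true, 2)
];

// Run the whole round trip for the sample and return where the user ends up.
function demo() {
  var request = buildLogonRequest("Order_Form", sampleFields);
  return resolveReturnTarget(request.formName, request.formParms);
}

console.log(JSON.stringify(demo()));
// → {"form":"Order_Form","parms":{"orderId":"A1234","page":"2"}}
```

The empty region parameter and the non-URL customerName field are dropped before serialisation, and the numeric page value travels as the string "2", which is what the page's stringValue comment describes. In a real Ebase form the allow-list would be replaced by whatever list of navigable forms the application maintains.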
Calling OpenID Connect Authentication

Here is sample code to invoke authentication using OpenID Connect. An OpenID Connect Configuration (named "Google" in this example) must already have been set up using the User Authentication page of the Server Administration App. Automatic authentication using OpenID Connect can also be configured using the Server Administration Application.

The following example shows an OpenID Connect authorization call to Google. Claims returned by the OpenID Connect Provider can be added as roles and/or credentials if this is configured in the OpenID Connect Configuration. Note that the application has to be registered with Google using the Google Developer Tools.

This example will result in a popup being displayed by the OpenID Connect Provider to prompt for userid/password.
```javascript
function logon()
{
    try
    {
        system.securityManager.logonOpenIDConnect("Google");
        return true;
    }
    catch (e)
    {
        // Report the failure returned by the OpenID Connect Provider
        event.owner.addErrorMessage(e.javaException.message, false);
        event.owner.addErrorMessage("code: " + e.javaException.errorCode
            + ", description: " + e.javaException.errorDescription);
        return false;
    }
}
```
The logonOpenIDConnect() method can also optionally accept an OpenID Connect scope string as the second parameter, e.g. system.securityManager.logonOpenIDConnect("Google", "openid profile email");