Application Authentication

 

See also: User Authentication

 

Using a logon form/Calling a Logon Service

Calling OpenID Connect Authentication

 

Application Authentication means that user authentication is invoked by the application; unauthenticated users are initially allowed access to the system. This is in contrast to automatic authentication, where users are authenticated when they first access the system. You might use Application Authentication when you want to support a mixture of authentication techniques, or when you need to allow unauthenticated users into the system, e.g. when the application provides links to register new users or has public pages. There are two commonly used options:

 

 

 

Using a logon form/Calling a Logon Service

There is nothing special about a logon form: it just represents a page where the user can enter their credentials – usually userid and password. Usually this is implemented as a separate form so that it can be called from any other form.

 

Typically all forms comprising the application would check whether the user was already signed on and if not, route control to the logon form. This check is made in the Before Form Event before any other processing. Any parameters passed into the requested form are also passed into the logon form. For example:

 

if (!system.securityManager.userLoggedOn)
{
      form.gotoForm("My_Logon_Form", {
            formName: form.elementName,
            formParms: JSON.stringify(getThisFormParameters())
      });
}

// Returns an object containing all URL parameters for the current form with corresponding values.
// Ignore any with no value
function getThisFormParameters()
{
      var parms = {};
      for ( var field in Iterator(form.fields.iterator()) )
      {
            // Add field if it's a URL parameter and it has a non null value
            if (field.isUrlParameter() && field.value)
            {
                  parms[field.elementName] = field.stringValue;     //string value should cope with dates, times, objects etc as URL parameters
            }
      }
      return parms;
}

 

The logon form has form fields formName and formParms defined as URL parameters.

 

Here is some sample code that gets control when the logon form’s Logon button is clicked. In this example the user’s userid and password are passed into the Logon Service to be checked. This check might also be performed in the logon form and result in just a validated userid being passed to the Logon Service. Both models are equally valid.

 

// Call the logon service to set the user logged on and load credentials, roles, authorisations
try
{
      system.securityManager.logon("My_Logon_Service",
      [
            [ ["userid", fields.user_id.value], ["password", fields.password.value] ]
      ]);
      // and carry on
      returnToCaller();
}
// Display any logon failures generated by the Logon Service
catch (e)
{
      event.owner.addErrorMessage("Logon failed - " + e.toString(), false);
}

function returnToCaller()
{
      // Return to the form requested by the user if there is one, passing its original parameters
      if (fields.formName.value)
      {
            form.gotoForm(fields.formName.value, (fields.formParms.value ? JSON.parse(fields.formParms.value) : null));
      }
      else
      {
            // otherwise go to the landing form
            form.gotoForm(LANDING_FORM);
      }
}
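
Because formName and formParms reach the logon form as URL parameters, their values are supplied by the client. The following is an added example, not part of the original documentation, showing one way returnToCaller() could validate them before calling form.gotoForm(). ALLOWED_RETURN_FORMS, MAX_PARMS_LENGTH, resolveReturnTarget, the value of LANDING_FORM and the form names are all hypothetical.

```javascript
// Added example. ALLOWED_RETURN_FORMS, MAX_PARMS_LENGTH, resolveReturnTarget
// and all form names below are hypothetical, not part of the product API.
var LANDING_FORM = "My_Landing_Form";                        // assumed value
var ALLOWED_RETURN_FORMS = ["Orders", "Customer_Details"];   // assumed form names
var MAX_PARMS_LENGTH = 4096;                                 // assumed upper bound

// Returns { formName, parms } for form.gotoForm(). Anything that fails
// validation falls back to the landing form with no parameters.
function resolveReturnTarget(formName, formParms)
{
      var fallback = { formName: LANDING_FORM, parms: null };
      // Coerce to JavaScript strings; both values are client-supplied
      var name = (formName == null) ? "" : String(formName);
      var raw = (formParms == null) ? "" : String(formParms);

      // Only forms the application lists explicitly may be a return target
      if (ALLOWED_RETURN_FORMS.indexOf(name) === -1) { return fallback; }
      if (raw === "") { return { formName: name, parms: null }; }
      if (raw.length > MAX_PARMS_LENGTH) { return fallback; }

      var parsed;
      try
      {
            parsed = JSON.parse(raw);
      }
      catch (e)
      {
            return fallback;      // not valid JSON
      }
      // getThisFormParameters() builds a flat object of strings; accept only that shape
      if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed))
      {
            return fallback;
      }
      var parms = {};
      Object.keys(parsed).forEach(function (key) {
            if (typeof parsed[key] === "string") { parms[key] = parsed[key]; }
      });
      return { formName: name, parms: parms };
}

// In returnToCaller():
//   var target = resolveReturnTarget(fields.formName.value, fields.formParms.value);
//   form.gotoForm(target.formName, target.parms);
```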

 

 

 

Calling OpenID Connect Authentication

Here is sample code to invoke authentication using OpenID Connect. An OpenID Connect Configuration (named “Google” in this example) must already have been set up using the Server Administration App User Authentication page. Automatic authentication using OpenID Connect can also be configured using the Server Administration Application.

 

The following example shows an OpenID Connect authorization call to Google. Claims returned by the OpenID Connect Provider can be added as roles and/or credentials if this is configured in the OpenID Connect Configuration. Note that the application has to be registered with Google using the Google Developer Tools.

 

This example will result in a popup being displayed by the OpenID Connect Provider to prompt for userid/password.

 

function logon()
{
  try
  {
    system.securityManager.logonOpenIDConnect("Google");
    return true;
  }
  catch (e)
  {
    event.owner.addErrorMessage(e.javaException.message, false);
    event.owner.addErrorMessage("code: " + e.javaException.errorCode + ", description: "  + e.javaException.errorDescription);
    return false;
  }
}

 

The logonOpenIDConnect() method can also optionally accept an OpenID scope as the second parameter, e.g.

 

system.securityManager.logonOpenIDConnect("Google", "openid profile email");