How to configure OAuth Authentication in Kinetic Task/Workflow Engine

This guide shows you how to set up OAuth authentication using the OAuth Authenticator provided in Kinetic Task. It specifically covers OAuth between Kinetic Task and Kinetic Request CE (so that Kinetic Task uses Kinetic Request CE for authentication), but the steps should be the same for any other OAuth provider you are using.

Retrieve Client Id and Client Secret from the OAuth Provider

For the Kinetic platform, Kinetic Request CE can be configured as an OAuth provider to allow single sign-on between other Kinetic platform components (Kinetic Task, etc.). The information configured under Space -> Settings -> Oauth is what needs to be given to the integrating application to complete the process.


Enable the OAuth Authenticator

When logged into the Kinetic Task Admin Console, navigate to Admin -> Setup -> Authentication and then select OAuth Authenticator from the Authenticator dropdown.


Setting Name: Setting

Provider Name: Recognizable name that will go on the OAuth login button (e.g. a name of Kinetic Request will have the button text 'Login with Kinetic Request').
Auto Redirect Login: If 'Yes', Task automatically redirects to the authorize endpoint. If 'No', Task's login page will show with a link to log in with the configured OAuth provider.
Authorize Endpoint: Endpoint to authorize an OAuth application for the OAuth provider (e.g. http://acme.com/kinetic/acme/app/oauth/authorize).
Token Endpoint: Endpoint to retrieve a token for the OAuth provider (e.g. http://acme.com/kinetic/acme/app/oauth/token).
Check Token Endpoint: Endpoint to validate a retrieved token for the OAuth provider. The token that is being validated will be added to the end of the endpoint (e.g. http://acme.com/kinetic/acme/app/oau...k_token?token=). If left blank, the token won't be validated.
Logout Redirect Endpoint: Location that Kinetic Task will redirect a user to after logging out of the application. If not set, Task will redirect to the Kinetic Task login page by default.
Client Id: Client Id for the configured OAuth Client.
Client Secret: Client Secret for the configured OAuth Client.
Redirect URI: Redirect URI for the configured OAuth Client (e.g. http://acme.com/kinetic-task/oauth).
Scope: Scope for the configured OAuth Client (can be left blank and should be if configuring with Kinetic Request CE).

For Kinetic Request CE, the Authorize, Token, and Check Token endpoints should all point at a CE space URL (e.g. http://localhost:8080/kinetic/acme or https://acme.kinops.io) with the rest of the URL added on the end as shown in the examples (/app/oauth/authorize, /app/oauth/token, and /app/oauth/check_token?token= respectively).

The Redirect URI is the location of your Kinetic Task instance (e.g. http://localhost:8080/kinetic-task) followed by /oauth.

The Scope is determined when you set up your OAuth provider. If you are configuring Kinetic Task for use with Kinetic Request CE, Scope can be left blank.
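The following is an added example, not part of Kinetic Task or of the original guide: a small Python check that derives the Kinetic Request CE endpoint values described above and flags settings worth reviewing before saving them. The dictionary key names are hypothetical stand-ins for the form fields, and the HTTPS check is an added assumption (the Client Secret and tokens travel to these URLs, so plain HTTP is only accepted for localhost).

```python
from urllib.parse import urlsplit

# Paths the guide gives for a Kinetic Request CE space.
CE_PATHS = {
    "authorize_endpoint": "/app/oauth/authorize",
    "token_endpoint": "/app/oauth/token",
    "check_token_endpoint": "/app/oauth/check_token?token=",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def build_ce_settings(space_url, task_url):
    """Derive the endpoint settings from a CE space URL and a Task URL."""
    space, task = space_url.rstrip("/"), task_url.rstrip("/")
    settings = {name: space + path for name, path in CE_PATHS.items()}
    settings["redirect_uri"] = task + "/oauth"
    settings["scope"] = ""  # guide: leave blank for Kinetic Request CE
    return settings


def audit(settings):
    """Return review findings for a settings dict (key names are hypothetical)."""
    findings = []
    for name in (*CE_PATHS, "redirect_uri"):
        value = settings.get(name, "")
        if not value:
            continue
        parts = urlsplit(value)
        # Assumption added here: non-local endpoints should use TLS.
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            findings.append(f"{name}: not HTTPS, credentials cross the network in cleartext")
    check = settings.get("check_token_endpoint", "")
    if not check:
        findings.append("check_token_endpoint: blank, retrieved tokens will not be validated")
    elif not check.endswith("?token="):
        findings.append("check_token_endpoint: token is appended, CE value should end in '?token='")
    if not urlsplit(settings.get("redirect_uri", "")).path.endswith("/oauth"):
        findings.append("redirect_uri: expected the Task location followed by /oauth")
    return findings


if __name__ == "__main__":
    # Constructed sample values based on the guide's example hosts.
    cfg = build_ce_settings("http://acme.com/kinetic/acme", "http://acme.com/kinetic-task")
    for line in audit(cfg):
        print(line)
```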


Configure the Identity Store

If using Kinetic Request CE, the Kinetic Core Identity Store should be configured so that user information can be shared with Kinetic Task from Kinetic Request CE. More information about the Kinetic Core Identity Store can be found here.

If using another OAuth provider, use the Local Identity Store, which needs no further configuration.