OpenID Connect and Frappe social login
OpenID Connect
Frappe also uses Open ID connect essential standard for authenticating users. To get
id_token
with
access_token
, pass
openid
as the value for the scope parameter during authorization request.
If the scope is
openid
the JSON response with
access_token
will also include a JSON Web Token (
id_token
) signed with
HS256
and
Client Secret
. The decoded
id_token
includes the
at_hash
.
Example Bearer Token with scope
openid
{
"token_type": "Bearer",
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6Imp3dCJ9.eyJpc3MiOiJodHRwczovL21udGVjaG5pcXVlLmNvbSIsImF0X2hhc2giOiJOQlFXbExJUy1lQ1BXd1d4Y0EwaVpnIiwiYXVkIjoiYjg3NzJhZWQ1YyIsImV4cCI6MTQ3Nzk1NTYzMywic3ViIjoiNWFjNDE2NThkZjFiZTE1MjI4M2QxYTk0YjhmYzcwNDIifQ.1GRvhk5wNoR4GWoeQfleEDgtLS5nvj9nsO4xd8QE-Uk",
"access_token": "ZJD04ldyyvjuAngjgBrgHwxcOig4vW",
"scope": "openid",
"expires_in": 3600,
"refresh_token": "2pBTDTGhjzs2EWRkcNV1N67yw0nizS"
}
Frappe social login setup
In this example there are 2 servers,
Primary Server
This is the main server hosting all the users. e.g.
https://frappe.io
. To setup this as the main server, go to
Setup
>
Integrations
>
Social Login Keys
and enter
https://frappe.io
in the field
Frappe Server URL
. This URL repeats in all other Frappe servers who connect to this server to authenticate. Effectively, this is the main Identity Provider (IDP).
Under this server add as many
OAuth Client
(s) as required. Because we are setting up one app server, add only one
OAuth Client
Frappe App Server
This is the client connecting to the IDP. Go to
Setup
>
Integrations
>
Social Login Keys
on this server and add appropriate values to
Frappe Client ID
and
Frappe Client Secret
(refer to client added in primary server). As mentioned before keep the
Frappe Server URL
as
https://frappe.io
Now you will see Frappe icon on the login page. Click on this icon to login with account created in primary server (IDP)
https://frappe.io
Note
: If
Skip Authorization
is checked while registering a client, page to allow or deny the granting access to resource is not shown. This can be used if the apps are internal to one organization and seamless user experience is needed.
Steps
Part 1 : on Frappe Identity Provider (IDP)
Login to IDP
Add OAuth Client on IDP
Set Server URL on IDP
Part 2 : on Frappe App Server
Set
Frappe Client ID
and
Frappe Client Secret
on App server (refer the client set on IDP)
Note : Frappe Server URL is the main server where identities from your organization are stored.
Login Screen on App Server (login with frappe)
Part 3 : Redirected on IDP
login with user on IDP
Confirm Access on IDP
Part 4 : Back on App Server
Logged in on app server with ID from IDP