MediaCore can integrate with OAuth2-based SSO services. In this scenario, MediaCore acts as a client to your existing OAuth2 server. When MediaCore needs to authenticate a user, an OAuth flow is initiated against the external OAuth server. This allows the external service to take whatever steps are necessary to authenticate the user (such as showing a login form) before redirecting the user back to MediaCore with the credentials needed to sign them in and give them a MediaCore user account.
More specifically, MediaCore uses a standard OAuth 2.0 "Authorization Code" flow (as per IETF RFC 6749) to authenticate the current user against the external SSO service and obtain an OAuth 2.0 “bearer access token”. The MediaCore software will then make a single HTTP request, authenticated by the received access token, to a User Profile API Endpoint that has been configured in your site's OAuth settings panel. The returned information will then be used to automatically create or update an account for the user in your MediaCore site.
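The following is an added illustration of the Authorization Code flow described above, written from the client's point of view so you can see what your SSO server will receive at each configured endpoint. It is not MediaCore's own code; the endpoint URLs, client credentials and redirect URI are constructed placeholders, and the parameter names (response_type, client_id, redirect_uri, state, code, grant_type, access_token, token_type) are the ones defined in RFC 6749.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; in MediaCore these come from the OAuth settings panel.
AUTHORIZATION_ENDPOINT = "https://sso.example.org/oauth/authorize"
TOKEN_ENDPOINT = "https://sso.example.org/oauth/token"
CLIENT_ID = "mediacore-client-id"
CLIENT_SECRET = "mediacore-client-secret"
REDIRECT_URI = "https://media.example.org/oauth/callback"


def new_state() -> str:
    """Unguessable per-login value that binds the callback to the browser
    that started the flow; this is the CSRF defence of the Authorization Code flow."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str) -> str:
    """Step 1: the URL the user's browser is sent to (RFC 6749 section 4.1.1)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the authorization code out of the redirect back to the client,
    refusing any callback whose state does not match the one we issued."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str) -> tuple:
    """Step 3: the POST to the token endpoint, authenticated with the client
    credentials (RFC 6749 section 4.1.3). Returns (url, headers, form fields)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_ENDPOINT, headers, form


def extract_access_token(token_response: dict) -> str:
    """Step 4: accept only a bearer token from the token response (RFC 6749 section 5.1);
    this is the value later sent to the User Profile Endpoint."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token")
    token = token_response.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    return token
```

Two points matter for your server: the redirect_uri presented at the token endpoint must match the one used at the authorization endpoint, and the code must be single-use and short-lived, since the client credentials (not the user) are what authenticate the token request. RFC 6749 also allows the client credentials to be sent as HTTP Basic authentication instead of form fields; check which form your server expects.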
1. Go to your Admin settings panel and click Authentication in the sidebar.
2. Find OAuth in the list of Single Sign-on options.
3. Click Configure OAuth Settings link.
4. Fill in the form.
Client Secret: These are the credentials MediaCore will use when communicating with your OAuth server.
Authorization Endpoint: This is the URL where MediaCore directs users in order to initiate an OAuth flow.
Token Endpoint: This is the URL where MediaCore requests an OAuth access token after the initial authorization step has completed.
User Profile Endpoint: This is the URL where MediaCore can fetch the user's name, email, groups, and other information in order to populate their user account.
Login Button Text: Make your organization's SSO easy for users to recognize by customizing the login button text.
To complete the OAuth SSO integration, you must implement a custom REST API that MediaCore can query for user info during the sign-on process.
After the standard OAuth2 authorization flow has completed, MediaCore will make a GET request to the User Profile Endpoint that you have configured in your OAuth settings panel. This request will include an Authorization header that contains the access token for the user that's signing in. It is your responsibility to use this access token to look up the user's information and return the desired profile in a JSON response.
GET /profile HTTP/1.1
Authorization: Bearer liznMhJ95oAfHg6nORRU7wsNW

HTTP/1.1 200 OK
A unique string identifier for the user.
The user's email address. Each OAuth user must have a different email address.
The user's first and last names. These will often be concatenated together when displaying the user's name in MediaCore.
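The following is an added example of the custom REST API described above, not code from MediaCore: a minimal User Profile Endpoint that validates the bearer token on the incoming request and returns the user's profile as JSON. The token store and user records are constructed sample data standing in for your SSO server's database (the first token is the sample value from the request shown above), and the JSON field names id, email, first_name and last_name are assumptions, since the page does not name them; use whatever names your MediaCore deployment is configured to expect.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed sample data standing in for the SSO server's token and user tables.
_NOW = time.time()
TOKENS = {
    "liznMhJ95oAfHg6nORRU7wsNW": {"user_id": "u-1001", "expires_at": _NOW + 3600},
    "expiredtoken000000000000": {"user_id": "u-1002", "expires_at": _NOW - 60},
}
USERS = {
    "u-1001": {"email": "ada@example.org", "first_name": "Ada", "last_name": "Lovelace"},
    "u-1002": {"email": "grace@example.org", "first_name": "Grace", "last_name": "Hopper"},
}


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750 section 2.1).
    The scheme name is case-insensitive; anything else yields None."""
    if not authorization:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def lookup_token(token: str) -> Optional[str]:
    """Return the user id for a live token, or None if it is unknown or expired."""
    record = TOKENS.get(token)
    if record is None or record["expires_at"] <= time.time():
        return None
    return record["user_id"]


def handle_profile_request(method: str, headers: dict) -> tuple:
    """Handle a request to the User Profile Endpoint. Returns (status, headers, body)."""
    if method != "GET":
        return 405, {"Allow": "GET"}, ""
    # HTTP header names are case-insensitive, so normalise before looking one up.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = parse_bearer(lowered.get("authorization"))
    if token is None:
        # No usable credential: advertise the expected scheme (RFC 6750 section 3).
        return 401, {"WWW-Authenticate": 'Bearer realm="profile"'}, ""
    user_id = lookup_token(token)
    if user_id is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="profile", error="invalid_token"'}, ""
    user = USERS[user_id]
    # Assumed field names; the page does not specify what MediaCore expects.
    profile = {
        "id": user_id,
        "email": user["email"],
        "first_name": user["first_name"],
        "last_name": user["last_name"],
    }
    return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, json.dumps(profile)


class ProfileHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the handler above can be exercised with a real client."""

    def do_GET(self):
        if self.path != "/profile":
            self.send_error(404)
            return
        status, resp_headers, body = handle_profile_request("GET", dict(self.headers.items()))
        payload = body.encode()
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Serves on loopback only; put TLS in front of it before exposing it to MediaCore.
    HTTPServer(("127.0.0.1", 8080), ProfileHandler).serve_forever()
```

The endpoint must be reachable over HTTPS in production, because the bearer token in the Authorization header is the only thing standing between an eavesdropper and the user's account; Cache-Control: no-store keeps the profile response out of intermediate caches.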
With some extra configuration, MediaCore can automatically provision each user’s group memberships during the sign-on process. Please contact firstname.lastname@example.org to set this up.