OAuth 2 settings
  • 05 Jul 2023
  • 2 minutes to read


When setting up the OAuth 2 authentication method you can configure the following settings. These settings are available in multiple locations.

Authentication settings

The following settings are available via Quick-access menu > Plugins > Authentication > OAuth 2.

| Setting | Description | Notes |
| --- | --- | --- |
| Allow creation of new accounts | Enable this setting if you want this plugin to create new OAuth 2 accounts when users log in via an OAuth service for the first time. | This is enabled by default. |
| Allow automatic linking of existing accounts | Enable this setting if you want to allow automatic linking of external OAuth 2 accounts with existing local Totara user accounts via email addresses during the login process. To prevent accounts being compromised it is strongly recommended to enable email ownership confirmation in the issuer settings. | This is enabled by default. |

Server settings

The following settings are available when creating an OAuth service via Quick-access menu > Server > OAuth 2 services.

| Setting | Description | Notes |
| --- | --- | --- |
| Name | The name of the issuer service (e.g. Google, Facebook, etc.). This may be displayed on the login page. | - |
| Client ID | The unique ID provided by the issuer. | - |
| Client secret | A unique password or secret generated by the issuer. | - |
| Authenticate token requests via HTTP headers | Utilise the HTTP basic authentication scheme when sending the client ID and password with a refresh token request. This is recommended by the OAuth 2 standard, but may not be available with some issuers. | - |
| Scopes included in a login request | Some systems require additional scopes for a login request in order to read the user's basic profile. The standard scopes for an OpenID Connect-compliant system are "openid profile email". | - |
| Scopes included in a login request for offline access | Each OAuth system defines a different way to request offline access. For example, Microsoft requires an additional scope "offline_access". | - |
| Additional parameters included in a login request | Some systems require additional parameters for a login request in order to read the user's basic profile. | - |
| Additional parameters included in a login request for offline access | Each OAuth system defines a different way to request offline access. For example, Google requires the additional parameters "access_type=offline&prompt=consent". These parameters should be in the URL query parameter format. | - |
| Service base URL | Base URL used to access the service. | - |
| Login domains | A comma-separated list of domains. If set, logins via this provider are restricted to accounts in these domains. | - |
| Logo URL | This is usually the logo used by the issuer, and it may be displayed on the login page. | - |
| Show on login page | If the OAuth 2 authentication plugin is enabled, this login issuer will be listed on the login page to allow users to log in with accounts from this issuer. | - |
| Require email verification | Require that all users verify their email address before they can log in with OAuth. This applies to newly created accounts as part of the login process, or when an existing Totara account is connected to an OAuth login via matching email addresses. | Only trusted issuers such as Microsoft, Google and Facebook have the option to enable or disable the Require email verification setting. For all other issuers and custom services, the option is hidden and defaults to true in the database, meaning email verification is required. |
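The following added example (not Totara's own code) shows how the authentication settings and the service settings above fit together: the scope and additional-parameter fields are combined into the authorization request, and the login-domain, account-linking, account-creation and email-verification settings decide what happens to a returned login. Endpoint URLs, setting values and token claims are constructed sample data, and the setting keys are an assumption of this example.

```python
"""Added example (not Totara's code): combining the OAuth 2 service settings
into an authorization request and applying the login-gating settings.
All endpoint URLs, setting values and claims are constructed sample data."""
from urllib.parse import parse_qsl, urlencode


def build_login_url(auth_endpoint, client_id, redirect_uri, svc, offline=False):
    """Scopes are space-separated; 'additional parameters' are stored in URL
    query format (for example Google's access_type=offline&prompt=consent)."""
    scopes = svc["scopes"].split()
    extra = dict(parse_qsl(svc.get("extra_params", "")))
    if offline:  # offline access is issuer-specific: a scope (Microsoft) or parameters (Google)
        scopes += svc.get("offline_scopes", "").split()
        extra.update(parse_qsl(svc.get("offline_extra_params", "")))
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri,
             "scope": " ".join(dict.fromkeys(scopes))}  # de-duplicate, keep order
    query.update(extra)
    return f"{auth_endpoint}?{urlencode(query)}"


def resolve_login(claims, svc, plugin, local_emails):
    """Apply 'Login domains', 'Allow automatic linking of existing accounts',
    'Allow creation of new accounts' and 'Require email verification'."""
    email = claims.get("email", "").strip().lower()
    domains = [d.strip().lower() for d in svc.get("login_domains", "").split(",") if d.strip()]
    if domains and email.rpartition("@")[2] not in domains:
        return {"action": "reject", "reason": "domain not in login domains"}
    if email in local_emails:
        if not plugin["allow_linking"]:
            return {"action": "reject", "reason": "automatic linking disabled"}
        action = "link"
    else:
        if not plugin["allow_creation"]:
            return {"action": "reject", "reason": "account creation disabled"}
        action = "create"
    # For untrusted issuers the setting is hidden and defaults to true, so both
    # linking and creation wait until the user confirms the email address.
    return {"action": action, "confirm_email_first": svc.get("require_email_verification", True)}
```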

© Copyright 2024 Totara Learning Solutions. All rights reserved.
