- 05 Jul 2023
- 2 minutes to read
OAuth 2 settings
When setting up the OAuth 2 authentication method, you can configure the following settings. These settings are available in multiple locations.
Authentication settings
The following settings are available via Quick-access menu > Plugins > Authentication > OAuth 2.
Setting | Description | Notes |
---|---|---|
Allow creation of new accounts | Enable this setting if you want this plugin to create new OAuth 2 accounts when users log in via an OAuth service for the first time. | This is enabled by default. |
Allow automatic linking of existing accounts | Enable this setting if you want to allow automatic linking of external OAuth 2 accounts with existing local Totara user accounts via email addresses during the login process. To prevent accounts being compromised it is strongly recommended to enable email ownership confirmation in the issuer settings. | This is enabled by default. |
Server settings
The following settings are available when creating an OAuth service via Quick-access menu > Server > OAuth 2 services.
Setting | Description | Notes |
---|---|---|
Name | The name of the issuer service (e.g. Google, Facebook, etc.). This may be displayed on the login page. | - |
Client ID | The unique ID provided by the issuer. | - |
Client secret | A unique password or secret generated by the issuer. | - |
Authenticate token requests via HTTP headers | Utilise the HTTP basic authentication scheme when sending the client ID and password with a refresh token request. This is recommended by the OAuth 2 standard, but may not be available with some issuers. | - |
Scopes included in a login request | Some systems require additional scopes for a login request in order to read the user's basic profile. The standard scopes for an OpenID Connect-compliant system are "openid profile email". | - |
Scopes included in a login request for offline access | Each OAuth system defines a different way to request offline access. For example, Microsoft requires an additional scope "offline_access". | - |
Additional parameters included in a login request | Some systems require additional parameters for a login request in order to read the user's basic profile. | - |
Additional parameters included in a login request for offline access | Each OAuth system defines a different way to request offline access. For example, Google requires the additional parameters: "access_type=offline&prompt=consent". These parameters should be in the URL query parameter format. | - |
Service base URL | Base URL used to access the service. | - |
Login domains | A comma-separated list of domains. If set, logins via this provider are restricted to those domains. | - |
Logo URL | This is usually the logo used by the issuer, and it may be displayed on the login page. | - |
Show on login page | If the OAuth 2 authentication plugin is enabled, this login issuer will be listed on the login page to allow users to log in with accounts from this issuer. | - |
Require email verification | Require that all users verify their email address before they can log in with OAuth. This applies to newly created accounts as part of the login process, or when an existing Totara account is connected to an OAuth login via matching email addresses. | Only trusted issuers such as Microsoft, Google and Facebook have the option to enable or disable the Require email verification setting. For all other issuers and custom services, the option is hidden and defaults to true in the database, meaning email verification is required. |
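As an added illustration (not Totara's own code), the following Python sketches how the settings above fit together: the login and offline scopes plus the query-format additional parameters are merged into one authorization request, the client ID and secret go either in an HTTP Basic header or in the token request body, and automatic linking of an external login to a local account is refused when the email is unverified or lies outside the configured login domains. The issuer values are constructed placeholders.

```python
from base64 import b64encode
from urllib.parse import parse_qsl

# Constructed issuer configuration mirroring the Server settings table above.
# Client ID/secret and domains are placeholders, not real credentials.
ISSUER = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "auth_via_http_headers": True,
    "login_scopes": "openid profile email",
    "offline_scopes": "offline_access",
    "login_params": "",
    "offline_params": "access_type=offline&prompt=consent",
    "login_domains": "example.org, example.com",
    "require_email_verification": True,
}

def build_auth_request(issuer, redirect_uri, state, offline=False):
    """Merge login/offline scopes and query-format parameters into one request."""
    scopes = issuer["login_scopes"].split()
    params = dict(parse_qsl(issuer["login_params"]))
    if offline:
        scopes += issuer["offline_scopes"].split()
        params.update(parse_qsl(issuer["offline_params"]))
    params.update({
        "response_type": "code",
        "client_id": issuer["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value; must be checked on the callback
    })
    return params

def token_request_auth(issuer):
    """Client credentials for the token endpoint: HTTP Basic header or body fields."""
    if issuer["auth_via_http_headers"]:
        cred = f'{issuer["client_id"]}:{issuer["client_secret"]}'.encode()
        return {"Authorization": "Basic " + b64encode(cred).decode()}, {}
    return {}, {"client_id": issuer["client_id"],
                "client_secret": issuer["client_secret"]}

def may_auto_link(issuer, email, email_verified):
    """Guard before matching an external login to a local account by email."""
    domains = [d.strip().lower() for d in issuer["login_domains"].split(",") if d.strip()]
    if domains and email.rsplit("@", 1)[-1].lower() not in domains:
        return False  # outside the configured login domains
    if issuer["require_email_verification"] and not email_verified:
        return False  # an unverified address must never be auto-linked
    return True
```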
© Copyright 2024 Totara Learning Solutions. All rights reserved.