You can use any authentication provider that supports the standard OpenID Connect protocol to control authentication and user access for your apps. If your organization uses such an authentication provider, this article describes how to use it in your AppSheet apps.

For the technical user, OpenID Connect is essentially the OAuth2 protocol with standardized definitions for the scopes and behaviors. Most modern authentication providers, like Okta, support this protocol. You will have to go through some standard steps in the provider's admin console to define an "app" (this tells the provider that AppSheet is going to be accessing it) and get an app key and secret. These will need to be entered into your AppSheet account.

Step 1: Register an "app" with the OpenID Connect provider

The specifics of this vary by provider. Typically, the provider has an admin console where you would create a new "app". 

  • Give it a name that is meaningful to you --- like "AppSheet Access" or "Acme Corp Field Service". 
  • It will ask for a callback URL. The callback URLs should be 'https://www.appsheet.com/Account/ELC' and 'http://localhost:53519/Account/ELC', separated by a comma and a space. It is important to enter these URLs exactly, with the right capitalization. Also, please note that the second callback URL is not strictly required --- it would only be necessary if you asked us to debug your application at some point in the future.
  • If there is a 'scope' option, the value should be 'openid'

The provider should give you a key (or client id) and a secret for this app. Make sure to copy these as you will need them in the next step.

Step 2: Configure your AppSheet account

Now that you have set up your provider, you need to register it in your AppSheet account. Do so from the Integrations -> Auth Domains pane on your Account page. Choose to add a new Auth Domain and among the options, choose Open ID Connect. This brings up a form with five inputs:

  • App/client key/id: this is the value you got from the provider.
  • App/client secret: this is the other value you got from the provider.
  • Auth endpoint: this depends on the provider. In the case of Okta, it is https://{yourOktaDomain}/oauth2/v1/authorize
  • Token endpoint: this depends on the provider. In the case of Okta, it is https://{yourOktaDomain}/oauth2/v1/token
  • Scope: almost always, it should be 'openid profile email' (type it in without the single quotes)

Specific OpenID Connect providers may have their own quirks, and you may need to read their documentation to configure this correctly, especially the auth and token endpoints. For example, here is the Okta documentation on the subject: https://developer.okta.com/docs/api/resources/oidc/#response-properties
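
Many providers publish their endpoints in an OpenID Connect Discovery document at /.well-known/openid-configuration under the issuer URL. The sketch below is an added example, not AppSheet or provider code: it maps such a document to the Auth Domain form fields and checks the callback list from Step 1. The provider idp.example.com, the sample document and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Values taken from Steps 1 and 2 of this article.
REQUIRED_CALLBACK = "https://www.appsheet.com/Account/ELC"
OPTIONAL_CALLBACK = "http://localhost:53519/Account/ELC"  # debugging only
SCOPE = "openid profile email"

# Constructed discovery document for a made-up provider, idp.example.com.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "scopes_supported": ["openid", "profile", "email"]
}""")

def auth_domain_settings(doc):
    """Map discovery metadata to the Auth Domain form; return (settings, problems)."""
    settings, problems = {"Scope": SCOPE}, []
    for label, key in (("Auth endpoint", "authorization_endpoint"),
                       ("Token endpoint", "token_endpoint")):
        url = doc.get(key, "")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label}: {url!r} is not an absolute https URL")
        settings[label] = url
    advertised = doc.get("scopes_supported")  # optional in discovery metadata
    if advertised is not None:
        missing = [s for s in SCOPE.split() if s not in advertised]
        if missing:
            problems.append("scopes not advertised: " + " ".join(missing))
    return settings, problems

def check_callbacks(registered):
    """Check the comma-separated callback list entered at the provider."""
    known = (REQUIRED_CALLBACK, OPTIONAL_CALLBACK)
    entries = [u.strip() for u in registered.split(",") if u.strip()]
    problems = []
    for url in entries:
        if url not in known and url.lower() in (k.lower() for k in known):
            problems.append(f"wrong capitalization: {url}")
        elif url not in known:
            problems.append(f"unexpected callback: {url}")
    if REQUIRED_CALLBACK not in entries:
        problems.append(f"missing required callback: {REQUIRED_CALLBACK}")
    return problems

if __name__ == "__main__":
    print(auth_domain_settings(SAMPLE_DISCOVERY), check_callbacks(REQUIRED_CALLBACK))
```

An "unexpected callback" result is worth reviewing before saving the provider app, since every registered callback URL is a place the provider is willing to send the sign-in response.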

Step 3: Use the new auth domain in your apps

You can now use this domain auth source in your apps. In the Security pane of the app editor, open the Domain Auth tab and enable domain-based authentication. Your newly defined auth domain will be one of the choices you can pick. 
