OAuth Clients
Introduction
GLPI 11 introduces a major OAuth 2.0 authentication feature that revolutionizes how third-party applications access your GLPI data. This new functionality enables secure and modern integration with your organization's ecosystem. OAuth 2.0 is a modern authorization protocol that allows third-party applications to access your GLPI resources without sharing your passwords.
Why Use It?
Enhanced Security: No password sharing
Granular Control: Specific permissions per application
Modern Integrations: Compatible with mobile and web applications
Centralized Management: Instant access revocation
Traceability: Access and usage tracking
Prerequisites
Administrator profile or rights on OAuth Clients
Access to the Configuration menu
Creating an OAuth Client
Step 1: Navigating the Interface
In the main menu, click Configuration
Select OAuth Clients from the submenu
On the OAuth Clients page, click Add

Basic Information
Name: Descriptive name for the client
Comment: Description of the client (optional)
Selecting Grants
Choose the grant (authentication type) that fits your application:

Authorization Code: The most secure interactive authentication for applications with users. The user is redirected to GLPI to authenticate, then sent back to the application with a temporary code that is exchanged for a token.
Password Grant: Direct authentication with username and password. The application directly requests user credentials and sends them to GLPI to obtain a token.
Client Credentials: Machine-to-machine authentication without a human user. The application authenticates solely with its own credentials (client ID/secret), with no specific user involved.
Defining Scopes (Permissions)

api: General access to the GLPI API
user: Information of the logged-in user
email: User's email address
inventory: Submission of inventories
status: System status
graphql: GraphQL interface
Save
Click Add at the bottom of the form
The OAuth client is created with unique identifiers (ClientID and Client Secret)

Configuring the OAuth Client
Redirect URI
Edit your OAuth client
"Authorized redirect URIs" section
Add your application's URLs

IP Restrictions
"IP Restrictions" section
Add authorized IP addresses

Using the OAuth Client with the Agent
Enabling Inventory
In the main menu, click Administration
Select Inventory from the submenu
Check the "Enable inventory" checkbox

Agent Authorization
Once inventory is enabled, the field for "Agent authentication" becomes relevant.
In the corresponding dropdown list, select "OAuth – Client credentials" to use an OAuth client as the authentication source.

Creating the OAuth Client
Create an OAuth client that will be used by the agent. In the "Scopes" section, select Inventory to authorize access to inventory functionalities.
Warning: Remember to copy the client secret immediately, as it will only be displayed once and cannot be retrieved later.
Once the client is created, store the following information securely:
Client ID
Client Secret
These values will be necessary for configuring the agent in the next step.

Connecting to the Agent
To finalize the configuration, add the oauth-client-id and oauth-client-secret parameters to the agent's configuration. This information will allow the agent to authenticate correctly with the OAuth server.
oauth-client-id: copy/paste the Client ID of the OAuth client created previously.
oauth-client-secret: copy/paste the Client Secret associated with this same OAuth client.
Once these parameters are entered, save the agent's configuration. The agent will then automatically use these credentials to obtain an access token and communicate securely with the server.
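The check below is an added example, not part of the GLPI documentation or the agent's own tooling: a shell function that verifies both parameters are set in the agent's configuration file and that the file, which now holds the client secret in clear text, is not accessible to group or other users. It assumes a "key = value" file format with "#" comments; the file path is supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an agent configuration file after adding
# the OAuth client credentials.
# Assumptions (not from the page): the file uses "key = value" lines with
# "#" comments, and the caller passes the path to the file.

# Print the value assigned to KEY in FILE (last assignment wins).
# Commented-out lines do not match because the key must start the line.
cfg_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return codes: 0 = OK
#               1 = a parameter is missing or empty
#               2 = file is accessible to group or others
#               3 = file cannot be read
check_agent_oauth_cfg() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }

    for key in oauth-client-id oauth-client-secret; do
        if [ -z "$(cfg_value "$file" "$key")" ]; then
            echo "$key is missing or empty in $file" >&2
            return 1
        fi
    done

    # Characters 5-10 of the ls mode string are the group and other bits.
    # Only the owner should hold any permission on a file with a secret.
    case $(ls -ld "$file" | cut -c5-10) in
        ------) ;;
        *) echo "$file is accessible to group or others" >&2; return 2 ;;
    esac
    return 0
}
```

Call it as check_agent_oauth_cfg followed by the path to the agent's configuration file; a non-zero return code identifies which condition failed.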