OAuth Clients

Introduction

GLPI 11 introduces OAuth 2.0 authentication, a major feature that changes how third-party applications access your GLPI data and enables secure, modern integration with your organization's ecosystem. OAuth 2.0 is an authorization protocol that lets third-party applications access your GLPI resources without sharing your passwords.

Why Use It?

  • Enhanced Security: No password sharing

  • Granular Control: Specific permissions per application

  • Modern Integrations: Compatible with mobile and web applications

  • Centralized Management: Instant access revocation

  • Traceability: Access and usage tracking

Prerequisites

  • Administrator profile or rights on OAuth Clients

  • Access to the Configuration menu

Creating an OAuth Client

Step 1: Navigating the Interface

  • In the main menu, click Configuration

  • Select OAuth Clients from the submenu

  • On the OAuth Clients page, click Add

Add a new OAuth client

Basic Information

  • Name: Descriptive name for the client

  • Comment: Description of the client (optional)

Selecting Grants

Choose the authentication type according to your application:

Select the identification type

Authorization Code: The most secure interactive authentication for applications with users. The user is redirected to GLPI to authenticate, then sent back to the application with a temporary code that is exchanged for a token.

Password Grant: Direct authentication with username and password. The application directly requests user credentials and sends them to GLPI to obtain a token.

Client Credentials: Machine-to-machine authentication without a human user. The application authenticates solely with its own credentials (client ID/secret), with no specific user involved.

Defining Scopes (Permissions)

Define permissions

  • api: General access to the GLPI API

  • user: Information of the logged-in user

  • email: User's email address

  • inventory: Submission of inventories

  • status: System status

  • graphql: GraphQL interface

Save

  • Click Add at the bottom of the form

  • The OAuth client is created with unique identifiers (ClientID and Client Secret)

Save your new OAuth client

Configuring the OAuth Client

Redirect URI

  • Edit your OAuth client

  • Go to the "Authorized redirect URIs" section

  • Add your application's URLs

IP Restrictions

  • Go to the "IP Restrictions" section

  • Add authorized IP addresses

Add IP Restrictions

Using the OAuth Client with the Agent

Enabling Inventory

  • In the main menu, click Administration

  • Select Inventory from the submenu

  • Check the "Enable inventory" checkbox

Enable inventory

Agent Authorization

Once inventory is enabled, the field for "Agent authentication" becomes relevant.

In the corresponding dropdown list, select "OAuth – Client credentials" to use an OAuth client as the authentication source.

Enable OAuth authentication for GLPI Agents

Creating the OAuth Client

Create an OAuth client that will be used by the agent. In the "Scopes" section, select Inventory to authorize access to inventory functionalities.

Once the client is created, store the following information securely:

  • Client ID

  • Client Secret

These values will be necessary for configuring the agent in the next step.

Add inventory to scope

Connecting to the Agent

To finalize the configuration, add the oauth-client-id and oauth-client-secret parameters in the agent's configuration. This information will allow the agent to authenticate correctly with the OAuth server.

  • oauth-client-id: copy/paste the Client ID of the OAuth client created previously.

  • oauth-client-secret: copy/paste the Client Secret associated with this same OAuth client.

Once these parameters are entered, save the agent's configuration. The agent will then automatically use these credentials to obtain an access token and communicate securely with the server.

Configure my GLPI agents
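
As an added example (not taken from the GLPI documentation or the agent project), the shell function below checks that an agent configuration file sets both parameters and is accessible only to its owner, since the client secret is stored there in clear text. It assumes the agent's "key = value" file format with "#" comments; the file path is supplied by the caller and the function names are hypothetical.

```shell
# Added example: audit a GLPI Agent config file for the OAuth settings above.
# Assumptions: "key = value" lines, "#" comments; the caller passes the path.

# Print the value of the last uncommented "key = value" line for key $2 in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# Return 0 when the file passes every check, 1 otherwise; findings go to stdout.
check_agent_oauth_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Both parameters must be present and non-empty.
    for key in oauth-client-id oauth-client-secret; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "FAIL: $key is not set"
            rc=1
        fi
    done

    # The client secret sits in the file in clear text, so group and other
    # must have no permission bits (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in
        0|*00) ;;
        *) echo "FAIL: mode $mode lets group/other access the client secret"
           rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```

Run it as `check_agent_oauth_conf /path/to/agent.cfg` after saving the agent's configuration; a non-zero exit status means at least one finding was printed.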
