Register Trusted Application

In this topic, you register an app in an ERP instance so the ERP.net identity server can provide authentication and authorization services for your application and its users.

Each application that uses ERP.net APIs needs to be registered. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the ERP instance.

Note

In future versions of the ERP.net platform, this way of registering a trusted application will no longer be available because of the sec scope (only the identity server itself will be granted the sec scope). Instead, the ERP.net instance will provide a browser-accessible endpoint to which the application submits its client_id, client_secret_hash, scopes and other required parameters in order to register. This endpoint will redirect the user to the login screen, and if the user is a database administrator, he or she will be able to approve the application registration.

Register an application

Registering your application establishes a trust relationship between your app and the ERP.net database instance. That means that your database trusts the application.

We'll show how to register an application manually, using the Domain API Query Tool.

Follow these steps to create the app registration:

  1. Sign in to your ERP instance and open the Domain API Query Tool.
    Every ERP.net database has its own query tool on the Domain API site.
    The Domain API site is usually hosted at https://{COMPANY}.my.erp.net/api and the query tool is at https://{COMPANY}.my.erp.net/api/domain/query

    In this example we'll use the DEMODB ERP.net instance query tool: https://demodb.my.erp.net/api/domain/query

⚠️ You need to be a database administrator in order to be able to register a new trusted application.

  2. If the application is confidential, we need to prepare an application secret. Use this endpoint to get the application secret hash (replace mysecret with your secret):

https://demodb.my.erp.net/sys/tools/sha256?secret=mysecret

  3. In the query tool we'll create a new record for the System.Security.TrustedApplications entity.

Register interactive confidential application

Query: Systems_Security_TrustedApplications
Type: POST
Body:

{
  "ApplicationUri": "MYDEMOCLIENT",
  "Name": "MY DEMO CLIENT",
  "ClientType": "Confidential",
  "ApplicationSecretHash": "T/AGymuI51LwjLeIFxRQXOs9IHnupDKs/ajhWODR2C4=",
  "ImpersonateAsCommunityUserAllowed": true,
  "ImpersonateAsInternalUserAllowed": true,
  "ImpersonateLoginUrl": "http://localhost:5080/myapp/signin-oidc",
  "ImpersonateLogoutUrl": "http://localhost:5080/myapp/",
  "SystemUserAllowed": false
}
  • ApplicationUri is the unique name that identifies the application. This is the client_id in the OAuth terminology.
  • Name is the display name of the application.
  • ClientType is either Confidential or Public.
  • ApplicationSecretHash is a hash of the application secret, previously created using the https://demodb.my.erp.net/sys/tools/sha256?secret=mysecret tool.
  • ImpersonateAsCommunityUserAllowed must be true if your application will work with community users. Community users are users that do not have access to system resources. They are usually customers of the company that owns the ERP.net database instance.
  • ImpersonateAsInternalUserAllowed must be true if internal users will use the application.
  • ImpersonateLoginUrl is a comma-separated list of allowed URLs on which the application receives the authorization code. When the user loads the application in the browser and sign-in is required, the browser is redirected to the ERP.net Identity Server login page. After a successful login, the browser is redirected to the provided return_url, which must be one of the URLs specified in ImpersonateLoginUrl, with the authorization_code passed in the code URL parameter. The application uses this code to request an access_code that is used to gain access to ERP.net server resources.
  • ImpersonateLogoutUrl is a comma-separated list of allowed URLs that are used after the user is logged out from the identity server and the "Return to app" button is clicked.
  • SystemUserAllowed specifies whether the application can act as a service application that is impersonated as a specific user.

Register interactive public application

Query: Systems_Security_TrustedApplications
Type: POST
Body:

{
  "ApplicationUri": "MYDEMOCLIENT",
  "Name": "MY DEMO CLIENT",
  "ClientType": "Public",
  "ImpersonateAsCommunityUserAllowed": true,
  "ImpersonateAsInternalUserAllowed": true,
  "ImpersonateLoginUrl": "http://localhost:5080/myapp/signin-oidc",
  "ImpersonateLogoutUrl": "http://localhost:5080/myapp/",
  "SystemUserAllowed": false
}

Register service application

Query: Systems_Security_TrustedApplications
Type: POST
Body:

{
  "ApplicationUri": "MYSERVICEDEMOCLIENT",
  "Name": "Service Demo Client",
  "ApplicationSecretHash": "T/AGymuI51LwjLeIFxRQXOs9IHnupDKs/ajhWODR2C4=",
  "ClientType": "Confidential",
  "SystemUserAllowed": true,
  "SystemUser": {
    "@odata.id": "Systems_Security_Users(cc314327-3d04-477f-ac53-cde19d8350e9)"
  }
}
  • SystemUser is the user for the service application.
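
The following Python sketch is an added example, not part of the ERP.net documentation or product code. It generates the application secret and its hash locally, so the secret never travels in a URL query string, and lints a registration body against the field descriptions above before it is POSTed. It assumes the sha256 tool returns the base64-encoded SHA-256 digest of the UTF-8 secret (check this against the tool with a throwaway value); the function names and the rule that plain http is accepted only on loopback hosts are this example's own.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def secret_hash(secret):
    # ASSUMPTION: the sha256 tool returns base64(SHA-256(UTF-8 secret)).
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def new_secret_and_hash():
    # 256 bits from the OS CSPRNG; the secret never appears in a URL.
    secret = secrets.token_urlsafe(32)
    return secret, secret_hash(secret)

def lint_urls(field, value):
    # Linter policy of this example (not an ERP.net rule): http only on loopback.
    problems = []
    for url in filter(None, (u.strip() for u in (value or "").split(","))):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{field}: {url} is not an absolute http(s) URL")
        elif parts.scheme == "http" and parts.hostname not in LOOPBACK:
            problems.append(f"{field}: {url} is plain http on a non-loopback host")
    return problems

def lint_registration(body):
    problems = []
    client_type = body.get("ClientType")
    secret = body.get("ApplicationSecretHash") or ""
    if client_type not in ("Confidential", "Public"):
        problems.append("ClientType must be Confidential or Public")
    try:
        hash_ok = len(base64.b64decode(secret, validate=True)) == 32
    except ValueError:
        hash_ok = False
    if client_type == "Confidential" and not hash_ok:
        problems.append("Confidential client needs a base64 32-byte ApplicationSecretHash")
    if client_type == "Public" and secret:
        problems.append("Public client must not carry ApplicationSecretHash")
    for field in ("ImpersonateLoginUrl", "ImpersonateLogoutUrl"):
        problems += lint_urls(field, body.get(field))
    flags = ("ImpersonateAsCommunityUserAllowed", "ImpersonateAsInternalUserAllowed")
    if any(body.get(f) for f in flags) and not body.get("ImpersonateLoginUrl"):
        problems.append("Interactive client has no ImpersonateLoginUrl")
    if body.get("SystemUserAllowed") and not body.get("SystemUser"):
        problems.append("SystemUserAllowed is true but SystemUser is missing")
    return problems
```

Call new_secret_and_hash() once, store the secret in the application's secret store, put the hash in ApplicationSecretHash, and POST the body only when lint_registration(body) returns an empty list.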