Using an OAuth identity provider to authenticate FileMaker clients

FileMaker Pro allows solutions to authenticate user accounts via third-party OAuth identity providers that have been specified in FileMaker Server.

To set up authentication by an OAuth identity provider:

  1. Click the Administration > External Authentication tab.

  2. For Predefined Identity Provider (IdP) Authentication Settings or Custom IdP Authentication Settings, configure an OAuth identity provider:

    • For Amazon and Google: Enter the client ID and client secret, then click Save Authentication Settings to save the provider's configuration.

    • For Microsoft: Enter the application ID, key, and directory ID, then click Save Authentication Settings to save the provider's configuration.

    • For Apple: Enter the service ID and client secret, then click Save Authentication Settings to save the provider's configuration.

    • For AD FS: Enter the application ID, application secret, and server host, then click Save Authentication Settings to save the provider's configuration.

    • For Custom OAuth: Enter the custom name, client ID, client secret, authorization code endpoint, authorization token endpoint, authorization profile endpoint, icon endpoint, user account schema, user group schema, and scope, then click Save Authentication Settings to save the provider's configuration.

  3. For Database Sign In, set External Server Accounts to Enabled.

  4. Enable the OAuth identity provider you want to use for authenticating FileMaker clients.

To remove OAuth identity providers:

  1. Click the Administration > External Authentication tab.

  2. Set the OAuth identity providers you want to remove to Disabled.

  3. If you no longer want to support external authentication for database login, set External Server Accounts to Disabled.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is a layer on top of OAuth 2.0 and is supported by FileMaker Server and the various FileMaker clients. The OpenID scope is optional for OAuth 2.0 and depends on the OAuth provider whether an OpenID scope is used. You can select OpenID Connect (OIDC) in Administration > External Authentication tab > Custom IdP Authentication Settings. The default selection is OAuth 2.0.

For OIDC, user profiles are parsed from the ID token, and no additional calls are required to access user profile information. If a necessary configuration value is nested in an array, you can access the value name using the FileMaker Server configuration by using the ">" symbol. For example, given the following JSON for a user profile, you can access the group name using "groups>name":

Copy 
{
    ...,

    "groups": [
        {
            "id": "f29301a64ffe93268d8c1115ac2648ca",
            "name": "everyone",
            "$ref": [ https://admin.example.com:1234/admin/v1/Groups/f29301a64ffe93268d8c1115ac2648ca|https://defense.example.com/v3/__https:/admin.example.com:1234/admin/v1/Groups/f29301a64ffe93268d8c1115ac2648ca__;!!NZi9csSyBTUJvk25CELD1nwdZwZLbdBS_vPtjCHfzAt7h2pWE9R76wm8Tkw8Aw_w3eMNvsukTTVm64Qcr$ ]
        }
    ],

    ...
}

For the example, you need to enter the group name "everyone" in FileMaker Pro to match.

Notes 

  • For information about creating OAuth identity provider accounts, see FileMaker Pro Help.

  • Clients who use OAuth identity provider accounts should use the server's fully qualified domain name when opening a file hosted by FileMaker Server.

  • Admin Console does not validate or verify the OAuth identity provider values. Clients may see unexpected results if the identity providers are not set up correctly.