CMiC API and OAuth 2.0 Integration - OAuth 2.0 App Server Setup

Enterprise customers looking to implement OAuth 2.0 can either configure an existing app server or set up a new server specifically secured with OAuth 2.0. A separate app server protected by OAuth improves security by isolating sensitive data and offering better access control. It enhances scalability and maintainability by separating authentication services from other CMiC products, like Construct Apps. This setup also supports flexibility for third-party integrations and simplifies future updates without disrupting core functions. Additionally, it centralizes logging and auditing to help monitor security events.

To switch an existing app server or enable a new one, contact your CMiC Account Manager or Support.

For Cloud customers, support for OAuth 2.0 will be available soon. Please contact CMiC Support for the latest updates.

OAuth CMiC Back-End Configuration

For Enterprise CMiC hosted customers, once the app server is protected by OAuth, the following information will be inserted into CMiC by DBAs:

insert into da.sdapi_app_registration_tn t
(APIIA_APPLICATION_ID, APIIA_ISSUER_URI, APIIA_JWKS_URI)
values
('{application id}', '{issuer_uri}', '{jwks_uri}');

Example

insert into da.sdapi_app_registration_tn t
(APIIA_APPLICATION_ID, APIIA_ISSUER_URI, APIIA_JWKS_URI)
values
('12345', 'https://sts.windows.net/{tenant_id}/', 'https://login.windows.net/common/discovery/keys');

Additional Information – CMiC App Properties and What They're Used For

cmic.oauth2.ipcheck.enabled

Enables or disables the IP check. This is enabled by default.

cmic.oauth2.remove.domainFromUser

Removes the domain from the CMiC user. For example, if the property value is cmic.ca, then @cmic.ca is stripped from every email address that ends with it, and only the username portion is passed as the CMiC user.

cmic.oauth2.user.claim.name

Specifies the token claim that holds the CMiC username.
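
The following pre-flight check is an added example, not CMiC code: it lets an integrator confirm that a token from their identity provider lines up with the registered issuer_uri, the claim named in cmic.oauth2.user.claim.name, and the domain set in cmic.oauth2.remove.domainFromUser. The function names, the sample token, the "upn" claim, the exact-string issuer comparison and the case-insensitive domain match are assumptions; the token is only decoded, and its signature is not verified against the JWKS.

```python
import base64
import json

def _segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed sample token; the signature part is a dummy, not a real one."""
    return ".".join([_segment({"alg": "RS256", "typ": "JWT"}), _segment(claims), "c2ln"])

def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("JWT segment is not a JSON object")
    return obj

def cmic_username(claim_value, remove_domain=None):
    """Strip '@<domain>' as described for cmic.oauth2.remove.domainFromUser.
    Assumption: the domain is compared case-insensitively."""
    suffix = "@" + remove_domain.lower() if remove_domain else None
    if suffix and claim_value.lower().endswith(suffix):
        return claim_value[: -len(suffix)]
    return claim_value

def preflight(token, issuer_uri, user_claim, remove_domain=None):
    """Return (problems, username) for an UNVERIFIED token. Diagnostic only:
    the signature is not checked against the JWKS here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"], None
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"], None
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is 'none': token is unsigned")
    # Assumption: issuer is matched as an exact string, so a trailing slash matters.
    if claims.get("iss") != issuer_uri:
        problems.append(f"iss {claims.get('iss')!r} != registered {issuer_uri!r}")
    raw_user = claims.get(user_claim)
    if not isinstance(raw_user, str) or not raw_user:
        return problems + [f"claim {user_claim!r} missing or not a string"], None
    return problems, cmic_username(raw_user, remove_domain)

if __name__ == "__main__":
    iss = "https://sts.example.test/tenant-placeholder/"  # constructed value
    tok = sample_token({"iss": iss, "upn": "jdoe@cmic.ca"})
    print(preflight(tok, iss, "upn", "cmic.ca"))
```

An empty problems list means only that the token's shape matches the registration values; it says nothing about whether the token is authentic.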