How to Implement OAuth Authentication and Token Management in Etendo RX
Overview
This guide describes how to integrate Single Sign-On (SSO) authentication and OAuth 2.0 access token management between Etendo RX (ERP) and an external Middleware (EtendoAuth) that brokers identity (Auth0 or another OpenID Connect IdP) and Google APIs (Drive, Picker, etc.).
It covers architecture, data model, authentication flow, token acquisition, persistence, renewal, error handling, operational procedures, code references, and a support checklist.
1. Architecture and Responsibilities
Etendo RX (ERP)
- Maintains OAuth providers configuration (endpoints, credentials, scopes).
- Delegates user authentication and Google OAuth consent flows to the Middleware when configured.
- Persists received access tokens and related metadata.
- Cleans previous tokens for the same user + provider before saving a new one.
Middleware (EtendoAuth)
- Provides SSO via Auth0 (or any OIDC IdP): builds authorize URL, exchanges authorization code, validates ID Token (JWKS), and returns control to the ERP.
- Orchestrates Google OAuth 2.0 consent and token exchange / refresh.
- Issues short‑lived internal authorization codes (ephemeral) for secure backchannel exchange (optional).
- Stores refresh tokens securely (in production use an encrypted database, not in‑memory map).
Data Model (Etendo RX)
Table | Purpose |
---|---|
ETRX_OAUTH_PROVIDER |
OAuth provider metadata (client id/secret, endpoints, grant type, redirect URI, userinfo URI, JWKS URL, scopes, flags). |
ETRX_TOKEN_INFO |
Access token, validity, provider scope context, user linkage, flags (e.g. APPROVE_GOOGLE_DOC ). |
ETRX_TOKEN_USER |
User ↔ token relationship depending on security model. |
ETRX_INSTANCE_CONNECTOR |
External middleware instance registration (base URL, authorization type, credentials/token if required). |
2. Authentication Flow (SSO via Auth0)
Objective: authenticate the user and optionally return an internal short‑lived code for ERP session linkage.
High-level sequence:
- ERP redirects user to Middleware
/login?provider=auth0&redirect_uri=<erp_return>&account_id=<account>
. - Middleware builds Auth0
/authorize
URL (scope:openid profile email
) and redirects user. - IdP (Auth0) authenticates user and redirects to Middleware
/callback?code=...&state=...
. - Middleware exchanges
code
for tokens (id_token
,access_token
). - Middleware validates
id_token
signature (JWKS), issuer, audience,exp
,iat
. - Middleware redirects to original ERP
redirect_uri
with either user info or an internal ephemeralcode
(if/authorize
flow is used). - ERP (optional) POSTs the ephemeral
code
to/authorize
to retrieve claims (sub, email, account). - ERP creates / updates the internal session and associates the user.
Notes:
- ERP may also accept Bearer JWT directly in incoming requests (tests reference SWSAuthenticationManagerTest
).
- Ephemeral codes are stored for a short TTL (e.g. 10 minutes) in Middleware memory store.
3. OAuth Token Generation and Management (Google)
Objective: obtain and maintain valid Google API access tokens (e.g. Drive scope drive.file
).
High-level sequence:
- User triggers "Get Middleware Token" in ERP and selects a scope.
- ERP builds a
state
payload{ userId, redirect }
(redirect = ERP servlet endpointSaveTokenFromMiddleware
). - ERP redirects to Middleware
/oauth/google/start?state=<base64url>
. - Middleware decides whether to request consent (missing or first time refresh token) and redirects to Google authorize endpoint.
- Google returns to Middleware
/oauth/google/callback?code=...&state=...
. - Middleware exchanges the authorization code at
https://oauth2.googleapis.com/token
. - Middleware stores
refresh_token
(if new) and currentaccess_token
with expiry. - Middleware redirects to ERP
redirect
URL with token (or error) parameters. - ERP servlet
SaveTokenFromMiddleware
persists token inETRX_TOKEN_INFO
(after deleting previous token for same user/provider).
Transparent Refresh:
- Middleware function ensureAccessToken(userId)
checks expiry; if expired, uses stored refresh_token
to obtain a new access_token
and updates cache.
4. ERP Configuration (Etendo RX)
ETRX_OAUTH_PROVIDER
Key fields:
AUTHORIZATION_URI
,TOKEN_URI
,USER_INFO_URI
,JWKSETURI
CLIENT_ID
,CLIENT_SECRET
,REDIRECT_URI
AUTHORIZATION_GRANT_TYPE
(e.g.authorization_code
)CLIENT_AUTHENTICATION_METHOD
(e.g.client_secret_basic
)CODE_CHALLENGE_METHOD
(PKCES256
if public client)USERNAMEATTRIBUTE
(e.g.email
orsub
)PROVIDER_SCOPE
GET_MIDDLEWARE_TOKEN
(flag to delegate to Middleware predefined flow)
ETRX_TOKEN_INFO
Stores:
AD_USER_ID
,ETRX_OAUTH_PROVIDER_ID
TOKEN
(access token),VALID_UNTIL
MIDDLEWARE_PROVIDER
(e.g.google - drive.file
)- Flags (e.g.
APPROVE_GOOGLE_DOC
)
ETRX_INSTANCE_CONNECTOR
Registers:
- Middleware base URL
- Authorization type and credentials (token / basic user & password)
5. Middleware Endpoints Summary
Endpoint | Method | Purpose |
---|---|---|
/login |
GET | Start SSO with Auth0. Params: provider , redirect_uri , account_id? |
/callback |
GET | Auth0 callback: exchange code → tokens, validate JWT, redirect ERP |
/authorize |
POST | Exchange ephemeral internal code for user claims (secure backchannel) |
/oauth/google/start |
GET | Begin Google consent. Requires state |
/oauth/google/callback |
GET | Exchange Google code → tokens; redirect ERP |
/picker |
GET | Google Picker example; ensures valid access token |
/jwks |
GET | JWKS exposure (if Middleware signs tokens) |
/logout , /register |
Var | Secondary flows |
6. Error Handling and Traceability
Middleware
- Structured log prefixes:
[LOGIN]
,[CALLBACK]
,[AUTHORIZE]
,[GOOGLE]
. -
Common errors:
-
Missing
state
→ 400 - Missing
refresh_token
and none cached → 400 - Token exchange failure → 500 (
token_exchange_failed
) - Invalid ID Token signature / audience / issuer → 401
ERP
SaveTokenFromMiddleware
interpretserror
anderror_description
query parameters.- Converts technical codes (e.g.
access_denied
) to user-friendly messages. - Deletes previous token records before insertion (avoid duplicates / stale tokens).
7. Implementation Best Practices
Security:
- Enforce HTTPS end-to-end.
- Keep
refresh_token
only in Middleware (not exposed to ERP UI). Provide only access tokens when strictly required. - Validate
iss
,aud
,exp
,iat
of ID Tokens. - Limit scopes (principle of least privilege, e.g.
drive.file
). - Rotate client secrets; store in secret manager.
- Use PKCE (
S256
) for public clients. - Configure strict CORS and secure cookies.
Reliability:
- Replace in-memory token store with encrypted persistent storage in production.
- Synchronize clocks (avoid premature expiry rejections).
- Implement retry with backoff for transient network errors to Google / Auth0.
Observability:
- Correlate logs using a request ID propagated from ERP → Middleware.
- Mask sensitive values (tokens, client secrets) in logs.
8. Operational Procedure (Step-by-Step)
A. Register OAuth Provider in ERP
- Create record in
ETRX_OAUTH_PROVIDER
with IdP endpoints and credentials. - Set
REDIRECT_URI
to the ERP servlet endpoint handling token return (e.g./etendorx/SaveTokenFromMiddleware
). - Enable
GET_MIDDLEWARE_TOKEN
if delegating token acquisition to Middleware. - (Optional) Set
JWKSETURI
for direct JWT validation.
B. Test SSO (Auth0)
- Trigger ERP SSO action → calls Middleware
/login
. - Authenticate via Auth0 → returns to Middleware
/callback
→ redirects ERP. - Confirm ERP session created and user mapped by
email
orsub
.
C. Obtain Google Token (Drive Example)
- In ERP invoke action "Get Middleware Token" selecting scope (e.g.
drive.file
). - Flow:
/oauth/google/start
→ Google consent →/oauth/google/callback
→ ERP redirect. - Validate new entry in
ETRX_TOKEN_INFO
with correctMIDDLEWARE_PROVIDER
value and expiry. - Test Google API / Picker integration; Middleware refreshes tokens transparently.
9. Code References
ERP (Etendo RX)
- Servlet:
src/com/etendoerp/etendorx/SaveTokenFromMiddleware.java
-
Tables:
-
src-db/database/model/tables/ETRX_OAUTH_PROVIDER.xml
src-db/database/model/tables/ETRX_TOKEN_INFO.xml
src-db/database/model/tables/ETRX_TOKEN_USER.xml
src-db/database/model/tables/ETRX_INSTANCE_CONNECTOR.xml
Middleware (EtendoAuth)
- Auth0 Routes:
src/routes/login.ts
,src/routes/callback.ts
,src/routes/authorize.ts
- Auth0 Service:
src/services/auth0.ts
(authorize URL, token exchange, JWT validation) - Google Routes:
src/routes/oauth_google.ts
- Google Logic:
src/googleAuth.ts
(exchangeCodeForTokens
,ensureAccessToken
,refreshAccessToken
) - Token Store (replace in production):
src/tokenStore.ts
- Google Picker Example:
src/routes/picker.ts
10. Support Checklist
- Auth0 env vars:
AUTH0_DOMAIN
,AUTH0_CLIENT_ID
,AUTH0_CLIENT_SECRET
set. - Google env vars:
GOOGLE_CLIENT_ID
,GOOGLE_CLIENT_SECRET
,GOOGLE_REDIRECT_URI
,GOOGLE_API_KEY
set. - ERP
ETRX_OAUTH_PROVIDER
configured orGET_MIDDLEWARE_TOKEN = Y
. - Middleware base URL registered in
ETRX_INSTANCE_CONNECTOR
(if used). REDIRECT_URI
matches IdP and Google console configuration.- System clocks synchronized.
- Valid TLS certificates.
- Middleware logs show expected sequence
[LOGIN]
→[CALLBACK]
. - On
access_denied
errors: verify user consent, scopes, and IdP policy.
Summary
This document centralizes the steps and structures required to implement secure OAuth SSO and Google token management in Etendo RX using a dedicated Middleware layer. Follow best practices to ensure security, reliability, and maintainability.
This work is licensed under CC BY-SA 2.5 ES by Futit Services S.L..