What is OAuth? (Login to third-party systems)


OAuth (Open Authorization) is a protocol that lets users log in securely to third-party systems without disclosing their login credentials to those systems. ChurchTools supports the OAuth protocol, so you can use your ChurchTools login data to log in to systems such as Nextcloud.

Advantages of OAuth

  • Security: Your login credentials remain confidential and are not transmitted to the third-party system.
  • Convenience: You can use one login for several applications and have fewer passwords to remember.
  • Control: You retain control over which systems have access to your ChurchTools data, and as an admin you can control who has access and who does not.

How does OAuth work?

  1. Third-party system login: When you log in to a third-party system such as Nextcloud, select “Login with ChurchTools” (the wording may vary).
  2. Forwarding to ChurchTools: You will be redirected to the ChurchTools login page. Enter your login credentials there.
  3. Grant permission: After successfully logging in, you will be asked whether you want to grant access to the third-party system.
  4. Grant access: Once you consent, ChurchTools provides the third-party system with an access token. This token allows the third-party system to access certain information without knowing your login credentials.
  5. Redirection: You are redirected back to the third-party system and are logged in.

Typical use cases

  • File management: Log in to Nextcloud with ChurchTools.
  • Communication: Integration with e-mail services that support OAuth.
  • Administration tools: Use project management software with your ChurchTools account.

Frequently asked questions (FAQ)

What data is shared?
Only the data required to use the third-party system. You can see in advance which information will be released.

Is OAuth secure?
Yes, OAuth is a proven standard that is used by many large companies. Your login credentials always remain secure.

Important terms

  • Redirect URI – the address of the client to which the user is redirected after a successful login. Via this redirect, the client receives confirmation that the login has been allowed.
  • Client identifier – unique identifier of the client on the server. It identifies the client but does not contain any secret information.
  • Client secret – the client's secret password for the server. It is used on the server side to uniquely authenticate the client and must never be exposed publicly or used in the browser.
  • API base URL – base address of the API via which all other API requests are made. All endpoints build on this URL.
  • Authorization URL – address to which the client redirects the user on the server for login and consent. This is where the user authenticates and allows access.
  • Access token URL – server address via which the client requests an access token. This token is required to access the API.
  • Profile URL – server address via which the logged-in user’s profile data can be retrieved. Access is only possible with a valid access token.
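
How the terms above fit into steps 1 to 5, as an added example that is not ChurchTools' or Nextcloud's own code: it assumes the standard OAuth 2.0 authorization code grant with a `state` value (RFC 6749) and Bearer token use (RFC 6750), neither of which this page spells out. All URLs, identifiers and function names are constructed placeholders, and no network request is made.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: real values come from the OAuth client settings.
CONFIG = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",  # server side only, never in the browser
    "redirect_uri": "https://cloud.example.invalid/oauth/callback",
    "authorization_url": "https://churchtools.example.invalid/placeholder/authorize",
    "access_token_url": "https://churchtools.example.invalid/placeholder/token",
    "profile_url": "https://churchtools.example.invalid/placeholder/profile",
}

def build_authorization_redirect(cfg):
    """Steps 1-2: URL the browser is sent to, plus the state to keep in the session."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this login attempt
    query = urlencode({"response_type": "code", "client_id": cfg["client_id"],
                       "redirect_uri": cfg["redirect_uri"], "state": state})
    return f'{cfg["authorization_url"]}?{query}', state

def handle_callback(cfg, callback_url, expected_state):
    """Step 5: accept the redirect only on the registered URI and with matching state."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != cfg["redirect_uri"]:
        raise ValueError("callback did not arrive on the registered redirect URI")
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "code" not in params:
        raise ValueError("no authorization code: " + params.get("error", ["unknown"])[0])
    return params["code"][0]

def build_token_request(cfg, code):
    """Step 4: server-to-server POST form; the only place the client secret is sent."""
    return cfg["access_token_url"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }

def build_profile_request(cfg, access_token):
    """Profile URL and header; assumes the token is presented as a Bearer token."""
    return cfg["profile_url"], {"Authorization": f"Bearer {access_token}"}
```

The client secret appears only in the token request built on the server, never in the URL the browser follows, which matches the rule stated for the client secret above.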


Updated on 29 January 2026