What is OAuth? (Login to third-party systems)


OAuth (Open Authorization) is a protocol that allows users to securely authenticate themselves in third-party systems without having to share their login credentials with those systems. ChurchTools supports the OAuth protocol, so you can use your ChurchTools login credentials to log in to systems such as Nextcloud.

Advantages of OAuth

  • Security: Your access data remains confidential and is not transmitted to the third-party system.
  • Convenience: You can use one login for several applications and have to remember fewer passwords.
  • Control: You retain control over which systems have access to your ChurchTools data, and as an admin you can control who has access and who does not.

How does OAuth work?

  1. Log in to a third-party system: When you log in to a third-party system such as Nextcloud, select “Login with ChurchTools” (text may vary).
  2. Forwarding to ChurchTools: You will be redirected to the ChurchTools login page. Enter your access data here.
  3. Grant Permission: After successfully logging in, you will be asked if you want to grant the third-party system access.
  4. Grant access: After your consent, ChurchTools provides the third-party system with an access token. This token allows the third-party system to access certain information without knowing your access data.
  5. Redirection: You are redirected back to the third-party system and are logged in.

Typical use cases

  • File Management: Log in to Nextcloud using ChurchTools.
  • Communication: Integration with e-mail services that support OAuth.
  • Administration tools: Use project management software with your ChurchTools account.

Frequently asked questions (FAQ)

What data is shared? Only the data required to use the third-party system. You can see in advance which information will be released.

Is OAuth secure? Yes, OAuth is a proven standard that is used by many large companies. Your access data always remains secure.

Important terms

  • Redirect URI – The client’s address to which the user is redirected after a successful login. This redirect confirms to the client that the login was authorized.
  • Client identifier – Unique identifier of the client on the server. It identifies the client, but does not contain any secret information.
  • Client secret – Secret password that the client presents to the server. It is used on the server side to uniquely authenticate the client and must never be used publicly or in the browser.
  • API base URL – Base address of the API via which all other API requests are made. All endpoints are technically based on this URL.
  • Authorization URL – Address to which the user is redirected from the client to the server for login and consent. This is where the user authenticates themselves and allows access.
  • Access token URL – Server address via which the client requests an access token. This token is required to access the API.
  • Profile URL – Server address via which the logged-in user’s profile data can be retrieved. Access is only possible with a valid access token.
  • Scope – The scope of permissions that the client requests from the server. It determines which data or functions the third-party system is permitted to access with a valid access token.
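
How the settings listed above fit together in steps 1 to 5, shown from the third-party system's side. This is an added example, not ChurchTools or Nextcloud code. It assumes the standard OAuth 2.0 authorization code grant; every URL, the client identifier and the secret are constructed placeholders, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder settings named after the terms above (assumptions).
CONFIG = {
    "client_id": "nextcloud-demo",
    "client_secret": "placeholder-secret",  # server side only
    "redirect_uri": "https://cloud.example/oauth/callback",
    "authorization_url": "https://churchtools.example/oauth/authorize",
    "access_token_url": "https://churchtools.example/oauth/token",
    "scope": "profile",
}


def build_authorization_request(cfg):
    """Steps 1-2: return (url, state) for the redirect to the login page."""
    state = secrets.token_urlsafe(32)  # unguessable, stored in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": cfg["scope"],
        "state": state,
    })
    return f"{cfg['authorization_url']}?{query}", state


def handle_callback(cfg, callback_url, expected_state):
    """Steps 4-5: validate the redirect, then build the token request."""
    parsed = urlparse(callback_url)
    params = parse_qs(parsed.query)
    # The callback must arrive on exactly the registered redirect URI.
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != cfg["redirect_uri"]:
        raise ValueError("callback does not match the redirect URI")
    # A different state means this session did not start the login.
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("access was denied or no code was returned")
    # Form body the server POSTs to the access token URL over HTTPS.
    return cfg["access_token_url"], {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }
```

The client secret appears only in the server-to-server token request, never in the URL that passes through the user's browser.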

Updated on 22 June 2026