!!Enterprise Licenses Only\\
This plugin lets you delegate access to OAuth providers. On the CrushFTP login page, the "__Sign in__" button of each enabled provider appears next to the login button.\\
Currently __Google Sign-In__, __Microsoft Sign-In__, __Azure Active Directory B2C Sign in__ and __Amazon Cognito Sign in__ are supported.\\
\\
!!1. Google Sign-In\\
\\
You will start at the API credentials manager:\\
[https://console.developers.google.com/projectselector/apis/credentials]\\
\\
You first need to make a project.  My example calls this CrushFTP-Test.\\
[attachments|gDriveSetup/create_project.png]\\
\\
Next, select Create credentials and choose the Web Application type.\\
[attachments|gDriveSetup/create_credentials.png]\\
\\
[attachments|gDriveSetup/oauth_consent.png]\\
\\
When configuring the credential, you have to tell Google the domain you will be originating from when creating the auth token, so this is the URL you use for server administration. Enter just protocol://dns_or_ip:port, with no trailing slash, or it will complain.\\
You also need to enter the redirect URL to which Google will send back the ID token (the ID token is used to authenticate the Google user). Copy the Client ID; it is required to integrate the Google Sign-In button.\\
\\
__Integrate Google Sign-In button__\\
\\
[attachments|gsign_in_button.png]\\
\\
Go to __Preferences-> Ip/Servers__ and select the __HTTP__ or __HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the Google Sign-In button. Check the __"Enable Google Sign in"__ flag and provide the __Client ID__ of your Google project (mentioned above).\\
\\
[attachments|port_item_settings.png]\\
\\
!!2. Microsoft Sign-In\\
\\
It requires a Microsoft Graph application registration. Start at the Microsoft Azure portal:\\
[https://azure.microsoft.com/en-us/features/azure-portal/]\\
\\
__Application registration__: Go to the App registrations and click on New registration:\\
\\
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
\\
Name it. Select __Single-page Application__ as the platform. The redirect URL must end with: __WebInterface/login.html__. Then click Register.\\
\\
[CrushOAuth/app_reg_config.png]\\
\\
Make sure that the MSAL.js 2.0 and Implicit grant (Access Token, ID Token) grant types are permitted.\\
\\
[CrushOAuth/app_reg_auth_config.png]\\
\\
Get Client Id and Tenant Id from App registration -> Overview.\\
\\
[MicrosoftMails/client_id.png]\\
\\
Go to __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the __Microsoft Sign-In__ button. Check the __"Enable Microsoft Sign in"__ flag and provide the __Client ID__ and __Tenant ID__ of your App registration (mentioned above).\\
[CrushOAuth/port_item_settings_ms.png]\\
\\
!!3. Azure Active Directory B2C\\
\\
About Azure Active Directory B2C: [https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]\\
CrushFTP requires : __Tenant name__, __User flow name__, __Client ID__ of the App registration.\\
[CrushOAuth/b2c_azure_settings.png]\\
\\
__Application registration__: Go to the App registrations and click on New registration:\\
\\
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
\\
Name it. Select __Single-page Application__ as the platform. The redirect URL must end with: __WebInterface/login.html__. Then click Register.\\
\\
[CrushOAuth/app_reg_config.png]\\
\\
Check the flag "__ID tokens (used for implicit and hybrid flows)__" at __Platform configurations__.\\
[CrushOAuth/b2c_id_token.png]\\
\\
Get __Application (client) ID__ from App registration -> Overview\\
\\
[CrushOAuth/b2c_client_id.png]\\
\\
Go to __Preferences-> Ip/Servers__ and select the HTTP or HTTPS port item (__OAuth Sign in__ tab) where you want to enable the __Azure Active Directory B2C__ button. Check the "__Enable Azure Active Directory B2C Sign in__" flag and provide the __Tenant name__, __User flow name__ and __Client ID__ of the App registration (mentioned above).\\
[CrushOAuth/port_item_settings_b2c.png]\\
\\
Configure the CrushOAuth plugin and enable the flag:  "__Enable Azure Active Directory B2C Auth__".\\
\\
!!4. Amazon Cognito\\

About __Amazon Cognito__ : [https://aws.amazon.com/cognito/]\\
Create a new __Amazon Cognito user pool__ or use one of your existing ones: [https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html]\\
\\
Create or configure __app client__ of the user pool ([https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html]). \\
\\
App type : Select __Confidential client__.\\
Enable __Generate client secret__.\\
Allowed callback URLs:  https://your.CrushFTP.domain.com__/WebInterface/login.html__\\
OAuth 2.0 grant types : __Authorization code grant__\\
OpenID Connect scopes : __OpenID__\\
\\
[CrushOAuth/cognito_user_pool_app_client_1.png]\\
[CrushOAuth/cognito_user_pool_app_client_2.png]\\
\\
Go to __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the Amazon Cognito Sign-In button. Check the "Enable Amazon Cognito Sign in" flag.\\
Required info from __App client__ of the __User Pool__ : __Client ID__ and __Client Secret__.\\
Required info from __User Pool__:\\
Cognito Domain Prefix: It is part of the __Cognito domain__ (Amazon console -> Amazon Cognito -> User Pools -> __User pool__ -> __App integration__ tab). It also contains the region of the User Pool.\\
Like:
{{{[domain_name].auth.[amazon region]}}}\\
User pool ID\\
\\
[CrushOAuth/cognito_client_id_secret.png]\\
[CrushOAuth/cognito_user_pool.png]\\
[CrushOAuth/port_item_settings_cognito.png]\\
\\
Configure the __CrushOAuth__ plugin and enable the flag: __Enable Amazon Cognito Auth__.
\\
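An added pre-flight check for the Cognito values listed above, written for this page and not part of CrushFTP. It assumes the usual user pool ID form region_id and Cognito's rule that callback URLs use https except on localhost; the function name and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
# Format shown on this page: [domain_name].auth.[amazon region]
PREFIX_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.auth\.(?P<region>" + REGION + r")$")
# Assumed user pool ID format: <region>_<id>
POOL_RE = re.compile(r"^(?P<region>" + REGION + r")_[0-9A-Za-z]+$")
CALLBACK_SUFFIX = "/WebInterface/login.html"


def check_cognito_settings(callback_url, domain_prefix, user_pool_id):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []

    url = urlsplit(callback_url)
    if not url.path.endswith(CALLBACK_SUFFIX):
        problems.append("callback URL must end with " + CALLBACK_SUFFIX)
    if url.scheme != "https" and url.hostname != "localhost":
        problems.append("callback URL must use https")

    prefix = PREFIX_RE.match(domain_prefix)
    if prefix is None:
        problems.append("domain prefix must be name.auth.region, with no "
                        "scheme and no .amazoncognito.com suffix")

    pool = POOL_RE.match(user_pool_id)
    if pool is None:
        problems.append("user pool ID must look like region_id")

    # The domain prefix carries the pool's region, so both must agree.
    if prefix and pool and prefix["region"] != pool["region"]:
        problems.append("region mismatch: prefix says %s, pool ID says %s"
                        % (prefix["region"], pool["region"]))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for line in check_cognito_settings(
            "https://your.CrushFTP.domain.com/WebInterface/login.html",
            "crushftp-test.auth.us-east-1",
            "eu-west-1_AbCd12345"):
        print("PROBLEM:", line)
```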
!!5. Plugin Settings\\
\\

__1.__ Username matching -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principal name). You can enter multiple values separated by commas. A domain filter is allowed too (like *mydomain.com).\\
\\
__2.__ Allowed authentication types\\
\\
__3.__ OAuth only used for Authentication (User manager then defines user's access.) -> If users already exist with the OAuth username, you can use the plugin just for authentication.\\
\\
__4.__ Template Username -> The signed-in user inherits not just the settings, but the VFS items too (as Linked VFS).\\
\\
Import settings from CrushFTP user -> The signed-in user inherits just the settings from this user. __It must have a value!__ The default value would be: __default__ -> the default user of CrushFTP\\
\\
__5.__ VFS related settings : You can also assign a VFS item for the signed in user.\\
\\
[attachments|plugin_settings.png]\\
\\
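An added check for the Username matching value from item 1, written for this page and not part of CrushFTP. It assumes each comma-separated entry is a * wildcard compared case-insensitively against the whole OAuth user name; the page does not state the exact matching rules, and the function names and probe names are constructed.

```python
from fnmatch import fnmatchcase


def admits(filter_value, username):
    """True if any comma-separated pattern matches the user name.

    Assumption: '*' is a wildcard over the whole name, case-insensitive.
    """
    patterns = [p.strip().lower() for p in filter_value.split(",") if p.strip()]
    return any(fnmatchcase(username.lower(), p) for p in patterns)


def audit_filter(filter_value, intended_domain):
    """Probe the filter with constructed names inside and outside the domain.

    Returns whether a user of intended_domain passes, and which outside
    names pass as well (these show the filter is wider than intended).
    """
    outside = [
        "user@not" + intended_domain,            # longer domain, same ending
        "user@" + intended_domain + ".example",  # intended domain as a prefix
        "user@example.org",                      # unrelated domain
    ]
    return {
        "legitimate_ok": admits(filter_value, "user@" + intended_domain),
        "unexpected": [u for u in outside if admits(filter_value, u)],
    }


if __name__ == "__main__":
    # The page's sample pattern next to one anchored at the '@' sign.
    for value in ("*mydomain.com", "*@mydomain.com"):
        print(value, audit_filter(value, "mydomain.com"))
```

Under that assumption, anchoring the pattern at the @ sign keeps the filter limited to the intended domain.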