!!Enterprise Licenses Only\\
This plugin lets you delegate authentication to OAuth providers. The enabled provider's __"Sign in"__ button appears next to the login button on the CrushFTP login page.\\
Currently __Google Sign-In__, __Microsoft Sign-In__, __Azure Active Directory B2C Sign in__ and __Amazon Cognito Sign in__ are supported.\\
\\
!!1. Google Sign-In\\
\\
You will start at the API credentials manager:\\
[https://console.developers.google.com/projectselector/apis/credentials]\\
\\
You first need to make a project.  My example calls this CrushFTP-Test.\\
[attachments|gDriveSetup/create_project.png]\\
\\
Next select create credentials, and choose the Web Application type.\\
[attachments|gDriveSetup/create_credentials.png]\\
\\
[attachments|gDriveSetup/oauth_consent.png]\\
\\
Configure the __Authorized JavaScript origins__ in the form __protocol://dns_or_ip:port__, without a trailing slash, or it will complain.\\
Provide the __Redirect URL__ too. This is the location where Google sends back the ID token (the ID token is used to authenticate the Google user). Copy the Client ID; it is required to integrate the Google Sign-In button.\\
\\
__Integrate Google Sign-In button__\\
\\
[attachments|gsign_in_button.png]\\
\\
Go to __Preferences-> Ip/Servers__ and select the __HTTP__ or __HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the Google Sign-In button. Check the __"Enable Google Sign in"__ flag and provide the __Client ID__ of your Google project (mentioned above).\\
\\
[attachments|port_item_settings.png]\\
\\
!!2. Microsoft Sign-In\\
\\
This requires a Microsoft Graph application registration. Start at the Microsoft Azure portal:\\
[https://azure.microsoft.com/en-us/features/azure-portal/]\\
\\
__Application registration__: Go to the App registrations and click on New registration:\\
\\
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
\\
Name it. Select __Single-page Application__ as the platform. The redirect URL must end with: __WebInterface/login.html__. Then click Register.\\
\\
[CrushOAuth/app_reg_config.png]\\
\\
Make sure that the MSAL.js 2.0 and Implicit grant (Access Token, ID Token) grant types are permitted.\\
\\
[CrushOAuth/app_reg_auth_config.png]\\
\\
Get Client Id and Tenant Id from App registration -> Overview.\\
\\
[MicrosoftMails/client_id.png]\\
\\
Go to __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the __Microsoft Sign-In__ button. Check the __"Enable Microsoft Sign in"__ flag and provide the __Client ID__ and __Tenant ID__ of your App registration (mentioned above).\\
[CrushOAuth/port_item_settings_ms.png]\\
\\
!!3. Azure Active Directory B2C\\
\\
About Azure Active Directory B2C: [https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]\\
CrushFTP requires the __Tenant name__, the __User flow name__ and the __Client ID__ of the App registration.\\
[CrushOAuth/b2c_azure_settings.png]\\
\\
__Application registration__: Go to the App registrations and click on New registration:\\
\\
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
\\
Name it. Select __Single-page Application__ as the platform. The redirect URL must end with: __WebInterface/login.html__. Then click Register.\\
\\
[CrushOAuth/app_reg_config.png]\\
\\
Check the flag "__ID tokens (used for implicit and hybrid flows)__" at __Platform configurations__.\\
[CrushOAuth/b2c_id_token.png]\\
\\
Get __Application (client) ID__ from App registration -> Overview\\
\\
[CrushOAuth/b2c_client_id.png]\\
\\
Go to __Preferences-> Ip/Servers__ and select the HTTP or HTTPS port item (__OAuth Sign in__ tab) where you want to enable the __Azure Active Directory B2C__ button. Check the "__Enable Azure Active Directory B2C Sign in__" flag and provide the __Tenant name__, __User flow name__ and __Client ID__ of the App registration (mentioned above).\\
[CrushOAuth/port_item_settings_b2c.png]\\
\\
Configure the CrushOAuth plugin and enable the flag:  "__Enable Azure Active Directory B2C Auth__".\\
\\
!!4. Amazon Cognito\\

About __Amazon Cognito__: [https://aws.amazon.com/cognito/]\\
Create a new __Amazon Cognito user pool__ or use one of your existing ones: [https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html]\\
\\
Create or configure an __app client__ of the user pool ([https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html]).\\
\\
App type : Select __Confidential client__.\\
Enable __Generate client secret__.\\
Allowed callback URLs:  https://your.CrushFTP.domain.com__/WebInterface/login.html__\\
OAuth 2.0 grant types : __Authorization code grant__\\
OpenID Connect scopes : __OpenID__\\
\\
[CrushOAuth/cognito_user_pool_app_client_1.png]\\
[CrushOAuth/cognito_user_pool_app_client_2.png]\\
\\
Go to __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item (__OAuth Sign in__ tab) where you want to enable the Amazon Cognito Sign-In button. Check the "Enable Amazon Cognito Sign in" flag.\\
Required info from the __App client__ of the __User Pool__: __Client ID__ and __Client Secret__.\\
Required info from the __User Pool__:\\
Cognito Domain Prefix: It is part of the __Cognito domain__ (Amazon console -> Amazon Cognito -> User Pools -> __User pool__ -> __App integration__ tab). It also contains the region of the User Pool.\\
Like:
{{{[domain_name].auth.[amazon region]}}}\\
User pool ID\\
\\
[CrushOAuth/cognito_client_id_secret.png]\\
[CrushOAuth/cognito_user_pool.png]\\
[CrushOAuth/port_item_settings_cognito.png]\\
\\
Configure the __CrushOAuth__ plugin and enable the flag: __Enable Amazon Cognito Auth__.
\\
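The provider sections above each depend on a few exactly formatted values: the Authorized JavaScript origin (no trailing slash), the redirect/callback URL ending in WebInterface/login.html, and the Cognito Domain Prefix. The following pre-flight check is an added example, not part of CrushFTP or the original page; the function names, the sample values, the https requirement and the character set accepted for the prefix are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

LOGIN_PATH = "/WebInterface/login.html"
# [domain_name].auth.[amazon region]; the accepted characters are an assumption.
COGNITO_PREFIX = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.auth\.[a-z]{2}(?:-[a-z]+)+-\d+$")
# Constructed sample values, not taken from a real deployment.
SAMPLE = {"origin": "https://files.example.com:443/",
          "redirect": "https://files.example.com/WebInterface/login.html",
          "cognito_prefix": "crushftp-demo.auth.eu-west-1"}

def check_origin(value):
    """Authorized JavaScript origin: protocol://dns_or_ip:port and nothing more."""
    parts, problems = urlsplit(value), []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("host is missing")
    if parts.path or parts.query or parts.fragment:
        problems.append("nothing may follow the port (no trailing slash or path)")
    return problems

def check_redirect(value):
    """Redirect / callback URL registered with the provider."""
    parts, problems = urlsplit(value), []
    # Requiring https is this example's policy, not a rule stated on the page.
    if parts.scheme != "https":
        problems.append("scheme should be https")
    if not parts.path.endswith(LOGIN_PATH):
        problems.append("path must end with " + LOGIN_PATH)
    if parts.query or parts.fragment:
        problems.append("query or fragment is not expected")
    return problems

def check_cognito_prefix(value):
    """Cognito Domain Prefix: no scheme and no .amazoncognito.com suffix."""
    if COGNITO_PREFIX.match(value):
        return []
    return ["expected [domain_name].auth.[amazon region]"]

def preflight(settings):
    """Return {setting name: [problems]} for every value that fails its check."""
    checks = {"origin": check_origin, "redirect": check_redirect,
              "cognito_prefix": check_cognito_prefix}
    results = {name: checks[name](value) for name, value in settings.items()}
    return {name: found for name, found in results.items() if found}
```

Running `preflight(SAMPLE)` reports only the origin, because the constructed sample carries a trailing slash.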
!!5. Plugin Settings\\
\\

__1.__ Username matching -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principal name). You can enter multiple values separated by commas. A domain filter is allowed too (like *mydomain.com).\\
\\
__2.__ Allowed authentication types\\
\\
__3.__ OAuth only used for Authentication (User manager then defines user's access.) -> If users already exist with the OAuth username, you can use the plugin just for authentication.\\
\\
__4.__ Template Username -> The signed-in user inherits not just the settings, but the VFS items too (as Linked VFS).\\
\\
Import settings from CrushFTP user -> The signed-in user inherits just the settings from this user. __It must have a value!__ Default value would be: __default__ -> the default user of CrushFTP\\
\\
__5.__ VFS related settings : You can also assign a VFS item for the signed in user.\\
\\
[attachments|plugin_settings.png]\\
\\
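How wide a Username matching value is depends on where the wildcard sits. The following added example (not CrushFTP code and not from the original page) models the filter with shell-style wildcards and case-insensitive comparison, both of which are assumptions because the page does not state the matching rules; the function names and the sample identities are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sign-in identities, as an OAuth provider might report them.
SAMPLE_USERS = ["alice@mydomain.com", "bob@notmydomain.com",
                "carol@dev.mydomain.com", "dave@example.org"]


def parse_patterns(setting):
    """Split the comma-separated 'Username matching' value into patterns."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def is_allowed(username, setting):
    """True if the username matches any pattern (assumed glob semantics)."""
    name = username.strip().lower()
    return any(fnmatchcase(name, p) for p in parse_patterns(setting))


def matched_users(setting, users=SAMPLE_USERS):
    """List which sample identities a setting would let through."""
    return [u for u in users if is_allowed(u, setting)]


def audit_patterns(setting, own_domains):
    """Report wildcard patterns wider than 'any mailbox at one of our domains'."""
    findings = []
    anchored = {"*@" + d.lower() for d in own_domains}
    for p in parse_patterns(setting):
        if "*" not in p and "?" not in p:
            continue  # exact username, nothing to widen
        if p not in anchored:
            findings.append(p)
    return findings
```

Under these assumptions `*mydomain.com` also admits the `notmydomain.com` and `dev.mydomain.com` identities, while `*@mydomain.com` admits only `alice@mydomain.com`; confirm the behaviour on your own server with a test account before relying on a pattern.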