Oauth External Authentication
Using multiple files for developing a robust FileMaker solution can be pretty normal when you plan out the distribution of your data and servers. Some solutions benefit from breaking out part of the solution into one or more separate files.
So, whether taking the load off a given server or simply planning for quicker data access across multiple time zones, one of the bigger problems which pops up with your standard FileMaker accounts is password management. This is where it becomes much easier to use external authentication.
In earlier days, we only had access to Active/Open Directory or system accounts hosted on the same machine as FileMaker server. But, since FileMaker Server 16, we now have the ability to use external authentication through Oauth. This means we can use a third party like Amazon, Google or Microsoft in order to allow users to access solutions and manage their own passwords.
If you're looking for an easier way to manage the users of your solution, then you'll find out how it works and how to make it happen within this video about Oauth External Authentication.
Comments
Firewall?
I don't seem to be able to get this working and wonder if this requires any ports opening on the firewall. Our firewall is managed and blocks incoming and outgoing ports, so we have to specifically allow them.
One account per user
I don't see the advantage, if - as stated at about the 12 minute mark - you still have to set up one user per account, when that user is coming from an OAUTH support. This is the same as setting up one user per account in FM, and does not introduce another set of UI to manage users. The only advantage I can envision is not having to grant the client a FULL ACCESS account to manage those local credentials. And I would still need to set up each FM solution with this set of users.
It does, however, have the advantage that ANY Google email can log in, IF that account is setup to be able to access your FM solution.
If you use Azure, it DOES have the concept of groups, but you need to add each user's email - any email will do - to the Azure access list, assigned to a group.
BIG advantage, in that a group can be in N number of FM solutions, and a single assignment of a user to that group, grants them access to any FM solution with that group setup in Security.
In Directory Services, like Azure, you can set up an account that is equivalent to a group, and in the directory service, assign users to that group. Their credentials are managed in the directory services, and only a few accounts need to exist in FM to support the delineation of privilege set to a group of users.