Managing external OAuth applications

As an admin, using the OAuth framework, you can delegate authorization to external applications. Once registered, these applications can make API calls to UiPath applications or resources scoped to the APIs you designate.

Overview

Supported application types and access scope

You can register applications as one of the following types:

confidential applications: Applications that can safely store the application secret generated after registration; for example, web applications and service-to-service (S2S) applications.
non-confidential applications: Applications that cannot guarantee the safe storage of the application secret and therefore one is not created; for example, desktop or native mobile applications.

The application type defines the authorization grant type that is allowed for authorizing the application. Confidential applications are scoped to user-level and/or application-scoped APIs. Non-confidential applications can only send requests for user scope, meaning that a user must log in to authorize the request for the application.

Available UiPath Resources

When registering the external application, you give it access to one or several UiPath resources through the API of a UiPath application.

The following APIs are available:

Three Parts to Authorizing External Applications

There are three steps to getting an external application access your UiPath resources over OAuth:

Step	Who	What	Details
1	Organization administrator	Register an external application in Automation Suite	Registering external applications
2	Organization administrator	Provide the application registration details to the developer	Providing details to developers
2	Developer	Set up the external application to use the appropriate grant type to access your UiPath resources	Accessing UiPath resources using external applications

Registering External Applications

To register an external application so that it can use OAuth to access the UiPath resources within your organization:

In Automation Suite, go to Admin > External Applications and click Add Application in the top right.

The Add Application page opens where you can register an external application.
Fill in the Application Name field.
Select an option for Application Type.

If you select Confidential application, you will receive an app secret at the end of app creation, so make sure your application can store it securely. If it cannot, select Non-confidential application.
Under Resources, click Add Scopes.

The Edit Resource panel opens on the right, where you can select the resources to which the application should have access.
From the Resource drop-down list, select the UiPath API that the application can use.

Note: You can only add scope for one resource at a time. If you want to allow access to multiple resources, repeat this process to add scope for each resource.
On the User Scope(s) tab, select the check boxes for the logical API permissions that you want to grant, as needed.

Granting permissions under user scope means that the external application can access those resources within a user context and a user with the appropriate permissions must be logged in.
If this is a confidential application, you can switch to the Application Scope(s) tab to also grant application-level permissions for the selected resource, as needed.

With permissions under application scope, the external application has access to application-wide data for the selected scopes without the need for user interaction.

Non-confidential applications cannot access application scope.
Click Save.

The panel closes and the selected resource and scopes are added to the Resources table in the form.
If the external application can accept it, you can add a URL in the Redirect URL field and the authorization response is sent there. The application can then use it to access UiPath resources.
Click Add to create the registration.

A confirmation message opens. For confidential applications, the confirmation message includes the app secret that the registered external application can use to request authorization. Make sure you save it in a secure location because you cannot see it again.

Changing the Scope for an Existing Application

Scopes are the permissions of the external application in relation to your UiPath resources.

Go to Admin > External Applications.
Click at the right of the application row.
Change the scope to which the application has access:
- Use the icons at the right of a resource row to edit existing scope or to delete the resource.
- Click Add Scopes to add an additional resource and then select scopes for it.
Click Save.

Generating a New App Secret

If you don't know the application secret that was generated for an external application, you cannot recover it. But you can generate a new one.

Note: If you generate a new app secret, make sure to share it with the developer who is maintaining the integration with the external application. They must update the authentication mechanism, otherwise the existing integration no longer works.

To generate a new app secret:

Go to Admin > External Applications.
Click at the right of the application row.
Under App Secret, click Generate New.

A new app secret is generated and displayed above the button. It remains visible until you click Cancel to close the page.
Copy it and make sure you store it in a safe place.

Providing details to developers

After you register an external application, a developer must also set up the external application so that it properly authenticates, requests authorization from UiPath Identity Server, and then access the allowed UiPath resources.

To be able to perform those tasks, you must share the following information with them:

the Application Type and Application ID, both of which are visible on the Admin > External Applications page
the scopes added for each scope type. For some resources, the same name is used under both user and application scopes, so the type is also important.
if this is a confidential application, the application secret generated when you registered the external application.

Note: If you don't have the secret anymore, generate a new one as described above.