You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.


OpenID Connect configuration has to be specified in application.properties
Consult OpenID Connect Properties page from more information.

Configuration

There are two ways of configuring Blueriq with OpenID Connect:

  1. Using Discovery: endpoints and keys map are loaded from the OpenID Connect Provider discovery location (usually the path is built by adding /.well-known/openid-configuration suffix to token issuer path) and the other properties properties are specified in application.properties.
  2. Property file exclusive configuration: endpoints, keys map and the other properties is specified in application.properties.
blueriq.security.openid-connect.use-discovery is used to enable one or another.

If blueriq.security.openid-connect.use-discovery is true, the following properties can be omitted from the configuration because they will be discovered:

  • blueriq.security.openid-connect.token-endpoint
  • blueriq.security.openid-connect.authorization-endpoint
  • blueriq.security.openid-connect.end-session-endpoint
  • blueriq.security.openid-connect.public-keys
application.properties
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect

blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master
blueriq.security.openid-connect.client-id=<client-id>
blueriq.security.openid-connect.client-secret=<client-secret>
blueriq.security.openid-connect.scopes=openid

blueriq.security.auth-providers-chain=openid-provider

If blueriq.security.openid-connect.use-discovery is false, endpoints and keys map have to be specified:

application.properties
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect

blueriq.security.openid-connect.use-discovery=false
blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master

blueriq.security.openid-connect.token-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/token
blueriq.security.openid-connect.authorization-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/auth

blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/logout

blueriq.security.openid-connect.public-keys.<key-id>=<key-value>

blueriq.security.openid-connect.client-id=<client-id>
blueriq.security.openid-connect.client-secret=<client-secret>
blueriq.security.openid-connect.scopes=openid


# configure how to extract user info from ID token
blueriq.security.openid-connect.username-path=preferred_username
blueriq.security.openid-connect.roles-path=realm_access,roles
blueriq.security.openid-connect.teams-path=teams

blueriq.security.auth-providers-chain=openid-provider

Provider Support

OpenID Connect will not work if use-discovery is true and:

  • OpenID Connect Provider does not support authorization-code grant type.
  • sso-logout property is true and end-session-endpoint is not supported by OpenID Connect Provider.
  • OpenID Connect Provider request_uri_parameter_supported is false.
  • OpenID Connect Provider does not support RS256 token endpoint auth signing algorithm.
  • Scopes are missing from application.properties
  • OpenID Connect Provider does not support any scope.
  • Token issuer defined in application.properties does not match with the one supported by OpenID Connect Provider.

Provider Support

Regardless the value of use-discovery, if sso-logout is true then the end-session-endpoint has to be present.

Property blueriq.security.openid-connect.keys-endpoint was removed.



  • No labels