You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.

SubjectJAVA PropertyExplanation
OpenID Connectblueriq.security.openid-connect.use-discoveryBoolean property which enables Blueriq to read identity provider specific properties from an specific exposed location if the value is true, or to read them from application.properties if the value is false. Default: false.

application.properties


blueriq.security.openid-connect.public-keys.<key id>=<key  value>

Defines the <key id, public key> mappings that are loaded by Blueriq if blueriq.security.openid-connect.use-discovery is false.

Note that the key value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec

application.properties


blueriq.security.openid-connect.client-id

The client-id of the Runtime, as defined at the identity provider.

application.properties


blueriq.security.openid-connect.client-secret

The client secret of the Runtime, as defined at the identity provider. This value is used, for example, to complete the OpenID Connect Authorization Code Flow, when exchanging the authorization code for ID and access tokens.

application.properties


blueriq.security.openid-connect.scopes

The OpenID Connect scopes used when starting the Authorization Code flow. The scopes must include the value "openid" in order for the identity provider to recognize that the OpenID Connect Authorization Code flow must be initiated. If "openid" is not specified as a scope, the identity provider may instead initiate the OAuth2 Authorization Code flow (depends on the identity provider in use). Multiple scopes can be specified separated with coma.

application.properties


blueriq.security.openid-connect.token-endpoint

the URL of the endpoint where access codes can be exchanged for ID and access tokens.

Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/token

application.properties


blueriq.security.openid-connect.token-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the token endpoint. For example;

blueriq.security.openid-connect.token-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/

application.properties


blueriq.security.openid-connect.authorization-endpoint

the URL where the OpenID Connect Authorization Code flow can be started.

Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/auth

application.properties


blueriq.security.openid-connect.authorization-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the authorization endpoint. For example;

blueriq.security.openid-connect.authorization-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/

application.properties


blueriq.security.openid-connect.token-issuer

The expected issuer in the "iss" claim of JWT tokens. A received JWT which does not have this exact, case-sensitive value in its "iss" claim will be rejected as invalid.

application.properties


blueriq.security.openid-connect.check-audience

Boolean indicating whether the audience claim should be checked. If true, the audience claim must contain the Runtime's client-id. All JWTs which do not contain the Runtime's client-id in the audience claim are rejected as invalid.

When false, the audience claim is not checked. Default: false.

application.properties


blueriq.security.openid-connect.sso-logout

Boolean indicating whether when logging out of Blueriq the user should be logged out of the Single-Sign-On session as well.

Default: false

application.properties


blueriq.security.openid-connect.end-session-endpointWhen sso-logout is true, the Runtime redirects to this URL at the identity provider in order to log out of the Single-Sign-On session.

application.properties


blueriq.security.openid-connect.post-logout-redirect-uri

Optional URI that the OpenID Connect provider should redirect to after logging out. This property will be taken account both when using discovery and when using manual configuration through properties.

Since Blueriq 15.13.1

application.properties


blueriq.security.openid-connect.user-info-endpointthe URL of the OpenID Connect UserInfo endpoint. This endpoint provides information about the user associated with an access token. It is used when the access token is not a JWT.

application.properties


blueriq.security.openid-connect.user-info-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the user info endpoint. For example;

blueriq.security.openid-connect.user-info-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/

application.properties


SubjectJAVA PropertyExplanation

blueriq.security.openid-connect.roles-path

The comma-separated path to the roles claim in the JWT body. For example if the JWT body contains the following claims:


{
  ... other claims ...
  "realm_access": [
    "roles": ["role1", "role2"]
  ]
  ... other claims ...
}

then this property should be set to "realm_access,roles" in order to indicate that the roles claim nested within the realm_access claim represents the user's roles.

application.properties


blueriq.security.openid-connect.teams-path

The comma-separated path to the teams claim in the JWT body. See roles-path above for an example.

application.properties


blueriq.security.openid-connect.role-mapping.<role-claim>

Maps a role claim to zero, one or multiple Blueriq roles. If a role claim does not have a mapping, it is considered to have an implicit identity mapping.

Example: blueriq.security.openid-connect.role-mapping.employee=authenticated_user,vu_employee

(all users which have the employee role at the identity provider will have the authenticated_user and vu_employee roles in Blueriq)

application.properties


blueriq.security.openid-connect.team-mapping.<team-claim>

Maps a team claim to zero, one or multiple Blueriq teams. If a team claim does not have a mapping, it is considered to have an implicit identity mapping.

Example: blueriq.security.openid-connect.team-mapping.amsterdam=europe,netherlands

(all users which have the amsterdam team at the identity provider will have the europe and netherlands teams in Blueriq)

application.properties


blueriq.security.openid-connect.username-path

The comma-separated path to the username claim in the JWT body. For example if the JWT body contains the following claims:

{
  ... other claims ...
  "realm_access": [
    "nickname": "username"
  ]
  ... other claims ...
}

then this property should be set to "realm_access,nickname" in order to indicate that the nickname claim nested within the realm_access claim represents the username.

Auth0 will include the claim nickname in the JWT body when the scope profile is added to the list of scopes. We suggest to set this property to "nickname" when using Auth0.

If no value is specified, the default value is used: preferred_username.

application.properties


blueriq.security.openid-connect.claim-mapping.<key-id>=<value>

Additional optional custom parameter to retrieve a claim from the openid-connect JWT token en place it in the Authentication.

For more information see the openid connect configuration page.

These claims can be retrieved to the profile using the GetAuthenticationClaims service.

application.properties