You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.

Subject: JWT Authentication

JAVA property: blueriq.security.jwt.login-path
Explanation: Optional login path property that is used when building the login redirect URL to the Gateway Service. This can be overridden when the Gateway Service is running behind a reverse proxy.
Default: /login
Configured in: application.properties

JAVA property: blueriq.security.jwt.logout-path
Explanation: Optional logout path property that is used when building the logout redirect URL to the Gateway Service. This can be overridden when the Gateway Service is running behind a reverse proxy.
Default: /logout
Configured in: application.properties

JAVA property: blueriq.security.jwt.sso-logout
Explanation: Boolean indicating whether the user should also be logged out of the Single Sign-On session when logging out of Blueriq.
Default: false
Configured in: application.properties

Claims mapping

The following configuration properties can be used to extract information from the JWT claims:

JAVA property: blueriq.security.jwt-claims.roles-path
Explanation: A JsonPath expression to the roles claim in the JWT body.

For example, if the JWT body contains the claims below, this property should be set to $.realm_access.roles to indicate that the roles claim nested within the realm_access claim represents the roles.

{
  ... other claims ...
  "realm_access": {
    "roles": ["role1", "role2"]
  }
  ... other claims ...
}

Before Blueriq 16.7, the expression was a comma-separated list of path segments. Please refer to the Legacy Properties for more information on the legacy format and how to enable it.
Configured in: application.properties

JAVA property: blueriq.security.jwt-claims.teams-path
Explanation: A JsonPath expression to the teams claim in the JWT body. See roles-path above for more information.
Configured in: application.properties

JAVA property: blueriq.security.jwt-claims.role-mapping.<role-claim>
Explanation: Maps a role claim to zero, one or multiple Blueriq roles. If a role claim does not have a mapping, it is considered to have an implicit identity mapping.
Example: blueriq.security.jwt-claims.role-mapping.employee=authenticated_user,vu_employee
(all users who have the employee role at the identity provider will have the authenticated_user and vu_employee roles in Blueriq)
Configured in: application.properties

JAVA property: blueriq.security.jwt-claims.team-mapping.<team-claim>
Explanation: Maps a team claim to zero, one or multiple Blueriq teams. If a team claim does not have a mapping, it is considered to have an implicit identity mapping.
Example: blueriq.security.jwt-claims.team-mapping.amsterdam=europe,netherlands
(all users who have the amsterdam team at the identity provider will have the europe and netherlands teams in Blueriq)
Configured in: application.properties

JAVA property: blueriq.security.jwt-claims.username-path
Explanation: A JsonPath expression to the username claim in the JWT body. See roles-path above for more information.
Default: $.preferred_username (used if no value is specified)
Configured in: application.properties

JAVA property: blueriq.security.jwt-claims.claim-mapping.<key-id>=<value>
Explanation: Additional optional custom property that retrieves a claim from the JWT and places it in the Authentication under the specified key. The value should be a JsonPath expression to the claim in the JWT body. See roles-path above for more information.
Only (lists of) strings, numbers and booleans are supported. These values are all converted to strings.
These claims can be retrieved into the profile using the GetAuthenticationClaims service.
Configured in: application.properties
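As an added illustration that is not Blueriq's own code, the following Python models the claims mapping described above: a constructed JWT body and constructed application.properties entries, a deliberately minimal dotted-key JsonPath evaluator (an assumption for this example; a real JsonPath evaluator supports far more), the implicit identity mapping for unmapped role and team claims, and the string conversion of claim-mapping values. It makes visible that an identity-provider role with no role-mapping entry becomes a Blueriq role of the same name, which is the behaviour a reviewer of this configuration should expect.

```python
# Constructed sample JWT body (decoded token payload, not a real token).
SAMPLE_JWT_BODY = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["employee", "auditor"]},
    "groups": ["amsterdam", "rotterdam"],
    "email_verified": True,
}
# Constructed application.properties entries (key=value) using the properties documented above.
SAMPLE_PROPERTIES = {
    "blueriq.security.jwt-claims.roles-path": "$.realm_access.roles",
    "blueriq.security.jwt-claims.teams-path": "$.groups",
    "blueriq.security.jwt-claims.role-mapping.employee": "authenticated_user,vu_employee",
    "blueriq.security.jwt-claims.team-mapping.amsterdam": "europe,netherlands",
    "blueriq.security.jwt-claims.claim-mapping.verified": "$.email_verified",
}
PREFIX = "blueriq.security.jwt-claims."

def json_path(body, expr):
    # Evaluates only the '$.a.b' dotted-key subset of JsonPath used on this page (assumption).
    if not expr.startswith("$."):
        raise ValueError("unsupported JsonPath expression: " + expr)
    node = body
    for key in expr[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # claim absent: treated like an empty claim
        node = node[key]
    return node

def apply_mapping(claims, mapping):
    # Mapped claim -> zero or more targets; unmapped claim -> implicit identity mapping.
    out = []
    for claim in claims or []:
        targets = mapping.get(claim)
        out.extend([claim] if targets is None else [t for t in targets.split(",") if t])
    return list(dict.fromkeys(out))  # de-duplicate, keep first-seen order

def build_authentication(body, props):
    # Collect the <suffix> -> value entries of one mapping section, e.g. role-mapping.<role-claim>.
    section = lambda s: {k[len(PREFIX + s) + 1:]: v for k, v in props.items() if k.startswith(PREFIX + s + ".")}
    username = json_path(body, props.get(PREFIX + "username-path", "$.preferred_username"))
    roles = apply_mapping(json_path(body, props[PREFIX + "roles-path"]), section("role-mapping"))
    teams = apply_mapping(json_path(body, props[PREFIX + "teams-path"]), section("team-mapping"))
    claims = {}
    for key, path in section("claim-mapping").items():
        values = json_path(body, path)
        values = values if isinstance(values, list) else [values]
        if any(not isinstance(v, (str, int, float, bool)) for v in values):
            raise TypeError("claim " + key + ": only (lists of) strings, numbers and booleans are supported")
        claims[key] = [str(v).lower() if isinstance(v, bool) else str(v) for v in values]  # all become strings
    return {"username": username, "roles": roles, "teams": teams, "claims": claims}
```

Setting a role-mapping entry to an empty value (for example role-mapping.auditor=) is how a claim is mapped to zero Blueriq roles; leaving it out is not the same, because the unmapped claim then passes through unchanged.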