You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.

Requirements

Logging in with the JWT Authentication Provider is only supported when using the Blueriq Gateway Service as a backend for frontend.

Setup

To log in using JWT, a fully configured Blueriq Gateway Service is required.



Blueriq does not provide an identity provider. Blueriq uses Keycloak as identity provider in the integration tests.

For login via the UI, only the Authorization Code Flow (with response-type=code) is supported.

Multiple OpenID Connect identity providers at the same time are not supported.

Using the Material Angular theme together with OpenID Connect

The default Material theme based on Angular supports JWT authentication out-of-the-box, but it may require customizations depending on the desired usage. By default, the theme communicates the visited URL (the URL that the user intended to open before being redirected to the login page) as part of the redirect URL. The default theme can be changed as desired to support this use-case, if needed.

2. How does it work



4. How to configure

The authorization provider needs to be configured in application.properties and in a blueriq.security.auth-providers-chain; see configure JWT authentication provider for more information.

Blueriq extracts the information needed to log in. The username, teams and roles from the ID token are mapped to Blueriq UserData; see JWT Mapping properties on how to configure the extraction.

Optionally, when running the Client in front of a reverse proxy, the path of the login location can be overridden in the application.properties of the Runtime; otherwise it defaults to /login.

blueriq.security.jwt.login-path=/auth/login


5. REST API

Blueriq Runtime exposes an endpoint to authenticate with JWT. The endpoint can be used as described in the algorithm in section 5.2.

5.1. Login Endpoint

GET /api/v2/jwt/login

Description

Login endpoint that returns the URL required for calling the login endpoint on the Blueriq Gateway Service.

Parameters





| Name | Type | Description | Required |
| --- | --- | --- | --- |
| redirect_uri | string | Redirection URI to which the response will be sent. | true |

5.2. Algorithm

The following algorithm can be used to log in:

(1) The front-end makes an XHR request to the API start endpoint.

(2) Back-end responds with 401.

(3) Front-end changes window.location to the Login Endpoint and sends the suitable parameters (the redirect_uri).

(4) Login Endpoint returns the URL needed to log in with the Gateway Service.

(5) Front-end changes window.location to the return URL of the Login Endpoint.

(6) The Gateway Service will redirect the front-end application to the Identity Provider providing a login page authorization code, state and a redirect_uri.

(7) The Identity Provider redirects back to the Gateway Service to exchange tokens.

(8) The Gateway Service will redirect back to the front-end, to the URL from (3).
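
Steps (1) to (3) seen from the front-end, as an added example that is not Blueriq's own code: it builds the Login Endpoint URL and accepts the visited URL as redirect_uri only when it is same-origin, so the redirect in step (8) cannot be pointed at another site. The function names, the example.test hosts, the /runtime context path and the use of an absolute redirect_uri are assumptions.

```javascript
// Added example. Only /api/v2/jwt/login and redirect_uri come from the page;
// every other name and value here is hypothetical.
const LOGIN_ENDPOINT = '/api/v2/jwt/login'; // section 5.1

// Return `visited` as an absolute same-origin URL, or the fallback when it
// is empty, unparsable or points at another origin.
function safeRedirectUri(visited, appOrigin, fallbackPath = '/') {
  const fallback = new URL(fallbackPath, appOrigin).href;
  if (typeof visited !== 'string' || visited === '') return fallback;
  // Browsers normalise backslashes and control characters in ways that can
  // turn a "relative" path into another host, so reject them outright.
  if (/[\\\u0000-\u001f]/.test(visited)) return fallback;
  let target;
  try {
    target = new URL(visited, appOrigin); // resolves relative paths
  } catch {
    return fallback;
  }
  // Catches absolute URLs, protocol-relative //host and javascript: URLs.
  if (target.origin !== new URL(appOrigin).origin) return fallback;
  return target.href;
}

// Step (3): Login Endpoint URL carrying the validated redirect_uri.
// `runtimeBase` may include a context path (assumed: /runtime).
function buildLoginUrl(runtimeBase, visited, appOrigin) {
  const url = new URL(runtimeBase.replace(/\/+$/, '') + LOGIN_ENDPOINT);
  url.searchParams.set('redirect_uri', safeRedirectUri(visited, appOrigin));
  return url.href;
}

// Steps (2)-(3): given the response to the API start request, return the
// URL to navigate to on 401, or null when no login is needed.
function loginRedirectFor(response, { runtimeBase, visited, appOrigin }) {
  if (response.status !== 401) return null;
  return buildLoginUrl(runtimeBase, visited, appOrigin);
}

// In the browser the result would be applied with, for example:
//   const next = loginRedirectFor(res, { runtimeBase, appOrigin: location.origin,
//     visited: location.pathname + location.search });
//   if (next) window.location.assign(next);
```
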