You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.
application.properties
Configuration
There are two ways of configuring Blueriq with OpenID Connect:
- Using Discovery: endpoints and keys map are loaded from the OpenID Connect Provider discovery location (usually the path is built by adding
/.well-known/openid-configuration
suffix totoken issuer path
) and the other properties properties are specified inapplication.properties.
- Property file exclusive configuration: endpoints, keys map and the other properties is specified in
application.properties
.
blueriq.security.openid-connect.use-discovery
is used to enable one or another.If blueriq.security.openid-connect.use-discovery
is true
, the following properties can be omitted from the configuration because they will be discovered:
- blueriq.security.openid-connect.token-endpoint
- blueriq.security.openid-connect.authorization-endpoint
- blueriq.security.openid-connect.end-session-endpoint
- blueriq.security.openid-connect.public-keys
blueriq.security.login-type=openid-connect blueriq.security.auth-providers.openid-provider.type=openid-connect blueriq.security.openid-connect.use-discovery=true blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master blueriq.security.openid-connect.client-id=<client-id> blueriq.security.openid-connect.client-secret=<client-secret> blueriq.security.openid-connect.scopes=openid blueriq.security.auth-providers-chain=openid-provider
If blueriq.security.openid-connect.use-discovery
is false, endpoints and keys map have to be specified:
blueriq.security.login-type=openid-connect blueriq.security.auth-providers.openid-provider.type=openid-connect blueriq.security.openid-connect.use-discovery=false blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master blueriq.security.openid-connect.token-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/token blueriq.security.openid-connect.authorization-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/auth blueriq.security.openid-connect.sso-logout=true blueriq.security.openid-connect.end-session-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/logout # The key-value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec blueriq.security.openid-connect.public-keys.<key-id>=<key-value> blueriq.security.openid-connect.client-id=<client-id> blueriq.security.openid-connect.client-secret=<client-secret> blueriq.security.openid-connect.scopes=openid # configure how to extract user info from ID token blueriq.security.jwt-claims.username-path=$.preferred_username blueriq.security.jwt-claims.roles-path=$.realm_access.roles blueriq.security.jwt-claims.teams-path=$.teams blueriq.security.auth-providers-chain=openid-provider
Provider Support
OpenID Connect will not work if use-discovery
is true
and:
- OpenID Connect Provider does not support
authorization-code
grant type. sso-logout
property is true andend-session-endpoint
is not supported by OpenID Connect Provider.- OpenID Connect Provider
request_uri_parameter_supported
isfalse
. - OpenID Connect Provider does not support
RS256
token endpoint auth signing algorithm. - Scopes are missing from
application.properties
- OpenID Connect Provider does not support any scope.
- Token issuer defined in application.properties does not match with the one supported by OpenID Connect Provider.
Provider Support
use-discovery
, if sso-logout
is true
then the end-session-endpoint
has to be present.Property blueriq.security.openid-connect.keys-endpoint
was removed.
Limitations
- Currently, when using OpenID Connect as an authentication provider, no other authentication provider on the chain will work.
- OpenID Connect does not work when the SameSite cookie security configuration is set to Strict and the OpenId Connect provider is hosted on a different domain than the Runtime. The Lax configuration setting is advised.
Mapping claims from the ID token
To be able to get claims from the ID token into the user session, the following property can be specified (with multiple individual key-id's):
blueriq.security.jwt-claims.claim-mapping.<key-id>=<value>
Where the key-id is the key in the user session authenticationClaims object and the value maps to the name of the ID token property.
The <value> should be a JsonPath expression (for example $.resource_access.account.roles).
The result in the token should either be one value, or an array containing multiple values.
To be able to store the values from the user session into the profile, see Service call type: AQ_GetAuthenticationClaims.
Limitations
- Currently only String typed, single valued or multi valued claims are supported.