You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.
1. Setup
To login using OpenID Connect an identity provider is needed.
For login via the UI, only the Authorization Code Flow (with response_type=code) is supported.
Multiple OpenID Connect identity providers at the same time are not supported.
Using the Material Angular theme together with OpenID Connect
The default Material theme based on Angular supports OpenID Connect authentication out-of-the-box, but it may require customizations depending on the desired usage. By default, the theme communicates the return URL (the URL that the user intended to open before being redirected to the login page) as part of the OpenID Connect redirect_uri. This may cause problems if the return URL is dynamic and the identity provider has a whitelist of allowed redirect_uri values, because every distinct return URL yields a distinct redirect_uri that must match the whitelist exactly. The default theme can be changed as desired to support this use-case, if needed.
2. How does it work
3. Exception handling
If any exception occurs, a custom exception page is shown.
Detailed information about the exception can be found in the log when your log level is set to DEBUG.
4. How to configure an OpenID Connect identity provider
The identity provider needs to be configured in application.properties and added to blueriq.security.auth-providers-chain. The client id, client secret and public key are mandatory and can be obtained from the identity provider.
Blueriq uses the id token to extract the information needed to login. The username, teams and roles from the id token are mapped to Blueriq UserData. For the roles and teams, the path to the roles and teams claims in the token can be configured.
There are some optional validation checks that can be executed when validating the access token. One of them is the audience check, which verifies that the token was issued for this client. This check can be configured.
5. REST API
Blueriq Runtime exposes two endpoints to authenticate with OpenID Connect. These endpoints can be used as described in the algorithm in section 5.3.
5.1. Login Endpoint
Description
Login endpoint that returns the URL required for calling the authorization endpoint of OpenID Connect Identity Provider.
Parameters
Query Parameter | Expected Type | Description | Required |
---|---|---|---|
redirect_uri | string | Redirection URI to which the response will be sent. | true |
5.2. Callback Endpoint
Description
Exchanges authorization code for token and authenticates user in Blueriq.
Parameters
Query Parameter | Expected Type | Description | Required |
---|---|---|---|
code | string | The authorization code to be exchanged for tokens. | true |
redirect_uri | string | The Redirection URI that was used to obtain the authorization code. | true |
state | string | Opaque value used to maintain state between the request and the callback. | true |
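The client side of the exchange between the two Blueriq endpoints and the identity provider, as an added Python example that is not part of Blueriq or this documentation; the hostnames, endpoint paths, the whitelist and the sample URLs are constructed assumptions. It also shows why a dynamic return URL embedded in redirect_uri (section 1) fails an exact-match whitelist, and it checks the state value on the callback before handing code, redirect_uri and state to the callback endpoint.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist, of the kind an identity provider keeps per registered client.
ALLOWED_REDIRECT_URIS = {"https://app.example.com/oidc/callback"}


def is_allowed_redirect(redirect_uri: str, allowed=ALLOWED_REDIRECT_URIS) -> bool:
    """Exact-match check as a strict identity provider applies it.

    A return URL carried in the query string (e.g. ?returnUrl=/case/42) makes
    every redirect_uri unique, so it no longer equals the registered value.
    """
    parts = urlsplit(redirect_uri)
    if parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}{parts.path}" in allowed


def extract_state(authorization_url: str) -> str:
    """Read the opaque state from the URL returned by the login endpoint, so the
    client can compare it with the value that comes back on the callback."""
    qs = parse_qs(urlsplit(authorization_url).query)
    if qs.get("response_type") != ["code"]:
        raise ValueError("only the Authorization Code Flow is supported")
    return qs["state"][0]


def build_callback_params(callback_url: str, expected_state: str, redirect_uri: str) -> dict:
    """Validate the identity provider's redirect back to the client and assemble
    the query parameters for the Blueriq callback endpoint."""
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this session did not start the login.
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError(f"identity provider returned error {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"code": code, "redirect_uri": redirect_uri, "state": state}


if __name__ == "__main__":
    # Constructed sample of the URL the login endpoint could return for redirect_uri.
    auth_url = ("https://idp.example.com/authorize?response_type=code&client_id=blueriq"
                "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foidc%2Fcallback&state=abc123")
    st = extract_state(auth_url)
    cb = "https://app.example.com/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123"
    print(build_callback_params(cb, st, "https://app.example.com/oidc/callback"))
```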
5.3. Algorithm
The algorithm that can be used in order to login is the following: