Subject: OpenID Connect

JAVA Property and Explanation

blueriq.security.openid-connect.use-discovery

Boolean property which enables Blueriq to read identity-provider-specific properties from a specific exposed location if the value is true, or to read them from application.properties if the value is false. Default: false.

blueriq.security.openid-connect.keys-endpoint

Location from where Blueriq loads the public keys. In order to work, blueriq.security.openid-connect.use-discovery must be true.

Example for Keycloak: http://<server>:<port>/auth/realms/<realm name>/protocol/openid-connect/certs

Note: this property was introduced in 11.4 and removed in 11.5 with the introduction of the discovery feature.

blueriq.security.openid-connect.public-keys.<key id>=<key value>

Defines the <key id, public key> mappings that are loaded by Blueriq if blueriq.security.openid-connect.use-discovery is false.

Note that the key value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec.


blueriq.security.openid-connect.client-id

The client-id of the Runtime, as defined at the identity provider.

blueriq.security.openid-connect.client-secret

The client secret of the Runtime, as defined at the identity provider. This value is used, for example, to complete the OpenID Connect Authorization Code Flow, when exchanging the authorization code for ID and access tokens.

blueriq.security.openid-connect.scopes

The OpenID Connect scopes used when starting the Authorization Code flow. The scopes must include the value "openid" in order for the identity provider to recognize that the OpenID Connect Authorization Code flow must be initiated. If "openid" is not specified as a scope, the identity provider may instead initiate the plain OAuth2 Authorization Code flow (this depends on the identity provider in use). Multiple scopes can be specified, separated by commas.

blueriq.security.openid-connect.token-endpoint

The URL of the endpoint where authorization codes can be exchanged for ID and access tokens.

Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/token

blueriq.security.openid-connect.token-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the token endpoint. For example:

blueriq.security.openid-connect.token-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/

blueriq.security.openid-connect.authorization-endpoint

The URL where the OpenID Connect Authorization Code flow can be started.

Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/auth

blueriq.security.openid-connect.authorization-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the authorization endpoint. For example:

blueriq.security.openid-connect.authorization-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/

blueriq.security.openid-connect.token-issuer

The expected issuer in the "iss" claim of JWT tokens. A received JWT which does not have this exact, case-sensitive value in its "iss" claim will be rejected as invalid.

blueriq.security.openid-connect.check-audience

Boolean indicating whether the audience claim should be checked. If true, the audience claim must contain the Runtime's client-id. All JWTs which do not contain the Runtime's client-id in the audience claim are rejected as invalid.

When false, the audience claim is not checked. Default: false.

blueriq.security.openid-connect.sso-logout

Boolean indicating whether the user should also be logged out of the Single-Sign-On session when logging out of Blueriq.

Default: false

blueriq.security.openid-connect.end-session-endpoint

When sso-logout is true, the Runtime redirects to this URL at the identity provider in order to log out of the Single-Sign-On session.

blueriq.security.openid-connect.user-info-endpoint

The URL of the OpenID Connect UserInfo endpoint. This endpoint provides information about the user associated with an access token. It is used when the access token is not a JWT.
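The issuer and audience rules stated above for token-issuer and check-audience, together with the JWT-versus-opaque-token distinction that decides whether the UserInfo endpoint is consulted, as an added Python example. This is not Blueriq Runtime code: the token builder and all claim values are constructed here, and signature verification against the configured public keys is assumed to happen before these claim checks.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature (demonstration input only)."""
    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'dummy-signature-not-verified')}"


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims if the token is a compact JWT, otherwise None.
    A None result is the opaque-access-token case, in which the UserInfo
    endpoint is consulted instead of the token's claims. Signature verification
    is assumed to be done elsewhere; this function only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64url, bad UTF-8 and bad JSON
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return None
    return claims


def check_claims(claims: dict, token_issuer: str, client_id: str,
                 check_audience: bool = False) -> Tuple[bool, str]:
    """Apply the token-issuer rule and, when enabled, the check-audience rule."""
    # "iss" must equal the configured token-issuer exactly; the comparison is case-sensitive.
    if claims.get("iss") != token_issuer:
        return False, "issuer mismatch"
    if check_audience:
        # "aud" may be a single string or an array of strings; the client-id must be among them.
        aud = claims.get("aud")
        audiences = [aud] if isinstance(aud, str) else (list(aud) if isinstance(aud, list) else [])
        if client_id not in audiences:
            return False, "client-id not in audience"
    return True, "ok"
```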

blueriq.security.openid-connect.user-info-endpoint-parameters.<name>=<value>

Additional custom parameters to be sent to the user info endpoint. For example:

blueriq.security.openid-connect.user-info-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/
