Info: OpenID Connect configuration has to be specified in application.properties.
Info: Consult the OpenID Connect Properties page for more information.
Configuration
There are two ways of configuring Blueriq with OpenID Connect:
- Using Discovery: endpoints and the keys map are loaded from the OpenID Connect Provider discovery location (usually the path is built by adding the /.well-known/openid-configuration suffix to the token issuer path), and the other properties are specified in application.properties.
- Property file exclusive configuration: endpoints, the keys map and the other properties are all specified in application.properties.
Info: blueriq.security.openid-connect.use-discovery selects which of the two is used.
If blueriq.security.openid-connect.use-discovery is true, the following properties can be omitted from the configuration because they will be discovered:
- blueriq.security.openid-connect.token-endpoint
- blueriq.security.openid-connect.authorization-endpoint
- blueriq.security.openid-connect.end-session-endpoint
- blueriq.security.openid-connect.public-keys
```properties
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master
blueriq.security.openid-connect.client-id=<client-id>
blueriq.security.openid-connect.client-secret=<client-secret>
blueriq.security.openid-connect.scopes=openid
blueriq.security.auth-providers-chain=openid-provider
```
If blueriq.security.openid-connect.use-discovery is false, the endpoints and the keys map have to be specified:
```properties
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=false
blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master
blueriq.security.openid-connect.token-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/token
blueriq.security.openid-connect.authorization-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/auth
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/logout
# The key-value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec
blueriq.security.openid-connect.public-keys.<key-id>=<key-value>
blueriq.security.openid-connect.client-id=<client-id>
blueriq.security.openid-connect.client-secret=<client-secret>
blueriq.security.openid-connect.scopes=openid
# configure how to extract user info from the ID token
blueriq.security.openid-connect.username-path=preferred_username
blueriq.security.openid-connect.roles-path=realm_access,roles
blueriq.security.openid-connect.teams-path=teams
blueriq.security.auth-providers-chain=openid-provider
```
Warning: OpenID Connect will not work if
Warning: Regardless of the value of use-discovery, if sso-logout is true then the end-session-endpoint has to be present.
Limitations
- Currently, when using OpenID Connect as an authentication provider, no other authentication provider on the chain will work.
Mapping claims from the ID token
To get claims from the ID token into the user session, the following property can be specified (once per key-id; multiple key-ids may be configured):
```properties
blueriq.security.openid-connect.claim-mapping.<key-id>=<value>
```
Here the key-id is the key under which the claim is stored in the user session's authenticationClaims object, and the value is the name of the ID token property to read.
The <value> can either be a field name at the root of the JWT (JSON) payload or a field nested within the JSON. Commas separate the path segments used to navigate into nested JSON (for example resource_access,account,roles).
The resolved value in the token should be either a single value or an array containing multiple values.
To be able to store the values from the user session into the profile, see Service call type: AQ_GetAuthenticationClaims.
Limitations
- Currently only String-typed claims are supported, either single-valued or multi-valued.
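The path syntax and the String-only limitation described above can be checked before a token ever reaches the application. The following is an added example, not Blueriq code: it parses constructed claim-mapping properties, walks each comma-separated path into a constructed (already decoded and verified) ID token payload, and accepts only a string or an array of strings, the way the documentation limits claims. The property values and token contents are made up for illustration.

```python
from typing import Dict, List, Optional, Union

PREFIX = "blueriq.security.openid-connect.claim-mapping."

# Constructed application.properties fragment (illustrative, not from the Blueriq docs).
PROPERTIES = """
blueriq.security.openid-connect.username-path=preferred_username
blueriq.security.openid-connect.claim-mapping.email=email
blueriq.security.openid-connect.claim-mapping.accountRoles=resource_access,account,roles
blueriq.security.openid-connect.claim-mapping.department=no_such_claim
"""

# Constructed decoded ID-token payload (the JSON claims of a Keycloak-style token).
ID_TOKEN_PAYLOAD = {
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "realm_access": {"roles": ["user", "reviewer"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    "session_state": 42,
}

def parse_claim_mapping(properties: str) -> Dict[str, str]:
    """Return {key-id: comma-separated path} for each claim-mapping.<key-id>=<value> line."""
    mapping = {}
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line.split("=", 1)
            mapping[key[len(PREFIX):]] = value.strip()
    return mapping

def resolve_claim(payload: dict, path: str) -> Optional[Union[str, List[str]]]:
    """Walk a comma-separated path into the token JSON; None if any segment is missing.
    Only a string or an array of strings is accepted (the documented limitation)."""
    node = payload
    for segment in path.split(","):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    if isinstance(node, str) or (isinstance(node, list) and all(isinstance(v, str) for v in node)):
        return node
    raise TypeError(f"claim at {path!r} is not a string or an array of strings")

def build_authentication_claims(properties: str, payload: dict) -> Dict[str, Union[str, List[str]]]:
    """One authenticationClaims entry per mapped key-id whose path exists in the token."""
    claims = {}
    for key_id, path in parse_claim_mapping(properties).items():
        value = resolve_claim(payload, path)
        if value is not None:
            claims[key_id] = value
    return claims
```

A mapping that points at a non-string claim (such as session_state here) fails loudly rather than silently storing an unsupported type, which is the behaviour you want to see in a test before shipping the properties file.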