You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.
OpenID Connect configuration has to be specified in
application.propertiesConsult OpenID Connect Properties page from more information.
Configuration
There are two ways of configuring Blueriq with OpenID Connect:
- Using Discovery: endpoints and keys map are loaded from the OpenID Connect Provider discovery location (usually the path is built by adding
/.well-known/openid-configurationsuffix totoken issuer path) and the other properties properties are specified inapplication.properties. - Property file exclusive configuration: endpoints, keys map and the other properties is specified in
application.properties.
blueriq.security.openid-connect.use-discovery is used to enable one or another.If blueriq.security.openid-connect.use-discovery is true, the following properties can be omitted from the configuration because they will be discovered:
- blueriq.security.openid-connect.token-endpoint
- blueriq.security.openid-connect.authorization-endpoint
- blueriq.security.openid-connect.end-session-endpoint
- blueriq.security.openid-connect.public-keys
application.properties
blueriq.security.login-type=openid-connect blueriq.security.auth-providers.openid-provider.type=openid-connect blueriq.security.openid-connect.use-discovery=true blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master blueriq.security.openid-connect.client-id=<client-id> blueriq.security.openid-connect.client-secret=<client-secret> blueriq.security.openid-connect.scopes=openid blueriq.security.auth-providers-chain=openid-provider
If blueriq.security.openid-connect.use-discovery is false, endpoints and keys map have to be specified:
application.properties
blueriq.security.login-type=openid-connect blueriq.security.auth-providers.openid-provider.type=openid-connect blueriq.security.openid-connect.use-discovery=false blueriq.security.openid-connect.token-issuer=http://<server>:<port>/auth/realms/master blueriq.security.openid-connect.token-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/token blueriq.security.openid-connect.authorization-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/auth blueriq.security.openid-connect.sso-logout=true blueriq.security.openid-connect.end-session-endpoint=http://<server>:<port>/auth/realms/master/protocol/openid-connect/logout blueriq.security.openid-connect.public-keys.<key-id>=<key-value> blueriq.security.openid-connect.client-id=<client-id> blueriq.security.openid-connect.client-secret=<client-secret> blueriq.security.openid-connect.scopes=openid # configure how to extract user info from ID token blueriq.security.openid-connect.username-path=preferred_username blueriq.security.openid-connect.roles-path=realm_access,roles blueriq.security.openid-connect.teams-path=teams blueriq.security.auth-providers-chain=openid-provider
Provider Support
OpenID Connect will not work if use-discovery is true and:
- OpenID Connect Provider does not support
authorization-codegrant type. sso-logoutproperty is true andend-session-endpointis not supported by OpenID Connect Provider.- OpenID Connect Provider
request_uri_parameter_supportedisfalse. - OpenID Connect Provider does not support
RS256token endpoint auth signing algorithm. - Scopes are missing from
application.properties - OpenID Connect Provider does not support any scope.
- Token issuer defined in application.properties does not match with the one supported by OpenID Connect Provider.
Provider Support
Regardless the value of
use-discovery, if sso-logout is true then the end-session-endpoint has to be present.Property blueriq.security.openid-connect.keys-endpoint was removed.
Overview
Content Tools