accessManagerOAuth

<accessmanagerOAuthConfiguration

required

Configuration for OAuth in the cadenza usermanagement.

<client

required

Configuration of the OAuth client (cadenza).

<clientId

requiredstring

Id of the client.

</clientId>

<clientSecret

requiredstring

Encoded password of the client. The same encoder as for datasources is used (PasswordEncoder).

</clientSecret>

</client>

<adminService

optional

Optional configuration for the OIDC/OAuth server-specific admin services. Only one provider kind is allowed to be configured at once. At the moment the only supported provider is Keycloak.

Choice: Choose only ONE of the following

<keycloak

required

Configuration for the Keycloak realm user provider.

<baseUrl

requiredstring

Defines the base URL for all the services exposed by the Keycloak Administration REST API endpoint. See Administration REST API linked in https://www.keycloak.org/documentation. The URL is expected to contain the realm name as a component of the path, for example, http://localhost:8080/admin/realms/NameOfMyRealm. The URL of all Keycloak admin services is derived based on it, for example, the realm user membership service will be http://localhost:8080/admin/realms/NameOfMyRealm/users. The service account of the client will be used to communicate with the api, so the required service account roles have to be configured in Keycloak for this service account.

</baseUrl>

</keycloak>

Choice End

</adminService>

<authorizationProvider

required

Configuration of the Authorization Provider.

<authenticationUrl

requiredstring

The absolute url for the authentication request of the authorization provider. This is an endpoint in the authorization provider used by cadenza. The url normally ends with '/auth'.

</authenticationUrl>

<userNameClaim

optionalstring

The name of the claim where the userName is set. The default is 'preferred_username' according to the standard claims defined in the OpenID Connect Core 1.0 specification.

Default: preferred_username

</userNameClaim>

<signatureAlgorithm

optionalstring

The signature algorithm used to verify the token, e.g. 'RS256'.

</signatureAlgorithm>

<publicKey

optional

The base64 encoded public key of the authorization provider used for verifying the token.

xsd:base64Binary

type

optional

string

The type of the public key, e.g. 'RSA'.

</publicKey>

<authenticationRequestScopes

optional

<scope

requiredmax. unboundedstring

The scopes used in the authentication request, e.g. 'openid'.

</scope>

</authenticationRequestScopes>

<tokenUrl

requiredstring

The absolute url for the token request from cadenza to the authorization provider.

</tokenUrl>

<userDetailsTokenName

xsd:string

id_token

access_token

required

The name of the token which contains information about the user (e.g. name, group membership). Allowed values are access_token and id_token.

Default: id_token

</userDetailsTokenName>

<usePKCE

requiredboolean

Defines if Proof Key for Code Exchange (PKCE) is enabled during authentication flow. This is enabled by default. Further details on PKCE can be found here: https://tools.ietf.org/html/rfc7636

Default: true

</usePKCE>

<allowTokenPassthrough

requiredboolean

Defines if access and id tokens are stored for the time of the session, maintained to be valid and usable for 3rd party services (e.g. WFS) and for the Relying Party initiated logout if configured.

</allowTokenPassthrough>

<relyingPartyInitiatedLogout

optional

Enables the Relying Party initiated Logout. If enabled, then the oauth logout url must be defined and also the token passthrough must be enabled to have a valid id token for it.

<logoutUrl

requiredstring

Defines the oauth logout url, which is used for the Relying Party initiated Logout.

</logoutUrl>

</relyingPartyInitiatedLogout>

</authorizationProvider>

<groupMapping

optional

Configuration of the group mappings between the group names from the token and the group name in the cadenza authentication database.

<claim

requiredstring

The claim name of the token which defines the groups.

</claim>

<claimValueStructure

Choice: Choose only ONE of the following

<idList

required

Group claim will be a JSON array of simple string values e.g. [OAuthGroup1, OAuthGroup2]

</idList>

<objectList

required

groupIdKey

optional

string

The key defines which value of the object should be considered as technical name of the group.

</objectList>

Choice End

required

</claimValueStructure>

<simpleMappings

optional

<simpleMapping

tokenGroup

optional

string

cadenzaGroup

optional

string

requiredmax. unbounded

</simpleMapping>

</simpleMappings>

<dynamicMapping

optionalboolean

The dynamic group mapping can be used, if the names in the token and in cadenza are identical. If the token contains groups 'A' and 'B', then the user in cadenza will get the cadenza groups 'A' and 'B', if they exist.

Default: false

</dynamicMapping>

</groupMapping>

<propertyMapping

<property

name

optional

token

The property name by which the information shall be accessible by means of user variable if it is present in the ID token.

Choice: Choose only ONE of the following

<claim

requiredtoken

The JWT claim name where the property values are read from.

</claim>

<claimPath

requiredstring

A JsonPath expression to refer to the place(s) in the token where the property values are read from.

For example, in a token that contains a claim like { … foo: [ { bar: spam }, { bar: eggs } ] … } a claimPath of $.foo[*].bar would yield [ spam, eggs ] as property values.

</claimPath>

Choice End

requiredmax. unbounded

</property>

optional

Configuration of additional claims to be passed to Cadenza as a user property after authentication, so that it can be used via a user variable. The following claims are always mapped to user properties, regardless of configuration: * Whatever claim name is defined as 'userNameClaim' above to 'common:login' * 'name' to 'common:realName' * 'email' to 'common:email'

Claim content can be referenced either by a claim name, or, for more intricate extractions, by a JSONPath expression into the token content.

If the claim content is a JSON array, the string value of each element is available in the user property, otherwise the string value of the whole claim content. Null or undefined values are skipped. Remember that user properties are always mapped as lists of strings.

This means that * `claim: foo` and `claim: [ foo ]` are both mapped as `'foo'`. * `claim: [ 123, 456, { k: v } ]` is mapped as `'123', '456', '{ k: v }'`. * `claim: []` is not mapped to a user property, as there are no values inside. (In all cases, single quotes are meant to enclose the strings, they are not part of the strings themselves.)

</propertyMapping>

</accessmanagerOAuthConfiguration>