accessmanageroauth
This configuration is required when using the plugin AccessManager_OAuth.
Documentation
Configuration for OAuth in the cadenza user management.
Configuration of the OAuth client (cadenza).
The corresponding client secret.
Usually, the secret has to be encoded (see also Secrets in Configuration).
Optional configuration for the OIDC/OAuth server-specific admin services. Only one provider kind may be configured at a time. At the moment the only supported provider is Keycloak.
Configuration for the Keycloak realm user provider.
Defines the base URL for all the services exposed by the Keycloak Administration REST API endpoint. See Administration REST API linked in https://www.keycloak.org/documentation. The URL is expected to contain the realm name as a component of the path, for example, http://localhost:8080/admin/realms/NameOfMyRealm. The URLs of all Keycloak admin services are derived from it; for example, the realm user membership service will be http://localhost:8080/admin/realms/NameOfMyRealm/users. The service account of the client is used to communicate with the API, so the required service account roles have to be configured in Keycloak for this service account.
Configuration of the Authorization Provider.
Enables the Relying Party initiated Logout. If enabled, the OAuth logout URL (logoutUrl) must be defined, and token passthrough (allowTokenPassthrough) must also be enabled so that a valid ID token is available for the logout request.
Configuration of the group mappings between the group names from the token and the group name in the cadenza authentication database.
The group claim will be an array of objects, e.g.
[
  {"id": "OAuthGroup1", "printName": "First Group"},
  {"id": "OAuthGroup2", "printName": "Second Group"}
]
The key defines which value of the object should be considered as technical name of the group.
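As an added illustration (not part of the Cadenza documentation or product code), the following Python resolves the technical group names a token carries for both claimValueStructure variants (idList and objectList with groupIdKey) and then applies the simpleMappings to obtain cadenza group names. The token payloads, configuration values and function names are constructed here; dynamicMapping is deliberately not modelled, because this page does not describe how it treats token groups without a mapping entry.

```python
import json

# Constructed sample ID-token payloads (not real tokens). The first carries the
# group claim as an array of objects, as described above; the second carries it
# as a plain list of technical names (the idList structure).
OBJECT_LIST_TOKEN = json.loads("""
{
  "sub": "u123",
  "groups": [
    {"id": "OAuthGroup1", "printName": "First Group"},
    {"id": "OAuthGroup2", "printName": "Second Group"},
    {"printName": "Object without a technical name"}
  ]
}
""")
ID_LIST_TOKEN = json.loads('{"sub": "u456", "groups": ["OAuthGroup2", "OAuthGroup3"]}')

# Constructed groupMapping configurations using the keys from the YAML sample.
OBJECT_LIST_CONFIG = {
    "claim": "groups",
    "claimValueStructure": {"objectList": {"groupIdKey": "id"}},
    "simpleMappings": [
        {"tokenGroup": "OAuthGroup1", "cadenzaGroup": "Editors"},
        {"tokenGroup": "OAuthGroup2", "cadenzaGroup": "Viewers"},
    ],
}
ID_LIST_CONFIG = {
    "claim": "groups",
    "claimValueStructure": {"idList": {}},
    "simpleMappings": [{"tokenGroup": "OAuthGroup2", "cadenzaGroup": "Viewers"}],
}


def extract_token_groups(token, config):
    """Return the technical group names found in the configured claim."""
    raw = token.get(config["claim"])
    if raw is None:
        return []
    values = raw if isinstance(raw, list) else [raw]
    structure = config.get("claimValueStructure", {})
    if "objectList" in structure:
        # objectList: each element is an object and groupIdKey names the member
        # holding the technical name. Objects lacking that member are skipped.
        key = structure["objectList"]["groupIdKey"]
        return [str(v[key]) for v in values if isinstance(v, dict) and v.get(key) is not None]
    # idList: each element is the technical name itself.
    return [str(v) for v in values if v is not None]


def resolve_cadenza_groups(token, config):
    """Translate token groups to cadenza groups via simpleMappings.

    Token groups without a mapping entry are dropped here; the page does not
    specify how dynamicMapping treats them, so that option is not modelled.
    """
    lookup = {m["tokenGroup"]: m["cadenzaGroup"] for m in config.get("simpleMappings", [])}
    resolved = []
    for name in extract_token_groups(token, config):
        target = lookup.get(name)
        if target is not None and target not in resolved:
            resolved.append(target)
    return resolved


if __name__ == "__main__":
    print(resolve_cadenza_groups(OBJECT_LIST_TOKEN, OBJECT_LIST_CONFIG))  # ['Editors', 'Viewers']
    print(resolve_cadenza_groups(ID_LIST_TOKEN, ID_LIST_CONFIG))          # ['Viewers']
```

The third object in the constructed objectList token has no "id" member and therefore contributes no group, which is the behaviour a practitioner should expect from the groupIdKey rule: an object whose technical-name member is absent cannot be matched against any simpleMapping.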
The property name under which the information is made accessible as a user variable, if it is present in the ID token.
A JSONPath expression that refers to the place(s) in the token from which the property values are read.
For example, in a token that contains a claim like
{ …
  "foo": [
    { "bar": "spam" },
    { "bar": "eggs" }
  ]
…}
a claimPath of $.foo[*].bar would yield [ "spam", "eggs" ] as property values.
Configuration of additional claims to be passed to Cadenza as a user property after authentication, so that it can be used via a user variable. The following claims are always mapped to user properties, regardless of configuration:
- Whatever claim name is defined as userNameClaim above, to common:login
- name, to common:realName
- email, to common:email
Claim content can be referenced either by a claim name, or, for more intricate extractions, by a JSONPath expression into the token content.
If the claim content is a JSON array, the string value of each element is available in the user property, otherwise the string value of the whole claim content. Null or undefined values are skipped. Remember that user properties are always mapped as lists of strings.
This means that
- "claim": "foo" and "claim": [ "foo" ] are both mapped as 'foo'.
- "claim": [ 123, "456", { "k": "v" } ] is mapped as '123', '456', '{ "k": "v" }'.
- "claim": [] is not mapped to a user property, as there are no values inside.
(In all cases, single quotes in the result are meant to enclose the strings; they are not part of the strings themselves.)
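The following Python is an added example, not Cadenza's own code, that implements the property-mapping rules listed above together with the claimPath example ($.foo[*].bar yielding "spam" and "eggs"). The token payload, the propertyMapping entries and the function names are constructed; the JSONPath evaluator supports only the dotted-key, [*] and [n] subset the example needs (an assumption, since the product's JSONPath engine accepts more); and the serialisation of a nested object as compact JSON, plus the way several claimPath matches are combined into one value list, are assumptions that the page states only informally.

```python
import json
import re

# Constructed ID-token payload (not a real token) with the claim shapes the
# documentation discusses: a nested claim for claimPath, plus scalar, array,
# empty and null claims for the mapping rules.
SAMPLE_TOKEN = json.loads("""
{
  "sub": "u123",
  "name": "Ada Example",
  "email": "ada@example.invalid",
  "foo": [ { "bar": "spam" }, { "bar": "eggs" }, { "other": 1 } ],
  "simple": "foo",
  "wrapped": [ "foo" ],
  "mixed": [ 123, "456", { "k": "v" }, null ],
  "empty": [],
  "nothing": null
}
""")

# Constructed propertyMapping entries using the keys from the YAML sample.
MAPPINGS = [
    {"name": "bars", "claimPath": "$.foo[*].bar"},
    {"name": "simple", "claim": "simple"},
    {"name": "wrapped", "claim": "wrapped"},
    {"name": "mixed", "claim": "mixed"},
    {"name": "empty", "claim": "empty"},
    {"name": "nothing", "claim": "nothing"},
    {"name": "missing", "claim": "does_not_exist"},
]

# One path segment: ".key", "[*]" or "[n]". Assumption: this subset is all the
# example needs; a real JSONPath engine accepts far more.
_SEGMENT = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\*|\d+)\]")


def jsonpath_values(doc, path):
    """Return every value the (restricted) JSONPath expression selects."""
    if not path.startswith("$"):
        raise ValueError("claimPath must start with '$'")
    current = [doc]
    pos = 1
    while pos < len(path):
        m = _SEGMENT.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported claimPath segment: {path[pos:]!r}")
        pos = m.end()
        key, index = m.group(1), m.group(2)
        selected = []
        for node in current:
            if key is not None and isinstance(node, dict) and key in node:
                selected.append(node[key])
            elif key is None and isinstance(node, list):
                if index == "*":
                    selected.extend(node)
                elif int(index) < len(node):
                    selected.append(node[int(index)])
        current = selected
    return current


def to_property_values(content):
    """Apply the rules above: an array contributes the string form of each
    element, anything else the string form of the whole content; null is
    skipped. Nested objects/arrays are serialised as compact JSON (assumption)."""
    items = content if isinstance(content, list) else [content]
    values = []
    for item in items:
        if item is None:
            continue
        if isinstance(item, bool):
            values.append("true" if item else "false")
        elif isinstance(item, (dict, list)):
            values.append(json.dumps(item, separators=(", ", ": ")))
        else:
            values.append(str(item))
    return values


def map_properties(token, mappings, user_name_claim):
    """Build the user-property dictionary: the three always-mapped claims first,
    then each configured propertyMapping entry that yields at least one value."""
    props = {}
    for prop, claim in (("common:login", user_name_claim),
                        ("common:realName", "name"), ("common:email", "email")):
        values = to_property_values(token.get(claim))
        if values:
            props[prop] = values
    for entry in mappings:
        if "claimPath" in entry:
            matches = jsonpath_values(token, entry["claimPath"])
            # A single match is the claim content itself; several matches form
            # the list of values (assumption about how matches are combined).
            content = matches[0] if len(matches) == 1 else matches
        else:
            content = token.get(entry["claim"])
        values = to_property_values(content)
        if values:
            props[entry["name"]] = values
    return props


if __name__ == "__main__":
    for name, values in map_properties(SAMPLE_TOKEN, MAPPINGS, "sub").items():
        print(f"{name} -> {values}")
```

Running it shows the three cases from the list above side by side: "simple" and "wrapped" both become a single-element list, "mixed" becomes three strings with the null element dropped, and "empty", "nothing" and the absent claim produce no user property at all.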
YAML Format
This is a generated sample file with fake data and all the possible options shown; refer to the Documentation section above for which combinations are valid and what is required.
cadenzaconfig:
  settings:
    accessmanageroauth:
      client:
        clientId: "text"
        clientSecret: "text"
      adminService:
        keycloak:
          baseUrl: "text"
      authorizationProvider:
        authenticationUrl: "text"
        userNameClaim: "text"
        signatureAlgorithm: "text"
        publicKey:
          type: "text"
          value: "dGV4dA=="
        authenticationRequestScopes:
          - "text"
          - "text"
        tokenUrl: "text"
        userDetailsTokenName: "id_token"
        usePKCE: true
        allowTokenPassthrough: true
        relyingPartyInitiatedLogout:
          logoutUrl: "text"
      groupMapping:
        claim: "text"
        claimValueStructure:
          idList: {}
          objectList:
            groupIdKey: "text"
        simpleMappings:
          - tokenGroup: "text"
            cadenzaGroup: "text"
          - tokenGroup: "text"
            cadenzaGroup: "text"
        dynamicMapping: true
      propertyMapping:
        - name: "text"
          claim: "text"
          claimPath: "text"
        - name: "text"
          claim: "text"
          claimPath: "text"
XML Format
Filename: accessmanageroauth-config.xml
This is a generated sample file with fake data and all the possible options shown; refer to the Documentation section above for which combinations are valid and what is required.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<accessmanagerOAuthConfiguration>
  <client>
    <clientId>text</clientId>
    <clientSecret>text</clientSecret>
  </client>
  <adminService>
    <keycloak>
      <baseUrl>text</baseUrl>
    </keycloak>
  </adminService>
  <authorizationProvider>
    <authenticationUrl>text</authenticationUrl>
    <userNameClaim>text</userNameClaim>
    <signatureAlgorithm>text</signatureAlgorithm>
    <publicKey type="text">dGV4dA==</publicKey>
    <authenticationRequestScopes>
      <scope>text</scope>
      <scope>text</scope>
    </authenticationRequestScopes>
    <tokenUrl>text</tokenUrl>
    <userDetailsTokenName>id_token</userDetailsTokenName>
    <usePKCE>true</usePKCE>
    <allowTokenPassthrough>true</allowTokenPassthrough>
    <relyingPartyInitiatedLogout>
      <logoutUrl>text</logoutUrl>
    </relyingPartyInitiatedLogout>
  </authorizationProvider>
  <groupMapping>
    <claim>text</claim>
    <claimValueStructure>
      <idList/>
      <objectList groupIdKey="text"/>
    </claimValueStructure>
    <simpleMappings>
      <simpleMapping tokenGroup="text" cadenzaGroup="text"/>
      <simpleMapping tokenGroup="text" cadenzaGroup="text"/>
    </simpleMappings>
    <dynamicMapping>true</dynamicMapping>
  </groupMapping>
  <propertyMapping>
    <property name="text">
      <claim>text</claim>
      <claimPath>text</claimPath>
    </property>
    <property name="text">
      <claim>text</claim>
      <claimPath>text</claimPath>
    </property>
  </propertyMapping>
</accessmanagerOAuthConfiguration>