AliasSubAuthenticationOAuth
This page provides generated reference documentation for the AliasSubAuthenticationOAuth data model ("AuthenticationProvider" data model).
Overview
| Property | Summary |
|---|---|
| serverAuthMethod | Choose the method to use for authentication with OAuth2. Either with a shared secret (client secret) or a certificate. |
| clientId | The client id is a public identifier assigned by the application registered at the authorization entity. |
| certificateName | The name or alias of the certificate/key pair in the keystore. |
| clientSecret | The private client secret of the assigned application registered at the authorization entity. |
| scope | The scope of the requested permissions. |
| enableProviderLogout | Whether logging out should also log out the user from the OAuth-Provider using the OpenID RP-Initiated-Logout mechanism. |
| enableProviderLogoutHint | Whether logout-hints should be supplied to the configured logout provider. |
| thirdParty | Used to display provider specific designer properties. Controls which endpoints are used to communicate with the authentication provider. In some cases (e.g.… |
| tenantId | Tenant Id of the application |
| audience | The audience used for jwt-bearer client-assertions tokens ("aud" claim). This is only required if certificate-based authentication is used. Although some… |
| authorizeEndpointUrl | URL to request the authorization code. This usually follows the same scheme and may contain an API version: "/oauth2/[version]/authorize" |
| authorizeEndpointUrlModifierProcess | This process is executed before the authorize-endpoint is accessed. It offers the chance to add url parameters to the authorize endpoint url. The result must… |
| accessTokenEndpointUrl | URL to request the access token. This usually follows the same scheme and may contain an API version: "/oauth2/[version]/token" |
| endSessionEndpointUrl | If set, the logout will also perform a "OpenID Connect RP-Initiated Logout". This can be used to log out of the account managed by a third party… |
| accessTokenResponseType | The format of the third-party REST response containing the access token. |
| getUsernameFromAccessTokenProcess | This process is executed after the access token has been received and before the system tries to load the user from adito. The result must be the user's… |
serverAuthMethod
Type: EOAuth2ServerAuthMethod
Choose the method to use for authentication with OAuth2. Either with a shared secret (client secret) or a certificate.
clientId
Type: String
The client id is a public identifier assigned by the application registered at the authorization entity.
@see https://tools.ietf.org/html/rfc6749#section-2.2
certificateName
Type: String
Requires: serverAuthMethod property group
The name or alias of the certificate/key pair in the keystore.
clientSecret
Type: String
Requires: serverAuthMethod property group
The private client secret of the assigned application registered at the authorization entity.
scope
Type: String
The scope of the requested permissions.
Example - Azure:
The following scope refers to the permissions configured in the application's registration
https://outlook.office365.com/.default
@see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
enableProviderLogout
Type: Boolean
Default: false
Whether logging out should also log out the user from the OAuth-Provider using the OpenID RP-Initiated-Logout mechanism.
enableProviderLogoutHint
Type: Boolean
Default: true
Requires: enableProviderLogout = true
Whether logout-hints should be supplied to the configured logout provider.
If the logout provider supports OpenID RP-Initiated-Logout hints and multiple users are logged in,
the active user within adito will automatically be logged out without a user selection dialog.
If Microsoft is used, the logout_hint parameter will be used.
NOTE that adito can only use this parameter if the "login_hint" optional claim is configured in Azure for the OAuth application.
If a custom provider is used, the "client_id" and "id_token_hint" will be used.
Providers are not required to support those hints, but if they support them, they must guarantee that the account matches.
thirdParty
Type: EThirdParty
Used to display provider specific designer properties. Controls which endpoints are used to communicate with the authentication provider. In some cases (e.g. Microsoft/Azure) the used endpoints are predefined and cannot be modified.
tenantId
Type: String
Requires: thirdParty property group
Tenant Id of the application
audience
Type: String
Requires: serverAuthMethod property group
The audience used for JWT-bearer client-assertion tokens ("aud" claim).
This is only required if certificate-based authentication is used,
although some providers may not validate the "aud" claim and thus do not require this to be set.
This is usually the same as the "issuer" of the tokens generated by the authorization server; that value becomes the "aud" claim of the client assertion.
For Keycloak this would, for example, be /realms/.
authorizeEndpointUrl
Type: String
Requires: thirdParty property group
URL to request the authorization code. This usually follows the same scheme and may contain an API version: "/oauth2/[version]/authorize"
authorizeEndpointUrlModifierProcess
Type: String
Requires: thirdParty property group
This process is executed before the authorize-endpoint is accessed.
It offers the chance to add url parameters to the authorize endpoint url.
The result must be a string starting with an ampersand "&", e.g. "&key=param".
Local variables available in the process:
All values defined for the loginType inside the loginList; access them using the same keys without whitespace.
This process is OPTIONAL; if no process is configured, the endpoint will still be called, just without additional parameters.
An example process can be found in the documentation.
Example:
https://[OAuth2Provider]/oauth2/v1/auth?[SystemGeneratedParameters][ThisProcessGeneratedParameters]
Example - Azure:
If the domain hint is configured, it's used in the authorize-url as domain_hint=[YOUR_DOMAIN],
if not, the manual account selection is enforced with prompt=select_account.
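The following helper, written in JavaScript as an added example and not ADITO's own process code, shows how a modifier process can assemble the string described above: the Azure rule (domain_hint when a domain hint is configured, otherwise prompt=select_account) is taken from this page, while the function names and the loginList key `domainHint` are assumptions. Each key and value is percent-encoded so that a configured value containing "&" or "=" cannot smuggle extra parameters into the authorize URL. How the returned string is handed back to ADITO is not shown on this page and follows the project's process conventions.

```javascript
// Added example (not ADITO's own code): builds the extra query parameters that an
// authorizeEndpointUrlModifierProcess must return. The page only fixes the contract
// (a string starting with "&", e.g. "&key=param"); helper names here are assumed.

// Encode a key/value map as "&k=v&k2=v2". Every key and value is percent-encoded so a
// value containing "&", "=" or spaces cannot inject additional parameters.
function buildAuthorizeUrlSuffix(params) {
  var parts = [];
  Object.keys(params).forEach(function (key) {
    var value = params[key];
    if (value === undefined || value === null || value === "") {
      return; // skip empty values instead of emitting "&key="
    }
    parts.push(encodeURIComponent(key) + "=" + encodeURIComponent(String(value)));
  });
  return parts.length ? "&" + parts.join("&") : "";
}

// Mirrors the Azure behaviour described on the page: domain_hint when a domain hint is
// configured, otherwise force the account picker with prompt=select_account.
function azureHintParams(domainHint) {
  if (domainHint) {
    return { domain_hint: domainHint };
  }
  return { prompt: "select_account" };
}

// Check the contract before returning: the result is either empty or starts with "&",
// and every pair has a non-empty key and exactly one "=".
function isValidModifierResult(suffix) {
  if (suffix === "") return true;
  if (suffix.charAt(0) !== "&") return false;
  return suffix.slice(1).split("&").every(function (pair) {
    var kv = pair.split("=");
    return kv.length === 2 && kv[0].length > 0;
  });
}

// Constructed input: a value as it might be defined for the loginType inside the
// loginList (key without whitespace; "domainHint" is an assumed key name).
var exampleLoginValues = { domainHint: "example.com" };
var suffix = buildAuthorizeUrlSuffix(azureHintParams(exampleLoginValues.domainHint));
// The system appends this to its own parameters, i.e.
// https://[OAuth2Provider]/oauth2/v1/auth?[SystemGeneratedParameters] + suffix
```

Returning an empty string when there is nothing to add keeps the endpoint call identical to the no-process case; the validity check is cheap and catches a hand-built suffix that forgot the leading "&".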
accessTokenEndpointUrl
Type: String
Requires: thirdParty property group
URL to request the access token. This usually follows the same scheme and may contain an API version: "/oauth2/[version]/token"
endSessionEndpointUrl
Type: String
Requires: thirdParty property group
If set, the logout will also perform an "OpenID Connect RP-Initiated Logout".
This can be used to log out of the account managed by a third-party OpenID Provider.
The following parameters are currently supported by ADITO:
- post_logout_redirect_uri (used to redirect back to the adito logout page).
- id_token_hint and client_id (used to match the specific user, if multiple accounts are logged in).
accessTokenResponseType
Type: EAccessTokenResponseType
Requires: thirdParty property group
The format of the third-party REST response containing the access token.
getUsernameFromAccessTokenProcess
Type: String
Requires: thirdParty property group
This process is executed after the access token has been received and before the system tries to load the user from adito.
The result must be the user's identification configured in adito.
Local variables available in the process:
- token = The access token as a string
- token_raw = The full REST response containing the access token, as returned by the third-party API.
The format as well as the contents of this response can vary between providers.
If the identification value is not contained inside the response,
it has to be requested from the third-party API via REST using the access token.
This process is REQUIRED; if no process is configured, the authentication will not work.
An example process can be found in the documentation.
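As an added example, and not the example process from the ADITO documentation, the following JavaScript shows the part of a getUsernameFromAccessTokenProcess that reads the identification out of token_raw. The page fixes only the inputs (token, token_raw) and the contract (return the identification configured in adito); the function names, the choice of the `preferred_username` claim, and the sample token response are assumptions or constructed data. Node.js `Buffer` is used for base64url handling; a different runtime would need its own decoder. When the claim is not present, the function returns null, which is the point at which the process has to fetch the identity from the provider's REST API instead.

```javascript
// Added example (not ADITO's own code) for getUsernameFromAccessTokenProcess.
// Assumed names: extractUsername, parseTokenResponse, decodeJwtPayload.

function base64UrlDecode(segment) {
  var b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return Buffer.from(b64, "base64").toString("utf8");
}

// Decode the payload of a JWT-shaped token. This only parses; it does not verify the
// signature. That is acceptable here solely because the token arrived directly from
// the provider's token endpoint over TLS, never from the user's browser or a request
// parameter. Returns null for opaque (non-JWT) or malformed tokens.
function decodeJwtPayload(token) {
  var parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Normalise token_raw: providers return JSON, but the field set varies. Accept either
// the raw string or an already parsed object.
function parseTokenResponse(tokenRaw) {
  var body = typeof tokenRaw === "string" ? JSON.parse(tokenRaw) : tokenRaw;
  return {
    accessToken: body.access_token || null,
    idToken: body.id_token || null
  };
}

// Resolve the identification from a named claim. Design choice: an id_token, if the
// provider returned one, is consulted first because it is meant to carry identity
// claims; the access token is the fallback. Only non-empty string claims are accepted.
function extractUsername(tokenRaw, claimName) {
  var resp = parseTokenResponse(tokenRaw);
  var candidates = [resp.idToken, resp.accessToken];
  for (var i = 0; i < candidates.length; i++) {
    if (!candidates[i]) continue;
    var claims = decodeJwtPayload(candidates[i]);
    if (claims && typeof claims[claimName] === "string" && claims[claimName] !== "") {
      return claims[claimName];
    }
  }
  return null; // not in the response: must be requested via the provider's REST API
}

// Constructed sample data: a JWT-shaped token with a dummy signature (not signed).
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function makeConstructedToken(claims) {
  var header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  var payload = base64UrlEncode(JSON.stringify(claims));
  return header + "." + payload + ".dummysignature";
}

// Constructed token_raw, shaped like a typical token endpoint response.
var sampleTokenRaw = JSON.stringify({
  token_type: "Bearer",
  expires_in: 3599,
  access_token: makeConstructedToken({ sub: "abc-123", preferred_username: "jane.doe@example.com" })
});

var identification = extractUsername(sampleTokenRaw, "preferred_username");
```

Which claim holds the identification configured in adito depends on the provider and on the user mapping chosen in the project, so the claim name is deliberately a parameter rather than hard-coded.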