
This page has been moved to the Atlassian cloud

This page can now be found at: https://clazzes.atlassian.net/l/c/LDaA97kp

--

The OAuth login module is a planned login facility providing access to third-party OAuth 2.0 and OpenID Connect services.

...

The org.clazzes.login.oauth HttpLoginService is configured through the standard OSGi configuration service using the properties listed below:

Property | Description
sessionCookie | The name of the cookie to set in user agents.
sessionTimeout | The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged, including all access/refresh/ID tokens requested from an OAuth/OpenID Provider.
secureCookie | The secure flag of the issued cookie. Set this value to true if you are located behind an SSL-terminating reverse proxy.
delegateDomain | The domain against which to check incoming bearer tokens. If not set, incoming bearer tokens will not be accepted by the OAuth HttpLoginService.
domain.<domain>.label | The mandatory human-readable label for the configured domain with identifier <domain>.
domain.<domain>.authorizationLocation | The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
domain.<domain>.tokenLocation | The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
domain.<domain>.userLocation | The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
domain.<domain>.configurationLocation | The well-known OpenID Connect configuration location.
domain.<domain>.faviconLocation | The optional favicon location for domains which do not have a /favicon.ico resource at the root of their authorization web host.
domain.<domain>.clientId | The client ID of our application as registered at the OAuth Provider.
domain.<domain>.clientPassword | The password for the client ID of our application as registered at the OAuth Provider.
domain.<domain>.scope | The mandatory scope to pass to the authorization endpoint.
domain.<domain>.prompt | The optional prompt value to pass to the authorization endpoint.
domain.<domain>.responseType | The optional response type to pass to the authorization endpoint.
domain.<domain>.options | Comma-separated list of options from the following set:

  • lenientAccessTokenCheck - Bypasses the at_hash check on issued ID tokens; needed e.g. for Microsoft providers, which omit the claim. Without the check, the ID token is no longer bound to the access token it was issued with.
  • propagateLocale - Propagates the locale of the login iframe to the OAuth provider as the locale URL parameter.

Examples

github.com

GitHub implements OAuth2 and is not a full-featured OpenID Connect provider.

Property | Value
domain.GITHUB.authorizationLocation | http://github.com/login/oauth/authorize
domain.GITHUB.userLocation | https://api.github.com/user
domain.GITHUB.label | github.com
domain.GITHUB.clientId | Client ID as registered under 'Authorized OAuth Apps' at https://github.com/settings/applications
domain.GITHUB.clientPassword | Password of the above-mentioned client ID.
domain.GITHUB.tokenLocation | https://github.com/login/oauth/access_token
domain.GITHUB.scope | user

google.com

Google implements a clean OpenID Connect provider with no hassles.

Property | Value
domain.GOOGLE.clientId | Client ID as registered under https://console.developers.google.com/apis/credentials
domain.GOOGLE.clientPassword | Password of the above-mentioned client ID.
domain.GOOGLE.configurationLocation | https://accounts.google.com/.well-known/openid-configuration
domain.GOOGLE.label | google.com
domain.GOOGLE.scope | openid profile email
domain.GOOGLE.accessType | offline
domain.GOOGLE.prompt | consent

microsoftonline.com

Microsoft implements OpenID Connect, but leaves out the at_hash claim in ID tokens.

Property | Value
domain.MICROSOFT.clientId | Client ID as registered under https://apps.dev.microsoft.com/#/appList
domain.MICROSOFT.clientPassword | Password of the above-mentioned client ID.
domain.MICROSOFT.configurationLocation | https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
domain.MICROSOFT.label | microsoft.com
domain.MICROSOFT.scope | openid profile User.Read offline_access
domain.MICROSOFT.responseType | token id_token
domain.MICROSOFT.options | lenientAccessTokenCheck
domain.MICROSOFT.prompt | consent
domain.MICROSOFT.faviconLocation | https://www.microsoft.com/favicon.ico
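The at_hash check that the lenientAccessTokenCheck option disables (see the options property above and the Microsoft example) is the OpenID Connect binding between an ID token and the access token returned alongside it. The following is an added illustration, not code from the org.clazzes.login.oauth module: it computes at_hash as OpenID Connect Core 1.0 section 3.2.2.9 defines it and shows what strict and lenient verification accept. The token values are constructed; signature verification of the ID token is assumed to have happened before the claims are inspected.

```python
import base64
import hashlib
import hmac


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect Core 1.0, 3.2.2.9: base64url-encode (no padding)
    the left-most half of the hash of the access token's ASCII octets, using the
    hash function that matches the ID token's signing algorithm (RS256 -> SHA-256,
    RS384 -> SHA-384, RS512 -> SHA-512)."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}.get(alg[-3:])
    if digest_name is None:
        raise ValueError(f"unsupported ID token alg: {alg}")
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_at_hash(id_token_claims: dict, access_token: str,
                  alg: str = "RS256", lenient: bool = False) -> bool:
    """Return True if the access token may be trusted together with this ID token.

    Strict mode (the default) requires a present and matching at_hash claim.
    Lenient mode corresponds to the page's lenientAccessTokenCheck option: a
    missing claim is accepted, so an access token can no longer be proven to
    belong to the ID token. A present but wrong claim is rejected in both modes."""
    claimed = id_token_claims.get("at_hash")
    if claimed is None:
        return lenient
    # Constant-time comparison; the claim is attacker-influenced input.
    return hmac.compare_digest(claimed, compute_at_hash(access_token, alg))


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    access_token = "constructed-access-token"
    good_claims = {"iss": "https://example-op.invalid", "at_hash": compute_at_hash(access_token)}
    no_at_hash_claims = {"iss": "https://example-op.invalid"}  # the Microsoft case
    print("strict, matching claim:", check_at_hash(good_claims, access_token))
    print("strict, swapped token :", check_at_hash(good_claims, access_token + "x"))
    print("strict, claim missing :", check_at_hash(no_at_hash_claims, access_token))
    print("lenient, claim missing:", check_at_hash(no_at_hash_claims, access_token, lenient=True))
```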

Further Readings

OpenID Connect Core 1.0 Specification: http://openid.net/specs/openid-connect-core-1_0.html

...