application-oauth2.yml

Parameters of the general oauth2 profile available to all services.

Characteristics

Configuration File Name: application-oauth2.yml
Referenced by Services: authentication, organization, controller
Storage Location: Git root directory

Parameters

This article describes the behavior of the core system. However, the configuration file is also read by the TENANT-MANAGEMENT service, if it is installed.


Each parameter is listed with its description, the service(s) that read it ("Read by Service") and its default value, if any.

Parameter: keycloak.host
Read by Service: --

The parameter is used as a variable for the IP address of the Keycloak server in use; it can be referenced in authentication.oauth2.tenants. If the value is changed, the new value replaces the old one in each reference.

The value is set automatically during the installation of the infrastructure Helm chart, during which the IP address of your Keycloak server has to be specified.

If a different identity provider is used, you can remove this parameter and define your own one in order to reference it in authentication.oauth2.tenants.

Parameter: authentication.oauth2.tenants
Read by Service: AUTHENTICATION, CONTROLLER
Default Value: See code block below.

List of tenant configurations read by the AUTHENTICATION and CONTROLLER services. Each list entry contains the configuration parameters for one tenant. They have to match the settings in the identity provider in use.

If Keycloak is used, check the settings via the Keycloak Admin Console. The parameters of each list entry are described in the following.

Entry parameter: name
Read by Service: AUTHENTICATION

Name of the tenant. If it is changed, do not forget to adjust it in the *Uri parameters below as well. The parameter is required.

Entry parameter: clientId
Read by Service: AUTHENTICATION, CONTROLLER

Identification of the AUTHENTICATION service for the connection to the identity provider. Valid for all tenants. Get the value from the identity provider. The parameter is required.

Entry parameter: clientSecret
Read by Service: AUTHENTICATION, CONTROLLER

Tenant-specific identification (client secret) of the AUTHENTICATION service for the connection to the identity provider. Valid for one tenant only. Get the value from the identity provider.

Entry parameter: userAuthorizationUri
Read by Service: AUTHENTICATION

Authorization URI of the OAuth2 identity provider.

Entry parameter: accessTokenUri
Read by Service: AUTHENTICATION, CONTROLLER

Token URI of the OAuth2 identity provider. The parameter is required.

Entry parameter: userInfoUri
Read by Service: AUTHENTICATION, CONTROLLER

URL of the identity provider's endpoint for retrieving user data. The parameter is required.
Entry parameter: endSessionUri
Read by Service: AUTHENTICATION

If this parameter is set, a logout from a yuuvis® Momentum session triggers a logout from the identity provider as well. Set as value the endpoint of the identity provider that is responsible for the logout process.

As of 2023 Summer: If Keycloak is used as identity provider, the post_logout_redirect_uri query parameter can be appended in order to specify a valid redirect URI that is called after a successful logout.
Note: If post_logout_redirect_uri is specified, the scope parameter has to be configured with the value openid.

The combination of the scope parameter and post_logout_redirect_uri has the following effects:

  • scope not configured, post_logout_redirect_uri not configured: If a logout is requested, an inquiry dialog is displayed where the logout request has to be confirmed. After a successful logout, a success notification is displayed.
  • scope set to openid, post_logout_redirect_uri not configured: After a successful logout, a success notification is displayed.
  • scope not configured, post_logout_redirect_uri properly configured: A logout is not possible. An error with the message "Missing parameters: id_token_hint" is returned.
  • scope set to openid, post_logout_redirect_uri properly configured: The specified redirect URI is called after a successful logout.

Example configuration:

authentication.oauth2.tenants:
-   name: tenant
    clientId: momentum
    clientSecret: 00000000-0000-0000-0000-000000000000
    userAuthorizationUri: https://${keycloak.host}/auth/realms/tenant/protocol/openid-connect/auth
    accessTokenUri: https://${keycloak.host}/auth/realms/tenant/protocol/openid-connect/token
    userInfoUri: https://${keycloak.host}/auth/realms/tenant/protocol/openid-connect/userinfo
    endSessionUri: https://${keycloak.host}/auth/realms/tenant/protocol/openid-connect/logout?post_logout_redirect_uri=https://my.momentum.org/
    userNameExtractionPattern: $.sub
    scope: openid

Entry parameter: userNameExtractionPattern
Read by Service: AUTHENTICATION, CONTROLLER

JSON path expression to extract the user name from the response of the endpoint specified in userInfoUri. The parameter is required.
Entry parameter: scope

Comma-separated list of strings. Available values and their effects depend on the identity provider in use.

For Keycloak:

  • Required as of Keycloak 22 (supported as of 2023 Autumn).
  • Available as of 2023 Summer.
  • The only available value is openid (see the Keycloak documentation).
  • If scope is set to openid, Keycloak is triggered to create an ID token that allows for a logout without an inquiry dialog.
  • In combination with a properly configured endSessionUri parameter, it allows a redirection after a successful logout (see above).

Parameter: keycloak.server
Read by Service: ORGANIZATION
Default Value: https://keycloak-https.infrastructure/auth

Read by the ORGANIZATION service if the profile keycloak is active: URL of the Keycloak server.

Parameter: keycloak.admin.username
Read by Service: ORGANIZATION
Default Value: keycloak

Read by the ORGANIZATION service if the profile keycloak is active: username for the login of the ORGANIZATION service in order to retrieve and store data in Keycloak.

Parameter: keycloak.admin.password
Read by Service: ORGANIZATION
Default Value: changeme

Read by the ORGANIZATION service if the profile keycloak is active: password for the login of the ORGANIZATION service in order to retrieve and store data in Keycloak.

The values for the parameters can be modified as described here:
>> Configuring Services using Profiles
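As an added example (not part of the product or of this page), a small Python check over an already parsed authentication.oauth2.tenants list that enforces the rules described above: the required entry parameters, the tenant name being referenced in every *Uri, and the Keycloak rule that post_logout_redirect_uri requires scope openid; it also applies a userNameExtractionPattern to a userinfo response. The sample tenant list, the keycloak.host value and the restriction to simple JSON paths are assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample mirroring the example above (${keycloak.host} left unresolved as in
# the YAML); the second entry deliberately breaks two rules described on the page.
KC = "https://${keycloak.host}/auth/realms"
TENANTS = [
    {"name": "tenant", "clientId": "momentum",
     "clientSecret": "00000000-0000-0000-0000-000000000000",
     "userAuthorizationUri": f"{KC}/tenant/protocol/openid-connect/auth",
     "accessTokenUri": f"{KC}/tenant/protocol/openid-connect/token",
     "userInfoUri": f"{KC}/tenant/protocol/openid-connect/userinfo",
     "endSessionUri": f"{KC}/tenant/protocol/openid-connect/logout"
                      "?post_logout_redirect_uri=https://my.momentum.org/",
     "userNameExtractionPattern": "$.sub", "scope": "openid"},
    {"name": "other", "clientId": "momentum",
     "accessTokenUri": f"{KC}/tenant/protocol/openid-connect/token",  # realm not renamed
     "userInfoUri": f"{KC}/other/protocol/openid-connect/userinfo",
     "endSessionUri": f"{KC}/other/protocol/openid-connect/logout"
                      "?post_logout_redirect_uri=https://my.momentum.org/",  # no scope set
     "userNameExtractionPattern": "$.sub"},
]
REQUIRED = ("name", "clientId", "accessTokenUri", "userInfoUri", "userNameExtractionPattern")
URI_KEYS = ("userAuthorizationUri", "accessTokenUri", "userInfoUri", "endSessionUri")


def extract_user_name(pattern, userinfo):
    """Apply userNameExtractionPattern to a userinfo response; only simple '$.a.b'
    paths are supported here (assumption: the product uses a full JSON path library)."""
    if not pattern.startswith("$."):
        raise ValueError(f"unsupported pattern {pattern!r}")
    node = userinfo
    for key in pattern[2:].split("."):
        node = node[key]
    return node


def check_tenant(tenant, keycloak_host):
    """Return the list of problems found in one authentication.oauth2.tenants entry."""
    problems = [f"{k} is required" for k in REQUIRED if not tenant.get(k)]
    scopes = [s.strip() for s in tenant.get("scope", "").split(",")]
    for key in (k for k in URI_KEYS if tenant.get(k)):
        # ${keycloak.host} is substituted the same way the profile references it
        parsed = urlparse(tenant[key].replace("${keycloak.host}", keycloak_host))
        if f"/{tenant.get('name')}/" not in parsed.path:  # tenant renamed, *Uri not adjusted
            problems.append(f"{key} does not reference tenant {tenant.get('name')!r}")
        if (key == "endSessionUri" and "openid" not in scopes
                and "post_logout_redirect_uri" in parse_qs(parsed.query)):
            problems.append("endSessionUri uses post_logout_redirect_uri but scope is not openid")
    return problems
```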

Default configuration for authentication.oauth2.tenants
authentication.oauth2.tenants:
- name: yuuvistest
  clientId: yuuvis-authentication-service
  clientSecret: dbdf4856-3c86-4e5f-aca7-96f3d93d35b4
  userAuthorizationUri: https://${keycloak.host}/auth/realms/yuuvistest/protocol/openid-connect/auth
  accessTokenUri: https://${keycloak.host}/auth/realms/yuuvistest/protocol/openid-connect/token
  userInfoUri: https://${keycloak.host}/auth/realms/yuuvistest/protocol/openid-connect/userinfo
  endSessionUri: https://${keycloak.host}/auth/realms/yuuvistest/protocol/openid-connect/logout
  userNameExtractionPattern: $.sub
  scope: openid
- name: testyuuvis
  clientId: yuuvis-authentication-service
  clientSecret: 61048b73-8cd7-4682-b78c-786c5dc8a2a1
  userAuthorizationUri: https://${keycloak.host}/auth/realms/testyuuvis/protocol/openid-connect/auth
  accessTokenUri: https://${keycloak.host}/auth/realms/testyuuvis/protocol/openid-connect/token
  userInfoUri: https://${keycloak.host}/auth/realms/testyuuvis/protocol/openid-connect/userinfo
  endSessionUri: https://${keycloak.host}/auth/realms/testyuuvis/protocol/openid-connect/logout
  userNameExtractionPattern: $.sub
  scope: openid