Wiki source code of org.clazzes.login.oauth

Last modified by wolfgang_glas@iteg_at on 2017-10-13 09.40:35

The OAuth login module is a planned login facility providing access to third-party OAuth 2.0 and OpenID Connect services.

The login service may also be configured to accept access tokens issued to third parties by an authorization provider (see the {{code language="none"}}delegateDomain{{/code}} property below).

= {{id name="org.clazzes.login.oauth-Configuration"/}}Configuration =

The org.clazzes.login.oauth HttpLoginService is configured through the standard OSGi configuration service using the properties listed below:

(% class="relative-table" style="width: 100.0%;" %)
|=(% style="width: 23.6864%;" %)(((
Property
)))|=(% style="width: 76.3136%;" %)(((
Description
)))
|(% style="width: 23.6864%;" %)(((
sessionCookie
)))|(% style="width: 76.3136%;" %)(((
The name of the session cookie to set in user agents.
)))
|(% style="width: 23.6864%;" %)(((
sessionTimeout
)))|(% style="width: 76.3136%;" %)(((
The timeout for cookie-based sessions in minutes. Sessions inactive for this interval are purged, including all access, refresh and ID tokens obtained from the OAuth/OpenID Provider on their behalf.
)))
|(% style="width: 23.6864%;" %)(((
secureCookie
)))|(% style="width: 76.3136%;" %)(((
The secure flag of the issued cookie. Set this to true if you are located behind a TLS-terminating reverse proxy: the service itself then sees plain HTTP, but the flag keeps browsers from sending the cookie over anything but HTTPS.
)))
|(% style="width: 23.6864%;" %)(((
delegateDomain
)))|(% style="width: 76.3136%;" %)(((
The identifier of the configured domain against which incoming bearer tokens are checked. If not set, incoming bearer tokens are not accepted by the OAuth HttpLoginService.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.label
)))|(% style="width: 76.3136%;" %)(((
The mandatory human-readable label for the configured domain with identifier <domain>.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.authorizationLocation
)))|(% style="width: 76.3136%;" %)(((
The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.tokenLocation
)))|(% style="width: 76.3136%;" %)(((
The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.userLocation
)))|(% style="width: 76.3136%;" %)(((
The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.configurationLocation
)))|(% style="width: 76.3136%;" %)(((
The OpenID Connect discovery document URL of the provider (conventionally {{code language="none"}}.../.well-known/openid-configuration{{/code}}); the authorization, token and userinfo endpoints are taken from it. Use an https URL here, since every other endpoint of the domain is trusted on the strength of this document.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.faviconLocation
)))|(% style="width: 76.3136%;" %)(((
The optional favicon location for domains which do not serve a {{code language="none"}}/favicon.ico{{/code}} resource at the root of their authorization web host.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.clientId
)))|(% style="width: 76.3136%;" %)(((
The client ID of our application as registered at the OAuth Provider.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.clientPassword
)))|(% style="width: 76.3136%;" %)(((
The client secret belonging to the client ID of our application as registered at the OAuth Provider. Protect the configuration file accordingly: this value lets anyone redeem authorization codes issued to our client.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.scope
)))|(% style="width: 76.3136%;" %)(((
The mandatory scope to pass to the authorization endpoint (space-separated, e.g. {{code language="none"}}openid profile email{{/code}} for an OpenID Connect provider).
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.prompt
)))|(% style="width: 76.3136%;" %)(((
The optional prompt value to pass to the authorization endpoint.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.responseType
)))|(% style="width: 76.3136%;" %)(((
The optional response type to pass to the authorization endpoint.
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.accessType
)))|(% style="width: 76.3136%;" %)(((
The optional access type to pass to the authorization endpoint (the google.com example below sets it to {{code language="none"}}offline{{/code}} in order to obtain a refresh token).
)))
|(% style="width: 23.6864%;" %)(((
domain.<domain>.options
)))|(% style="width: 76.3136%;" %)(((
Comma-separated list of options from the set

* {{code language="none"}}lenientAccessTokenCheck{{/code}} - Bypasses the {{code language="none"}}at_hash{{/code}} check on issued ID tokens; needed e.g. for Microsoft providers, which omit the claim. Enable it only for such providers: without the check, the ID token no longer proves that the access token received alongside it was issued together with it.
* {{code language="none"}}propagateLocale{{/code}} - Propagates the locale of the login iframe to the OAuth provider as the {{code language="none"}}locale{{/code}} URL parameter.
)))

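How the properties above fit together, as an added example written in Python for illustration (it is not the module's own code, which is Java/OSGi): it groups the flat OSGi properties per domain, completes a domain that carries only a configurationLocation from the provider's discovery document, and runs the checks an operator wants before enabling a domain. The sample .cfg text, the discovery document, the precedence of explicitly configured endpoints over discovered ones and the treatment of clientId as mandatory are assumptions of this example.

```python
"""Group domain.<domain>.* properties, complete them from an OpenID Connect
discovery document and validate them.  Added example, not the module's code:
the merge rule (explicit endpoint wins) and the checks are assumptions made here."""
from urllib.parse import urlsplit

# Property suffix from the table -> metadata name in the discovery document.
ENDPOINT_KEYS = {
    "authorizationLocation": "authorization_endpoint",
    "tokenLocation": "token_endpoint",
    "userLocation": "userinfo_endpoint",
}
MANDATORY = ("label", "scope", "clientId")  # clientId: assumption of this example
KNOWN_OPTIONS = {"lenientAccessTokenCheck", "propagateLocale"}


def parse_properties(text):
    """Parse 'key = value' lines of an OSGi .cfg file; '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed property line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def group_domains(props):
    """Turn domain.<domain>.<key> entries into {domain: {key: value}}."""
    domains = {}
    for key, value in props.items():
        parts = key.split(".", 2)
        if len(parts) == 3 and parts[0] == "domain":
            domains.setdefault(parts[1], {})[parts[2]] = value
    return domains


def complete_from_discovery(cfg, discovery):
    """Fill endpoints that are not configured explicitly from the discovery document."""
    merged = dict(cfg)
    for prop, meta in ENDPOINT_KEYS.items():
        if prop not in merged and meta in discovery:
            merged[prop] = discovery[meta]
    return merged


def validate(domain, cfg):
    """Return a list of problems; an empty list means the domain is usable."""
    problems = []
    for key in MANDATORY:
        if not cfg.get(key):
            problems.append("%s: missing domain.%s.%s" % (domain, domain, key))
    for key in ("authorizationLocation", "tokenLocation"):
        if key not in cfg:
            problems.append("%s: %s neither set nor obtainable from configurationLocation" % (domain, key))
    # Codes, client secrets and tokens travel over these URLs: refuse plain http.
    for key in ("authorizationLocation", "tokenLocation", "userLocation", "configurationLocation"):
        url = cfg.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append("%s: %s is not https: %s" % (domain, key, url))
    options = {o.strip() for o in cfg.get("options", "").split(",") if o.strip()}
    for unknown in sorted(options - KNOWN_OPTIONS):
        problems.append("%s: unknown option %s" % (domain, unknown))
    return problems


def load(cfg_text, discovery_by_domain):
    """Return {domain: (completed config, problems)} for a whole .cfg text."""
    report = {}
    for domain, cfg in group_domains(parse_properties(cfg_text)).items():
        if "configurationLocation" in cfg and domain in discovery_by_domain:
            cfg = complete_from_discovery(cfg, discovery_by_domain[domain])
        report[domain] = (cfg, validate(domain, cfg))
    return report


# Constructed sample .cfg: GITHUB deliberately uses an http:// authorization
# URL and GOOGLE a misspelled option, so that both checks fire.
SAMPLE_CFG = """\
sessionCookie = CLAZZES_SESSION
domain.GITHUB.label = github.com
domain.GITHUB.authorizationLocation = http://github.com/login/oauth/authorize
domain.GITHUB.tokenLocation = https://github.com/login/oauth/access_token
domain.GITHUB.userLocation = https://api.github.com/user
domain.GITHUB.clientId = example-github-client-id
domain.GITHUB.clientPassword = example-github-secret
domain.GITHUB.scope = user
domain.GOOGLE.label = google.com
domain.GOOGLE.configurationLocation = https://accounts.google.com/.well-known/openid-configuration
domain.GOOGLE.clientId = example-google-client-id
domain.GOOGLE.scope = openid profile email
domain.GOOGLE.options = lenientAccessTokenCheck, propagateLocal
"""

# Constructed subset of what a GET on the Google configurationLocation
# returns; the live document is authoritative.
GOOGLE_DISCOVERY = {
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
}

if __name__ == "__main__":
    print(load(SAMPLE_CFG, {"GOOGLE": GOOGLE_DISCOVERY}))
```

Run as a script, the GOOGLE domain comes back with all three endpoints filled in from the discovery document and one problem (the unknown option), while GITHUB is flagged for its plain-http authorization URL.
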
= {{id name="org.clazzes.login.oauth-Examples"/}}Examples =

== {{id name="org.clazzes.login.oauth-github.com"/}}github.com ==

GitHub implements OAuth 2.0 but is not a full-featured OpenID Connect provider: there is no discovery document, so the endpoints have to be configured explicitly.

|=(((
Property
)))|=(((
Value
)))
|(((
domain.GITHUB.authorizationLocation
)))|(((
(% class="nolink" %)https:~/~/github.com/login/oauth/authorize
)))
|(((
domain.GITHUB.userLocation
)))|(((
(% class="nolink" %)https:~/~/api.github.com/user
)))
|(((
domain.GITHUB.label
)))|(((
github.com
)))
|(((
domain.GITHUB.clientId
)))|(((
Client ID as registered under 'Authorized OAuth Apps' at [[https:~~/~~/github.com/settings/applications>>url:https://github.com/settings/applications||shape="rect"]]
)))
|(((
domain.GITHUB.clientPassword
)))|(((
Client secret of the above-mentioned client ID.
)))
|(((
domain.GITHUB.tokenLocation
)))|(((
(% class="nolink" %)https:~/~/github.com/login/oauth/access_token
)))
|(((
domain.GITHUB.scope
)))|(((
user
)))

== {{id name="org.clazzes.login.oauth-google.com"/}}google.com ==

Google implements a clean OpenID Connect provider with no hassles: the endpoints are taken from the discovery document, so only the configurationLocation is needed.

|=(((
Property
)))|=(((
Value
)))
|(((
domain.GOOGLE.clientId
)))|(((
Client ID as registered under [[https:~~/~~/console.developers.google.com/apis/credentials>>url:https://console.developers.google.com/apis/credentials||shape="rect"]]
)))
|(((
domain.GOOGLE.clientPassword
)))|(((
Client secret of the above-mentioned client ID.
)))
|(((
domain.GOOGLE.configurationLocation
)))|(((
(% class="nolink" %)https:~/~/accounts.google.com/.well-known/openid-configuration
)))
|(((
domain.GOOGLE.label
)))|(((
google.com
)))
|(((
domain.GOOGLE.scope
)))|(((
openid profile email
)))
|(((
domain.GOOGLE.accessType
)))|(((
offline
)))
|(((
domain.GOOGLE.prompt
)))|(((
consent
)))

== {{id name="org.clazzes.login.oauth-microsoftonline.com"/}}microsoftonline.com ==

Microsoft implements OpenID Connect, but leaves out the {{code language="none"}}at_hash{{/code}} claim in ID tokens, although OpenID Connect Core requires it for the implicit response type {{code language="none"}}token id_token{{/code}} used below. The {{code language="none"}}lenientAccessTokenCheck{{/code}} option therefore has to be set, at the price of not being able to verify that the access token and the ID token were issued together.

|=(((
Property
)))|=(((
Value
)))
|(((
domain.MICROSOFT.clientId
)))|(((
Client ID as registered under (% class="nolink" %)https:~/~/apps.dev.microsoft.com/#/appList(%%)
)))
|(((
domain.MICROSOFT.clientPassword
)))|(((
Client secret of the above-mentioned client ID.
)))
|(((
domain.MICROSOFT.configurationLocation
)))|(((
(% class="nolink" %)https:~/~/login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
)))
|(((
domain.MICROSOFT.label
)))|(((
microsoft.com
)))
|(((
domain.MICROSOFT.scope
)))|(((
openid profile User.Read offline_access
)))
|(((
domain.MICROSOFT.responseType
)))|(((
token id_token
)))
|(((
domain.MICROSOFT.options
)))|(((
lenientAccessTokenCheck
)))
|(((
domain.MICROSOFT.prompt
)))|(((
consent
)))
|(((
domain.MICROSOFT.faviconLocation
)))|(((
(% class="nolink" %)https:~/~/www.microsoft.com/favicon.ico
)))

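The {{code language="none"}}at_hash{{/code}} check that the {{code language="none"}}lenientAccessTokenCheck{{/code}} option in the configuration table bypasses, and that the Microsoft example above needs bypassed, as an added Python example (OpenID Connect Core 1.0 section 3.2.2.9: hash the access token with the hash function of the ID token's JWS algorithm, keep the left-most half, base64url-encode, compare with the claim). This is not the module's own code; the meaning given to lenient mode (skip the check only when the claim is absent), the constructed tokens and the dummy signature segment are assumptions of this example.

```python
"""Check the at_hash claim of an OpenID Connect ID token.

Added example, not the module's code.  'lenient' models what this example
assumes lenientAccessTokenCheck does: accept an ID token that carries no
at_hash claim at all.  A present but wrong at_hash is rejected in both modes."""
import base64
import hashlib
import hmac
import json

# at_hash uses the hash function of the ID token's JWS 'alg' (RFC 7518 names)
# and keeps the left-most half of the digest.
HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_at_hash(access_token, alg):
    """Hash the access token with alg's hash, keep the left half, base64url it."""
    digest = HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def jws_parts(token):
    """Split a compact JWS into (header, claims); does NOT verify the signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_at_hash(id_token, access_token, lenient=False):
    """Return (ok, reason).  Run this only after the JWS signature has been
    verified against the provider's JWK set; it binds the access token to an
    already trusted ID token, nothing more."""
    header, claims = jws_parts(id_token)
    at_hash = claims.get("at_hash")
    if at_hash is None:
        if lenient:
            return True, "no at_hash claim; accepted because of lenientAccessTokenCheck"
        return False, "no at_hash claim; access token cannot be bound to this ID token"
    if not isinstance(at_hash, str) or header.get("alg") not in HASH_FOR_ALG:
        return False, "unusable at_hash claim or unsupported alg"
    expected = expected_at_hash(access_token, header["alg"])
    if hmac.compare_digest(at_hash.encode("utf-8"), expected.encode("ascii")):
        return True, "at_hash matches"
    return False, "at_hash mismatch; access token was not issued with this ID token"


# --- constructed sample data (unsigned tokens, for the example only) ---------
def make_id_token(claims, alg="RS256"):
    """Build an UNSIGNED compact JWS; the signature segment is a dummy."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode("ascii"))
    payload = b64url_encode(json.dumps(claims).encode("ascii"))
    return "%s.%s.%s" % (header, payload, "dummy-signature-not-checked-here")


ACCESS_TOKEN = "constructed-access-token-0123456789"
OTHER_TOKEN = "constructed-access-token-from-somewhere-else"

# Provider that sets at_hash (as Google does).
ID_TOKEN_BOUND = make_id_token(
    {"iss": "https://accounts.google.com", "sub": "1", "at_hash": expected_at_hash(ACCESS_TOKEN, "RS256")})
# The same ID token presented together with a different access token (token substitution).
ID_TOKEN_OTHER = make_id_token(
    {"iss": "https://accounts.google.com", "sub": "1", "at_hash": expected_at_hash(OTHER_TOKEN, "RS256")})
# Provider that omits at_hash (the Microsoft case described above).
ID_TOKEN_NO_HASH = make_id_token({"iss": "https://login.microsoftonline.com/common/v2.0", "sub": "1"})

if __name__ == "__main__":
    for name, tok in (("bound", ID_TOKEN_BOUND), ("other", ID_TOKEN_OTHER), ("no-hash", ID_TOKEN_NO_HASH)):
        print(name, check_at_hash(tok, ACCESS_TOKEN), check_at_hash(tok, ACCESS_TOKEN, lenient=True))
```

The substituted-token case is the one the check exists for: an attacker who obtained a valid ID token for a victim and pairs it with an access token of their own is caught in strict mode and still caught in lenient mode, because lenient mode only waives the check when the provider sends no claim at all.
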
= {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings =

OpenID Connect Core 1.0 specification: [[http:~~/~~/openid.net/specs/openid-connect-core-1_0.html>>url:http://openid.net/specs/openid-connect-core-1_0.html||shape="rect"]]

Microsoft's implementation notes: [[https:~~/~~/docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens>>url:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens||shape="rect"]]

Microsoft Online OpenID configuration: [[https:~~/~~/login.microsoftonline.com/common/.well-known/openid-configuration>>url:https://login.microsoftonline.com/common/.well-known/openid-configuration||shape="rect"]]

Google's OpenID Connect implementation notes: [[https:~~/~~/developers.google.com/identity/protocols/OpenIDConnect>>url:https://developers.google.com/identity/protocols/OpenIDConnect||shape="rect"]]

Google Accounts OpenID configuration: [[https:~~/~~/accounts.google.com/.well-known/openid-configuration>>url:https://accounts.google.com/.well-known/openid-configuration||shape="rect"]]

GitHub OAuth guide: [[https:~~/~~/developer.github.com/v3/oauth>>url:https://developer.github.com/v3/oauth||shape="rect"]]

IANA registry of JSON Web Token claims: [[https:~~/~~/www.iana.org/assignments/jwt/jwt.xhtml>>url:https://www.iana.org/assignments/jwt/jwt.xhtml||shape="rect"]]

= {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs =

RFC 7515, JSON Web Signature (JWS), [[https:~~/~~/tools.ietf.org/html/rfc7515>>url:https://tools.ietf.org/html/rfc7515||shape="rect"]]

RFC 7516, JSON Web Encryption (JWE), [[https:~~/~~/tools.ietf.org/html/rfc7516>>url:https://tools.ietf.org/html/rfc7516||shape="rect"]]

RFC 7517, JSON Web Key (JWK), [[https:~~/~~/tools.ietf.org/html/rfc7517>>url:https://tools.ietf.org/html/rfc7517||shape="rect"]]

RFC 7518, JSON Web Algorithms (JWA), [[https:~~/~~/tools.ietf.org/html/rfc7518>>url:https://tools.ietf.org/html/rfc7518||shape="rect"]]

RFC 7519, JSON Web Token (JWT), [[https:~~/~~/tools.ietf.org/html/rfc7519>>url:https://tools.ietf.org/html/rfc7519||shape="rect"]]