Versions Compared

Old Version 13

changes.mady.by.user Kim Rasmussen

Saved on

compared with

New Version 14

changes.mady.by.user Kim Rasmussen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Default: None
JSON key is attributes - as a JSON Array containing string values

Identity Providers

Image Modified

When Ceptor authenticates users using foreign OpenID Connect Providers, you can define the authentication providers here.
These Identity Providers are then used within the Ceptor Gateway - see Location - Authentication for information about how to configure the gateway to use these identity providers under specific conditions. 

Ceptor has custom support for some identity providers which almost are following the OpenID Connect standard, such as LinkedIn and Facebook.

Configuration for identity providers are stored in a JSON Array called openid.identityproviders - each identity provider is a separate JSON Object.

Code Block
languagejs
titleExample Configuration
linenumberstrue
collapsetrue
"openid.identityproviders": [
  {
    "name": "facebook",
    "description": "Authenticate using facebook",
    "clientid": "624082557774373",
    "secret": "{encoded}F89141217749F5FA6306CAF6F9656965F3A5A8E3069BE032136125F3A4B27183",
    "tokenurl": "https://graph.facebook.com/v2.9/oauth/access_token",
    "facebook": true,
    "linkedin": false,
    "fieldmappers": []
  },
  {
    "name": "google",
    "description": "Google as an identity provider",
    "clientid": "371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com",
    "secret": "{encoded}806F9FE0C7CBC28D5777D6DE91772DA4961482568956695A",
    "tokenurl": "https://accounts.google.com/o/oauth2/token",
    "facebook": false,
    "linkedin": false,
    "fieldmappers": []
  },
  {
    "name": "microsoft",
    "description": "Authenticate using microsoft as identity provider",
    "clientid": "317190f9-efec-4307-beb9-7f8380a8ae16",
    "secret": "{encoded}9EED6C32369008FE6F3DC027CC0C2195137300594A2620",
    "tokenurl": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "facebook": false,
    "linkedin": false,
    "fieldmappers": []
  }
]


Image Modified

OpenID Connect Identity Provider

Name

Identity provider name

...

Code Block
languagejs
titleExample configuration
linenumberstrue
collapsetrue
"oauth2.clients": [{
  "name": "Sample",
  "client_id": "https://www.example.com/",
  "description": "Example client",
  "client_secret": "secret",
  "accesstoken_type": "UUID",
  "allowed_uris": ["https://www.example.com/oauth2"],
  "allowed_logout_uris": [],
  "valid_grant_types": [
    "authorization_code",
    "implicit",
    "hybrid",
    "refresh_token"
  ],
  "allowed_scopes": [
    "openid",
    "profile",
    "offline_access"
  ],
  "refreshtoken_validity_seconds": 86400,
  "maximum_idtoken_expiration_minutes": 120
}]


Image Added

OAuth2 / OpenID Connect Client

Name

Name of OAuth 2 / OpenID Connect client or partner.

Default: None
JSON key is name

Description

Optional description

Default: None
JSON key is description

Client ID

Client ID - must be unique across all configured clients.

Default: None
JSON key is client_id

Client Secret

Client secret - may be encrypted/obfuscated.

Default: None
JSON key is client_secret

Accesstoken type

Type of access token to issuer - either UUID or JWT - if UUID, the token itself does not contain any attributes, and the OAuth2 introspection (or userinfo) URL must be called using the access token to get any of the attributes related to it. If the type is JWT, the access token is similar to the ID token a signed JWT token containing the attributes itself.

Default: None
JSON key is accesstoken_type

Token name

Name of token to use if not the default -allows you to select specific tokens (and thus specific keys, content etc.) for specific clients.

Default: None
JSON key is tokenname

Redirect URIs

List of valid redirect URIs for this client/partner

Default: None
JSON key is allowed_uris as a JSON array of strings

Logout URIs

List of valid logout URIs for this client/partner

Default: None
JSON key is allowed_logout_uris as a JSON array of strings

Grant types

List of valid grant types to allow for this client. If this list is empty, all types are allowed, otherwise only the specified ones are allowed for this client to use.

Default: None
JSON key is valid_grant_types

Scopes

If not empty, this list restricts which scope names the client is allowed to use.

Default: None
JSON key is allowed_scopes as a JSON array of strings

Access token validity (secs)

If specified, can override the default validity period of issued access tokens.

Default: None
JSON key is accesstoken_valid_seconds

Refresh token validity (secs)

If specified, can override the default validity period of issued refresh tokens.

Default: None
JSON key is refreshtoken_validity_seconds

ID token validity (mins)

If specified, can override the default validity period of issued ID tokens.

Default: None
JSON key is maximum_idtoken_expiration_minutes