
This guide focuses on OAuth2 authentication. It provides all the information needed to configure OAuth2 authentication for signers and for users. The first section covers the settings for signer authentication and gives an overview of all configuration required to add a new provider. Note that everything said about configuring a provider for signer authentication also applies to user authentication.

...

The first figure shows the settings for signer authentication. Once you have configured and enabled the provider, you can force the signer to authenticate before signing. For signer authentication, two options can be configured: an OAuth 2.0 Authorization Code flow (RFC 6749, Section 4.1) in which one or several resource URIs are contacted to retrieve the identification information, or an OpenID Connect (OIDC) compliant flow in which a JWT (the ID token) that already contains the identification data is retrieved. Choose the method offered by your identity provider.

Figure: OAuth For Signer Authentication

Description of the numbered settings:

  1. Provider Name
  2. Redirect Url to which the signer is returned when the OAuth process is concluded
  3. Client Id
  4. Client Secret
  5. Scope
  6. Authorization Uri
  7. Token Uri
  8. Logout Uri
  9. JWT configuration
  10. Resource Uris

...

Figure: OpenID Connect (OIDC) with JWT (JSON Web Token)

Info

Please note: some IdPs only provide the necessary information when the "openid" scope is requested. In OpenID Connect this scope is what marks the request as an OIDC request and causes the ID token to be issued. Therefore check which scopes your IdP requires if JWT validation is used.

...

After a successful login in the external system, I am getting "The validation of the OAuth login could not be processed" with an OAuth User Authentication configuration. What am I doing wrong?

During login with an external OAuth identity provider you are first redirected to the authorization (login) page of the external system, which then either provides the identification dataset via a resource endpoint or issues a signed JWT. The error indicates that your configuration is not compatible with the configuration of the external identity provider; verify your configuration and compare it against the manual of the OAuth identity provider. Note that the error message in the server-side application logs also only states that something went wrong during token retrieval and is not verbose about the cause. The server-side log message "<TOKEN_FETCH_CALL_FAILED - Failed to fetch OAuth access token" can indicate reasons such as:

  • The Token URI is invalid, so the authorization code cannot be exchanged for a token
  • The JWKS URI is invalid, so the signature of the retrieved JWT cannot be verified
  • Other checks at JWT level fail, for example the token's validity period (exp) has already passed; clock skew between the application server and the identity provider is a common cause
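The JWT variant described in the signer authentication section (an OIDC ID token verified against the provider's JWKS) and the JWT-level failure modes listed in this FAQ can be reproduced offline. The following is an added example written for this page; it is not code from the product or its vendor. It generates a throwaway RSA key that stands in for the identity provider's signing key, publishes it as a JWKS document, mints a sample RS256 ID token, and runs the checks a relying party performs before accepting the login: kid lookup in the JWKS, signature, issuer, audience and expiry. The issuer https://idp.example.com, the client id signer-client, the key ids and the subject are made-up values; RS256 is assumed as the signing algorithm and aud is assumed to be a single string, although providers may send it as an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims is the subset of ID-token claims checked below; "aud" is assumed to be a single string.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// NewSigningKey generates a throwaway RSA key that stands in for the IdP's signing key.
func NewSigningKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// JWKSFor renders a JWKS document (RFC 7517) that publishes pub under the given kid.
func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}

// MintToken signs c as an RS256 JWT, as the IdP would; used here only to build sample tokens.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a valid key
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIDToken checks an RS256 ID token against a JWKS document (kid, signature, iss, aud, exp) and returns the subject.
func VerifyIDToken(token string, jwksJSON []byte, issuer, clientID string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a three-part compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", fmt.Errorf("header is not base64url-encoded JSON")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never honour "none" or an HMAC alg chosen by the token
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return "", fmt.Errorf("jwks: %w", err) // e.g. the JWKS URI answered with an HTML error page
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("jwks: no usable RSA key with kid %q (wrong JWKS URI or rotated key)", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify against the JWKS key")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", fmt.Errorf("claims are not base64url-encoded JSON")
	}
	if c.Iss != issuer || c.Aud != clientID {
		return "", fmt.Errorf("iss %q / aud %q do not match the configured issuer and client id", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	return c.Sub, nil
}

func main() {
	priv, iss, cid, now := NewSigningKey(), "https://idp.example.com", "signer-client", time.Now() // made-up values
	tok := MintToken(priv, "key-2024", Claims{Iss: iss, Aud: cid, Sub: "alice", Exp: now.Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyIDToken(tok, JWKSFor(&priv.PublicKey, "key-2024"), iss, cid, now))
	fmt.Println(VerifyIDToken(tok, JWKSFor(&priv.PublicKey, "old-key"), iss, cid, now)) // kid absent: the FAQ's "JWKS URI is invalid" case
}
```

The second call in main checks a perfectly valid token against a JWKS that does not contain the token's kid, which is what a wrong JWKS URI, or a provider that has rotated its keys, looks like from the application's side: the failure is reported as a verification problem, not as a problem with the token itself. When you see TOKEN_FETCH_CALL_FAILED, fetch the provider's JWKS URI yourself and confirm that the kid in the ID token header appears in it, that iss and aud in the token match what the provider documents for your client, and that the application server's clock is not ahead of the token's exp.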

...