OAuth 2.0
This section discusses how to configure Panopticon Real Time to use OAuth 2.0 for authorization. Upon a logon request, Panopticon Real Time redirects the user to the login page provided by the OAuth 2.0 server.
Note that OAuth 2.0 is an authorization framework and does not by itself specify how to authenticate the user; on its own, Panopticon Real Time will only know whether the user is authorized or not. To authenticate the user, Panopticon Real Time can be configured to call a REST service that returns the user identity for an access token retrieved from the OAuth 2.0 provider. In addition to the standard OAuth 2.0 configuration, the server includes properties (i.e., authentication.oauth2.*) that are specifically used to extract the user details from that identity response.
If user roles are configured, the user identity attribute (i.e., authentication.oauth2.identity.attribute.roles=<Name of role attribute in OAuth2 server>) is expected to contain a list of roles, which enables role-based access restrictions on workbook folders.
For example: "roles": ["VIEWER","DESIGNER"]
If this attribute is not set, the default role VIEWER is used.
To use OAuth2.0, change the authentication type:
authentication.type=OAUTH2
Afterwards, go through the following properties and configure them according to your OAuth server configuration.
Property | Description
--- | ---
authentication.oauth2.client.id | The ID of the OAuth 2.0 client.
authentication.oauth2.client.secret | The secret used by the OAuth 2.0 client.
authentication.oauth2.identity.attribute.roles | The attribute that will be extracted from the identity response and used as the role.
authentication.oauth2.identity.attribute.roles.pattern | Takes a regex used to extract the roles from the OAuth 2.0 server identity response. contains two roles, admin and designer
authentication.oauth2.identity.attribute.username | The attribute that will be extracted from the identity response and used as the username.
authentication.oauth2.identity.url | The URL to the REST service that provides details about the authenticated user.
authentication.oauth2.login.callback.url | The callback URL. The URL should be the same as one of the specified callback URLs
authentication.oauth2.login.response.type | The response type. The only response type that is currently supported is code. The
authentication.oauth2.login.redirect.url | Redirects the user to the specified URL after successfully logging in. This property
authentication.oauth2.login.scope | The requested scope. The property can be left blank.
authentication.oauth2.login.url | The URL to the OAuth 2.0 login resource. This field can be left blank.
authentication.oauth2.logout.redirect.url | Logging out revokes the token from the authentication server if the property authentication.oauth2.logout.url
authentication.oauth2.logout.url | The URL to the OAuth 2.0 logout resource. This property can be left blank.
authentication.oauth2.token.method | The method on how the token should be retrieved. Supported values are QUERY, BODY,
authentication.oauth2.token.url | The URL to the OAuth 2.0 token resource.
access.default.roles | The default role that will be assigned to everyone to execute a specific service.
access.administrator.groups | The list of administrator roles authenticated by the OAuth 2.0 server.
access.designer.groups | The list of designer roles authenticated by the OAuth 2.0 server.
access.viewer.groups | The list of viewer roles authenticated by the OAuth 2.0 server.
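The following is an added example, not Panopticon's own code, that models how the role properties above combine: the roles attribute is read from the identity response, the optional regex pattern is applied to it, VIEWER is used when nothing is found, and the result is matched against the access.*.groups lists. The property values and identity responses are constructed, and the regex semantics (group 1 of each match is a role name) are an assumption about the real implementation.

```python
import json
import re

# Constructed property values mirroring the keys documented above.
PROPERTIES = {
    "authentication.oauth2.identity.attribute.roles": "roles",
    "authentication.oauth2.identity.attribute.roles.pattern": r"panopticon:(\w+)",
    "authentication.oauth2.identity.attribute.username": "preferred_username",
    "access.administrator.groups": "ADMIN",
    "access.designer.groups": "DESIGNER",
    "access.viewer.groups": "VIEWER",
}
DEFAULT_ROLE = "VIEWER"  # used when the roles attribute is absent or yields nothing


def extract_roles(identity_json: str, props: dict = PROPERTIES) -> list:
    """Return the role names found in an identity-service response.

    The attribute may hold a JSON list (e.g. ["VIEWER","DESIGNER"]) or a single
    string. When a pattern is configured (assumed semantics), group 1 of every
    match becomes one role; with no matches the default role applies.
    """
    identity = json.loads(identity_json)
    raw = identity.get(props["authentication.oauth2.identity.attribute.roles"])
    if raw is None:
        return [DEFAULT_ROLE]
    values = raw if isinstance(raw, list) else [raw]
    pattern = props.get("authentication.oauth2.identity.attribute.roles.pattern")
    if pattern:
        regex = re.compile(pattern)
        values = [m.group(1) if m.groups() else m.group(0)
                  for v in values for m in regex.finditer(str(v))]
    return [str(v) for v in values] or [DEFAULT_ROLE]


def effective_access(roles: list, props: dict = PROPERTIES) -> str:
    """Map extracted roles to the highest matching access.*.groups level."""
    def group(key: str) -> set:
        return {g.strip() for g in props.get(key, "").split(",") if g.strip()}

    have = set(roles)
    if have & group("access.administrator.groups"):
        return "administrator"
    if have & group("access.designer.groups"):
        return "designer"
    return "viewer"
```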
(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.