Open ID Authentication

You can configure the OpenID Authentication policy by using the Open ID Authentication resource template. The fields of the template are described below.

Description (optional)

A description for the OpenID resource.
Access token URI

The REST OpenID token service URI, which is used to obtain an ID Token for the authenticated user.

Note: Using the OpenID Access Token is not currently supported in ActiveMatrix Service Grid - Container Edition. The OpenID ID Token is used to identify the user.

This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.

Examples:

Google: https://www.googleapis.com/oauth2/v3/token

Microsoft AD FS: https://host:port/adfs/oauth2/token

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application.

Client ID

The ID that identifies the client at the Identity Provider (IdP). This and the Client Secret (see below) are obtained from the IdP when the client registers an application with the IdP to provide authentication for users.

Client Secret

The password for the Client ID account. See the description above.
Redirect URI

The URI to which the IdP redirects the user after authenticating the user and generating an ID Token.

http://host:port/appPath

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application, and

  • appPath is the path to your Web application.

Note: This URI must exactly match the Redirect URI that was specified when registering the application with the IdP.

Authorization URI

The REST Open ID user claims/information service URI, which is used to obtain user profile information.

This URI can be obtained from the IdP's website on which they describe how to register an application with the IdP.

Examples:

Google: https://accounts.google.com/o/oauth2/auth

Microsoft AD FS: https://host:port/adfs/oauth2/authorize

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application.

Auth Scope (optional)

Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details.

The openid scope is included by default, even though it does not appear in the Auth Scope field. (The openid scope causes the sub claim to be returned, which uniquely identifies the user.) However, any scope entered in the Auth Scope field replaces the default value of openid rather than adding to it. Therefore, if your IdP requires the openid scope plus another scope, you must also specify openid explicitly. Specify the scopes required by your IdP.

Examples:

Google and Microsoft AD FS: openid, email

Multiple scopes can be comma- or space-separated in the Auth Scope field.

User Key (optional)

From the list of claims that are returned from the IdP (based on the scope), this specifies the field that is used as a User ID.

For example:

Google and Microsoft AD FS: email

JSON Web Key Set URI

The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP.

This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.

Examples:

Google: https://www.googleapis.com/oauth2/v3/certs

Microsoft AD FS: https://host:port/adfs/discovery/keys

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application.

Logout Path

When a user logs out of a TIBCO ActiveMatrix Web application, the browser sends this value to the TIBCO ActiveMatrix server. This property must be set to:

/logout

This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the SignOutURL property (see below).

Signout URL

Upon receiving /logout in the LogOutPath property, the server uses this URL to send the IdP a request to log the user out of the IdP.

The Signout URL is specific to the IdP.

Examples:

Google: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://host:port/appPath/logout

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application, and

  • appPath is the path to the application's landing page.

Microsoft AD FS: https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath

Here,

  • host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix,

  • port is the port used by the application, and

  • appPath is the path to the application's landing page.

Unauthorized Redirect Requests (optional)

Specifies whether it is the responsibility of the application to handle unauthorized redirect requests. Select this option if you want the application to handle unauthorized requests and forward them to the appropriate location. For example, TIBCO ActiveMatrix BPM handles unauthorized requests. Therefore, for TIBCO ActiveMatrix BPM applications, this option must be selected.

Enable PKCE (optional)

Proof Key for Code Exchange (PKCE), defined in OAuth 2.0 RFC 7636, adds an extra layer of security to the Authorization Code flow to prevent several interception attacks. The PKCE technique uses two values, called the Code Verifier and the Code Challenge.

Select the Enable PKCE check box to enable the PKCE.

By default, the Enable PKCE check box is not selected in Application Configurator and ActiveMatrix Administrator. When you generate the configuration YAML file from Application Configurator or Application Extractor without selecting the Enable PKCE check box, the enablePKCE field is not generated in the configuration YAML file.

If you want to use PKCE at runtime, you must manually add "enablePKCE: true" to the configuration YAML file at the correct location. Alternatively, upload the configuration YAML file in Application Configurator, select the Enable PKCE check box, and generate the configuration YAML file again.
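As an added example (not TIBCO code), the following Python shows how the Auth Scope rule described above and the PKCE Code Verifier/Code Challenge pair translate into the authorization request the client sends to the Authorization URI. The function names and the sample values are assumptions for illustration; the RFC 7636 S256 method is used for the challenge.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Added example, not part of the product. Function names are assumptions.


def resolve_scopes(auth_scope_field):
    """Apply the Auth Scope rule: an empty field means 'openid' only; any
    entered value replaces the default outright (openid is NOT re-added)."""
    entries = [s for s in re.split(r"[,\s]+", auth_scope_field.strip()) if s]
    return entries if entries else ["openid"]


def pkce_pair(verifier=None):
    """RFC 7636: the verifier is a high-entropy unreserved-character string;
    the S256 challenge is BASE64URL(SHA256(ASCII(verifier))) without padding."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(authorization_uri, client_id, redirect_uri,
                                auth_scope_field="", enable_pkce=False,
                                state=None, verifier=None):
    """Return (url, code_verifier). code_verifier is None when PKCE is off;
    when it is on, the client must keep it to present with the token request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI registered at the IdP
        "scope": " ".join(resolve_scopes(auth_scope_field)),
        "state": state or secrets.token_urlsafe(16),  # CSRF binding for the callback
    }
    code_verifier = None
    if enable_pkce:
        code_verifier, challenge = pkce_pair(verifier)
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return authorization_uri + "?" + urlencode(params), code_verifier


if __name__ == "__main__":
    # Constructed sample: AD FS-style URIs with placeholder host:port values.
    url, cv = build_authorization_request(
        "https://host:port/adfs/oauth2/authorize", "CLIENT_ID_PLACEHOLDER",
        "http://host:port/appPath", auth_scope_field="email", enable_pkce=True)
    print(url)          # note: scope=email only, openid was overridden
    print("verifier:", cv)
```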

Sample *config.yaml file:

openIDs:
  - name: DefaultOpenIDAsp
    operation: ADD
    description: This is updated using Application Configurator (1.0.1)
    accessTokenURI: https://example.adfs.com/adfs/oauth2/token        # Access token URI
    authorizationURI: https://example.adfs.com/adfs/oauth2/authorize  # Authorization URI
    clientID: a486d00b-9863-4913-b9b8-22f369785fa3
    clientSecret: '#!92JiizlfpjhZ+TWr'   # quoted: an unquoted leading '#' would start a YAML comment
    enablePKCE: true                     # present only when Enable PKCE is selected
    jwksUrl: https://example.adfs.com/adfs/discovery/keys             # JSON Web Key Set URI
    logOutPath: /logoutpath
    redirectURI: http://10.102.170.99:9895/helloworld/sayHello        # must match the IdP registration
    signOutURL: https://example.adfs.com/adfs/ls/?wa=wsignout1.0