config-oauth-client
Configures the Spotfire Server in the role of an OAuth 2.0 client.
config-oauth-client
[-c value | --configuration=value]
[-b value | --bootstrap-config=value]
[-e <true|false> | --enabled=<true|false>]
[-s | --set-authz-server]
[-r | --remove-authz-server]
[-n value | --authz-server-name=value]
[--authz-server-enabled=<true|false>]
[--authz-server-metadata-url=value]
[--authz-server-metadata-file-path=value]
[--authz-server-client-id=value]
[--authz-server-client-secret=value]
[--authz-server-clear-grant-types=<true|false>]
{-Gvalue}
[--authz-server-token-endpoint-auth-method=value]
[--authz-server-revocation-endpoint-auth-method=value]
[--authz-server-clear-resources=<true|false>]
{-Rvalue}
[--authz-server-clear-custom-params=<true|false>]
{-Pkey=value}
[--authz-server-include-resource-in-auth-req=<true|false>]
[--authz-server-include-resource-in-token-req=<true|false>]
[--authz-server-pushed-authorization-request-enabled=<true|false>]
[--authz-server-use-pkce=<true|false>]
Overview
This command configures the Spotfire Server to act as an OAuth 2.0 client towards one or more OAuth 2.0 Authorization Servers. In this role, the Spotfire Server can use OAuth 2.0 to obtain an access token for calling external services (for example, to fetch data). To configure user authentication through OpenID Connect, see the 'config-oidc' command.
Options
| Option | Optional or Required | Default Value | Description |
|---|---|---|---|
| -c value, --configuration=value | Optional | configuration.xml | The path to the server configuration file. |
| -b value, --bootstrap-config=value | Optional | | The path to the bootstrap configuration file. See the bootstrap.xml help topic for more information about this file. |
| -e <true\|false>, --enabled=<true\|false> | Optional | true | Specifies whether the OAuth 2.0 client role should be enabled. |
| -s, --set-authz-server | Optional | | Indicates that an Authorization Server configuration should be set (will replace the configuration for any existing Authorization Server with the same name). Cannot be specified together with |
| -r, --remove-authz-server | Optional | | Indicates that an Authorization Server configuration should be removed. Cannot be specified together with |
| -n value, --authz-server-name=value | Optional, unless either --set-authz-server or --remove-authz-server has been specified. | | The name of the Authorization Server to set or remove. |
| --authz-server-enabled=<true\|false> | Optional, unless --set-authz-server has been specified. | true | Specifies whether the Authorization Server should be enabled. |
| --authz-server-metadata-url=value | Optional, unless --set-authz-server has been specified. | | The URL to the Authorization Server's OAuth 2.0 Authorization Server Metadata (or OpenID Connect Discovery document). |
| --authz-server-metadata-file-path=value | Optional, unless --set-authz-server has been specified, in which case it is mandatory unless --authz-server-metadata-url has been specified. | | The path to a file containing OAuth 2.0 Authorization Server Metadata (or OpenID Connect Discovery document). The Metadata will be incorporated into the configuration. The Metadata must adhere to the format of RFC 8414 and contain at least 'issuer', 'authorization_endpoint' and 'token_endpoint'. Note: Use of this option is discouraged. If possible, use the --authz-server-metadata-url argument instead. |
| --authz-server-client-id=value | Optional, unless --set-authz-server has been specified. | | The client ID given by the Authorization Server during registration. |
| --authz-server-client-secret=value | Optional, unless --set-authz-server has been specified. | | The client secret given by the Authorization Server during registration. |
| --authz-server-clear-grant-types=<true\|false> | Optional | false | By specifying this flag, the grant types are cleared from the Authorization Server configuration. This flag can be used together with the |
| -Gvalue | Optional | 'authorization_code', 'refresh_token' | A grant type that can be used with the Authorization Server. Valid values are ' |
| --authz-server-token-endpoint-auth-method=value | Optional | One of the algorithms listed as supported in the Metadata is used. | The authentication method to use when communicating with the Authorization Server's Token Endpoint. Can be one of the following: 'private_key_jwt' is not supported). |
| --authz-server-revocation-endpoint-auth-method=value | Optional | One of the algorithms listed as supported in the Metadata is used. | The authentication method to use when communicating with the Authorization Server's Revocation Endpoint. Can be one of the following: 'private_key_jwt' is not supported). |
| --authz-server-clear-resources=<true\|false> | Optional | false | By specifying this flag, the resource indicators are cleared from the Authorization Server configuration. This flag can be used together with the |
| -Rvalue | Optional | | A resource indicator (as defined in RFC 8707) that should be included (using the |
| --authz-server-clear-custom-params=<true\|false> | Optional | false | By specifying this flag, the custom parameters are cleared from the Authorization Server configuration. This flag can be used together with the |
| -Pkey=value | Optional | | A custom parameter that is included in the authorization request. Must not be any of the parameters controlled through other settings. This argument is optional and can be specified multiple times with different keys. |
| --authz-server-include-resource-in-auth-req=<true\|false> | Optional | false | Specifies whether an RFC 8707 resource indicator (when available) should be included as a 'resource' parameter in requests to the Authorization Endpoint. |
| --authz-server-include-resource-in-token-req=<true\|false> | Optional | false | Specifies whether an RFC 8707 resource indicator (when available) should be included as a 'resource' parameter in requests to the Token Endpoint. |
| --authz-server-pushed-authorization-request-enabled=<true\|false> | Optional | true | Specifies whether to use RFC 9126 pushed authorization requests (PAR), if they are supported by the Authorization Server. |
| --authz-server-use-pkce=<true\|false> | Optional | true | Specifies whether PKCE (RFC 7636) should be used (if it is supported by the Authorization Server, according to the Authorization Server Metadata). |
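
As a pre-flight check for a file passed to --authz-server-metadata-file-path, the following added example (not part of the Spotfire documentation or product) validates a metadata document against the three required fields and reports whether PKCE, PAR and a usable token endpoint authentication method are advertised. The name check_metadata, the https-only rule for the two endpoints, and the sample documents are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Fields the page says the metadata file must contain at least.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")

def check_metadata(doc: str) -> dict:
    """Pre-flight check of an RFC 8414 metadata document (hypothetical helper)."""
    errors, warnings = [], []
    try:
        meta = json.loads(doc)
        if not isinstance(meta, dict):
            raise ValueError("top level must be a JSON object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return {"errors": [f"invalid metadata: {exc}"], "warnings": [], "features": {}}
    for field in REQUIRED:
        value = meta.get(field)
        if not isinstance(value, str) or not value:
            errors.append(f"missing required field '{field}'")
            continue
        url = urlsplit(value)
        # RFC 8414 requires https for the issuer; applying it to the endpoints
        # as well is a policy choice of this example.
        if url.scheme != "https" or not url.netloc:
            errors.append(f"'{field}' must be an absolute https URL")
        if field == "issuer" and (url.query or url.fragment):
            errors.append("'issuer' must not carry a query or fragment")
    # RFC 8414 default when the list is omitted is client_secret_basic.
    methods = meta.get("token_endpoint_auth_methods_supported") or ["client_secret_basic"]
    # The page states that 'private_key_jwt' is not supported.
    usable = [m for m in methods if m != "private_key_jwt"]
    if not usable:
        warnings.append("only 'private_key_jwt' is advertised for the token endpoint")
    pkce = "S256" in (meta.get("code_challenge_methods_supported") or [])
    par = "pushed_authorization_request_endpoint" in meta  # RFC 9126
    if not pkce:
        warnings.append("PKCE with S256 is not advertised")
    features = {"pkce_s256": pkce, "par": par, "token_auth_methods": usable}
    return {"errors": errors, "warnings": warnings, "features": features}

# Constructed sample documents (not from a real Authorization Server).
GOOD = json.dumps({"issuer": "https://as.example.com",
                   "authorization_endpoint": "https://as.example.com/authorize",
                   "token_endpoint": "https://as.example.com/token",
                   "code_challenge_methods_supported": ["S256"],
                   "pushed_authorization_request_endpoint": "https://as.example.com/par"})
BAD = json.dumps({"issuer": "http://as.example.com?tenant=1",
                  "authorization_endpoint": "https://as.example.com/authorize",
                  "token_endpoint_auth_methods_supported": ["private_key_jwt"]})

if __name__ == "__main__":
    print(json.dumps({"GOOD": check_metadata(GOOD), "BAD": check_metadata(BAD)}, indent=2))
```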