config-rfc-9068-token-exchange-authenticator

config-rfc-9068-token-exchange-authenticator 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
[-e <true|false> | --enabled=<true|false>] 
[--metadata-uri=value] 
[--expected-issuer=value] 
[--jwks=value] 
[--jwks-uri=value] 
[--jws-alg=value] 
[--jwe-alg=value] 
[--jwe-enc=value] 
[--decryption-jwks=value] 
[--max-clock-skew-seconds=value] 
[--validate-aud-claim=<true|false>] 
[--validate-may-act-claim=<true|false>] 
[--validate-scope-claim=<true|false>] 
[--expected-audience=value] 
[--username-claim=value] 
[--display-name-claim=value] 
[--email-claim=value] 
[--domain-claim=value] 
[--domain-name=value] 
[--domain-option=value] 
[--clear-jws-alg=<true|false>] 
[--clear-jwe-alg=<true|false>] 
[--clear-jwe-enc=<true|false>] 
[--clear-decryption-jwks=<true|false>] 
[--clear-display-name-claim=<true|false>] 
[--clear-email-claim=<true|false>]

Overview

This command is used for configuring the RFC 9068 token authenticator for use with the Token Exchange grant in the built-in OAuth2 Authorization Server.

Options


Option	Optional or Required	Default Value	Description
`-c value --configuration=value`	Optional	configuration.xml	The path to the server configuration file.
`-b value --bootstrap-config=value`	Optional	none	The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.
`-e <true\|false> --enabled=<true\|false>`	Optional	none	Specifies whether or not the Token Exchange grant should be enabled.
`--metadata-uri=value`	Optional		The URI to an OAuth 2.0 Authorization Server Metadata document containing the basic information needed to verify subject tokens. The document must contain an 'issuer' and a 'jwks_uri'. If this argument is not specified then `--expected-issuer` and `--jwks` or `--jwks-uri` must be specified if the value of `--enabled` is 'true'.
`--expected-issuer=value`	Optional	none	The expected issuer of the subject tokens. This argument is mutually exclusive with the `--metadata-uri` argument.
`--jwks=value`	Optional	none	A JSON Web Key Set (JWKS) containing the keys needed to verify subject token signatures. This argument is mutually exclusive with the `--metadata-uri` and `--jwks-uri` arguments.
`--jwks-uri=value`	Optional	none	The URI to a JSON Web Key Set (JWKS) containing the keys needed to verify subject token signatures. This argument is mutually exclusive with the `--metadata-uri` and `--jwks` arguments.
`--jws-alg=value`	Optional	none	The expected JWS algorithm ('alg' value). If no algorithm is specified any (supported) algorithm, except 'none', is accepted.
`--jwe-alg=value`	Optional	none	The expected JWE algorithm ('alg' value). If no algorithm is specified any (supported) algorithm is accepted.
`--jwe-enc=value`	Optional	none	The expected JWE encryption method ('enc' value). If no encryption method is specified any (supported) encryption method is accepted.
`--decryption-jwks=value`	Optional	none	A JSON Web Key Set (JWKS) containing the keys needed to decrypt subject tokens. If no value is provided then subject tokens must be unencrypted.
`--max-clock-skew-seconds=value`	Optional	60	The maximum clock skew (in seconds) to be accepted when validating the expiration time.
`--validate-aud-claim=<true\|false>`	Optional	true	Specifies whether the 'aud' claim should be validated or not.
`--validate-may-act-claim=<true\|false>`	Optional	true	Specifies whether the 'may_act' claim (if present) should be validated or not.
`--validate-scope-claim=<true\|false>`	Optional	true	Specifies whether the 'scope' claim (if present) should be validated or not.
`--expected-audience=value`	Optional	The URI of the Spotfire Server OAuth2 Token Endpoint	The expected value of the 'aud' claim.
`--username-claim=value`	Optional	sub	The name of the claim to use as username for the authenticated users. May for example be 'email' but note that only 'sub' is guaranteed by the RFC 9068 specification to be present. The name of the claim is case sensitive.
`--display-name-claim=value`	Optional	none	The name of the claim to use as display name for the authenticated users. The name of the claim is case sensitive. If no value is provided then the value of the username claim will be used.
`--email-claim=value`	Optional	none	The name of the claim to use as email address for the authenticated users. The name of the claim is case sensitive. If no value is provided then no email address will be extracted.
`--domain-claim=value`	Optional	iss	The name of the claim to use as domain name for the authenticated users. The name of the claim is case sensitive. May only be specified if the value of the `--domain-option` is 'use_domain_claim'.
`--domain-name=value`	Optional	none	The domain name which to assign the authenticated users to. This argument is optional unless the value of the `--domain-option` is 'use_static_domain'.
`--domain-option=value`	Optional	use_domain_claim	The way the domain of authenticated users will be established. May be one of 'use_domain_claim', 'use_static_domain' and 'parse_username_claim'.
`--clear-jws-alg=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured JWS algorithm.
`--clear-jwe-alg=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured JWE algorithm.
`--clear-jwe-enc=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured JWE encryption method.
`--clear-decryption-jwks=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured decryption JWKS.
`--clear-display-name-claim=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured display name claim.
`--clear-email-claim=<true\|false>`	Optional	false	Specifying this flag will clear any previously configured email claim.

Examples

Basic configuration (using an Authorization Server Metadata document):

config-oauth-server-token-exchange --enabled=true --metadata-uri=https://as.example.com/.well-known/oauth-authorization-server

To assign users to the default SPOTFIRE domain:

config-oauth-server-token-exchange --enabled=true --metadata-uri=https://as.example.com/.well-known/oauth-authorization-server --domain-option=use_static_domain --domain-name=SPOTFIRE

To also extract the display name and email address of users:

config-oauth-server-token-exchange --enabled=true --metadata-uri=https://as.example.com/.well-known/oauth-authorization-server --display-name-claim=name --email-claim=email

Background

OAuth2 Token Exchange (RFC 8693) allows the Spotfire Server to delegate certain authentication and authorization decisions to an external third-party Authorization Server. This is useful, for example, when embedding Spotfire in a portal, using the JavaScript API, by providing the possibility of a true single sign-on experience.

To use the feature, the Spotfire Server must be configured to trust subject tokens issued by the external authorization server. The subject tokens must comply with the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068). See also Using an external authorization server.