Spotfire® Server and Environment - Installation and Administration

Custom authentication

The Spotfire Server provides an implementation of the com.spotfire.server.security.CustomAuthenticator interface, Rfc9068AccessTokenCustomAuthenticator, which accepts JWT access tokens that adhere to the RFC 9068 specification.

About this task

See RFC 9068 for the full specification of JWT access tokens.

Procedure

  1. Enable External Authentication on the server using the configuration tool or the config-external-auth command-line command.
  2. As the Source, select Custom Authenticator and provide the fully qualified class name com.spotfire.server.security.Rfc9068AccessTokenCustomAuthenticator.
  3. Provide the initialization parameters of your choice:
    • source_type: where to retrieve the token from. Supported values are attribute, header and cookie. The default is header.
    • source_name: the name of the attribute/header/cookie containing the token.
    • source_regex: optional. A regular expression that can be used for retrieving the actual token from an attribute/header/cookie value that contains more things (the contents of the first capturing group will be used).
    • metadata_uri: the URI to an OAuth2 metadata document. Mandatory unless expected_issuer and jwks or jwks_uri are specified.
    • expected_issuer: the expected issuer of the token. Mandatory unless metadata_uri is specified.
    • jwks: a JWKS with the public key needed to verify the signature. Mandatory unless metadata_uri or jwks_uri is specified.
    • jwks_uri: the URI to a JWKS with the public key needed to verify the signature. Mandatory unless metadata_uri or jwks is specified.
    • jws_alg: the expected signature algorithm. Optional (if not specified then any algorithm will be accepted).
    • max_clock_skew_seconds: the maximum clock skew (in seconds) to be accepted when verifying timestamps. Default is 60 seconds.
    • validate_audience: true if the audience of the token should be validated. If the expected_audience is defined, the token received is validated against the value in expected_audience; if no expected_audience is specified, the validation is done against the public address of the Spotfire Server. Set to false to not validate the audience. The default is true.
    • expected_audience: the expected audience. Optional.
    • username_claim: the claim from which to extract the username. Default is sub.
    • email_claim: the claim from which to extract the email address. Default is no value.
    • display_name_claim: the claim from which to extract the display name. Default is no value.
    • domain_option: the way the domain of the user is determined. Supported values are: use_domain_claim, use_static_domain and parse_username_claim. The default is use_domain_claim.
    • domain_claim: the claim from which to extract the domain. Default is iss.
    • domain: the name of the domain to use. Mandatory if the value of domain_option is use_static_domain.
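The following Python sketch is an added illustration, not Spotfire's own code: it walks through the checks the parameters above configure (token extraction via source_regex, the jws_alg, expected_issuer, audience and clock-skew checks, and the three domain_option modes) on a constructed token. Signature verification against the JWKS is assumed to have happened before validate_claims and is not implemented; the parse_username_claim format is assumed to be user@domain, which the page does not define.

```python
import base64, json, re, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_sample_token(claims, alg="RS256"):
    """Constructed test token; the signature part is a placeholder, not a real signature."""
    header = {"typ": "at+jwt", "alg": alg}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + ".placeholder"

def extract_token(source_value, source_regex=None):
    """Like source_regex: the first capturing group is the token; without a regex, the whole value."""
    if source_regex is None:
        return source_value
    m = re.search(source_regex, source_value)
    return m.group(1) if m else None

def validate_claims(token, params, server_address, now=None):
    """Claim checks mirroring the documented parameters (JWKS signature check assumed done already)."""
    now = time.time() if now is None else now
    header, claims = (json.loads(_b64url_decode(p)) for p in token.split(".")[:2])
    if "jws_alg" in params and header.get("alg") != params["jws_alg"]:
        raise ValueError("unexpected signature algorithm")  # with jws_alg unset, any alg is accepted
    if claims.get("iss") != params["expected_issuer"]:
        raise ValueError("issuer mismatch")
    if params.get("validate_audience", "true") == "true":
        expected = params.get("expected_audience", server_address)  # fallback: server public address
        aud = claims.get("aud")
        if expected not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
    skew = int(params.get("max_clock_skew_seconds", 60))
    if claims["exp"] + skew < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - skew > now:
        raise ValueError("token not yet valid")
    username = claims[params.get("username_claim", "sub")]
    option = params.get("domain_option", "use_domain_claim")
    if option == "use_domain_claim":
        domain = claims[params.get("domain_claim", "iss")]
    elif option == "use_static_domain":
        domain = params["domain"]
    else:  # parse_username_claim: assumed user@domain here (format not defined on the page)
        username, domain = username.rsplit("@", 1)
    return {"username": username, "domain": domain}

def authenticate(header_value, params, server_address, now=None):
    """End-to-end: pull the token from the configured source value, then validate its claims."""
    token = extract_token(header_value, params.get("source_regex"))
    if token is None:
        raise ValueError("no token found in " + params.get("source_name", "header"))
    return validate_claims(token, params, server_address, now)
```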