Spotfire Server and Environment - Quick Start

config-oidc

Configures authentication using OpenID Connect.

config-oidc 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
[-e <true|false> | --enabled=<true|false>] 
[--third-party-login-init-enabled=<true|false>] 
[--rp-initiated-logout-enabled=<true|false>] 
[--back-channel-logout-enabled=<true|false>] 
[--front-channel-logout-enabled=<true|false>] 
[--front-channel-logout-session-required=<true|false>] 
[-s | --set-provider] 
[-r | --remove-provider] 
[-n value | --provider-name=value] 
[--provider-enabled=<true|false>] 
[--provider-discovery-url=value] 
[--provider-client-id=value] 
[--provider-client-secret=value] 
[--provider-domain-option=value] 
[--provider-domain-name=value] 
[--provider-username-claim=value] 
[--provider-display-name-claim=value] 
[--provider-email-claim=value] 
[--provider-domain-claim=value] 
[--provider-id-token-signing-alg=value] 
[--provider-id-token-signature-verification-disabled=<true|false>] 
[--provider-token-endpoint-auth-method=value]
[--provider-revocation-endpoint-auth-method=value] 
{-Svalue} 
[--provider-auth-request-prompt-value=value]
[--provider-clear-resources=<true|false>] 
{-Rvalue} 
[--provider-include-resource-in-auth-req=<true|false>] 
[--provider-include-resource-in-token-req=<true|false>] 
[--provider-clear-custom-params] 
{-Pkey=value} 
[--provider-include-id-token-hint=<true|false>] 
[--provider-include-login-hint=<true|false>] 
[--provider-login-hint-claim=value] 
[--provider-pushed-authorization-request-enabled=<true|false>]
[--provider-use-pkce=<true|false>]
[--provider-bg-color=value] 
[--provider-available-to-data-sources=<true|false>]

Overview

Use this command to configure authentication against one or more external providers using OpenID Connect. Authentication using OpenID Connect may be combined with username/password-based authentication and/or custom web authentication.

Options

-c value, --configuration=value
    Optional. Default: configuration.xml.
    The path to the server configuration file.

-b value, --bootstrap-config=value
    Optional. Default: none.
    The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.

-e <true|false>, --enabled=<true|false>
    Optional. Default: true.
    Specifies whether OpenID Connect should be enabled.

--third-party-login-init-enabled=<true|false>
    Optional. Default: true.
    Specifies whether Third Party Login Initiation should be enabled.

--rp-initiated-logout-enabled=<true|false>
    Optional. Default: false.
    Specifies whether RP-Initiated Logout should be enabled. If enabled, web users logging out from Spotfire are also logged out from the provider (if the provider supports it).
    Note: The End-Session Post Logout Redirect URI must be registered with the provider to use this feature.

--back-channel-logout-enabled=<true|false>
    Optional. Default: false.
    Specifies whether Back-Channel Logout should be enabled. If enabled, users logging out from the provider can also be logged out from Spotfire (if the provider supports it).

--front-channel-logout-enabled=<true|false>
    Optional. Default: false.
    Specifies whether Front-Channel Logout should be enabled. If enabled, web users logging out from the provider can also be logged out from Spotfire (if the provider supports it).

--front-channel-logout-session-required=<true|false>
    Optional. Default: true.
    Specifies whether the 'iss' (issuer) and 'sid' (session ID) query parameters must be included in Front-Channel Logout requests.

-s, --set-provider
    Optional. Default: none.
    Indicates that a provider configuration should be set (replaces the configuration of any existing provider with the same name). Cannot be specified together with --remove-provider.

-r, --remove-provider
    Optional. Default: none.
    Indicates that a provider configuration should be removed. Cannot be specified together with --set-provider.

-n value, --provider-name=value
    Optional unless --set-provider or --remove-provider is specified. Default: none.
    The name of the provider to set or remove. Normally displayed to end users on the login page.

--provider-enabled=<true|false>
    Optional unless --set-provider is specified. Default: true.
    Specifies whether the provider should be enabled.

--provider-discovery-url=value
    Optional unless --set-provider is specified. Default: none.
    The URL of the provider's OpenID Connect Discovery document.

--provider-client-id=value
    Optional unless --set-provider is specified. Default: none.
    The client ID given by the provider during registration.

--provider-client-secret=value
    Optional unless --set-provider is specified. Default: none.
    The client secret given by the provider during registration.

--provider-domain-option=value
    Optional. Default: use_domain_claim.
    How the domain of authenticated users is established. Can be one of the following.
      • use_domain_claim
      • use_static_domain
      • parse_username_claim

--provider-domain-name=value
    Optional unless --provider-domain-option is 'use_static_domain'. Default: the value of the 'issuer' claim.
    The domain name to assign to the authenticated users.

--provider-username-claim=value
    Optional. Default: sub.
    The name of the claim to use as username for the authenticated users. Can be email, for example. The name of the claim is case sensitive.
    Note: Only sub is guaranteed to be a unique and stable identifier.

--provider-display-name-claim=value
    Optional. Default: name.
    The name of the claim to use as the display name for the authenticated users. The name of the claim is case sensitive.

--provider-email-claim=value
    Optional.
    The name of the claim to use as email address for the authenticated users. The name of the claim is case sensitive.

--provider-domain-claim=value
    Optional. Default: 'iss'.
    The name of the claim to use as the domain name for the authenticated users. The name of the claim is case sensitive. Can be specified only if --provider-domain-option is 'use_domain_claim'.

--provider-id-token-signing-alg=value
    Optional. Default: all algorithms listed as supported in the Discovery Document are accepted.
    The ID token signature algorithm to expect.

--provider-id-token-signature-verification-disabled=<true|false>
    Optional. Default: false.
    Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens.

--provider-token-endpoint-auth-method=value
    Optional. Default: one of the methods listed as supported in the Discovery Document is used.
    The authentication method to use when communicating with the provider's Token Endpoint. Can be one of the following.
      • client_secret_basic
      • client_secret_post
      • client_secret_jwt
    private_key_jwt is not supported.

--provider-revocation-endpoint-auth-method=value
    Optional. Default: one of the methods listed as supported in the Discovery Document is used.
    The authentication method to use when communicating with the provider's Revocation Endpoint. Can be one of the following.
      • client_secret_basic
      • client_secret_post
      • client_secret_jwt
    private_key_jwt is not supported.

-Svalue
    Optional. Default: openid, profile, email.
    A scope to include in the authentication request (besides openid, which is always included). Can be specified multiple times with different values.

--provider-auth-request-prompt-value=value
    Optional. Default: the parameter is omitted from the request.
    The value to give the prompt request parameter when making the authentication request. Controls how the provider prompts the end user. Can be one of the following.
      • none
      • login
      • consent
      • select_account
    The value none cannot be combined with any other value.

--provider-clear-resources=<true|false>
    Optional. Default: false.
    Clears the resource indicators from the provider configuration. Use this flag together with -R to remove all old resource indicators before adding new ones.

-Rvalue
    Optional.
    A resource indicator (as defined in RFC 8707) to include, using the 'resource' parameter, in authorization requests. Can be specified multiple times with different values.

--provider-include-resource-in-auth-req=<true|false>
    Optional. Default: false.
    Specifies whether an RFC 8707 resource indicator (when available) should be included as a 'resource' parameter in requests to the Authorization Endpoint.

--provider-include-resource-in-token-req=<true|false>
    Optional. Default: false.
    Specifies whether an RFC 8707 resource indicator (when available) should be included as a 'resource' parameter in requests to the Token Endpoint.

--provider-clear-custom-params
    Optional. Default: none.
    Clears the custom parameters from the provider configuration. Use this flag together with -P to remove all old custom parameters before adding new ones.

-Pkey=value
    Optional. Default: none.
    A custom parameter to include in the authentication request. Must not be any of the parameters controlled through other settings (such as scope or prompt). Can be specified multiple times with different keys.

--provider-include-id-token-hint=<true|false>
    Optional. Default: false.
    Indicates whether the id_token_hint parameter should be included in the authentication request (when an ID token is available, for example when users re-authenticate after an absolute session timeout). The id_token_hint parameter should not be used together with the login_hint parameter.

--provider-include-login-hint=<true|false>
    Optional. Default: false.
    Indicates whether the login_hint parameter should be included in the authentication request (when a value is available, for example when users re-authenticate after an absolute session timeout). The login_hint parameter should not be used together with the id_token_hint parameter.

--provider-login-hint-claim=value
    Optional unless --provider-include-login-hint is specified. Default: none.
    The name of the claim to use as the value of login_hint. Typical values are email, sub or preferred_username.

--provider-bg-color=value
    Optional. Default: none.
    The background color of the provider's button on the login page (when applicable), as a hexadecimal color value.

--provider-pushed-authorization-request-enabled=<true|false>
    Optional. Default: true.
    Specifies whether to use RFC 9126 pushed authorization requests (PAR), if they are supported by the provider.

--provider-use-pkce=<true|false>
    Optional. Default: true.
    Specifies whether PKCE (RFC 7636) should be used, if it is supported by the provider according to the Discovery Document.

--provider-available-to-data-sources=<true|false>
    Optional. Default: true.
    Specifies whether tokens from the provider should be available to data sources (besides being used for authentication).
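As an added example (not part of the Spotfire documentation or product), a pre-flight check in Python that applies the constraints stated in the option table above to a provider definition before rendering the config-oidc --set-provider command line: the options required with --set-provider, --provider-domain-name with use_static_domain, the unsupported private_key_jwt method, prompt none not being combinable, id_token_hint and login_hint not being used together, --provider-login-hint-claim with --provider-include-login-hint, and a flag when ID token signature verification is disabled. The option names are the page's; the check_provider and render_command functions, the settings dict and all sample values (discovery URL, client ID, secret) are constructed here, and the short -S, -R and -P options are not covered.

```python
import shlex

# Allowed values and required options, as listed in the option table above.
AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}
REQUIRED_WITH_SET = ("provider-name", "provider-discovery-url", "provider-client-id", "provider-client-secret")

def check_provider(opts):
    """Return the problems in a --set-provider option set (empty list if consistent)."""
    problems = []
    for key in REQUIRED_WITH_SET:
        if not opts.get(key):
            problems.append(f"--{key} must be given with --set-provider")
    domain_option = opts.get("provider-domain-option", "use_domain_claim")
    if domain_option == "use_static_domain" and not opts.get("provider-domain-name"):
        problems.append("--provider-domain-name is required with use_static_domain")
    if "provider-domain-claim" in opts and domain_option != "use_domain_claim":
        problems.append("--provider-domain-claim is only valid with use_domain_claim")
    for key in ("provider-token-endpoint-auth-method", "provider-revocation-endpoint-auth-method"):
        if key in opts and opts[key] not in AUTH_METHODS:
            problems.append(f"--{key}={opts[key]} is not supported (private_key_jwt is not)")
    prompt = opts.get("provider-auth-request-prompt-value", "").split()
    if "none" in prompt and len(prompt) > 1:
        problems.append("prompt value none cannot be combined with any other value")
    login_hint = opts.get("provider-include-login-hint") == "true"
    if login_hint and opts.get("provider-include-id-token-hint") == "true":
        problems.append("id_token_hint and login_hint should not be used together")
    if login_hint and not opts.get("provider-login-hint-claim"):
        problems.append("--provider-login-hint-claim is required with --provider-include-login-hint")
    if opts.get("provider-id-token-signature-verification-disabled") == "true":
        problems.append("ID token signature verification is disabled; only for providers that do not sign ID tokens")
    return problems

def render_command(opts):
    """Render a checked option set as a config-oidc --set-provider command line."""
    problems = check_provider(opts)
    if problems:
        raise ValueError("; ".join(problems))
    return shlex.join(["config-oidc", "--set-provider"] + [f"--{k}={v}" for k, v in opts.items()])

# Constructed sample definition (placeholder discovery URL, client ID and secret).
SAMPLE = {
    "provider-name": "Corporate IdP",
    "provider-discovery-url": "https://idp.example.test/.well-known/openid-configuration",
    "provider-client-id": "spotfire-client",
    "provider-client-secret": "<client-secret-placeholder>",
    "provider-domain-option": "use_static_domain",
    "provider-domain-name": "corp",
    "provider-token-endpoint-auth-method": "client_secret_jwt",
}
```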