AppAuth/OIDC

AppAuth/Generic OAuth2 configuration will support login through the BlueFletch Browser, as well as Chrome Custom Tabs. The authenticating browser is defined by the browser value.

FieldDescription

issuer_url

string The configured issuer URL for the identity provider.

client_id

string The configured client ID for this application.

redirect_url

string The configured redirect callback URL for this application. The recommended callback URL is "com.bluefletch.launcher:/callback". However, if the identity provider only supports HTTPS redirect URLs, use "https://us-central1-bluefletch-ems.cloudfunctions.net/launcherRedirect/auth". Starting in Auth4, the redirect callback URL should be com.bluefletch.ems.auth://callback

redirect_url_verify

string Specifies the redirect URL used when refreshing cookies during the verification after reauthentication. Always set the value as "com.bluefletch.ems.auth://verified". Requires the Launcher settings configuration to also have verifyIdpOnReauth set to true.

scopes

string The OpenID scope values required for the identity provider.

baseUrl

string Base URL for the identity provider.

authorize_url

string The full URL for the authorize endpoint for the identity provider.

token_url

string The full URL for the token endpoint for the identity provider.

logout_url

string The full URL for the logout endpoint for the identity provider.

logout_redirect

string The full URL for the logout redirection location for your IdP. Default is "com.bluefletch.ems.auth://logout".

userinfo_url

string The full URL of the userInfo endpoint for the identity provider.

resource

string Specifies the host to access for a token during login when the IdP does not provide it through userinfo_url. Used in Azure AD authentication (e.g "https://graph.microsoft.com").

alternateResource

string Specifies an additional resource for which the access token should be valid. By default, Azure generates an encrypted access token for use with Microsoft Graph. By specifying an alternate host, the token becomes a standard access token. (e.g. https://graph.windows.net or api://com.bluefletch.ems.auth). Available starting version 4.8.17.

login_hint

string Hint to be displayed for the username field on the identity provider login page.

ignoreExpiresIn

boolean If true, instructs the launcher to refresh the token based on the refreshThresholdInMins value instead of the expiration indicated in the token.

browser

string Specifies the browser package name to execute the authorize call. Default is "com.android.chrome".

refreshThresholdInMins

integer The number of minutes after which the launcher will automatically refresh the token if ignoreExpiresIn is set to true.

auth_location_field

string An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with auth_location_regex.

auth_location_regex

string A regular expression to extract the location value from the location field. Used in conjunction with auth_location_field.

auth_group_field

string An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with auth_group_regex.

auth_group_regex

string A regular expression to match against the group information. Used in conjunction with auth_group_field.

auth_group_regex_true

string If the regular expression auth_group_regex returns true (found a value), will use this group value.

auth_default_group

string A default group.

auth_role_field

string An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with auth_role_regex. Available in Auth 1.1.x.

auth_role_regex

string A regular expression to match against the role information. Used in conjunction with auth_role_field.

auth_role_regex_true

string If the regular expression auth_role_regex returns true (found a value), will use this role value.

auth_default_role

string A default user role.

claim_userId

string The claim in the access token that contains the user ID of the logged-in user.

claim_username

string The claim in the access token that contains the display name of the logged-in user.

claim_groups

string The claim in the access token that contains the logged-in user's membership groups.

userinfo_attrs

string A comma-delimited list of names indicating the field names within the userInfo response that should be copied into the session extended attributes collection. This provides the ability to get optional data points.

fieldForProfileManagerOAuth

string Identifies the field to use when building the Profile Manager / PTT Pro OAuth value. By default, OAuth is set to the logged-in user id. Setting this key to another field allows for using another claim in the Access token or User Information request object. Supports replacement format, for example: 

"${userId}@domainhere.com"

Example:

...
  "auth_oauth2": {
    "client_id": "com.bluefletch.ems.auth",
    "redirect_url": "com.bluefletch.launcher:/callback",
    "baseUrl": "https://oauth2server.bluefletch.com",
    "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
    "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
    "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
    "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
    "scopes": "openid profile offline_access groups",
    "claim_userId": "upn",
    "claim_username": "commonname",
    "claim_groups": "memberof",
    "browser": "com.bluefletch.ems.browser"
}
...

Okta Example:

"auth_oauth2": {
        "issuer_url": "https://dev.oktapreview.com",
        "client_id": "0o5o9hn89wN4AAhhJ0h7",
        "redirect_url": "com.bluefletch.ems.auth://callback",
        "browser": "com.bluefletch.ems.browser",
        "scopes": "openid profile offline_access groups",
        "logout_redirect": "com.bluefletch.ems.auth://logout"
    },
PreviousLDAPNextOkta (Session)

Last updated