# AppAuth/OIDC

| Field | Type | Description |
| --- | --- | --- |
| `issuer_url` | string | The configured issuer URL for the identity provider. |
| `client_id` | string | The configured client ID for this application. |
| `redirect_url` | string | The configured redirect callback URL for this application. The recommended callback URL is `"com.bluefletch.launcher:/callback"`. However, if the identity provider only supports HTTPS redirect URLs, use [https://us-central1-bluefletch-ems.cloudfunctions.net/launcherRedirect/auth](#urls). Starting in Auth4, the redirect callback URL should be `com.bluefletch.ems.auth://callback`. |
| `redirect_url_verify` | string | Specifies the redirect URL used when refreshing cookies during the verification after reauthentication. Always set the value to `"com.bluefletch.ems.auth://verified"`. Requires the Launcher `settings` configuration to also have `verifyIdpOnReauth` set to `true`. |
| `scopes` | string | The OpenID scope values required for the identity provider. |
| `baseUrl` | string | Base URL for the identity provider. |
| `authorize_url` | string | The full URL of the `authorize` endpoint for the identity provider. |
| `token_url` | string | The full URL of the `token` endpoint for the identity provider. |
| `logout_url` | string | The full URL of the `logout` endpoint for the identity provider. |
| `logout_redirect` | string | The full URL of the logout redirection location for your IdP. Default is `"com.bluefletch.ems.auth://logout"`. |
| `userinfo_url` | string | The full URL of the `userInfo` endpoint for the identity provider. |
| `resource` | string | Specifies the host to access for a token during login when the IdP does not provide it through `userinfo_url`. Used in Azure AD authentication (e.g. `"https://graph.microsoft.com"`). |
| `alternateResource` | string | Specifies an additional resource for which the access token should be valid. By default, Azure generates an encrypted access token for use with Microsoft Graph. By specifying an alternate host, the token becomes a standard access token (e.g. `https://graph.windows.net` or `api://com.bluefletch.ems.auth`). Available starting in version 4.8.17. |
| `login_hint` | string | Hint to be displayed for the username field on the identity provider login page. |
| `ignoreExpiresIn` | boolean | If `true`, instructs the launcher to refresh the token based on the `refreshThresholdInMins` value instead of the expiration indicated in the token. |
| `browser` | string | Specifies the browser package name used to execute the `authorize` call. Default is `"com.android.chrome"`. |
| `refreshThresholdInMins` | integer | The number of minutes after which the launcher automatically refreshes the token when `ignoreExpiresIn` is set to `true`. |
| `auth_location_field` | string | An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with `auth_location_regex`. |
| `auth_location_regex` | string | A regular expression that extracts the location value from the location field. Used in conjunction with `auth_location_field`. |
| `auth_group_field` | string | An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with `auth_group_regex`. |
| `auth_group_regex` | string | A regular expression matched against the group information. Used in conjunction with `auth_group_field`. |
| `auth_group_regex_true` | string | If the regular expression `auth_group_regex` matches (finds a value), this group value is used. |
| `auth_default_group` | string | The default group, used when `auth_group_regex` does not match. |
| `auth_role_field` | string | An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with `auth_role_regex`. Available in Auth 1.1.x. |
| `auth_role_regex` | string | A regular expression matched against the role information. Used in conjunction with `auth_role_field`. |
| `auth_role_regex_true` | string | If the regular expression `auth_role_regex` matches (finds a value), this role value is used. |
| `auth_default_role` | string | The default user role, used when `auth_role_regex` does not match. |
| `claim_userId` | string | The claim in the access token that contains the user ID of the logged-in user. |
| `claim_username` | string | The claim in the access token that contains the display name of the logged-in user. |
| `claim_groups` | string | The claim in the access token that contains the logged-in user's membership groups. |
| `userinfo_attrs` | string | A comma-delimited list of field names within the `userInfo` response that should be copied into the session's extended attributes collection. This provides a way to capture optional data points. |
| `fieldForProfileManagerOAuth` | string | Identifies the field used when building the Profile Manager / PTT Pro OAuth value. By default, the OAuth value is the logged-in user ID. Setting this key to another field allows another claim from the access token or the user information response to be used. Supports replacement format, for example `"${userId}@domainhere.com"`. |
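The table above describes several settings that only make sense in combination: the `claim_*` names select claims from the access token, each `auth_<x>_field`/`auth_<x>_regex`/`auth_<x>_regex_true`/`auth_default_<x>` quartet classifies a response field, `auth_location_regex` extracts a value, `userinfo_attrs` filters the `userInfo` response, and `ignoreExpiresIn` switches the refresh schedule. The Python below is an added illustration of how those settings compose; it is not BlueFletch's code and the page does not describe the launcher's internals. It assumes that the `auth_*` fields are looked up in a merged view of the `userInfo` response and the access-token claims, that list-valued claims are joined before the regex is applied, that `${name}` placeholders in `fieldForProfileManagerOAuth` are filled from the session's `userId` and the response fields, and that "the expiration indicated in the token" is the standard JWT `exp` claim. The configuration values, claims and `userInfo` fields are constructed sample data.

```python
import re

# Constructed auth_oauth2 fragment: claim names follow the page's first example,
# the auth_* regex settings and the template are hypothetical illustration values.
AUTH_OAUTH2 = {
    "claim_userId": "preferred_username",
    "claim_username": "commonname",
    "claim_groups": "memberof",
    "auth_group_field": "memberof",
    "auth_group_regex": r"(?i)\bLauncher[_-]?Admins\b",
    "auth_group_regex_true": "admin",
    "auth_default_group": "associate",
    "auth_role_field": "memberof",
    "auth_role_regex": r"(?i)StoreManagers",
    "auth_role_regex_true": "manager",
    "auth_default_role": "user",
    "auth_location_field": "physicalDeliveryOfficeName",
    "auth_location_regex": r"Store[ -]?(\d{4})",
    "userinfo_attrs": "department, employeeNumber",
    "fieldForProfileManagerOAuth": "${userId}@domainhere.com",
    "ignoreExpiresIn": True,
    "refreshThresholdInMins": 30,
}

# Constructed sample data: decoded access-token claims and a userInfo response.
TOKEN_CLAIMS = {
    "preferred_username": "jdoe",
    "commonname": "Jane Doe",
    "memberof": [
        "CN=Launcher_Admins,OU=Groups,DC=example,DC=com",
        "CN=Store1234_Staff,OU=Groups,DC=example,DC=com",
    ],
    "exp": 1_700_000_000,  # epoch seconds, standard JWT exp claim (assumption)
}
USERINFO = {
    "physicalDeliveryOfficeName": "Store 1234 - Atlanta",
    "department": "Operations",
    "employeeNumber": "E48213",
    "eyeColor": "n/a",  # not in userinfo_attrs, so it must not reach the session
}


def _as_text(value) -> str:
    # Group claims are usually lists; join them so one regex can scan all entries.
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return "" if value is None else str(value)


def resolve_choice(cfg: dict, source: dict, name: str):
    """auth_<name>_field/_regex: on a match use auth_<name>_regex_true,
    otherwise fall back to auth_default_<name>."""
    field, regex = cfg.get(f"auth_{name}_field"), cfg.get(f"auth_{name}_regex")
    if field and regex and re.search(regex, _as_text(source.get(field))):
        return cfg.get(f"auth_{name}_regex_true")
    return cfg.get(f"auth_default_{name}")


def resolve_location(cfg: dict, source: dict):
    """auth_location_regex extracts rather than classifies: return the first
    capture group when the pattern has one, else the whole match."""
    field, regex = cfg.get("auth_location_field"), cfg.get("auth_location_regex")
    if not (field and regex):
        return None
    match = re.search(regex, _as_text(source.get(field)))
    if not match:
        return None
    return match.group(1) if match.groups() else match.group(0)


def fill_template(template: str, values: dict) -> str:
    # Replace ${name} placeholders; an unknown name is left as typed (assumption).
    return re.sub(r"\$\{(\w+)\}", lambda m: str(values.get(m.group(1), m.group(0))), template)


def next_refresh(cfg: dict, token_claims: dict, now_epoch: int):
    """ignoreExpiresIn=true: refresh refreshThresholdInMins after now;
    otherwise honour the token's own expiration."""
    if cfg.get("ignoreExpiresIn"):
        return now_epoch + 60 * int(cfg["refreshThresholdInMins"])
    return token_claims.get("exp")


def build_session(cfg: dict, token_claims: dict, userinfo: dict, now_epoch: int) -> dict:
    # Assumption: userInfo fields take precedence over same-named token claims.
    source = {**token_claims, **userinfo}
    user_id = token_claims.get(cfg["claim_userId"])
    wanted = [a.strip() for a in cfg.get("userinfo_attrs", "").split(",") if a.strip()]
    return {
        "userId": user_id,
        "username": token_claims.get(cfg["claim_username"]),
        "groups": list(token_claims.get(cfg["claim_groups"], [])),
        "group": resolve_choice(cfg, source, "group"),
        "role": resolve_choice(cfg, source, "role"),
        "location": resolve_location(cfg, source),
        "extendedAttributes": {k: userinfo[k] for k in wanted if k in userinfo},
        "profileManagerOAuth": fill_template(
            cfg.get("fieldForProfileManagerOAuth", "${userId}"), {**source, "userId": user_id}),
        "refreshAt": next_refresh(cfg, token_claims, now_epoch),
    }
```

Running `build_session(AUTH_OAUTH2, TOKEN_CLAIMS, USERINFO, now)` with the sample data yields group `admin` (the group regex matched a `memberof` entry), role `user` (the role regex did not match, so the default applies), location `1234`, only the two listed `userInfo` attributes, and a refresh time 30 minutes after `now` because `ignoreExpiresIn` is true; flipping it to false makes the token's `exp` the refresh time instead.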

**Example:**

```
...
"auth_oauth2": {
  "client_id": "com.bluefletch.ems.auth",
  "redirect_url": "com.bluefletch.launcher:/callback",
  "baseUrl": "https://oauth2server.bluefletch.com",
  "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
  "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
  "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
  "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
  "scopes": "openid profile offline_access groups",
  "claim_userId": "upn",
  "claim_username": "commonname",
  "claim_groups": "memberof",
  "browser": "com.bluefletch.ems.browser"
}
...
```

**Okta Example:**

```
"auth_oauth2": {
  "issuer_url": "https://dev.oktapreview.com",
  "client_id": "0o5o9hn89wN4AAhhJ0h7",
  "redirect_url": "com.bluefletch.ems.auth://callback",
  "browser": "com.bluefletch.ems.browser",
  "scopes": "openid profile offline_access groups",
  "logout_redirect": "com.bluefletch.ems.auth://logout"
},
```
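The two fragments above are valid on their own, but the table states rules that span more than one key: `redirect_url_verify` must be exactly `com.bluefletch.ems.auth://verified` and requires `verifyIdpOnReauth` in the Launcher `settings`, `ignoreExpiresIn` needs `refreshThresholdInMins`, each `auth_<x>_field` is used together with its `auth_<x>_regex`, and Auth4 expects the `com.bluefletch.ems.auth://callback` redirect rather than the older `com.bluefletch.launcher:/callback`. The following lint is an added example, not part of the page or the launcher, that checks a configuration against those rules before it is pushed to devices. It assumes a `settings` object sits beside `auth_oauth2` in the same document, and it treats "either `issuer_url` or an explicit `authorize_url`/`token_url` pair" as a requirement inferred from the two examples rather than stated by the page. The input is the page's Okta fragment with a constructed `redirect_url_verify` entry and a deliberately inconsistent `settings` block.

```python
import re

# Constructed input: the page's Okta fragment plus a redirect_url_verify entry
# and a settings block that is deliberately inconsistent with it.
OKTA_EXAMPLE = {
    "auth_oauth2": {
        "issuer_url": "https://dev.oktapreview.com",
        "client_id": "0o5o9hn89wN4AAhhJ0h7",
        "redirect_url": "com.bluefletch.ems.auth://callback",
        "redirect_url_verify": "com.bluefletch.ems.auth://verified",
        "browser": "com.bluefletch.ems.browser",
        "scopes": "openid profile offline_access groups",
        "logout_redirect": "com.bluefletch.ems.auth://logout",
    },
    "settings": {"verifyIdpOnReauth": False},
}

AUTH4_CALLBACK = "com.bluefletch.ems.auth://callback"
LEGACY_CALLBACK = "com.bluefletch.launcher:/callback"
VERIFY_CALLBACK = "com.bluefletch.ems.auth://verified"


def lint_auth_oauth2(config: dict) -> list:
    """Return a list of findings; an empty list means every rule passed."""
    a = config.get("auth_oauth2", {})
    settings = config.get("settings", {})
    findings = []

    for key in ("client_id", "redirect_url", "scopes"):
        if not a.get(key):
            findings.append(f"{key}: required but missing")

    # Assumption drawn from the two examples: either issuer_url or the explicit
    # authorize_url/token_url pair must be present.
    if not a.get("issuer_url") and not (a.get("authorize_url") and a.get("token_url")):
        findings.append("issuer_url or authorize_url+token_url: neither configured")

    if a.get("redirect_url") == LEGACY_CALLBACK:
        findings.append(f"redirect_url: pre-Auth4 value; Auth4 expects {AUTH4_CALLBACK}")

    if "redirect_url_verify" in a:
        if a["redirect_url_verify"] != VERIFY_CALLBACK:
            findings.append(f"redirect_url_verify: must be {VERIFY_CALLBACK}")
        if settings.get("verifyIdpOnReauth") is not True:
            findings.append("redirect_url_verify set but settings.verifyIdpOnReauth is not true")

    if a.get("ignoreExpiresIn") and not isinstance(a.get("refreshThresholdInMins"), int):
        findings.append("ignoreExpiresIn is true but refreshThresholdInMins is missing or not an integer")

    # OpenID Connect requires the openid scope in the authorization request.
    if "openid" not in a.get("scopes", "").split():
        findings.append("scopes: 'openid' missing (required for OpenID Connect)")

    for name in ("location", "group", "role"):
        field, regex = a.get(f"auth_{name}_field"), a.get(f"auth_{name}_regex")
        if bool(field) != bool(regex):
            findings.append(f"auth_{name}_field and auth_{name}_regex must be set together")
        if regex:
            try:
                re.compile(regex)
            except re.error as err:
                findings.append(f"auth_{name}_regex: invalid pattern ({err})")
        # group/role classify via *_regex_true; location extracts, so it has no such key
        if name != "location" and regex and not a.get(f"auth_{name}_regex_true"):
            findings.append(f"auth_{name}_regex set without auth_{name}_regex_true")
    return findings
```

On the sample input the only finding is the mismatch between `redirect_url_verify` and `verifyIdpOnReauth`; setting the flag to `true` clears it. Feeding in the first example (with its `com.bluefletch.launcher:/callback` redirect) produces the Auth4 redirect finding, and a malformed `auth_group_regex` is reported before it can silently fail to match and drop every user into `auth_default_group`.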
