mirror of
https://github.com/open-metadata/OpenMetadata.git
synced 2025-10-31 10:39:30 +00:00
301 lines
12 KiB
Markdown
301 lines
12 KiB
Markdown
|
---
|
||
|
|
title: OIDC Based Authentication
|
||
|
|
slug: /deployment/security/configuration-parameters
|
||
|
|
collate: false
|
||
|
|
---
|
||
|
|
|
||
|
|
# Configuration Reference Parameters
|
||
|
|
|
||
|
|
## Public Key Url (publicKeyUrls):
|
||
|
|
This needs to be updated as per different SSO providers. The default value is `http://localhost:8585/api/v1/system/config/jwks`. This is the URL where the public keys are stored. The public keys are used to verify the signature of the JWT token.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
**Google**: https://www.googleapis.com/oauth2/v3/certs
|
||
|
|
|
||
|
|
**Okta**: https://dev-19259000.okta.com/oauth2/aus5836ihy7o8ivuJ5d7/v1/keys
|
||
|
|
|
||
|
|
**Auth0**: https://dev-3e0nwcqx.us.auth0.com/.well-known/jwks.json
|
||
|
|
|
||
|
|
**Azure**: https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
|
||
|
|
|
||
|
|
Also if you have enabled [JWT Tokens](/deployment/security/enable-jwt-tokens) then http://localhost:8585/api/v1/system/config/jwks also needs to be there in the list with proper server url.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
## Client ID (id):
|
||
|
|
The client ID provided by your OIDC provider. This is typically obtained when you register your application with the OIDC provider.
|
||
|
|
|
||
|
|
## Type (type):
|
||
|
|
Specify the type of OIDC provider you are using (e.g., google, azure). This value is same as `provider` in `authenticationConfiguration`.
|
||
|
|
|
||
|
|
## Client Secret (secret):
|
||
|
|
Replace with the client secret provided by your OIDC provider.
|
||
|
|
|
||
|
|
## Scope (scope):
|
||
|
|
Define the scopes that your application requests during authentication. Update ${OIDC_SCOPE:-"openid email profile"} with the desired scopes.
|
||
|
|
|
||
|
|
{% note %}
|
||
|
|
|
||
|
|
It does not need to be changed in most cases. The default scopes are `openid email profile`. The openid scope is required for OIDC authentication. The email and profile scopes are used to retrieve the user's email address and profile information.
|
||
|
|
Although, some provider only give Refresh Token if `offline_access` scope is provided. So, if you want to use Refresh Token, you need to add `offline_access` scope, like below:
|
||
|
|
`offline_access openid email profile`.
|
||
|
|
|
||
|
|
{% /note %}
|
||
|
|
|
||
|
|
## Discovery URI (discoveryUri):
|
||
|
|
Provide the URL of the OIDC provider's discovery document. This document contains metadata about the provider's configuration.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
It is mostly in the format as below: https://accounts.google.com/.well-known/openid-configuration
|
||
|
|
|
||
|
|
**Google**: https://accounts.google.com/.well-known/openid-configuration
|
||
|
|
|
||
|
|
**Okta**: https://dev-19259000.okta.com/oauth2/aus5836ihy7o8ivuJ5d7/.well-known/openid-configuration
|
||
|
|
|
||
|
|
**Auth0**: https://dev-3e0nwcqx.us.auth0.com/.well-known/openid-configuration
|
||
|
|
|
||
|
|
**Azure**: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
|
||
|
|
|
||
|
|
Normally it's some initial SSO provider URL followed by `.well-known/openid-configuration`
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
## Use Nonce (useNonce):
|
||
|
|
Set to true by Default, if you want to use nonce for replay attack protection during authentication. This does not need to be changed.
|
||
|
|
|
||
|
|
## Preferred JWS Algorithm (preferredJwsAlgorithm):
|
||
|
|
Specify the preferred JSON Web Signature (JWS) algorithm. Default is RS256 and need not be changed .
|
||
|
|
|
||
|
|
## Response Type (responseType):
|
||
|
|
Define the response type for the authentication request. Default is code and need not be changed.
|
||
|
|
|
||
|
|
## Disable PKCE (disablePkce):
|
||
|
|
Set ${OIDC_DISABLE_PKCE:-true} to true if you want to disable Proof Key for Code Exchange (PKCE). If you want to send CodeVerifier and CodeChallenge in the request, set it to false.
|
||
|
|
|
||
|
|
## Callback URL (callbackUrl):
|
||
|
|
Provide the callback URL where the OIDC provider redirects after authentication. Update ${OIDC_CALLBACK:-"http://localhost:8585/callback"} with your actual callback URL.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
The only initial part of the URL should be changed, the rest of the URL should be the same as the default one. The default URL is `http://localhost:8585/callback`.
|
||
|
|
Also, this should match what you have configured in your OIDC provider.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
## Server URL (serverUrl):
|
||
|
|
Specify the URL of your OM Server. Default is http://localhost:8585.
|
||
|
|
|
||
|
|
## Client Authentication Method (clientAuthenticationMethod):
|
||
|
|
Define the method used for client authentication. Default is client_secret_post.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
This does not need to be changed in most cases. The default value is `client_secret_post`.
|
||
|
|
This method is used to send the client ID and client secret in the request body.
|
||
|
|
Another possible value is `client_secret_basic`, which sends the client ID and client secret in the Authorization header.
|
||
|
|
Depending on the OIDC provider, you may need to change this value if only one of them is supported.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
## Tenant (tenant):
|
||
|
|
If applicable, specify the tenant ID for multi-tenant applications. Example in case of Azure.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
This is only applicable for multi-tenant applications. If you are using a single tenant application, you can leave this field empty.
|
||
|
|
For Azure SSO Provider this may be needed.
|
||
|
|
|
||
|
|
{%important%}
|
||
|
|
|
||
|
|
## Max Clock Skew (maxClockSkew):
|
||
|
|
Define the maximum acceptable clock skew between your application server and the OIDC server.
|
||
|
|
|
||
|
|
## Custom Parameters (customParams):
|
||
|
|
If you have any additional custom parameters required for OIDC configuration, specify them here.
|
||
|
|
|
||
|
|
## Config (config):
|
||
|
|
The central configuration block for OpenMetadata.
|
||
|
|
|
||
|
|
## Provider (provider):
|
||
|
|
Specifies the authentication method to be used.
|
||
|
|
The default is `ldap`, but you can change it to another supported provider. Example: `google`, `azure`.
|
||
|
|
|
||
|
|
## Entity Id (entityId):
|
||
|
|
The unique identifier for the SAML Identity Provider.
|
||
|
|
Example: `"https://mocksaml.com/api/saml/sso"`
|
||
|
|
|
||
|
|
## SSO Login URL (ssoLoginUrl):
|
||
|
|
The URL to which users are redirected for Single Sign-On (SSO) authentication.
|
||
|
|
Example: `"https://saml.example.com/entityid"`
|
||
|
|
|
||
|
|
## IPDX509 Certificate (idpX509Certificate):
|
||
|
|
The public certificate used by the IdP to sign SAML assertions.
|
||
|
|
Example: `""` (empty string means no certificate provided, needs to be set with actual certificate)
|
||
|
|
|
||
|
|
## Authority URL (authorityUrl):
|
||
|
|
The URL used for SAML login, typically a custom endpoint for your SAML provider.
|
||
|
|
Example: `"http://localhost:8585/api/v1/saml/login"`
|
||
|
|
|
||
|
|
## Name ID (nameId):
|
||
|
|
The format for the NameID element in the SAML response, usually representing the unique identifier of the user.
|
||
|
|
Example: `"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"`
|
||
|
|
|
||
|
|
## ACS (acs):
|
||
|
|
The Assertion Consumer Service (ACS) URL, where the IdP sends the SAML response after authentication.
|
||
|
|
Example: `"http://localhost:8585/api/v1/saml/acs"`
|
||
|
|
|
||
|
|
## SPX509 Certificate (spX509Certificate):
|
||
|
|
The public certificate used by the Service Provider to verify the IdP's SAML response.
|
||
|
|
Example: `""` (empty string means no certificate provided, needs to be set with actual certificate)
|
||
|
|
|
||
|
|
## Strict Mode (strictMode):
|
||
|
|
Whether to enforce strict compliance with the SAML standard, ensuring the response is fully validated.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Token Validity (tokenValidity):
|
||
|
|
The validity period of the SAML token in seconds.
|
||
|
|
Default: `"3600"` (1 hour)
|
||
|
|
|
||
|
|
## Send Encrypted Name ID (sendEncryptedNameId):
|
||
|
|
Whether to send the NameID in an encrypted format in the SAML response.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Send Signed Auth Request (sendSignedAuthRequest):
|
||
|
|
Whether to sign the authentication request sent to the IdP.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Sign SP Metadata (signSpMetadata):
|
||
|
|
Whether to sign the Service Provider's metadata when exchanging SAML metadata with the IdP.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Want Messages Signed (wantMessagesSigned):
|
||
|
|
Whether the Service Provider expects SAML messages to be signed.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Want Assertions Signed (wantAssertionsSigned):
|
||
|
|
Whether the Service Provider expects SAML assertions to be signed.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Want Assertion Encrypted (wantAssertionEncrypted):
|
||
|
|
Whether to encrypt the SAML assertion before sending it to the Service Provider.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Want Name ID Encrypted (wantNameIdEncrypted):
|
||
|
|
Whether to encrypt the NameID element in the SAML response.
|
||
|
|
Default: `false`
|
||
|
|
|
||
|
|
## Key Store File Path (keyStoreFilePath):
|
||
|
|
The file path to the keystore file containing certificates and private keys used for signing and encryption.
|
||
|
|
Example: `""` (empty string means no keystore file provided)
|
||
|
|
|
||
|
|
## KeyStore Alias (keyStoreAlias):
|
||
|
|
The alias used to refer to the key inside the keystore file.
|
||
|
|
Example: `""` (empty string means no alias provided)
|
||
|
|
|
||
|
|
## KeyStore Password (keyStorePassword):
|
||
|
|
The password used to access the keystore file.
|
||
|
|
Example: `""` (empty string means no password provided)
|
||
|
|
|
||
|
|
## Class Name (className):
|
||
|
|
Specifies the class that handles the authorization logic.
|
||
|
|
Default: `"org.openmetadata.service.security.DefaultAuthorizer"`
|
||
|
|
|
||
|
|
## Container Request Filter (containerRequestFilter):
|
||
|
|
Specifies the request filter used to process authentication, especially for handling JWT tokens.
|
||
|
|
Default: `"org.openmetadata.service.security.JwtFilter"`
|
||
|
|
|
||
|
|
## Initial Admins (initialAdmins):
|
||
|
|
A list of users who will be granted administrative privileges during the initial setup.
|
||
|
|
Example: `["suresh"]`
|
||
|
|
|
||
|
|
## Principal Domain (principalDomain):
|
||
|
|
The domain that is associated with user accounts.
|
||
|
|
Default: `"open-metadata.org"`
|
||
|
|
|
||
|
|
## Authority (authority):
|
||
|
|
The base URL of the OIDC authority.
|
||
|
|
Example: Replace `{IssuerUrl}` with the URL of your custom OIDC provider.
|
||
|
|
|
||
|
|
## Client ID (clientId):
|
||
|
|
The client ID for the application registered with the custom OIDC provider.
|
||
|
|
Replace `{client id}` with the actual client ID.
|
||
|
|
|
||
|
|
## Host (host):
|
||
|
|
The hostname of the LDAP server. Defaults to `localhost`.
|
||
|
|
|
||
|
|
## Port (port):
|
||
|
|
The port number to connect to the LDAP server. Defaults to `10636`.
|
||
|
|
|
||
|
|
## DN Admin Principal (dnAdminPrincipal):
|
||
|
|
The distinguished name (DN) of the admin user used for lookup operations in LDAP. Defaults to `"cn=admin,dc=example,dc=com"`.
|
||
|
|
|
||
|
|
## DN Admin Password (dnAdminPassword):
|
||
|
|
The password for the admin user. Defaults to `"secret"`.
|
||
|
|
|
||
|
|
## Userbase DN (userBaseDN):
|
||
|
|
The base DN for user lookup in LDAP. Defaults to `"ou=people,dc=example,dc=com"`.
|
||
|
|
|
||
|
|
## Mail Attribute Name (mailAttributeName):
|
||
|
|
The attribute name in LDAP that stores user email addresses. Defaults to `email`.
|
||
|
|
|
||
|
|
## Maximum Pool Size (maxPoolSize) (Optional):
|
||
|
|
Defines the maximum number of connections in the LDAP connection pool. Defaults to `3`.
|
||
|
|
|
||
|
|
## SSL Enabled (sslEnabled):
|
||
|
|
Indicates if SSL is enabled for connecting to the LDAP server. Defaults to `true`.
|
||
|
|
|
||
|
|
## Custom Trust Manager Configuration (customTrustManagerConfig):
|
||
|
|
- ### TrustStore FilePath (trustStoreFilePath):
|
||
|
|
Path to the custom trust store file. Default is empty.
|
||
|
|
- ### TrustStore File Password (trustStoreFilePassword):
|
||
|
|
Password for the trust store file. Default is empty.
|
||
|
|
- ### TrustStore File Format (trustStoreFileFormat):
|
||
|
|
Format of the trust store file. Default is empty.
|
||
|
|
- ### Verify Host Name (verifyHostname):
|
||
|
|
If hostname verification is enabled. Default is empty.
|
||
|
|
- ### Examine Validity Dates (examineValidityDates):
|
||
|
|
Whether to check validity dates for certificates. Default is empty.
|
||
|
|
|
||
|
|
## Host Name Configuration (hostNameConfig):
|
||
|
|
- ### Allow Wild Cards (allowWildCards):
|
||
|
|
Allows wildcard certificates in hostnames. Default is empty.
|
||
|
|
- ### Acceptable Host Names (acceptableHostNames):
|
||
|
|
A list of acceptable hostnames. Default is an empty list.
|
||
|
|
|
||
|
|
## JVM Default Configurations (jvmDefaultConfig):
|
||
|
|
- ### Verify Host Name (verifyHostname):
|
||
|
|
Enables hostname verification using JVM defaults. Default is empty.
|
||
|
|
|
||
|
|
## Trust All Configurations (trustAllConfig):
|
||
|
|
- ### Examine Validity Dates (examineValidityDates):
|
||
|
|
Checks the validity dates of certificates when using `TrustAll` mode. Defaults to `true`.
|
||
|
|
|
||
|
|
## Enforce Principal Domain (enforcePrincipalDomain):
|
||
|
|
Whether to enforce user principal matching with the defined principal domain
|
||
|
|
|
||
|
|
## Enable Secure Socket Connection (enableSecureSocketConnection):
|
||
|
|
If true, enables secure connections (SSL/TLS)
|
||
|
|
|
||
|
|
## Use Roles From Provider (useRolesFromProvider):
|
||
|
|
Whether to derive roles from the authentication provider
|
||
|
|
|
||
|
|
## Initial Admins (initialAdmins):
|
||
|
|
List of initial admin users for the system
|
||
|
|
|
||
|
|
## JWT Principal Claims (jwtPrincipalClaims):
|
||
|
|
JWT claims used to identify the principal (user)
|
||
|
|
|
||
|
|
## JWT Principal Claims Mapping (jwtPrincipalClaimsMapping):
|
||
|
|
Mapping of JWT claims to application-specific claims
|
||
|
|
|
||
|
|
## Enable Self Signup (enableSelfSignup):
|
||
|
|
Allows users to sign up themselves if not already registered
|
||
|
|
|
||
|
|
## Preferred JWT Algorithms (preferredJwsAlgorithm):
|
||
|
|
Preferred algorithm for JWT signature validation
|
||
|
|
|
||
|
|
## Allowed Email Registration Domains (allowedEmailRegistrationDomains):
|
||
|
|
Specifies allowed domains for email registration
|