OAuth2 Authentication

For authentication using Google Apps accounts, use the following properties:

This optional value can be used to configure the URI that will trigger the authentication using OAuth2. The default value is “/oauth2/authorization” and should work fine.

This should be set to the client-id provided by the Google Developer Console where you registered the cluster.

This should be set to the secret provided by the Google Developer Console where you registered the cluster.

This setting is used to configure what information Google should share with the Axon Server cluster. A good value to use is “email”, which will allow you to use the email address as username, as is common with Google accounts.

Controls what value to use as username. Requires that this value is provided by Google using the “scope” setting described above. If the email address is to be used, as suggested above, the value should be “email”.

This setting defines a map of parameters to add to the redirect URL, to customize the behavior of the provider’s integration. For Google, if the users use the same browser with multiple Google accounts, a good setting to add is “prompt”, with value “select_account”:

`properties axoniq.axonserver.enterprise.oauth2.request-params.prompt=select_account `

This will force Google to always ask which account must be used to continue, even if there is only a single account in use, and that account is currently active.

For authentication using KeyCloak, you need to configure a realm and, in it, configure Axon Server as a client. You can use the following properties:

Setting this property to “true” will ensure that, when the user logs out from the Axon Server UI, a logout request will also be sent to KeyCloak. If set to “false” (the default), the user will still have a valid session in KeyCloak, and a subsequent login attempt using the same browser window may immediately succeed, without a prompt for a password. Naturally this is dependent on session validity settings within KeyCloak.

This should be set to the client ID configured for Axon Server.

This should be set to the client secret configured for Axon Server.

This should be set to the client name configured for Axon Server.

This should be set to the value “keycloak”.

This should be set to a (comma separated) list of the information that needs to be shared, typically “openid,email,profile”.

This should be set to the realm’s URL on KeyCloak. For example, if the realm is named “test-realm” and KeyCloak is exposed at “http://keycloak-test:8090”;, then the value is “http://keycloak-test:8090/realms/test-realm”;.

Controls what value to use as username. The suggested value is “username”, which refers to that value from the “profile” scope. Alternatively, just as with the Google Apps integration mentioned above, you can use “email”.

Toggle automatic redirects to the IDP. This will cause AxonServer to skip the login page of AxonServer and users won’t be able to choose a login mechanism. This setting does not disable logins via password though. Only one authentication provider may specify automatic redirects.