OAuth2 / OIDC Configuration

Axoniq Insights supports single sign-on (SSO) through OAuth2 and OpenID Connect (OIDC). Two modes are available: Google OAuth2 for Google Workspace environments, and OIDC for generic identity providers such as Keycloak, Okta, or Azure AD.

Insights OAuth2 properties

Each entry gives the parameter, its default value in parentheses, and a description.

insights.oauth2.enabled (default: false)
    Set to true to enable OAuth2/OIDC authentication.

insights.oauth2.mode (default: google)
    The authentication mode. Use google for Google OAuth2 or oidc for a generic OpenID Connect provider.

insights.oauth2.authorization-uri (default: /oauth2/authorization)
    The URI that Insights redirects to when initiating the OAuth2 authorization flow. Normally does not need to be changed.

insights.oauth2.force-oidc-logout (default: false)
    When set to true and using OIDC mode, logging out of Insights also triggers a logout at the identity provider. Useful when you want to force re-authentication on the next login.

insights.oauth2.auto-redirect (default: false)
    When set to true, users visiting the login page are automatically redirected to the OAuth2 provider instead of seeing the Insights login form. Enable this when OAuth2 is the only authentication method.

insights.oauth2.request-params.<key> (default: none)
    Additional query parameters to include in the authorization request sent to the OAuth2 provider. For example, insights.oauth2.request-params.prompt=select_account asks Google to always show the account chooser.

insights.oauth2.username-map.<registration> (default: none)
    Maps an OAuth2 client registration name to the claim used as the Insights username. The value is typically email to use the user’s email address. The <registration> key must match the Spring Security client registration name (for example, google or oidcclient).

insights.oauth2.id-token-signature-algorithm (default: RS256)
    The signature algorithm used to verify OIDC ID tokens. Change this only if your identity provider uses a different algorithm (for example, ES256).

Google OAuth2

Use this mode to authenticate users with their Google accounts.

Prerequisites

  1. Go to the Google Cloud Console and create an OAuth 2.0 Client ID.

  2. Set the authorized redirect URI to http://<insights-host>:8080/login/oauth2/code/google.

  3. Note the generated Client ID and Client Secret.

Configuration

# Enable OAuth2 with Google mode
insights.oauth2.enabled=true
insights.oauth2.mode=google

# Map Google accounts to Insights usernames using the email claim
insights.oauth2.username-map.google=email

# Show account chooser on every login
insights.oauth2.request-params.prompt=select_account

# Spring Security OAuth2 client registration
spring.security.oauth2.client.registration.google.client-id=<your-google-client-id>
spring.security.oauth2.client.registration.google.client-secret=<your-google-client-secret>
spring.security.oauth2.client.registration.google.scope=email

The scope=email setting requests only the user’s email address. Add profile to the scope if you also want to retrieve the user’s name.

OIDC (Keycloak, Okta, Azure AD, etc.)

Use this mode to integrate with any OpenID Connect-compliant identity provider.

Prerequisites

  1. Register a new client application in your identity provider.

  2. Set the valid redirect URI to http://<insights-host>:8080/login/oauth2/code/oidcclient.

  3. Note the Client ID, Client Secret, and the Issuer URI of your provider.

Configuration with Keycloak

The following example configures Insights to authenticate against a Keycloak realm:

# Enable OAuth2 with OIDC mode
insights.oauth2.enabled=true
insights.oauth2.mode=oidc

# Map the OIDC client to Insights usernames using the email claim
insights.oauth2.username-map.oidcclient=email

# Spring Security OAuth2 client registration
spring.security.oauth2.client.registration.oidcclient.client-id=<your-client-id>
spring.security.oauth2.client.registration.oidcclient.client-secret=<your-client-secret>
spring.security.oauth2.client.registration.oidcclient.client-name=My Application
spring.security.oauth2.client.registration.oidcclient.provider=keycloak
spring.security.oauth2.client.registration.oidcclient.scope=openid,profile,email

# Keycloak provider discovery
spring.security.oauth2.client.provider.keycloak.issuer-uri=http://keycloak-host:8081/realms/your-realm

The issuer-uri enables automatic discovery of the provider’s endpoints via the .well-known/openid-configuration document. Spring Security uses this to configure the authorization, token, and user info endpoints automatically.
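A pre-flight check, added here as an example and not part of Insights or Spring Security, that compares these properties with the provider's discovery document before you enable the configuration: it flags an issuer that does not equal the configured issuer-uri (OIDC Discovery requires the two to match), an ID-token signature algorithm the provider does not use, requested scopes or the username-map claim the provider does not advertise, and force-oidc-logout=true without an end_session_endpoint at the provider. The properties and the discovery document are constructed samples, and parse_properties and check_discovery are names chosen for this example.

```python
import json

# Constructed sample: the Keycloak properties shown on this page, plus force-oidc-logout.
INSIGHTS_PROPERTIES = """\
insights.oauth2.enabled=true
insights.oauth2.mode=oidc
insights.oauth2.force-oidc-logout=true
insights.oauth2.username-map.oidcclient=email
spring.security.oauth2.client.registration.oidcclient.provider=keycloak
spring.security.oauth2.client.registration.oidcclient.scope=openid,profile,email
spring.security.oauth2.client.provider.keycloak.issuer-uri=http://keycloak-host:8081/realms/your-realm
"""

# Constructed sample of the provider's .well-known/openid-configuration (only fields checked below).
_BASE = "http://keycloak-host:8081/realms/your-realm"
DISCOVERY_DOC = json.dumps({
    "issuer": _BASE,
    "end_session_endpoint": _BASE + "/protocol/openid-connect/logout",
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "claims_supported": ["sub", "email", "preferred_username"],
})

def parse_properties(text):
    """Parse key=value lines of a Java .properties file; comments and blanks are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_discovery(props, discovery_json, registration="oidcclient"):
    """Return the mismatches between the properties and the provider's discovery document."""
    reg = f"spring.security.oauth2.client.registration.{registration}."
    issuer_uri = props[f"spring.security.oauth2.client.provider.{props[reg + 'provider']}.issuer-uri"]
    disc = json.loads(discovery_json)
    problems = []
    # OIDC Discovery requires the issuer value to equal the URL the document was fetched from.
    if disc.get("issuer") != issuer_uri:
        problems.append(f"issuer mismatch: configured {issuer_uri!r}, provider says {disc.get('issuer')!r}")
    alg = props.get("insights.oauth2.id-token-signature-algorithm", "RS256")  # must be one the provider signs with
    if alg not in disc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not sign ID tokens with {alg}")
    # scopes_supported and claims_supported are optional in the spec, so only check them when present.
    problems += [f"scope {s!r} not supported by provider" for s in props.get(reg + "scope", "").split(",")
                 if s and s not in disc.get("scopes_supported", [s])]
    claim = props.get(f"insights.oauth2.username-map.{registration}", "")
    if claim and claim not in disc.get("claims_supported", [claim]):
        problems.append(f"username claim {claim!r} not issued by provider")
    # force-oidc-logout needs an RP-initiated logout endpoint at the provider.
    if props.get("insights.oauth2.force-oidc-logout") == "true" and "end_session_endpoint" not in disc:
        problems.append("force-oidc-logout=true but provider has no end_session_endpoint")
    return problems
```

Against a live provider, fetch <issuer-uri>/.well-known/openid-configuration and pass the response body as discovery_json; an empty result means the properties and the provider agree.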

Configuration with other providers

For any OIDC-compliant provider, follow the same pattern. Replace the provider name and issuer-uri with values specific to your identity provider:

Provider: issuer URI format

Keycloak: http://<host>/realms/<realm>
Okta: https://<your-domain>.okta.com
Azure AD: https://login.microsoftonline.com/<tenant-id>/v2.0
Auth0: https://<your-domain>.auth0.com/

Forcing provider logout

By default, logging out of Insights only ends the local session. The user remains authenticated at the identity provider and will be logged in again automatically on the next visit.

To also log the user out of the identity provider:

insights.oauth2.force-oidc-logout=true

This is particularly useful in shared or public environments.

Auto-redirect

When OAuth2 is the sole authentication method, you can skip the Insights login page entirely:

insights.oauth2.auto-redirect=true

With this setting, unauthenticated users are sent directly to the OAuth2 provider. Disable this if you also want to allow local username/password logins.