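--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -100,34 +100,52 @@ security:
   basic:
     enabled: "${SECURITY_BASIC_ENABLED:false}"
   oauth2:
+    # Enable/disable OAuth 2 login functionality
+    # For details please refer to https://thingsboard.io/docs/user-guide/oauth-2-support/
     enabled: "${SECURITY_OAUTH2_ENABLED:false}"
+    # Redirect URL where access code from external user management system will be processed
     loginProcessingUrl: "${SECURITY_OAUTH2_LOGIN_PROCESSING_URL:/login/oauth2/code/}"
+    # List of SSO clients
     clients:
       default:
-        loginButtonLabel: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_LABEL:Default}" # Label that going to be show on login screen
-        loginButtonIcon: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_ICON:}" # Icon that going to be show on login screen. Material design icon ID (https://material.angularjs.org/latest/api/directive/mdIcon)
+        # Label that going to be show on login button - 'Login with {loginButtonLabel}'
+        loginButtonLabel: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_LABEL:Default}"
+        # Icon that going to be show on login button. Material design icon ID (https://material.angularjs.org/latest/api/directive/mdIcon)
+        loginButtonIcon: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_ICON:}"
         clientName: "${SECURITY_OAUTH2_DEFAULT_CLIENT_NAME:ClientName}"
         clientId: "${SECURITY_OAUTH2_DEFAULT_CLIENT_ID:}"
         clientSecret: "${SECURITY_OAUTH2_DEFAULT_CLIENT_SECRET:}"
         accessTokenUri: "${SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI:}"
         authorizationUri: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI:}"
         scope: "${SECURITY_OAUTH2_DEFAULT_SCOPE:}"
-        redirectUriTemplate: "${SECURITY_OAUTH2_DEFAULT_REDIRECT_URI_TEMPLATE:http://localhost:8080/login/oauth2/code/}" # Must be in sync with security.oauth2.loginProcessingUrl
+        # Redirect URL that must be in sync with 'security.oauth2.loginProcessingUrl', but domain name added
+        redirectUriTemplate: "${SECURITY_OAUTH2_DEFAULT_REDIRECT_URI_TEMPLATE:http://localhost:8080/login/oauth2/code/}"
         jwkSetUri: "${SECURITY_OAUTH2_DEFAULT_JWK_SET_URI:}"
-        authorizationGrantType: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_GRANT_TYPE:authorization_code}" # authorization_code, implicit, refresh_token or client_credentials
+        # 'authorization_code', 'implicit', 'refresh_token' or 'client_credentials'
+        authorizationGrantType: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_GRANT_TYPE:authorization_code}"
         clientAuthenticationMethod: "${SECURITY_OAUTH2_DEFAULT_CLIENT_AUTHENTICATION_METHOD:post}" # basic or post
         userInfoUri: "${SECURITY_OAUTH2_DEFAULT_USER_INFO_URI:}"
         userNameAttributeName: "${SECURITY_OAUTH2_DEFAULT_USER_NAME_ATTRIBUTE_NAME:email}"
         mapperConfig:
-          type: "${SECURITY_OAUTH2_DEFAULT_MAPPER_TYPE:basic}" # basic or custom
+          # Mapper type of converter from external user into internal - 'basic' or 'custom'
+          type: "${SECURITY_OAUTH2_DEFAULT_MAPPER_TYPE:basic}"
           basic:
-            allowUserCreation: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_ALLOW_USER_CREATION:true}" # Allows to create user if it not exists
-            emailAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_EMAIL_ATTRIBUTE_KEY:email}" # Attribute key to use as email for the user
+            # Allows to create user if it not exists
+            allowUserCreation: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_ALLOW_USER_CREATION:true}"
+            # Key from attributes of external user object to use as email
+            emailAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_EMAIL_ATTRIBUTE_KEY:email}"
             firstNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_FIRST_NAME_ATTRIBUTE_KEY:}"
             lastNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_LAST_NAME_ATTRIBUTE_KEY:}"
-            tenantNameStrategy: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_STRATEGY:domain}" # domain, email or custom
-            tenantNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_PATTERN:}" # %{attribute_key} as placeholder for attributes value by key
-            customerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_CUSTOMER_NAME_PATTERN:}" # %{attribute_key} as placeholder for attributes value by key
+            # Strategy for generating Tenant from external user object - 'domain', 'email' or 'custom'
+            # 'domain' - name of the Tenant will be extracted as domain from the email of the user
+            # 'email' - name of the Tenant will email of the user
+            # 'custom' - please configure 'tenantNamePattern' for custom mapping
+            tenantNameStrategy: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_STRATEGY:domain}"
+            # %{attribute_key} as placeholder for attribute value of attributes of external user object
+            tenantNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_PATTERN:}"
+            # If this field is not empty, user will be created as a user under defined Customer
+            # %{attribute_key} as placeholder for attribute value of attributes of external user object
+            customerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_CUSTOMER_NAME_PATTERN:}"
           custom:
             url: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_URL:}"
             username: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_USERNAME:}"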
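Review bot: The new comment above redirectUriTemplate only says it must match 'security.oauth2.loginProcessingUrl' with the domain added, while the default it documents is still the plain-http `http://localhost:8080/login/oauth2/code/`; since this is the URL where the access code from the provider is delivered (per the new loginProcessingUrl comment), the comment should state that a deployment must set it to the externally reachable https base URL of this server and that it must exactly match the redirect URI registered at the identity provider, e.g. `# Must be the public https URL of this server followed by loginProcessingUrl, and must match the redirect URI registered at the provider`. The new comment on authorizationGrantType lists 'implicit' as an option without qualification; the OAuth 2.0 Security Best Current Practice deprecates the implicit grant, so the comment should mark 'authorization_code' (the default) as the recommended value. The new allowUserCreation comment documents a security-relevant default of true, which appears to mean any identity the provider asserts gets an account created, with the tenant then derived from the email domain under the default 'domain' strategy; that consequence is worth stating in the comment so operators consciously decide whether to keep it. Minor wording in the new strategy comments: the 'email' line reads "name of the Tenant will email of the user" and is missing "be", and "Allows to create user if it not exists" should read "Allows creating the user if it does not exist". The enclosing security: mapping starts before the hunk.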