Altair® Panopticon


OAuth 2.0

This section describes how to configure Panopticon Real Time to use OAuth 2.0 for authorization. On a logon request, Panopticon Real Time redirects the user to the login page of the OAuth 2.0 provider.

Note that OAuth 2.0 is an authorization framework and does not by itself establish who the user is: on its own, Panopticon Real Time only learns whether the user is authorized. To establish the user identity, Panopticon Real Time can be configured to call a REST service with the access token obtained from the OAuth 2.0 provider and extract the user identity from the response. In addition to the standard OAuth 2.0 settings, the server therefore has properties (authentication.oauth2.*) that are specifically used to extract the user details.

If user roles are configured, the role attribute of the user identity (authentication.oauth2.identity.attribute.roles=<name of the role attribute in the OAuth 2.0 server's identity response>) is expected to hold a list of roles; these enable role-based access restrictions on workbook folders.

For example: "roles": ["VIEWER","DESIGNER"]

If this attribute is not set, the default role VIEWER is used.


To use OAuth 2.0, change the authentication type:

authentication.type=OAUTH2


Afterwards, go through the following properties and set them according to your OAuth 2.0 server configuration.

authentication.oauth2.client.id
    The ID of the OAuth 2.0 client.

authentication.oauth2.client.secret
    The secret used by the OAuth 2.0 client. It is a credential: restrict read access to the properties file that holds it.

authentication.oauth2.identity.attribute.roles
    The attribute extracted from the identity response and used as the user's roles.

authentication.oauth2.identity.attribute.roles.pattern
    A regular expression used to extract the roles from the role attribute in the OAuth 2.0 server's identity response. For example, the returned string

    cn=admin,ou=groups,dc=openam,dc=openidentityplatform,dc=org,cn=designer,ou=groups,dc=openam,dc=openidentityplatform,dc=org

    contains two roles, admin and designer. The regular expression to extract them is cn=([^,]+).

authentication.oauth2.identity.attribute.username
    The attribute extracted from the identity response and used as the username.

authentication.oauth2.identity.url
    The URL of the REST service that returns details about the authenticated user. Panopticon Real Time calls it with the access token obtained from the OAuth 2.0 provider.

authentication.oauth2.login.callback.url
    The callback URL to which the OAuth 2.0 provider redirects the browser after login. It must be identical to one of the callback (redirect) URLs registered for the client at the OAuth 2.0 server, and it must point at Panopticon Real Time.

authentication.oauth2.login.response.type
    The response type. The only response type currently supported is code. The value can also be left blank.

authentication.oauth2.login.redirect.url
    The URL the user is redirected to after logging in successfully. Can be left blank, in which case the user is redirected to the URL they originally requested.

authentication.oauth2.login.scope
    The requested scope. Can be left blank.

authentication.oauth2.login.state
    The requested state. Can be left blank. Note that in OAuth 2.0 the state parameter exists to tie the callback to the browser session that started the login (RFC 6749, section 10.12); a fixed value configured here does not provide that binding.

authentication.oauth2.login.url
    The URL of the OAuth 2.0 login (authorization) resource. Can be left blank.

authentication.oauth2.logout.redirect.url
    The URL the user is redirected to after logging out. If authentication.oauth2.logout.url is set to the provider's revocation URL, logging out also revokes the token at the authentication server; if it is not set, the server only discards its own copy of the token. If neither property is set, the server attempts to redirect to the Panopticon start page on logout.

authentication.oauth2.logout.url
    The URL of the OAuth 2.0 logout (token revocation) resource. Can be left blank.

authentication.oauth2.token.method
    How the token is retrieved from the token resource. Supported values are QUERY, BODY and HEADER. Prefer HEADER or BODY where the provider allows it, since query-string parameters are routinely written to web server and proxy logs.

authentication.oauth2.token.url
    The URL of the OAuth 2.0 token resource.

access.default.roles
    The default roles assigned to every user. Can be left blank, in which case the VIEWER role is used.

access.administrator.groups
    The list of roles from the OAuth 2.0 identity response that are granted administrator access.

access.designer.groups
    The list of roles from the OAuth 2.0 identity response that are granted designer access.

access.viewer.groups
    The list of roles from the OAuth 2.0 identity response that are granted viewer access.
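The role extraction and group mapping described above, as an added worked example; this is not part of the Altair documentation or of the Panopticon product code. It reads a constructed authentication.oauth2.* fragment, applies the configured role attribute and regular expression to two constructed identity responses (the LDAP-style string from the cn=([^,]+) example and the JSON-array form "roles": ["VIEWER","DESIGNER"]), and maps the resulting roles onto the administrator, designer and viewer groups. The attribute names (memberOf, preferred_username), the group values, the treatment of access.default.roles as roles every user receives, and the assumption that group matching is an exact, case-sensitive comparison are illustrative assumptions, not documented Panopticon behaviour.

```python
import re

# Constructed authentication.oauth2.* fragment for illustration only. The
# attribute names (memberOf, preferred_username) and group names are
# assumptions, not Altair defaults; client id/secret and URLs are omitted.
PROPERTIES = """
authentication.type=OAUTH2
authentication.oauth2.identity.attribute.username=preferred_username
authentication.oauth2.identity.attribute.roles=memberOf
authentication.oauth2.identity.attribute.roles.pattern=cn=([^,]+)
access.default.roles=VIEWER
access.administrator.groups=admin
access.designer.groups=designer
access.viewer.groups=viewer,staff
"""

# Variant for the JSON-array form: role attribute 'roles', no regex, and
# group names that match the array values (later keys override earlier ones).
PROPERTIES_ARRAY = PROPERTIES + """
authentication.oauth2.identity.attribute.roles=roles
authentication.oauth2.identity.attribute.roles.pattern=
access.designer.groups=DESIGNER
access.viewer.groups=VIEWER
"""

# Constructed identity responses, i.e. what the REST service behind
# authentication.oauth2.identity.url might return, already decoded from JSON.
IDENTITY_DN = {
    "preferred_username": "alice",
    "memberOf": "cn=admin,ou=groups,dc=openam,dc=openidentityplatform,dc=org,"
                "cn=designer,ou=groups,dc=openam,dc=openidentityplatform,dc=org",
}
IDENTITY_ARRAY = {"preferred_username": "bob", "roles": ["VIEWER", "DESIGNER"]}


def parse_properties(text):
    """Minimal Java-style .properties reader: the first '=' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def extract_username(identity, props):
    """Username taken from the configured identity attribute (None if absent)."""
    attr = props.get("authentication.oauth2.identity.attribute.username", "")
    return identity.get(attr) if attr else None


def extract_roles(identity, props):
    """Roles from the identity response per the configured attribute and regex.

    Every match of the pattern contributes one role (its first capture group,
    or the whole match if the pattern has no group). With no pattern the
    attribute values are used as-is. Returns [] if no role attribute is present.
    """
    attr = props.get("authentication.oauth2.identity.attribute.roles", "")
    pattern = props.get("authentication.oauth2.identity.attribute.roles.pattern", "")
    if not attr or attr not in identity:
        return []
    raw = identity[attr]
    values = raw if isinstance(raw, list) else [raw]
    if not pattern:
        return [str(v) for v in values]
    regex = re.compile(pattern)
    roles = []
    for value in values:
        for m in regex.finditer(str(value)):
            roles.append(m.group(1) if regex.groups else m.group(0))
    return roles


def effective_access(roles, props):
    """Map extracted roles onto the access.*.groups lists.

    Assumes an exact, case-sensitive comparison between role names and group
    entries, and that access.default.roles (VIEWER if blank) applies to everyone.
    """
    def csv_set(key, fallback=""):
        return {g.strip() for g in (props.get(key) or fallback).split(",") if g.strip()}
    levels = {
        "ADMINISTRATOR": csv_set("access.administrator.groups"),
        "DESIGNER": csv_set("access.designer.groups"),
        "VIEWER": csv_set("access.viewer.groups"),
    }
    granted = {level for level, groups in levels.items() if groups & set(roles)}
    return sorted(granted | csv_set("access.default.roles", "VIEWER"))


if __name__ == "__main__":
    for identity, text in ((IDENTITY_DN, PROPERTIES), (IDENTITY_ARRAY, PROPERTIES_ARRAY)):
        props = parse_properties(text)
        roles = extract_roles(identity, props)
        print(extract_username(identity, props), roles, effective_access(roles, props))
```

When choosing authentication.oauth2.identity.attribute.username, prefer a stable unique identifier from the identity response (such as an OpenID Connect sub claim) over a display name or e-mail address that the user or the provider can change, since folder permissions are keyed on the extracted value.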