Altair® Panopticon


OAuth 2.0

This section discusses how to configure Panopticon Real Time to use OAuth 2.0 for authorization. Upon a logon request, Panopticon Real Time redirects the user to the login page provided by the OAuth 2.0 provider.

Note that OAuth 2.0 does not normally specify how the user is authenticated; Panopticon Real Time only knows whether the user is authorized or not. To authenticate the user, Panopticon Real Time can be configured to use a REST service to extract the user identity with an access token retrieved from the OAuth 2.0 provider. In addition to the standard OAuth 2.0 configurations, the server includes properties (i.e., authentication.oauth2.*) that are specifically used to extract the user details.

If user roles are configured, the user identity attribute (i.e., authentication.oauth2.identity.attribute.roles=<Name of role attribute in OAuth2 server>) expects a list of roles, which enables role-based access restrictions on workbook folders.

For example: "roles": ["VIEWER","DESIGNER"]

If this attribute is not set, the default role VIEWER is used.


To use OAuth 2.0, change the authentication type:



Afterwards, configure the following properties to match your OAuth server configuration.



The ID of the OAuth 2.0 client.


The secret used by the OAuth 2.0 client.


The attribute that will be extracted from the identity response and used as the role.


A regular expression used to extract the roles from the OAuth 2.0 server identity response.

For example, the returned string:


contains two roles, admin and designer.

The regex to extract the roles is cn=([^,]+).
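The following added example (not Panopticon code) checks what the pattern cn=([^,]+) extracts before it is deployed. The sample strings, the expected-role set, the stricter pattern and the helper names are constructed for illustration, and Python's re module stands in for the server's regex engine, which treats this simple pattern the same way.

```python
import re

# Pattern quoted on this page for extracting roles from the identity response.
ROLE_PATTERN = r"cn=([^,]+)"

# Stricter alternative (assumption: role names use only letters, digits, _ and -).
STRICT_PATTERN = r"cn=([A-Za-z0-9_-]+)"


def extract_roles(value, pattern=ROLE_PATTERN):
    """Return every capture-group-1 match, in order, without duplicates."""
    roles = []
    for match in re.finditer(pattern, value):
        role = match.group(1)
        if role not in roles:
            roles.append(role)
    return roles


def check_roles(value, expected, pattern=ROLE_PATTERN):
    """Hypothetical pre-deployment check: separate the extracted values into
    roles you expect and anything else (typos, trailing characters, stray CNs)."""
    roles = extract_roles(value, pattern)
    known = [r for r in roles if r in expected]
    unexpected = [r for r in roles if r not in expected]
    return known, unexpected


# Constructed sample data, not taken from a real identity provider.
EXPECTED = {"admin", "designer", "viewer"}
DN_LIST = ("cn=admin,ou=groups,dc=example,dc=com;"
           "cn=designer,ou=groups,dc=example,dc=com")
JSON_LIKE = '["cn=admin,ou=groups", "cn=designer"]'

if __name__ == "__main__":
    # Each cn= value is followed by a comma, so both roles come out clean.
    print(check_roles(DN_LIST, EXPECTED))
    # The last cn= value has no comma after it, so [^,]+ runs to the end of
    # the string and the closing quote and bracket become part of the "role".
    print(check_roles(JSON_LIKE, EXPECTED))
    # Restricting the character class avoids swallowing the trailing characters.
    print(check_roles(JSON_LIKE, EXPECTED, STRICT_PATTERN))
```

Any value reported as unexpected will not match an entry in the administrator, designer or viewer role lists, so run the check against an identity response captured from your own provider.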


The attribute that will be extracted from the identity response and used as the username.


The URL to the REST service that provides details about the authenticated user.


The callback URL. The URL should be the same as one of the specified callback URLs used by the client. The URL should refer to Panopticon Real Time.


The response type. The only response type that is currently supported is code. The value can also be left blank.


Redirects the user to the specified URL after successfully logging in. This property can be left blank, in which case the user is redirected to the URL they requested to access.


The requested scope. The property can be left blank.


The requested state. The property can be left blank.


The URL to the OAuth 2.0 login resource. This field can be left blank.


Logging out revokes the token from the authentication server if the property authentication.oauth2.logout.url is set to the revocation URL. If this property is not set, the server will only remove its own token.

If none of these properties are set, the server will attempt to redirect to the Panopticon start page when logging out.


The URL to the OAuth 2.0 logout resource. This property can be left blank.


The method by which the token should be retrieved. Supported values are QUERY, BODY, and HEADER.


The URL to the OAuth 2.0 token resource.


The default role that will be assigned to everyone to execute a specific service. The field can be left blank. If left blank, the VIEWER role is used.


The list of administrator roles authenticated by the OAuth 2.0 server.


The list of designer roles authenticated by the OAuth 2.0 server.


The list of viewer roles authenticated by the OAuth 2.0 server.