Skip to content

docs: Add OAUTH authentication module documentation #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 13 commits into
base: master
Choose a base branch
from
+174 −1
Open

docs: Add OAUTH authentication module documentation #136

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
7d0f045
Initial plan
Copilot Mar 26, 2026
6ac1a1d
docs: Add OAUTH authentication module documentation
Copilot Mar 26, 2026
51db01d
Update openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc
vharseko Mar 26, 2026
97c3581
docs: Fix inconsistent authenticationId in OAUTH sample config
Copilot Mar 26, 2026
93cfe4a
docs: Add resolvers row to OAUTH module properties table
Copilot Mar 26, 2026
0950d37
Update openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc
vharseko Mar 26, 2026
2643401
Update openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-…
vharseko Mar 26, 2026
80818d2
docs: Clarify authenticationId distinction in OAUTH sample config
Copilot Mar 26, 2026
67d1349
docs: Clarify authenticationId distinction in appendix module-level t…
Copilot Mar 26, 2026
bab62db
docs: Fix scope example and expand authenticationId note per review
Copilot Mar 26, 2026
b9c62c4
docs: Restructure OAUTH tables to match OPENAM_SESSION 4-column format
Copilot Mar 27, 2026
d06c60f
docs: Restructure OAUTH tables to match OPENAM_SESSION Basic/Advanced…
Copilot Mar 27, 2026
08daefd
docs: update copyright year to 2024-2026 for 3A Systems LLC
Copilot Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 112 additions & 1 deletion openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
information: "Portions copyright [year] [name of copyright owner]".

Copyright 2017 ForgeRock AS.
Portions Copyright 2024-2025 3A Systems LLC.
Portions Copyright 2024-2026 3A Systems LLC.
////

:figure-caption!:
Expand Down Expand Up @@ -291,4 +291,115 @@ a|authentication.json
|===
In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files.

[#oauth-module-details]
=== OAUTH Module Configuration Options

The `OAUTH` module authenticates users via a generic OAuth 2.0 provider. It validates an OAuth 2.0 `access_token` by calling the provider's `userinfo_endpoint`. For more information, see xref:chap-auth.adoc#oauth-module["OAUTH"].

The options shown in the Admin UI are subdivided into basic and advanced properties. You may need to click Advanced Properties to review those details.

[#table-oauth-basic]
.OAUTH Module Basic Properties
[cols="18%,27%,27%,28%"]
|===
|Admin UI Label |Default |Description |Configuration File

a|Module Enabled
a|false
a|Whether to enable the module
a|authentication.json

a|Client ID
a|blank
a|OAuth 2.0 client ID registered with the provider (`resolvers[].client_id`)
a|authentication.json

a|Client Secret
a|blank
a|OAuth 2.0 client secret registered with the provider (`resolvers[].client_secret`)
a|authentication.json

a|Scope
a|blank
a|OAuth 2.0 scopes needed to access provider APIs (`resolvers[].scope`)
a|authentication.json

a|Authorization Endpoint
a|https://openam.example.com/openam/oauth2/authorize
a|Provider's authorization endpoint URL (`resolvers[].authorization_endpoint`)
a|authentication.json

a|Token Endpoint
a|https://openam.example.com/openam/oauth2/access_token
a|Provider's token endpoint URL (`resolvers[].token_endpoint`)
a|authentication.json

a|User Info Endpoint
a|https://openam.example.com/openam/oauth2/userinfo
a|Provider's userinfo endpoint URL (`resolvers[].userinfo_endpoint`). The access token is validated by calling this endpoint.
a|authentication.json

a|Authentication ID attribute for the User ID
a|sub
a|Attribute name in the provider's userinfo response that contains the user identifier (`resolvers[].authenticationId`)
a|authentication.json

a|Sign-In Button HTML
a|(HTML button markup)
a|HTML markup for the social login button displayed in the UI (`resolvers[].icon`)
a|authentication.json

a|Query on Resource
a|managed/user
a|Managed object endpoint to query after the token is validated against the provider (`queryOnResource`)
a|authentication.json

a|Default User Roles
a|openidm-authorized
a|Roles assigned to all users who authenticate successfully through this module (`defaultUserRoles`)
a|authentication.json

a|Authentication ID
a|userName
a|Attribute in the managed object used as the authentication identifier when querying the resource (`propertyMapping.authenticationId`)
a|authentication.json

a|Method for Determining Roles
a|User Roles Property
a|How roles are determined for the authenticated user (`propertyMapping`)
a|authentication.json

a|User Roles Property
a|authzRoles
a|Attribute in the managed object used for authorization roles (`propertyMapping.userRoles`)
a|authentication.json
|===

[#table-oauth-advanced]
.OAUTH Module Advanced Properties
[cols="18%,27%,27%,28%"]
|===
|Admin UI Label |Default |Description |Configuration File

a|Use Query ID
a|blank
a|A defined `queryId` used to search against the `queryOnResource` endpoint (`queryId`)
a|authentication.json

a|OAuth Token Header
a|authToken
a|Name of the HTTP request header that carries the OAuth 2.0 access token (`authTokenHeader`). This header is required; authentication fails if it is absent.
a|authentication.json

a|OAuth Resolver Header
a|provider
a|Name of the HTTP request header that identifies the provider resolver to use (`authResolverHeader`). The value must match the resolver name.
a|authentication.json

a|Augment Security Context
a|JavaScript
a|Type of script executed after a successful authentication request (`augmentSecurityContext`). Supports JavaScript or Groovy.
a|authentication.json
|===


62 changes: 62 additions & 0 deletions openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -480,6 +480,68 @@ Set up logins with OpenAM, to work with the related login session cookie, known
IWA::
The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"].

[#oauth-module]
OAUTH::
The `OAUTH` module authenticates users via a generic OAuth 2.0 provider by validating an OAuth 2.0 `access_token` against the provider's `userinfo_endpoint`. Unlike the `OPENID_CONNECT` module, it does not use JWT identity tokens.
+
The module requires two HTTP request headers. Their names are configured by the following properties:
+
* `authTokenHeader` — configuration property that specifies the name of the HTTP header carrying the OAuth 2.0 access token (for example, `authToken` in the sample below).
* `authResolverHeader` — configuration property that specifies the name of the HTTP header that identifies the provider resolver (from the `resolvers` list) that should validate the token (for example, `provider` in the sample below).
+
Using two headers allows a single module instance to support multiple OAuth providers simultaneously, each defined as a separate entry in the `resolvers` array.
+
The following sample configuration shows the `OAUTH` module with a single provider resolver:
+
[source, json]
----
{
"name" : "OAUTH",
"enabled" : true,
"properties" : {
"augmentSecurityContext": {
"type" : "text/javascript",
"file" : "auth/populateAsManagedUserFromRelationship.js"
},
"propertyMapping" : {
"userRoles" : "authzRoles",
"authenticationId" : "userName"
},
"defaultUserRoles" : [
"openidm-authorized"
],
"resolvers" : [
{
"name" : "myProvider",
"type" : "OAUTH",
"icon" : "<button class=\"btn btn-lg btn-default btn-block btn-social-provider\"><img src=\"images/provider.png\">Sign in with Provider</button>",
"scope" : ["profile", "email"],
"authenticationId" : "sub",
"propertyMap" : [
{
"source" : "sub",
"target" : "userName"
}
],
Comment on lines +514 to +525
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sample mixes two different “identity” fields without explaining how they relate: resolver authenticationId/propertyMap.source uses sub, but propertyMapping.authenticationId is set to _id while the mapped managed attribute target is userName. This makes it unclear which managed attribute is intended to be the effective authentication identifier. Consider aligning the example (e.g., set propertyMapping.authenticationId to userName if that’s the mapped identifier) and/or adding a short note explaining the distinction between resolver authenticationId (userinfo response field) and propertyMapping.authenticationId (managed object field).

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member

@vharseko vharseko Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot apply changes based on this feedback

Copy link
Copy Markdown
Contributor Author

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 80818d2propertyMapping.authenticationId is already "userName" (consistent with the propertyMap target userName), and added a note after the sample explaining that authenticationId means different things at the two levels: inside resolvers[] it refers to the provider's userinfo response field (e.g., sub), while at propertyMapping level it refers to the managed object attribute used as the authentication identifier (e.g., userName).

"enabled" : true,
"client_id" : "your-client-id",
"client_secret" : "your-client-secret",
"authorization_endpoint" : "https://provider.example.com/oauth2/authorize",
"token_endpoint" : "https://provider.example.com/oauth2/access_token",
"userinfo_endpoint" : "https://provider.example.com/oauth2/userinfo"
}
],
"queryOnResource" : "managed/oauth",
"authTokenHeader" : "authToken",
"authResolverHeader" : "provider"
}
}
----
+
Note that `authenticationId` appears at two different levels with different meanings: inside each `resolvers[]` entry it names the field in the provider's userinfo response that identifies the user (for example, `sub`); at the `propertyMapping` level it names the attribute in the managed object (for example, `userName`) that OpenIDM uses as the authentication identifier after the userinfo fields have been mapped via `propertyMap`. The resolver-level `authenticationId` userinfo field must therefore be included in `propertyMap` and mapped into the managed-object attribute referenced by `propertyMapping.authenticationId`, so that OpenIDM can correlate the resolved user to the `queryOnResource` entry.
+
For detailed property descriptions, see xref:appendix-auth-modules.adoc#oauth-module-details["OAUTH Module Configuration Options"].

--


Expand Down
Loading