AppAuth/OIDC

AppAuth/Generic OAuth2 configuration will support login through the BlueFletch Browser, as well as Chrome Custom Tabs. The authenticating browser is defined by the browser value.

Field Description

Field	Description
issuer_url	string The configured issuer URL for the identity provider.
client_id	string The configured client ID for this application.
redirect_url	string The configured redirect callback URL for this application. The recommended callback URL is `"com.bluefletch.launcher:/callback"`. However, if the identity provider only supports HTTPS redirect URLs, use "https://us-central1-bluefletch-ems.cloudfunctions.net/launcherRedirect/auth". Starting in Auth4, the redirect callback URL should be `com.bluefletch.ems.auth://callback`
redirect_url_verify	string Specifies the redirect URL used when refreshing cookies during the verification after reauthentication. Always set the value as `"com.bluefletch.ems.auth://verified"`. Requires the Launcher `settings` configuration to also have `verifyIdpOnReauth` set to `true`.
scopes	string The OpenID scope values required for the identity provider.
baseUrl	string Base URL for the identity provider.
authorize_url	string The full URL for the `authorize` endpoint for the identity provider.
token_url	string The full URL for the `token` endpoint for the identity provider.
logout_url	string The full URL for the `logout` endpoint for the identity provider.
logout_redirect	string The full URL for the logout redirection location for your IdP. Default is `"com.bluefletch.ems.auth://logout"`.
userinfo_url	string The full URL of the `userInfo` endpoint for the identity provider.
resource	string Specifies the host to access for a token during login when the IdP does not provide it through `userinfo_url`. Used in Azure AD authentication (e.g `"https://graph.microsoft.com"`).
alternateResource	string Specifies an additional resource for which the access token should be valid. By default, Azure generates an encrypted access token for use with Microsoft Graph. By specifying an alternate host, the token becomes a standard access token. (e.g. `https://graph.windows.net` or `api://com.bluefletch.ems.auth`). Available starting version 4.8.17.
login_hint	string Hint to be displayed for the username field on the identity provider login page.
ignoreExpiresIn	boolean If `true`, instructs the launcher to refresh the token based on the `refreshThresholdInMins` value instead of the expiration indicated in the token.
browser	string Specifies the browser package name to execute the `authorize` call. Default is `"com.android.chrome"`.
refreshThresholdInMins	integer The number of minutes after which the launcher will automatically refresh the token if `ignoreExpiresIn` is set to `true`.
auth_location_field	string An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with `auth_location_regex`.
auth_location_regex	string A regular expression to extract the location value from the location field. Used in conjunction with `auth_location_field`.
auth_group_field	string An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with `auth_group_regex`.
auth_group_regex	string A regular expression to match against the group information. Used in conjunction with `auth_group_field`.
auth_group_regex_true	string If the regular expression `auth_group_regex` returns `true` (found a value), will use this group value.
auth_default_group	string A default group.
auth_role_field	string An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with `auth_role_regex`. Available in Auth 1.1.x.
auth_role_regex	string A regular expression to match against the role information. Used in conjunction with `auth_role_field`.
auth_role_regex_true	string If the regular expression `auth_role_regex` returns `true` (found a value), will use this role value.
auth_default_role	string A default user role.
claim_userId	string The claim in the access token that contains the user ID of the logged-in user.
claim_username	string The claim in the access token that contains the display name of the logged-in user.
claim_groups	string The claim in the access token that contains the logged-in user's membership groups.
userinfo_attrs	string A comma-delimited list of names indicating the field names within the `userInfo` response that should be copied into the session extended attributes collection. This provides the ability to get optional data points.

issuer_url

string The configured issuer URL for the identity provider.

client_id

string The configured client ID for this application.

redirect_url

string The configured redirect callback URL for this application. The recommended callback URL is "com.bluefletch.launcher:/callback". However, if the identity provider only supports HTTPS redirect URLs, use "https://us-central1-bluefletch-ems.cloudfunctions.net/launcherRedirect/auth". Starting in Auth4, the redirect callback URL should be com.bluefletch.ems.auth://callback

redirect_url_verify

string Specifies the redirect URL used when refreshing cookies during the verification after reauthentication. Always set the value as "com.bluefletch.ems.auth://verified". Requires the Launcher settings configuration to also have verifyIdpOnReauth set to true.

scopes

string The OpenID scope values required for the identity provider.

baseUrl

string Base URL for the identity provider.

authorize_url

string The full URL for the authorize endpoint for the identity provider.

token_url

string The full URL for the token endpoint for the identity provider.

logout_url

string The full URL for the logout endpoint for the identity provider.

logout_redirect

string The full URL for the logout redirection location for your IdP. Default is "com.bluefletch.ems.auth://logout".

userinfo_url

string The full URL of the userInfo endpoint for the identity provider.

resource

string Specifies the host to access for a token during login when the IdP does not provide it through userinfo_url. Used in Azure AD authentication (e.g "https://graph.microsoft.com").

alternateResource

string Specifies an additional resource for which the access token should be valid. By default, Azure generates an encrypted access token for use with Microsoft Graph. By specifying an alternate host, the token becomes a standard access token. (e.g. https://graph.windows.net or api://com.bluefletch.ems.auth). Available starting version 4.8.17.

login_hint

string Hint to be displayed for the username field on the identity provider login page.

ignoreExpiresIn

boolean If true, instructs the launcher to refresh the token based on the refreshThresholdInMins value instead of the expiration indicated in the token.

browser

string Specifies the browser package name to execute the authorize call. Default is "com.android.chrome".

refreshThresholdInMins

integer The number of minutes after which the launcher will automatically refresh the token if ignoreExpiresIn is set to true.

auth_location_field

string An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with auth_location_regex.

auth_location_regex

string A regular expression to extract the location value from the location field. Used in conjunction with auth_location_field.

auth_group_field

string An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with auth_group_regex.

auth_group_regex

string A regular expression to match against the group information. Used in conjunction with auth_group_field.

auth_group_regex_true

string If the regular expression auth_group_regex returns true (found a value), will use this group value.

auth_default_group

string A default group.

auth_role_field

string An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with auth_role_regex. Available in Auth 1.1.x.

auth_role_regex

string A regular expression to match against the role information. Used in conjunction with auth_role_field.

auth_role_regex_true

string If the regular expression auth_role_regex returns true (found a value), will use this role value.

auth_default_role

string A default user role.

claim_userId

string The claim in the access token that contains the user ID of the logged-in user.

claim_username

string The claim in the access token that contains the display name of the logged-in user.

claim_groups

string The claim in the access token that contains the logged-in user's membership groups.

userinfo_attrs

string A comma-delimited list of names indicating the field names within the userInfo response that should be copied into the session extended attributes collection. This provides the ability to get optional data points.

Example:

...
  "auth_oauth2": {
    "client_id": "com.bluefletch.ems.auth",
    "redirect_url": "com.bluefletch.launcher:/callback",
    "baseUrl": "https://oauth2server.bluefletch.com",
    "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
    "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
    "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
    "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
    "scopes": "openid profile offline_access groups",
    "claim_userId": "upn",
    "claim_username": "commonname",
    "claim_groups": "memberof",
    "browser": "com.bluefletch.ems.browser"
}
...

Okta Example:

"auth_oauth2": {
        "issuer_url": "https://dev.oktapreview.com",
        "client_id": "0o5o9hn89wN4AAhhJ0h7",
        "redirect_url": "com.bluefletch.ems.auth://callback",
        "browser": "com.bluefletch.ems.browser",
        "scopes": "openid profile offline_access groups",
        "logout_redirect": "com.bluefletch.ems.auth://logout"
    },

PreviousLDAP NextOkta (Session)

Last updated 6 months ago