OAuth2 / OpenID-Connect#
Configuration#
Authenticate the user using an external OAuth2 authenticator server. It accepts the following configuration parameters:
| Parameter | Description |
|---|---|
| Client ID | client ID in the OAuth2 server |
| Client secret | client secret in the OAuth2 server |
| TheHive redirect URL | the url of TheHive AOuth2 page ( https://xxx/api/ssoLogin) |
| Authorization URL | the url of the OAuth2 server |
| Token URL | the token url of the OAuth2 server |
| User information URL | the url to get user information in OAuth2 server |
| List of scope | list of scope |
| Field that contains the id of the user in user info | the field that contains the id of the user in user info |
Examples#
| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/auth |
| Token URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/token |
| User information URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/userinfo |
| List of scope | ["openid", "email"] |
| Field that contains the id of the user in user info | "email" |
| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | http://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://OKTA/oauth2/v1/authorize |
| Token URL | http://OKTA/oauth2/v1/token |
| User information URL | http://OKTA/oauth2/v1/userinfo |
| List of scope | ["openid", "email"] |
| Field that contains the id of the user in user info | "email" |
| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://github.com/login/oauth/authorize |
| Token URL | https://github.com/login/oauth/access_token |
| User information URL | https://api.github.com/user |
| List of scope | ["user"] |
| Field that contains the id of the user in user info | "email" |
Note
CLIENT_IDandCLIENT_SECRETare created in the OAuth Apps section at https://github.com/settings/developers.- this configuration requires that users set the Public email in their Public Profile on https://github.com/settings/profile.
| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/TENANT/oauth2/v2.0/token |
| User information URL | https://graph.microsoft.com/v1.0/me |
| List of scope | ["User.Read"] |
| Field that contains the id of the user in user info | "mail" |
Note
To create CLIENT_ID, CLIENT_SECRET and TENANT, register a new app at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth |
| Token URL | https://oauth2.googleapis.com/token |
| User information URL | https://openidconnect.googleapis.com/v1/userinfo |
| List of scope | ["email", "profile", "openid"] |
| Field that contains the id of the user in user info | "email" |
Note
CLIENT_IDandCLIENT_SECRETare created in the_APIs & Services_ > _Credentials_section of the GCP Console- Instructions on how to create Oauth2 credentials at https://support.google.com/cloud/answer/6158849
- For the latest reference for Google auth URLs please check Google's .well-known/openid-configuration
User autocreation#
To allow users to login without previously creating them, you can enable autocreation, and specify few options:
- Field that contains the name of the user in user info
- Field that contains the name of the organisation in user info
- Default organisation applied to new users
- Default profile applied to new users
