# OAuth2 / OpenID-Connect

## Configuration
Authenticate users against an external OAuth2 / OpenID-Connect authorization server. The following configuration parameters are accepted:

| Parameter | Description |
|---|---|
| Client ID | client ID of TheHive as registered in the OAuth2 server |
| Client secret | client secret of TheHive as registered in the OAuth2 server |
| TheHive redirect URL | the URL of TheHive's OAuth2 callback page (`https://xxx/api/ssoLogin`); it must exactly match the redirect URI registered with the OAuth2 server |
| Authorization URL | the authorization endpoint of the OAuth2 server, where the user's browser is sent to log in |
| Token URL | the token endpoint of the OAuth2 server, where the authorization code is exchanged for an access token |
| User information URL | the endpoint of the OAuth2 server from which user information is fetched with the access token |
| List of scope | the list of scopes requested from the OAuth2 server |
| Field that contains the id of the user in user info | the name of the field in the user information response that holds the user's identifier |
## Examples

### Keycloak

| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/auth |
| Token URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/token |
| User information URL | http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/userinfo |
| List of scope | ["openid", "email"] |
| Field that contains the id of the user in user info | "email" |
### Okta

| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | http://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://OKTA/oauth2/v1/authorize |
| Token URL | http://OKTA/oauth2/v1/token |
| User information URL | http://OKTA/oauth2/v1/userinfo |
| List of scope | ["openid", "email"] |
| Field that contains the id of the user in user info | "email" |
### GitHub

| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://github.com/login/oauth/authorize |
| Token URL | https://github.com/login/oauth/access_token |
| User information URL | https://api.github.com/user |
| List of scope | ["user"] |
| Field that contains the id of the user in user info | "email" |

**Note**

- CLIENT_ID and CLIENT_SECRET are created in the OAuth Apps section at https://github.com/settings/developers.
- This configuration requires that users set the Public email in their Public Profile on https://github.com/settings/profile.
### Azure AD

| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/TENANT/oauth2/v2.0/token |
| User information URL | https://graph.microsoft.com/v1.0/me |
| List of scope | ["User.Read"] |
| Field that contains the id of the user in user info | "mail" |

**Note**

To create CLIENT_ID, CLIENT_SECRET and TENANT, register a new app at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
### Google

| Parameter | Value |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| TheHive redirect URL | https://THEHIVE_URL/api/ssoLogin |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth |
| Token URL | https://oauth2.googleapis.com/token |
| User information URL | https://openidconnect.googleapis.com/v1/userinfo |
| List of scope | ["email", "profile", "openid"] |
| Field that contains the id of the user in user info | "email" |

**Note**

- CLIENT_ID and CLIENT_SECRET are created in the _APIs & Services_ > _Credentials_ section of the GCP Console.
- Instructions on how to create OAuth2 credentials: https://support.google.com/cloud/answer/6158849
- For the latest reference for Google auth URLs, check Google's .well-known/openid-configuration.
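The following is an added example, not TheHive's own code: it walks through how the parameters above are used in the authorization-code flow (build the authorization URL, check the `state` on the callback, exchange the code at the token URL, fetch user info and read the configured user-id field). The configuration mirrors the GitHub example, and the provider is a constructed stub so the script runs offline; the `post`/`get` transports and the stub responses are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample configuration mirroring the GitHub example above.
CONFIG = {
    "client_id": "CLIENT_ID",
    "client_secret": "CLIENT_SECRET",
    "redirect_url": "https://THEHIVE_URL/api/ssoLogin",
    "authorization_url": "https://github.com/login/oauth/authorize",
    "token_url": "https://github.com/login/oauth/access_token",
    "userinfo_url": "https://api.github.com/user",
    "scopes": ["user"],
    "user_id_field": "email",
}

def build_authorization_url(cfg, state):
    """Step 1: URL the browser is sent to; `state` is checked again on the callback."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_url"], "scope": " ".join(cfg["scopes"]),
              "state": state}
    return cfg["authorization_url"] + "?" + urlencode(params)

def complete_login(cfg, callback_url, expected_state, post, get):
    """Steps 2-4: verify state, exchange the code, read the configured user-id field.
    `post(url, form)` and `get(url, headers)` are injectable transports returning dicts."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this login attempt")
    token = post(cfg["token_url"], {
        "grant_type": "authorization_code", "code": query["code"][0],
        "redirect_uri": cfg["redirect_url"],  # must equal the URI registered at the provider
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]})
    info = get(cfg["userinfo_url"], {"Authorization": "Bearer " + token["access_token"]})
    user_id = info.get(cfg["user_id_field"])
    if not user_id:  # e.g. GitHub returns a null email unless a public email is set
        raise ValueError(f"user info has no usable '{cfg['user_id_field']}' field")
    return user_id

# Constructed stub provider standing in for the real token and userinfo endpoints.
def fake_post(url, form):
    assert url == CONFIG["token_url"] and form["redirect_uri"] == CONFIG["redirect_url"]
    return {"access_token": "tok-1", "token_type": "bearer"} if form["code"] == "abc123" else {}

def fake_get(url, headers):
    assert url == CONFIG["userinfo_url"] and headers["Authorization"] == "Bearer tok-1"
    return {"login": "alice", "email": "alice@example.com"}

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(CONFIG, state))
    callback = f"{CONFIG['redirect_url']}?code=abc123&state={state}"
    print(complete_login(CONFIG, callback, state, fake_post, fake_get))
```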
## User autocreation

To let users log in without having been created beforehand, enable autocreation and set a few options:
- Field that contains the name of the user in user info
- Field that contains the name of the organisation in user info
- Default organisation applied to new users
- Default profile applied to new users