OAuth2

Examples of setups for different OAuth providers

Generic configuration

In general, the structure of the OAuth2 config looks as follows:

auth:
  type: OAUTH2
  oauth2:
    client:
      <unique_name>:
        clientId: xxx
        clientSecret: yyy
        scope: openid
        client-name: cognito # will be displayed on the login page
        provider: <provider>
        redirect-uri: http://localhost:8080/login/oauth2/code/<provider>
        authorization-grant-type: authorization_code
        issuer-uri: https://xxx
        jwk-set-uri: https://yyy/.well-known/jwks.json
        user-name-attribute: <zzz>
        custom-params:
          type: <provider_type> # set this if you use RBAC. Supported values: cognito, google, github, oauth (for other generic providers)
          roles-field: groups # required for RBAC: the name of the field in the OAuth token that contains the user's roles/groups

Service Discovery

For specific providers such as GitHub (non-enterprise) and Google (see the current list), you don't have to specify URIs because they're well known.

Furthermore, other providers that support OIDC Service Discovery allow fetching the URI configuration from a /.well-known/openid-configuration endpoint. Depending on your setup, you may only have to set the issuer-uri of your provider to enable OIDC Service Discovery.
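As an added example (not part of the project's code), the following Python shows what the settings above correspond to at runtime: deriving the discovery URL from issuer-uri, checking the discovery document's issuer before taking jwk-set-uri and the endpoints from it, and applying user-name-attribute and roles-field to the claims of a token whose signature has already been verified against the JWK set. The provider URLs and claims are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what an OIDC provider serves at
# <issuer-uri>/.well-known/openid-configuration (placeholder URLs).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "authorization_endpoint": "https://idp.example.com/realms/demo/auth",
    "token_endpoint": "https://idp.example.com/realms/demo/token",
    "jwks_uri": "https://idp.example.com/realms/demo/certs",
})

# Constructed sample of the claims in a signature-verified ID token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/realms/demo",
    "preferred_username": "alice",
    "groups": ["kafka-admins", "devs"],
}


def discovery_url(issuer_uri: str) -> str:
    """Derive the discovery endpoint that issuer-uri points to."""
    if urlsplit(issuer_uri).scheme != "https":
        raise ValueError("issuer-uri must use https")
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def resolve_provider(issuer_uri: str, discovery_json: str) -> dict:
    """Map a discovery document onto the URIs you would otherwise set by hand."""
    doc = json.loads(discovery_json)
    # The issuer must equal issuer-uri, or a hostile document could supply foreign keys.
    if doc.get("issuer", "").rstrip("/") != issuer_uri.rstrip("/"):
        raise ValueError("discovery issuer does not match issuer-uri")
    missing = [k for k in ("authorization_endpoint", "token_endpoint", "jwks_uri")
               if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return {"issuer-uri": doc["issuer"], "jwk-set-uri": doc["jwks_uri"],
            "authorization-uri": doc["authorization_endpoint"],
            "token-uri": doc["token_endpoint"]}


def roles_from_claims(claims: dict, issuer_uri: str, roles_field: str,
                      user_name_attribute: str) -> tuple:
    """Apply user-name-attribute and roles-field (RBAC) to verified claims."""
    if claims.get("iss") != issuer_uri:
        raise ValueError("token iss does not match issuer-uri")
    roles = claims.get(roles_field, [])
    if isinstance(roles, str):  # some providers send a space-separated string
        roles = roles.split()
    return claims[user_name_attribute], list(roles)
```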

Provider config examples

Cognito

Google

Azure

GitHub

Example of a callback URL for the GitHub OAuth app settings:

https://kafbat.io/login/oauth2/code/github

For a self-hosted installation, see the properties below.

Self-hosted/Cloud (GitHub Enterprise Server)

Replace HOSTNAME with the FQDN of your self-hosted platform.

Okta

Keycloak

GoAuthentic
