Page History

...

Name	Value	Description	Example
`OIDC Name`	The name of the OIDC Identity Service.	The name of the Identity Service is used by JOC Cockpit to show the caption of the assigned login button.	`Google, Keycloak`
`OIDC Authentication URL`	The URL used by the Client to login to the OIDC Identity Provider.	This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider with the `/.well-known/openid-configuration` URL and is used as the issuer during token verification.	Keycloak: https://keycloak:8283/auth/realms/JOC Azure: https://sts.windows.net/<tenant-id>/.well-known/openid-configuration
`OIDC Client ID`	The Client ID is configured in the OIDC Identity Provider.	The Client ID is used for a number of calls to to the OIDC Identity Provider.	`joc-cockpit` `63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com`
`OIDC Client Secret`	The Client Secret is configured in the OIDC Identity Provider.	The Client Secret is used for a number of calls to the OIDC Identity Provider.	`iAMNDlDLorpa7pdbGORDe6vylztVhTiq` `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`
`OIDC User Name Attribute`	The attribute is configured with the OIDC Identity Service.	The attribute is returned by the OIDC Identity Service and identifies the user account. The following strategy is applied to identify the attribute used to map to the JOC Cockpit account: the URL https://<identity-provider>/.well-known/openid-configuration is called. the response is checked for the object claims_supported if not available or empty then the email attribute will be used if available and if it includes the preferred_username attribute then this attribute will be used. if no attribute has been identified then the email attribute is used. Should this not result in an identifiable user account then users can specify the name attribute such with the OIDC settings. Frequently OIDC Identity Providers support attribute names such as `username` or `email`.	`username` `email`
`OIDC Image`	An image can be uploaded that is displayed with the login page.	Optionally an image can be uploaded. .
`OIDC Truststore Path`	The Path to a truststore.	A truststore can be indicated and has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication for the Identity Provider. For connections to well known OIDC Identity Providers such as Azure® users should specify the path to the Java `cacerts` truststore file that ships with the Java JDK used with JOC Cockpit. The truststore can include a Self-signed Certificate from a Private CA or Public CA. Typically the Root CA Certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore. If this setting is not specified then the JOC Cockpit will use the truststore that is configured with the `JETTY_BASE/resources/joc/joc.properties` configuration file. This includes use of settings for the truststore password and truststore type. The path to the truststore can be specified relative to the `JETTY_BASE/resources/joc` directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 or .pfx extension. Other relative locations can be specified using, for example, `../../joc-truststore.p12` if the truststore is located in the `JETTY_BASE` directory. An absolute path can be specified.	Use of Java truststore: `/usr/lib/jvm/java-17-openjdk/lib/security/cacerts`
`OIDC Truststore Password`	Truststore password	If the indicated truststore is protected by a password then the password has to be specified.	Use of Java truststore: `changeit`
`OIDC Truststore Type`	Truststore type	The type of the truststore is either `PKCS12` or `JKS` (deprecated).	Use of Java truststore: `PKCS12`

...

Space shortcuts

Page tree

Versions Compared

Old Version 30

New Version 31

Key