
Configuration Guide

The User Tasks Bridge supports any OpenID Connect (OIDC) compliant Identity Provider, and you can configure multiple providers simultaneously. The configuration structure follows this general pattern:

config/oidc-properties.yaml

```yaml
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          # First OIDC provider configuration
          - iss: <issuer-url-1>
            label-name: <some-name-used-during-login>
            username-claim: <username-claim-field>
            user-id-claim: <user-id-claim-field>
            authorities:
              - path: $.jsonPath1WhereRolesAre
              - path: $.jsonPath2WhereRolesAre
            vendor: <vendor-1>
            tenant-id: <tenant-id-1>
            client-id-claim: <client-id-claim-field>
            clients:
              - <client-id-1>
              - <client-id-2>

          # Second OIDC provider configuration
          - iss: <issuer-url-2>
            label-name: <some-other-name-used-during-login>
            username-claim: <username-claim-field>
            user-id-claim: <user-id-claim-field>
            authorities:
              - path: $.jsonPath1WhereRolesAre
              - path: $.jsonPath2WhereRolesAre
            vendor: <vendor-2>
            tenant-id: <tenant-id-2>
            client-id-claim: <client-id-claim-field>
            clients:
              - <client-id-3>
```

Configuration Fields Explained

  • iss (Issuer URL): The URL of the Identity Provider that issues the JWT tokens. It must match the iss claim of the tokens exactly (scheme, host, port and any path), because tokens from any other issuer are not trusted.

  • label-name (Label Name Field): A display string your UI can use to distinguish identity providers configured for the same tenant.

  • username-claim (Username Claim Field): The JWT claim that contains the username. Common values include:

    • preferred_username
    • email
  • user-id-claim (User Identifier Claim Field): The JWT claim used as the userId when performing assignments. Choose one that is stable and unique for each user in your provider (SUB is guaranteed to be; e-mail addresses can change). You MUST set exactly 1 of the following values:

    • EMAIL
    • PREFERRED_USERNAME
    • SUB
  • authorities (Authorities Field): You MUST set at least 1 JSON path indicating where the roles are found within the token's claims; roles found at any of the listed paths are granted. This is how the API tells ADMIN users from NON-ADMIN users, so a wrong or missing path means nobody is recognized as ADMIN.

  • vendor (Identity Provider Vendor): The name of your Identity Provider vendor. Any OIDC-compliant provider can be used.

  • tenant-id (Tenant ID): The unique identifier of your organization's tenant in LittleHorse Kernel.

  • client-id-claim (Client ID Claim Field): The JWT claim that carries the client ID of the application the token was issued to. Which claim holds this value depends on the provider, so inspect a decoded token from your provider before setting it.

  • clients (Authorized Clients): A list of client IDs that are authorized to access the User Tasks Bridge. Each client ID must match the client ID registered in your Identity Provider. A token whose client-id-claim value is not in this list is not accepted even though its issuer is trusted, which keeps other applications registered with the same provider from using their tokens against the bridge.

Multiple OIDC Providers

You can configure multiple OIDC providers by adding additional entries under the ops list. Each entry represents a separate Identity Provider configuration with its own issuer URL, clients, and settings; the entry applied to an incoming token is the one whose iss matches the token's issuer. This allows you to support authentication from different providers simultaneously.
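To make the fields above and the multi-provider behaviour concrete, here is an added Python example (not code from User Tasks Bridge or spring-addons) that applies a constructed ops list to the decoded, already signature-verified payload of a token: it selects the entry by iss, enforces the client-id-claim/clients check, derives the username and userId, and collects roles from every authorities JSON path. The issuer URLs, tenant, client IDs, claim names, role names, and the mapping from EMAIL/PREFERRED_USERNAME/SUB to standard claim names are all assumptions made for the example, and the JSONPath resolver only supports the dotted $.a.b and * forms shown in this guide.

```python
# Constructed `ops` entries mirroring the YAML keys above. Every value is a
# hypothetical placeholder, not a real issuer, tenant, client or vendor.
OPS = [
    {"iss": "https://idp-one.example.com/realms/demo", "label-name": "Employees",
     "username-claim": "preferred_username", "user-id-claim": "SUB",
     "authorities": [{"path": "$.realm_access.roles"}, {"path": "$.resource_access.*.roles"}],
     "vendor": "vendor-one", "tenant-id": "tenant-1", "client-id-claim": "azp",
     "clients": ["user-tasks-ui", "user-tasks-cli"]},
    {"iss": "https://idp-two.example.com", "label-name": "Contractors",
     "username-claim": "email", "user-id-claim": "EMAIL",
     "authorities": [{"path": "$.groups"}],
     "vendor": "vendor-two", "tenant-id": "tenant-1", "client-id-claim": "client_id",
     "clients": ["user-tasks-ui"]},
]

# Assumed mapping from the three allowed `user-id-claim` settings to OIDC claim names.
USER_ID_CLAIMS = {"EMAIL": "email", "PREFERRED_USERNAME": "preferred_username", "SUB": "sub"}

# Constructed decoded payload of a token whose signature was already verified upstream.
TOKEN = {
    "iss": "https://idp-one.example.com/realms/demo",
    "sub": "9b1c2d3e-0000-4000-8000-000000000001",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "azp": "user-tasks-ui",
    "realm_access": {"roles": ["offline_access", "task-admin"]},
    "resource_access": {"user-tasks-ui": {"roles": ["viewer"]}, "account": {"roles": ["manage-account"]}},
}


def json_path(node, path: str) -> list:
    """Minimal JSONPath for the forms used in this guide: `$`-rooted dotted
    segments, with `*` matching every key of an object. Returns the flattened
    leaf values: lists are spliced in, scalars appended, misses give []."""
    if not path.startswith("$"):
        raise ValueError(f"JSON path must start with '$': {path}")
    nodes = [node]
    for segment in filter(None, path[1:].split(".")):
        matched = []
        for n in nodes:
            if not isinstance(n, dict):
                continue  # cannot descend into a scalar or a list by key
            matched.extend(list(n.values()) if segment == "*" else ([n[segment]] if segment in n else []))
        nodes = matched
    leaves = []
    for n in nodes:
        leaves.extend(n if isinstance(n, list) else [n])
    return leaves


def select_provider(claims: dict, ops: list) -> dict:
    """Pick the `ops` entry whose `iss` equals the token's issuer exactly."""
    for provider in ops:
        if provider["iss"] == claims.get("iss"):
            return provider
    raise PermissionError(f"untrusted issuer {claims.get('iss')!r}")


def resolve_authorities(claims: dict, provider: dict) -> list:
    """Union of the roles found at every configured `authorities` path, in order."""
    roles = []
    for entry in provider["authorities"]:
        for role in json_path(claims, entry["path"]):
            if isinstance(role, str) and role not in roles:
                roles.append(role)
    return roles


def resolve_principal(claims: dict, ops: list) -> dict:
    """Apply the matching `ops` entry to a decoded token. Rejects tokens from an
    unconfigured issuer and tokens issued to a client that is not in `clients`."""
    provider = select_provider(claims, ops)
    client_id = claims.get(provider["client-id-claim"])
    if client_id not in provider["clients"]:
        raise PermissionError(f"client {client_id!r} is not an authorized client")
    return {
        "tenant_id": provider["tenant-id"],
        "label": provider["label-name"],
        "username": claims.get(provider["username-claim"]),
        "user_id": claims.get(USER_ID_CLAIMS[provider["user-id-claim"]]),
        "authorities": resolve_authorities(claims, provider),
    }


def is_authorized(claims: dict, ops: list) -> bool:
    """True when the token passes both the issuer and the client checks."""
    try:
        resolve_principal(claims, ops)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(resolve_principal(TOKEN, OPS))
    # Same trusted issuer, but the token was issued to a client not listed in `clients`.
    print("payroll-app authorized:", is_authorized(dict(TOKEN, azp="payroll-app"), OPS))
```

The second call in the main block is the case the clients list exists for: the issuer is trusted and the signature is valid, yet the token belongs to another application registered at the same provider, so it is refused.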

While we provide specific configuration guides for some popular providers, you can use any OIDC-compliant Identity Provider. Here are some example configurations: