Reference for OpenID authentication

The OpenID configuration covers the following requirements:

  • Outlook 365 e-mail integration,

  • tia® Viewer Core must not display documents before the user has been authenticated.

A provider name and a registration name have to be chosen; they are the place holders used in the tables below:

| Parent | Place holder in tables below | Best practice |
| --- | --- | --- |
| spring.security.oauth2.client.provider | <provider> | azure (respectively aws etc., as applies) |
| spring.security.oauth2.client.registration | <registration> | tiaviewer |

Spring Security parameters for OAuth2:

| Parent | Configuration | Required | Description |
| --- | --- | --- | --- |
| spring.security.oauth2.client.provider.<provider> | issuer-uri | | Usually https://login.microsoftonline.com/<tenant>/v2.0 |
| spring.security.oauth2.client.provider.<provider> | user-name-attribute | | Defines where in the token the username can be found, usually name |
| spring.security.oauth2.client.registration.<registration> | provider | | The provider that should be used; should be <provider> |
| spring.security.oauth2.client.registration.<registration> | client-id | | The public identification of the application, the ClientId |
| spring.security.oauth2.client.registration.<registration> | client-secret | | The client secret for the application |
| spring.security.oauth2.client.registration.<registration> | scope[0] | | fixed value openid |
| spring.security.oauth2.client.registration.<registration> | scope[1] | | fixed value email |
| spring.security.oauth2.client.registration.<registration> | scope[2] | | fixed value profile |
| tia.security.oidc | type | | Usually authorization_code |

In addition to this configuration, the following parameters are set at instance level:

| Parent | Configuration | Required | Default | Description |
| --- | --- | --- | --- | --- |
| tia.security.<instance> | securityEnabled | | false | true: require authentication |
| tia.security.<instance> | authenticatedActions | | all | all: viewing and sending documents by mail need authorisation; only_send_mail: viewing is allowed without external authentication, e-mail requires authentication |

Example Outlook 365 OpenID YAML configuration:

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant>/v2.0
            user-name-attribute: name
        registration:
          tiaviewer:
            provider: azure
            client-id: <clientId>
            client-secret: <clientSecret>
            scope:
              - openid
              - email
              - profile
tia:
  security:
    oidc:
      type: authorization_code
    instances:
      default:
        authenticatedActions: all
        securityEnabled: true
```

The redirect URL to enter into the Azure Portal has the format:

http(s)://<host>:<port>/login/oauth2/code/<registrationNameFromViewerConfig>

So for the configuration in the example above (the registration name on line 10 of the YAML), this would be:

https://<host>:<port>/login/oauth2/code/tiaviewer
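As an added example (not code from the tia Viewer project or its documentation), the following Python script ties the tables, the YAML example and the redirect URL together: it parses the YAML subset used above with a small parser written for this example, flattens the result into the property keys listed in the Parent/Configuration columns, checks the settings the tables call for (https issuer-uri, the three fixed scopes, client-id and client-secret present, authorization_code, securityEnabled true), and derives the redirect URI from the registration name. The sample configuration is the page's example embedded as a constructed string; the base URL placeholders are the ones used above.

```python
"""Added example, not part of the tia Viewer product or its documentation: parse
the YAML subset used above, flatten it into the Spring property keys from the
reference tables, check those settings, and derive the OAuth2 redirect URI."""
from urllib.parse import urlsplit

# Constructed sample: the Outlook 365 example from the reference, verbatim.
SAMPLE_YAML = """\
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant>/v2.0
            user-name-attribute: name
        registration:
          tiaviewer:
            provider: azure
            client-id: <clientId>
            client-secret: <clientSecret>
            scope:
              - openid
              - email
              - profile
tia:
  security:
    oidc:
      type: authorization_code
    instances:
      default:
        authenticatedActions: all
        securityEnabled: true
"""

def parse_yaml_subset(text):
    """Parse block mappings, scalars and '- item' lists (no quoting, no anchors)."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, owner, key in owner)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack[-1][0] >= indent:  # dedent closes deeper containers
            stack.pop()
        _, container, owner, key = stack[-1]
        if line.startswith("- "):
            if isinstance(container, dict):  # first item turns the empty mapping into a list
                if container:
                    raise ValueError("list item inside a non-empty mapping")
                container = owner[key] = []
                stack[-1] = (stack[-1][0], container, owner, key)
            container.append(line[2:].strip())
            continue
        k, sep, v = line.partition(":")  # split at the first colon so URLs survive
        if not sep or isinstance(container, list):
            raise ValueError(f"unexpected line {line!r}")
        k, v = k.strip(), v.strip()
        if v:
            container[k] = v
        else:
            container[k] = child = {}
            stack.append((indent, child, container, k))
    return root

def flatten(node, prefix=""):
    """Turn nested dicts/lists into Spring keys such as a.b.scope[0]."""
    if not isinstance(node, (dict, list)):
        return {prefix: node}
    out = {}
    for k, v in (node.items() if isinstance(node, dict) else enumerate(node)):
        sub = f"{prefix}[{k}]" if isinstance(node, list) else (f"{prefix}.{k}" if prefix else k)
        out.update(flatten(v, sub))
    return out

def check_config(props, registration="tiaviewer", instance="default"):
    """Findings against the reference tables; an empty list means the config is clean."""
    reg = f"spring.security.oauth2.client.registration.{registration}"
    provider = f"spring.security.oauth2.client.provider.{props.get(reg + '.provider')}"
    inst = f"tia.security.instances.{instance}"
    findings = []
    if urlsplit(props.get(f"{provider}.issuer-uri", "")).scheme != "https":
        findings.append(f"{provider}.issuer-uri must be an https URL")
    for name in ("client-id", "client-secret"):
        if not props.get(f"{reg}.{name}"):
            findings.append(f"{reg}.{name} is missing")
    for i, expected in enumerate(["openid", "email", "profile"]):  # fixed values
        if props.get(f"{reg}.scope[{i}]") != expected:
            findings.append(f"{reg}.scope[{i}] must be {expected}")
    if props.get("tia.security.oidc.type") != "authorization_code":
        findings.append("tia.security.oidc.type is usually authorization_code")
    if props.get(f"{inst}.securityEnabled", "false") != "true":  # table default: false
        findings.append(f"{inst}.securityEnabled is not true: viewing needs no login")
    return findings

def redirect_uri(base_url, registration):
    """Redirect URI to enter at the provider: <base>/login/oauth2/code/<registration>."""
    return f"{base_url.rstrip('/')}/login/oauth2/code/{registration}"

if __name__ == "__main__":
    print(check_config(flatten(parse_yaml_subset(SAMPLE_YAML))) or "configuration matches the reference")
```

Run it against a real application.yml by replacing SAMPLE_YAML with the file's contents; the check deliberately treats a missing securityEnabled as false, which is the table's default, so an instance that was never configured shows up as a finding rather than passing silently.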