VMware Tanzu Local Authorization Server can be further customized with the following configuration properties. When a user is defined through custom configuration, the default user is not registered. When a client is defined through custom configuration, the default client is not configured. Clients registered through configuration can additionally be configured to enforce redirect_uri and scope validation; both checks are disabled by default, so enable them when you want the local server to reject unregistered redirect URIs or unregistered scopes the way a production authorization server would.
The following sample configuration can also be generated by running the Tanzu Local Authorization Server with the `--print-sample-config` flag.
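server: # OPTIONAL
  # The port on which Tanzu Local Authorization Server listens. Defaults to 9000.
  port: 9000
tanzu:
  local-authorization-server:
    # OPTIONAL: whether to sign JWTs with a hardcoded RSA key or with one generated at
    # startup. The hardcoded key gives faster startup time, but it ships with the server
    # and must therefore be treated as public: anyone holding it can mint tokens that
    # pass this server's signature check. This is acceptable only for local development
    # on a developer machine; never expose an instance using it to other hosts.
    jwk:
      # Defaults to false (hardcoded key). Set to true for a fresh key on every start.
      random: false
    # OPTIONAL: custom users for logging in. When any user is defined here, the
    # built-in default user is no longer registered.
    users:
      - username: my-user # REQUIRED
        # REQUIRED. Passwords are configured in clear text, so use throwaway values
        # and never reuse real credentials here.
        password: clear-text-password
        # Attributes are added to the id_token based on the requested scopes.
        # All attributes are optional.
        attributes: # OPTIONAL
          # standard OpenID Connect claims:
          # scope: profile
          name: "Jane T. Spring"
          given_name: "Jane"
          family_name: "Spring"
          middle_name: "Team"
          nickname: "Spring"
          preferred_username: "jtspring"
          profile: "https://spring.io/team"
          picture: "https://spring.io/img/spring-2.svg"
          website: "https://spring.io"
          gender: "unspecified"
          # Quoted so YAML keeps it a string instead of parsing it as a date.
          birthdate: "1970-01-01"
          zoneinfo: "Europe/Paris"
          locale: "fr-FR"
          # scope: email
          email: "jane.spring@example.com"
          email_verified: true
          # scope: phone_number
          phone_number: "+1 (555) 555-1234"
          phone_number_verified: true
          # scope: address
          address:
            formatted: "1, OpenID St., Openid.net City, 1234 Identity Realm, Internet"
            street_address: "1, OpenID St."
            locality: "Openid.net City"
            region: "Identity Realm"
            postal_code: "1234"
            country: "Internet"
          # all other attributes are custom ("user-defined") and are added to the
          # id_token claims when the "profile" scope is requested
          some-claim: "some-value"
          custom-age: 42
      - username: other-user
        password: other-password
    # OPTIONAL: custom client registrations, which must match the client application's
    # spring.security.oauth2.client.registration.<id>.* properties. When any client is
    # defined here, the built-in default client is no longer configured.
    clients:
      - client-id: "custom-client"
        client-secret: "custom-secret"
        # MUST be one or more of the following. "none" registers a public client that
        # presents no secret at all; list it only when the client genuinely cannot keep
        # a secret (e.g. a browser or native app), otherwise the secret above is moot.
        client-authentication-methods:
          - "client_secret_basic"
          - "client_secret_post"
          - "none"
        # MUST be one or more of the following
        authorization-grant-types:
          - "authorization_code"
          - "client_credentials"
          - "refresh_token"
        # OPTIONAL, can be anything. This list is only enforced when validate-scope
        # (below) is true.
        scope:
          - "openid"
          - "email"
          - "profile"
          - "address"
          - "phone"
          - "message.read"
          - "message.write"
        # REQUIRED when authorization-grant-types contains authorization_code, otherwise
        # OPTIONAL. This list is only enforced when validate-redirect-uri (below) is true.
        redirect-uris:
          # This is the default Spring Boot redirect URI for the tanzu-local-authorization-server provider
          - "http://127.0.0.1:8080/login/oauth2/code/tanzu-local-authorization-server"
          - "http://localhost:8080/login/oauth2/code/tanzu-local-authorization-server"
          # Here are other examples:
          - "http://127.0.0.1:8081/authorized"
          - "http://127.0.0.1:8082/callback"
        # OPTIONAL: show the "consent" screen on the /oauth2/authorize call. Defaults to false.
        require-consent: false
        # OPTIONAL: enforce redirect_uri validation. When set to true, clients may only use
        # one of the redirect-uris defined for this client. Defaults to false, in which case
        # the redirect_uri in an authorization request is not checked against the list
        # above. Set to true to exercise the redirect_uri matching a real authorization
        # server performs and catch misconfigured client redirect URIs early.
        validate-redirect-uri: false
        # OPTIONAL: enforce scope validation. When set to true, clients may only request
        # the scopes defined for this client. Defaults to false, in which case a client can
        # be granted scopes that are not in its registration. Set to true to test the
        # client's real scope restrictions.
        validate-scope: false
      - client-id: "other-client"
        client-secret: "other-secret"
        client-authentication-methods:
          - "client_secret_basic"
        authorization-grant-types:
          - "client_credentials"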