...

| Environment Variable | Description | Value |
|---|---|---|
| FEWS_WS_AUTHENTICATION_TYPE | To enable OAuth2 with OIDC, this ENV variable is required. | AuthenticationOpenIdConnect |
| FEWS_WS_AUTHENTICATION_OAUTH2_KEYS_URI | Provider-specific URI that is used to get the public certificates used to validate JWT tokens. This ENV variable is required if FEWS_WS_AUTHENTICATION_TYPE is configured with the value AuthenticationOpenIdConnect. | MS Entra ID: https://login.microsoftonline.com/<tenantid>/discovery/v2.0/keys |
| FEWS_WS_AUTHENTICATION_EDITOR_GROUPS | Optional ENV variable. List of groups that have edit permissions to the Web Services. If the provided JWT token contains a roles claim with one of the configured groups, access to all HTTP endpoints is allowed. Recommended name: WS_EDITOR. If the readOnly mode in the WebServices.xml configuration is set to false, it is recommended to configure the editor group. | One or more application roles, comma separated. In Azure AD these are typically configured in an App Registration. |
| FEWS_WS_AUTHENTICATION_VIEWER_GROUPS | Optional ENV variable. List of groups that have view permissions to the Web Services. If the provided JWT token contains a roles claim with one of the configured groups, only access to GET HTTP endpoints is allowed. Recommended name: WS_VIEWER. | One or more application roles, comma separated. In Azure AD these are typically configured in an App Registration. |
| FEWS_WS_AUTHENTICATION_OAUTH2_USER_INFO_URI | Userinfo URL that can be used to determine the email address of the user. Only to be used if the access token doesn't contain the email address. For Microsoft Entra ID this ENV variable is obsolete and shouldn't be set, since the email address is already set in the access token. | https://my-identity-provider/oidc/userinfo |
| FEWS_WS_AUTHENTICATION_OAUTH2_AUDIENCE | Since 2025.01. Optional; used to validate the audience in the JWT access token. Typically set to api://backend-client-id, where backend-client-id is the client id of the backend app registration. | api://dc86310b-xxxxx-4bd6-xxxx-65e0937cec32 |
| FEWS_WS_AUTHENTICATION_OAUTH2_LOG_USER_ID | Since 2025.02. Optional. If set to true, the user id is extracted from the access token and set in the HTTP response header User-Id. Can be useful for adding to the access log in NGINX or Tomcat. | yes |


Info

If either FEWS_WS_AUTHENTICATION_ADMIN_GROUPS or FEWS_WS_AUTHENTICATION_VIEWER_GROUPS has been configured, the JWT token must carry roles (or roles must be mapped in the Admin Interface) to be able to access the Web Services. These groups are intended to provide high-level role-based access control where authentication alone isn't sufficient. For fine-grained access control, integration with UserGroups and Permissions can be used. Permissions have to be enabled in the WebServices.xml configuration.

If only the FEWS_WS_AUTHENTICATION_VIEWER_GROUPS ENV variable has been configured, only GET requests are allowed.
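To make the access rules from the table and the note above concrete, the following is an added Python model of the decision; it is not Delft-FEWS code. It assumes the token's signature and expiry have already been verified against the keys fetched from FEWS_WS_AUTHENTICATION_OAUTH2_KEYS_URI and works only on the decoded claims. The environment values and claims are constructed sample data, and the claim used for the User-Id header (oid, falling back to sub) is an assumption, since the page does not name it.

```python
"""Reference model of the editor/viewer/audience rules described above.

Added example, not Delft-FEWS code. Signature, issuer and expiry checks are
assumed to happen upstream against the JWKS at
FEWS_WS_AUTHENTICATION_OAUTH2_KEYS_URI; this code decides on decoded claims.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Environment variable names from the table above.
ENV_AUDIENCE = "FEWS_WS_AUTHENTICATION_OAUTH2_AUDIENCE"
ENV_EDITOR_GROUPS = "FEWS_WS_AUTHENTICATION_EDITOR_GROUPS"
ENV_VIEWER_GROUPS = "FEWS_WS_AUTHENTICATION_VIEWER_GROUPS"
ENV_LOG_USER_ID = "FEWS_WS_AUTHENTICATION_OAUTH2_LOG_USER_ID"


def parse_groups(value: Optional[str]) -> Set[str]:
    """Split a comma-separated group list, dropping blanks and whitespace."""
    return {g.strip() for g in (value or "").split(",") if g.strip()}


@dataclass
class AccessPolicy:
    audience: Optional[str]
    editor_groups: Set[str]
    viewer_groups: Set[str]
    log_user_id: bool

    @classmethod
    def from_env(cls, env: Dict[str, str]) -> "AccessPolicy":
        return cls(
            audience=env.get(ENV_AUDIENCE) or None,
            editor_groups=parse_groups(env.get(ENV_EDITOR_GROUPS)),
            viewer_groups=parse_groups(env.get(ENV_VIEWER_GROUPS)),
            log_user_id=env.get(ENV_LOG_USER_ID, "").strip().lower() in ("true", "yes"),
        )


@dataclass
class Decision:
    allowed: bool
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)


def token_audiences(claims: dict) -> Set[str]:
    """The aud claim may be a single string or a list; normalise to a set."""
    aud = claims.get("aud")
    if aud is None:
        return set()
    return {aud} if isinstance(aud, str) else set(aud)


def authorize(policy: AccessPolicy, claims: dict, method: str) -> Decision:
    # 1. Audience: when configured, the token must be issued for this backend.
    if policy.audience and policy.audience not in token_audiences(claims):
        return Decision(False, "audience mismatch")

    headers: Dict[str, str] = {}
    if policy.log_user_id:
        # Assumption: which claim holds the user id is not stated on the page.
        user_id = claims.get("oid") or claims.get("sub")
        if user_id:
            headers["User-Id"] = str(user_id)

    roles = set(claims.get("roles") or [])

    # 2. No group restriction configured: a valid authenticated token suffices.
    if not policy.editor_groups and not policy.viewer_groups:
        return Decision(True, "authenticated", headers)

    # 3. Editor role: every HTTP endpoint and method.
    if roles & policy.editor_groups:
        return Decision(True, "editor", headers)

    # 4. Viewer role: GET endpoints only.
    if roles & policy.viewer_groups:
        if method.upper() == "GET":
            return Decision(True, "viewer", headers)
        return Decision(False, "viewer role is limited to GET")

    # 5. Groups are configured but the token carries none of them.
    return Decision(False, "no matching roles claim")


# Constructed sample environment and tokens (not real identifiers).
SAMPLE_ENV = {
    ENV_AUDIENCE: "api://backend-client-id",
    ENV_EDITOR_GROUPS: "WS_EDITOR",
    ENV_VIEWER_GROUPS: " WS_VIEWER , ",
    ENV_LOG_USER_ID: "true",
}
SAMPLE_EDITOR = {"aud": "api://backend-client-id", "roles": ["WS_EDITOR"], "oid": "user-1"}
SAMPLE_VIEWER = {"aud": ["api://backend-client-id"], "roles": ["WS_VIEWER"], "sub": "user-2"}
SAMPLE_NO_ROLE = {"aud": "api://backend-client-id", "roles": []}
SAMPLE_WRONG_AUD = {"aud": "api://other-api", "roles": ["WS_EDITOR"]}


def demo() -> Dict[str, Decision]:
    policy = AccessPolicy.from_env(SAMPLE_ENV)
    return {
        "editor POST": authorize(policy, SAMPLE_EDITOR, "POST"),
        "viewer GET": authorize(policy, SAMPLE_VIEWER, "GET"),
        "viewer POST": authorize(policy, SAMPLE_VIEWER, "POST"),
        "no role GET": authorize(policy, SAMPLE_NO_ROLE, "GET"),
        "wrong aud GET": authorize(policy, SAMPLE_WRONG_AUD, "GET"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14} allowed={decision.allowed!s:5} {decision.reason} {decision.headers}")
```

Running the block prints one line per sample request. Because editors pass step 3 before the method is inspected, they get every verb, while viewers are cut off at step 4 for anything other than GET; with both group variables unset, step 2 lets any token that survived signature and audience validation through, which is exactly the "authentication only" mode the note warns is coarser than UserGroups and Permissions.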

...