# OIDC / OAuth 2.0

## Prerequisites <a href="#prerequisite" id="prerequisite"></a>

The security provider must have users, roles, and passwords correctly established by the Administrator prior to implementation.

The newly integrated OAuth authentication mechanism uses the OIDC `authorization_code` flow for authentication, while the security provider handles authorization.

Users have the flexibility to configure multiple OAuth providers.

To enable OAuth functionality with Pentaho login, make the following changes:

1. Enable OAuth & specify Security Provider
2. Update OIDC Configuration

## Enable OAuth & Specify Security Provider <a href="#importance-of-the-applicationcontext-spring-security-oauth.properties-file" id="importance-of-the-applicationcontext-spring-security-oauth.properties-file"></a>

For this step you will be updating `<PENTAHO_HOME>/pentaho-server/pentaho-solutions/system/security.properties`.

OAuth is disabled by default with `enable-oauth-authentication=false`. Administrators can enable it by setting this flag to true: `enable-oauth-authentication=true`.

Next, you will need to establish the security provider.

#### Specify Security Provider

Jackrabbit and LDAP serve as **security providers** while OAuth functions solely as an **authentication mechanism** in Pentaho Server. Please contact support to understand why these choices were made.

In order to specify the security provider, you must first decide the approach for managing user-role mappings.

1. If you expect to **manage user roles in Pentaho, then set `provider=jackrabbit`.** You will then have to assign roles to users in Pentaho User Console. See \<link> for details.
2. If you expect to manage user roles in LDAP, then \<waiting for input from Sathish and Vamsi to complete this>.

**OIDC Endpoints:**

1. `token-uri` - IdP's token endpoint
2. `authorization-uri` - IdP's authorization endpoint
3. `jwk-set-uri` - IdP's JWK Set endpoint (public keys used to validate the tokens it issues)
4. `user-info-uri` - IdP's user information endpoint
5. `redirect-uri` - Callback URL on Pentaho Server that the IdP redirects to after authentication
6. `end-session-endpoint` - Logout endpoint for the IdP
7. `post-logout-redirect-uri` - Redirect URI after the IdP session is logged out
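Because every one of these endpoint values is trusted by the server (the `jwk-set-uri` in particular decides which signing keys are accepted for ID tokens), it is worth cross-checking the configured values against what the IdP itself publishes in its `.well-known/openid-configuration` discovery document before restarting. The script below is an added example, not part of the Pentaho documentation or product: the property key names are the ones listed above, but the discovery document, the `idp.example.com` / `bi.example.com` hostnames, the callback path and the two deliberate misconfigurations in the sample properties are all constructed. The page does not show how several providers are namespaced in `security.properties`, so the sample uses the bare key names for a single provider.

```python
"""Cross-check Pentaho OIDC endpoint properties against the IdP discovery document.

Added example; not Pentaho's own code. Key names follow the list on the page,
all hostnames, paths and the discovery document are constructed sample data.
"""
import json
from urllib.parse import urlparse

# Constructed sample of what an IdP serves at /.well-known/openid-configuration
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com/realms/pentaho",
    "authorization_endpoint": "https://idp.example.com/realms/pentaho/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/pentaho/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/realms/pentaho/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.com/realms/pentaho/protocol/openid-connect/certs",
    "end_session_endpoint": "https://idp.example.com/realms/pentaho/protocol/openid-connect/logout",
})

# Constructed security.properties fragment with two deliberate mistakes:
# a plain-http token endpoint and a jwk-set-uri pointing at a different host.
PROPERTIES_TEXT = """\
enable-oauth-authentication=true
provider=jackrabbit
token-uri=http://idp.example.com/realms/pentaho/protocol/openid-connect/token
authorization-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/auth
jwk-set-uri=https://keys.other-host.example/certs
user-info-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/userinfo
redirect-uri=https://bi.example.com/pentaho/login/oauth2/code/keycloak
end-session-endpoint=https://idp.example.com/realms/pentaho/protocol/openid-connect/logout
post-logout-redirect-uri=https://bi.example.com/pentaho/Login
"""

# Assumed public base URL of the Pentaho Server (constructed)
PENTAHO_BASE_URL = "https://bi.example.com/pentaho"

# Property key -> field name in the OIDC discovery document
DISCOVERY_FIELD = {
    "token-uri": "token_endpoint",
    "authorization-uri": "authorization_endpoint",
    "jwk-set-uri": "jwks_uri",
    "user-info-uri": "userinfo_endpoint",
    "end-session-endpoint": "end_session_endpoint",
}

# Keys that must point back at Pentaho Server rather than at the IdP
PENTAHO_SIDE_KEYS = ("redirect-uri", "post-logout-redirect-uri")


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_discovery(text):
    """Parse the discovery document (in practice fetched over HTTPS from the IdP)."""
    return json.loads(text)


def check_config(props, discovery, pentaho_base_url):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    issuer_host = urlparse(discovery["issuer"]).hostname
    pentaho_host = urlparse(pentaho_base_url).hostname

    for key, field in DISCOVERY_FIELD.items():
        value = props.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        u = urlparse(value)
        if u.scheme != "https":
            findings.append(f"{key}: not https ({u.scheme})")
        if u.hostname != issuer_host:
            findings.append(f"{key}: host {u.hostname} differs from issuer host {issuer_host}")
        if value != discovery.get(field):
            findings.append(f"{key}: does not match discovery {field}")

    for key in PENTAHO_SIDE_KEYS:
        value = props.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        u = urlparse(value)
        if u.scheme != "https":
            findings.append(f"{key}: not https ({u.scheme})")
        if u.hostname != pentaho_host:
            findings.append(f"{key}: host {u.hostname} is not the Pentaho host {pentaho_host}")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_properties(PROPERTIES_TEXT),
                                load_discovery(DISCOVERY_JSON), PENTAHO_BASE_URL):
        print(finding)
```

Run against the constructed sample it reports the plain-http `token-uri` (twice: wrong scheme, and therefore no longer equal to the published `token_endpoint`) and the foreign-host `jwk-set-uri`; with those two values corrected it reports nothing. The redirect checks only confirm that the two Pentaho-side URIs use HTTPS and point at the Pentaho host, since their exact paths depend on the deployment.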

Once the above steps are completed and you restart Pentaho Server, the login screen should show options to log in via the IdP(s) you have configured above. For example, if Azure Entra, Keycloak, and Okta are all configured you will see the following:

<figure><img src="https://1041214956-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiFWuQjAZNxh1EoQbRnsT%2Fuploads%2FJ2uiQybN1dCMlCcnAlRg%2Fimage.png?alt=media&#x26;token=20479b50-b48e-45d2-aded-1b45585475a6" alt=""><figcaption></figcaption></figure>

OR (if you have the new experience configured):

<figure><img src="https://1041214956-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiFWuQjAZNxh1EoQbRnsT%2Fuploads%2FUkbGxXVodUk0LgqFAkWK%2Fimage.png?alt=media&#x26;token=0f53fb2a-736d-4718-a130-647df3396bf1" alt=""><figcaption></figcaption></figure>
