# OIDC / OAuth 2.0

## Prerequisites <a href="#prerequisite" id="prerequisite"></a>

The security provider (Jackrabbit or LDAP) must already have its users, roles, and passwords set up by the Administrator before you begin.

The OAuth authentication mechanism uses the OIDC `authorization_code` flow for authentication only; authorization (which users exist and which roles they hold) remains with the security provider.

More than one OAuth provider can be configured at the same time.

To enable OAuth functionality with Pentaho login, make the following changes:

1. Enable OAuth & specify Security Provider
2. Update OIDC Configuration

## Enable OAuth & Specify Security Provider <a href="#importance-of-the-applicationcontext-spring-security-oauth.properties-file" id="importance-of-the-applicationcontext-spring-security-oauth.properties-file"></a>

For this step you will be updating `<PENTAHO_HOME>/pentaho-server/pentaho-solutions/system/security.properties`.

OAuth is disabled by default (`enable-oauth-authentication=false`). To enable it, set `enable-oauth-authentication=true`.

Next, you will need to specify the security provider.

#### Specify Security Provider

Jackrabbit and LDAP serve as **security providers** (they own users and roles, and therefore authorization), while OAuth functions solely as an **authentication mechanism** in Pentaho Server. Contact support if you need the rationale behind this split.

**OIDC Endpoints:**

1. `token-uri` - IdP's token endpoint
2. `authorization-uri` - IdP's authorization endpoint
3. `jwk-set-uri` - IdP's public keys for token validation
4. `user-info-uri` - IdP's user information endpoint
5. `redirect-uri` - Callback URL after IdP authentication
6. `end-session-endpoint` - Logout endpoint for IdP
7. `post-logout-redirect-uri` - URL the browser is sent to after the IdP session has been logged out
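Before restarting the server it is worth sanity-checking the values you put in the properties file, because the two redirect entries are exactly what an attacker probes for (a redirect pointing anywhere other than your Pentaho host, or a plain-http authorization endpoint, turns the flow into a token-leaking one). The script below is an added example, not Pentaho's own code: it parses Java-style properties and checks the `enable-oauth-authentication` flag plus the seven endpoints listed above. The key layout for multiple providers (`<provider>.<endpoint-name>`), the sample IdP URLs and the Pentaho callback path are assumptions made for illustration; the exact layout Pentaho expects is not stated on this page, so adapt the prefix handling to your file.

```python
"""Sanity checks for OIDC endpoint settings in a Pentaho-style security.properties.

Added example, not Pentaho's own code. ASSUMPTION: per-provider keys are written
as `<provider>.<endpoint-name>` (e.g. keycloak.token-uri); adjust if your file differs.
"""
from urllib.parse import urlparse

# The seven endpoint names the documentation lists, plus the global enable flag.
REQUIRED_ENDPOINTS = (
    "token-uri", "authorization-uri", "jwk-set-uri", "user-info-uri",
    "redirect-uri", "end-session-endpoint", "post-logout-redirect-uri",
)
REDIRECT_KEYS = ("redirect-uri", "post-logout-redirect-uri")
ENABLE_FLAG = "enable-oauth-authentication"


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value), '#'/'!' comments,
    trailing backslash continues the line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_oauth_config(text, pentaho_base_url):
    """Return a list of findings; an empty list means the configuration passes."""
    props = parse_properties(text)
    findings = []
    if props.get(ENABLE_FLAG, "false").lower() != "true":
        findings.append(f"{ENABLE_FLAG} is not true; OAuth login is disabled")

    # Discover provider prefixes from any key that ends in a known endpoint name.
    providers = sorted({k.split(".", 1)[0] for k in props
                        if "." in k and k.split(".", 1)[1] in REQUIRED_ENDPOINTS})
    if not providers:
        findings.append("no OIDC provider endpoints configured")

    own_host = urlparse(pentaho_base_url).netloc.lower()
    for provider in providers:
        for endpoint in REQUIRED_ENDPOINTS:
            key = f"{provider}.{endpoint}"
            value = props.get(key)
            if not value:
                findings.append(f"{key} is missing")
                continue
            url = urlparse(value)
            # Every endpoint carries codes, tokens or session state: insist on absolute https.
            if url.scheme != "https" or not url.netloc:
                findings.append(f"{key} must be an absolute https URL (got {value!r})")
            # Redirect targets must come back to this Pentaho host, otherwise the IdP
            # would hand the authorization code (or the logged-out user) to a third party.
            elif endpoint in REDIRECT_KEYS and url.netloc.lower() != own_host:
                findings.append(f"{key} host {url.netloc!r} is not the Pentaho server {own_host!r}")
    return findings


# Constructed sample inputs (not real deployments). Keycloak-style paths are used for
# the IdP side; the Pentaho callback path is an assumption.
GOOD_CONFIG = """\
# constructed sample
enable-oauth-authentication=true
keycloak.authorization-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/auth
keycloak.token-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/token
keycloak.jwk-set-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/certs
keycloak.user-info-uri=https://idp.example.com/realms/pentaho/protocol/openid-connect/userinfo
keycloak.redirect-uri=https://pentaho.example.com/pentaho/login/oauth2/code/keycloak
keycloak.end-session-endpoint=https://idp.example.com/realms/pentaho/protocol/openid-connect/logout
keycloak.post-logout-redirect-uri=https://pentaho.example.com/pentaho/Login
"""

WEAK_CONFIG = """\
enable-oauth-authentication=false
okta.authorization-uri=http://dev.okta.example/oauth2/v1/authorize
okta.token-uri=https://dev.okta.example/oauth2/v1/token
okta.jwk-set-uri=https://dev.okta.example/oauth2/v1/keys
okta.user-info-uri=https://dev.okta.example/oauth2/v1/userinfo
okta.redirect-uri=https://attacker.example/callback
okta.end-session-endpoint=https://dev.okta.example/oauth2/v1/logout
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_oauth_config(cfg, "https://pentaho.example.com") or "OK")
```

The weak sample trips four findings: the flag is still `false`, the authorization endpoint is plain http, the callback points at a foreign host, and `post-logout-redirect-uri` is absent. Passing this script does not replace registering the exact `redirect-uri` at the IdP; the IdP's own allow-list is the control that actually stops redirect tampering, and this check only catches the server-side half of the mismatch.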

Once the above steps are completed and you restart Pentaho Server, the login screen shows a login option for each IdP you configured (for example, if Azure Entra, Keycloak, and Okta are all configured, all three appear). The options are shown on the classic login screen and, if you have the new experience configured, on the new login screen as well.
