`client_secret` values that Google displayed to you; we'll need to put them into the configuration file later.
Application (client) ID, Application (tenant) ID and the created secret value; we will need them later.
`preferred_username` claim instead for getting an email (see the "Configuration file" section). However, depending on your setup this claim might contain a non-email value, which will result in an error during login.
`<your-org-slug>` is the "slug" name of your organization in Contiamo Platform (you can see it as the last segment of the URL path when you log in).
`emailPattern` is a regular expression that every user's email must match in order to be authenticated.
`^.*@contiamo.com$` means all emails in
`parameters.discoveryEndpoint` is a provider-specific URL for the OpenID Connect protocol. Mind the presence of the tenant ID in the URL for Azure.
`scopes` is a set of scopes that the provider requires in order to authenticate a user via OpenID Connect and obtain the user's email and name.
is a set of overrides for the claim names used to extract information about the user. By default, the `email` claim is used for getting an email and the `name` claim is used for getting the full name of the user. For the reasons mentioned in the "Create an OAuth 2.0 app" section you might need to change `email` to `preferred_username` or, depending on your configuration, map the claims to something else.
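The claim mapping just described and the `emailPattern` check from above, carried through as an added Python example (this is not Contiamo's code; the configuration dict and its layout, the function names and the sample claim sets are constructed for this example, and it assumes the server matches `emailPattern` against the whole address). It shows the documented failure modes side by side: a mapped claim that is absent from the token, a `preferred_username` that is not an email, and why the pattern from the page should escape its dot: `^.*@contiamo.com$` also accepts `bob@contiamoXcom`, while the assumed stricter `STRICT_PATTERN` does not.

```python
import re

# Constructed configuration fragment: key names follow the documentation,
# the values (and the dict layout itself) are assumptions for this example.
CONFIG = {
    "emailPattern": r"^.*@contiamo.com$",
    # Azure-style setup: take the email from preferred_username instead of email
    "claimMapping": {"email": "preferred_username", "name": "name"},
}

# Same intent as the documented pattern, but the dot is escaped and the local
# part may not contain '@' or whitespace. Assumed hardening, not from the page.
STRICT_PATTERN = r"^[^@\s]+@contiamo\.com$"

# Claim names used when claimMapping does not override them.
DEFAULT_CLAIMS = {"email": "email", "name": "name"}


def extract_identity(claims, claim_mapping=None):
    """Return (email, name) from decoded ID-token claims.

    Raises ValueError when a mapped claim is absent or empty, the situation the
    documentation reports as "Failed to validate user's email".
    """
    mapping = {**DEFAULT_CLAIMS, **(claim_mapping or {})}
    email = claims.get(mapping["email"])
    name = claims.get(mapping["name"])
    if not email or not name:
        raise ValueError(
            "Failed to validate user's email: claim %r or %r missing from token"
            % (mapping["email"], mapping["name"])
        )
    return email, name


def email_allowed(email, pattern):
    """True when the whole address matches emailPattern."""
    return re.fullmatch(pattern, email) is not None


def login_check(claims, config=CONFIG):
    """Run claim extraction, then the email pattern check; return the outcome."""
    try:
        email, name = extract_identity(claims, config.get("claimMapping"))
    except ValueError as exc:
        return str(exc)
    if not email_allowed(email, config["emailPattern"]):
        return "This user is not allowed to login: %s" % email
    return "ok: %s <%s>" % (name, email)


# Constructed sample claim sets, as a decoded ID token would present them.
SAMPLE_TOKENS = {
    "google-style": {"email": "alice@contiamo.com", "name": "Alice Example"},
    "azure-style": {"preferred_username": "alice@contiamo.com", "name": "Alice Example"},
    "azure-non-email-upn": {"preferred_username": "alice", "name": "Alice Example"},
    "unescaped-dot": {"preferred_username": "bob@contiamoXcom", "name": "Bob Example"},
}

if __name__ == "__main__":
    strict = dict(CONFIG, emailPattern=STRICT_PATTERN)
    for label, claims in SAMPLE_TOKENS.items():
        print("%-20s documented: %s" % (label, login_check(claims)))
        print("%-20s strict:     %s" % (label, login_check(claims, strict)))
```

Running the block with the default `CONFIG` shows that the Google-style token fails claim extraction (the mapping asks for `preferred_username`, which it lacks), the bare UPN `alice` is rejected by the pattern, and `bob@contiamoXcom` is accepted by the documented pattern but rejected by the escaped one.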
`--auth-providers-config-file` flag (empty string by default) to the full path of the configuration file from the previous section. If the file is missing required values or the path is wrong, the server will crash on startup and you'll see the error message in the logs. This makes it easier to debug and troubleshoot configuration problems before users face them during login. It's safe to use an empty value, which disables external authentication and runs the server normally.
`Invalid authentication state` — the state is an encoded string in the URL that the external authentication provider must return to Contiamo after performing its checks on the user. The state is encrypted, signed and can expire. This error occurs when the state is either corrupted or expired, which normally should not happen.
`Failed to exchange the authorization code` — this error most likely occurs because of a misconfiguration or when the external authentication provider is unavailable.
`Failed to extract user's identity` — this error occurs when the IDP is not able to verify and parse the identity token returned by the authentication provider. It should not happen if the authentication provider is running normally and the discovery URL is valid.
`Failed to validate user's email` — this error occurs when it's not possible to extract the email or name of the user from the identity token. It can happen because of a misconfiguration of your OAuth 2.0 app; you might want to check the granted scopes, the enabled claims and `claimMapping` in the IDP configuration file described in the "Configuration file" section.
`This user is not allowed to login` — this error occurs when there is no existing user with such an email in the IDP or when the email didn't pass the
`Failed to create user's session` — this error occurs when the IDP database is unavailable or the server is running in a faulty state.
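The `Invalid authentication state` entry above says the state is encrypted, signed and can expire. As an added example (not Contiamo's implementation; the function names, key, lifetime and payload layout are assumptions made here), the Python below builds a signed, time-limited state and shows the three ways verification can fail: a malformed value, a payload that was edited or signed with another key, and an expired one. Encryption is left out to stay within the standard library; the signature and the expiry are what turn a corrupted or stale state into the documented error rather than a silently accepted callback.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed server-side key and lifetime; a real server loads the key from
# its configuration. Names are assumptions for this example.
STATE_KEY = os.urandom(32)
STATE_TTL_SECONDS = 300


def _b64e(raw):
    """URL-safe base64 without padding, as used inside query strings."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(redirect_path, key=STATE_KEY, now=None, ttl=STATE_TTL_SECONDS):
    """Build the opaque state sent to the provider: <payload>.<hmac>."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"nonce": _b64e(os.urandom(16)), "exp": int(now + ttl), "redirect": redirect_path},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_state(state, key=STATE_KEY, now=None):
    """Return the payload the server issued, or raise ValueError.

    Every failure maps onto the documented "Invalid authentication state".
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = state.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, TypeError):              # wrong shape or not base64
        raise ValueError("Invalid authentication state: malformed")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # edited, truncated or foreign key
        raise ValueError("Invalid authentication state: bad signature")
    data = json.loads(payload)                   # signature held, so this is our JSON
    if data["exp"] < now:
        raise ValueError("Invalid authentication state: expired")
    return data


def state_error(state, key=STATE_KEY, now=None):
    """Convenience wrapper: the error text, or None when the state verifies."""
    try:
        verify_state(state, key, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = issue_state("/dashboard")
    print("fresh state:   ", state_error(good))
    print("expired state: ", state_error(good, now=time.time() + STATE_TTL_SECONDS + 1))
    print("garbage state: ", state_error("not-a-state"))
    body, sig = good.split(".")
    edited = _b64e(b'{"exp":9999999999,"redirect":"/dashboard"}') + "." + sig
    print("edited payload:", state_error(edited))
```

The signature is checked before the payload is parsed, so an edited `exp` or `redirect` never reaches the expiry logic, and `hmac.compare_digest` keeps the comparison constant-time. Because the key lives only on the server, a state that verifies is one the server issued itself within the last `STATE_TTL_SECONDS` seconds.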