Configuration Guide

The Provisioning Application is configured via Spring Boot profiles. Default configuration properties are defined in

Authentication Configuration

There are two separate authentication options to authenticate a user for the provisioning app.

  • CROWD (default)

  • OAUTH2

Note that the current OAUTH2 implementation is only used for authenticating the user to the provisioning app. The authentication that is used for the REST API calls to Atlassian Crowd, Jira, Confluence, Bitbucket and Rundeck is done either via the logged-in user's credentials (user name and password) or via the technical users that are configured in the used Spring Boot profile.

Authentication Crowd Configuration
provision.auth.provider=crowd (1) (2)
1 configures crowd authentication provider
2 include crowd profile per default.

The crowd-specific configuration is done in the included profile crowd; see the property documentation inside the profile file. The provided example configuration is appropriate for a locally installed OpenDevStack environment.

Authentication OAUTH2 Configuration

A default oauth2 configuration is given in spring boot profile. The provided example configuration is appropriate for a locally installed OpenDevStack environment, when the idmanager vagrant box is used.
provision.auth.provider=oauth2 (1)

idmanager.url= (2)
idmanager.realm=provisioning-app (3)

oauth2.user.roles.jsonpointerexpression=/claims/roles (4)


1 configures oauth2 authentication provider
2 URL to idmanager. The value defaults to opendevstack idmanager box with keycloak installation
3 Name of realm that is used
4 The application reads the user roles from the claim that is inside the oauth2 ID token. The property oauth2.user.roles.jsonpointerexpression is a JsonPointer expression that defines the path to the roles that are extracted from the ID token. Details regarding pointer expressions can be found in the Jackson-core JsonPointer Documentation
5 Defines the OAUTH2 client registration properties, in particular the client name and client secret. See OAUTH2 Spring Boot 2.x Property Mappings for details.
6 Defines the OAUTH2 client.provider properties. These properties correspond to the well-known OAUTH2 URIs. In the case of Keycloak, these URIs can be read from the .well-known/openid-configuration link
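
As an added example (not the provisioning app's own code), the following Java snippet shows how a JsonPointer expression such as the /claims/roles value from callout 4 resolves against token JSON with Jackson. The class and method names, the token layout and the role names are constructed assumptions; a pointer that matches nothing, or that matches a non-array value, yields an empty role list.

```java
import com.fasterxml.jackson.core.JsonPointer;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RolePointerExample {

    // Hypothetical helper: resolves the configured pointer against the token JSON.
    static List<String> extractRoles(JsonNode token, String pointerExpression) {
        // compile() throws IllegalArgumentException for a malformed expression,
        // e.g. one that does not start with "/".
        JsonPointer pointer = JsonPointer.compile(pointerExpression);
        JsonNode node = token.at(pointer);
        // Fail closed: a missing path or a non-array value grants no roles.
        if (node.isMissingNode() || !node.isArray()) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        for (JsonNode role : node) {
            if (role.isTextual()) { // ignore nested objects, numbers, nulls
                roles.add(role.asText());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed sample; the "claims" wrapper is assumed from the pointer's shape.
        JsonNode token = mapper.readTree(
            "{\"claims\":{\"preferred_username\":\"jdoe\","
            + "\"roles\":[\"example-users\",\"example-administrators\"]}}");
        System.out.println(extractRoles(token, "/claims/roles"));
        // A pointer that does not match the token layout resolves to no roles.
        System.out.println(extractRoles(token, "/claims/groups"));

        // Claim names containing "/" must be escaped as "~1" in the pointer (RFC 6901).
        JsonNode namespaced = mapper.readTree(
            "{\"claims\":{\"https://example.test/roles\":[\"example-viewers\"]}}");
        System.out.println(
            extractRoles(namespaced, "/claims/https:~1~1example.test~1roles"));
    }
}
```

If the pointer does not match the layout of the tokens the identity provider issues, every user resolves to an empty role list, so verify the expression against a real decoded ID token when changing the realm or client mappers.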

Authentication to third party apps via technical users

The REST API calls use HTTP basic access authentication to communicate with Jira, Confluence, Bitbucket and Rundeck. The credentials used are read from a pair of properties. For example, the rundeck.admin_password and rundeck.admin_user properties are used for Rundeck, confluence.admin_user and confluence.admin_password are used for Confluence, etc.
# configure technical user for rundeck. Do not authenticate via oauth2, since not implemented.

# configure technical user for bitbucket. Do not authenticate via oauth2, since not implemented.

# configure technical user for confluence. Do not authenticate via oauth2, since not implemented.

# configure technical user for jira. Do not authenticate via oauth2, since not implemented.
Note: if the pair of properties is not defined for a third party tool, the logged-in user's credentials are used to authenticate against the application. The credentials are read by calling the methods getUserName and getUserPassword from IODSAuthnzAdapter. See also implementation of