Skip to main content
Skip table of contents

OAuth Providers


OAuth is an open standard developed for access delegation, in which EJBCA allows a trusted third party to provide user authentication while still retaining authorization rights. OAuth authentication can be used alongside or instead of client certificate authentication (see Authentication Methods) and provides a powerful tool for managing all users of a PKI from a single source while not needing to handle individual client credentials in the shape of client key pairs. 

The following page provides an overview of OAuth providers in EJBCA. For instructions on setting up OAuth providers, see OAuth Provider Management.

Supported Providers

EJBCA has been tested with the OAuth providers KeycloakMicrosoft Azure, and Ping ID. For instructions on how to set up the providers, see OAuth Provider Management.

Other providers conforming to OAuth 2.0 and OpenID Connect (OIDC) may work with EJBCA, but these have not yet been tested and evaluated by Keyfactor.

Provider Configuration Overview

The OAuth configuration page is found under the Trusted OAuth Providers tab in System Configuration.

Default Trusted OAuth ProviderIf the received token does not have a Key ID, the Default Trusted OAuth Provider may be used to verify the signature. If authorization succeeds the token is accepted, otherwise, authorization fails.

Generic Values

When adding an OAuth Provider, the following values exist as general options:

OAuth Provider TypeThe OAuth implementation, some of which may have distinct configuration values.
OAuth Provider NameA human readable name for this OAuth provider.

The base login URL of the provider.

Fetch UserInfoWhether the configured UserInfo endpoint should be used to fetch claims.
UserInfo URLThe URL of the UserInfo endpoint.
Skew LimitThe allowed clock difference, in milliseconds, between the OAuth provider and EJBCA.
ScopeThe scope of the provider.
Client NameThe client name EJBCA uses to access the OAuth provider.
Client SecretThe client password EJBCA uses to access the OAuth provider, if required. 

At the bottom of the page is a form for providing the OAuth public key:

The key may be provided using three methods:

  • File Upload
  • Upload as text
  • Providing a Key Configuration URL

Implementation Specific Values

Besides the generic values, each supported OAuth implementation may support additional vendor specific configuration values:


Realm NameThe desired Keycloak realm.

Microsoft Azure 

TenantThe specified tenant for this provider.
ScopeSet the scope. In the Azure Active Directory, this is configured in Expose an API → Add a scope.

Role Member Configuration Overview

Claims in OAuth tokens may be mapped to roles. A claim can represent a group of users or an individual user. EJBCA allows any combination of claims and even different authentication methods in a single role.

The following claims are supported. Exact usage depends on the provider, refer to the providers' documentation.

subPermanent unique identifier of the subject. When using KeyCloak, this identifies a specific user.
issIssuer of the token.
oidAzure specific claim that represents a user.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.