OpenID Connect
OpenID Connect is available only in the self-hosted version of Allure TestOps.
Allure TestOps implements the standard Spring Boot OpenID Connect client. Configuration is done at the deployment level — in environment variables, Helm values, or the Linux package config file.
Prerequisites
Before configuring any OpenID provider, make sure the following conditions are met:
- Allure TestOps is deployed and accessible via an HTTPS URL. Both Allure TestOps and the identity provider must use the same protocol — if one is behind HTTPS, the other must be too.
- You have access to the Allure TestOps configuration files.
- You are able to apply configuration changes, which may require a service restart.
- You have administrative access to your identity provider.
Configuration parameters
Configure OpenID in the auth.openid section of values.yaml:
auth:
  primary: openid
  openid:
    enabled: true
    providerName: <provider> # shown on the sign-in page; one word, no spaces
    clientName: testops # TestOps app name as registered in the IdP
    clientId: <your-client-id>
    clientSecret: <your-client-secret>
    redirectUri: https://testops.example.com/login/oauth2/code/<providerName>
    scope: openid, email, profile
    authorizationGrantType: authorization_code
    authorizationUri: <idp-authorization-endpoint>
    jwksSetUri: <idp-jwks-endpoint>
    tokenUri: <idp-token-endpoint>
    usernameAttribute: preferred_username
    firstNameAttribute: # leave blank to use standard OIDC claim
    lastNameAttribute: # leave blank to use standard OIDC claim
    defaultRole: ROLE_GUEST # ROLE_GUEST | ROLE_USER | ROLE_ADMIN
    syncRoles: false
    groupRoleAttribute: <claim-name> # claim that contains group names
    roleUserGroups: <list> # groups that grant ROLE_USER
    roleAdminGroups: <list> # groups that grant ROLE_ADMIN
    issuerUri: # optional, generally not used
    userinfoUri: # optional, generally not used
Configure OpenID in the .env file. No changes to docker-compose.yml are required.
TESTOPS_OPENID_CLIENTNAME=testops
TESTOPS_OPENID_CLIENTID=<your-client-id>
TESTOPS_OPENID_CLIENTSECRET=<your-client-secret>
TESTOPS_OPENID_REDIRECTURI=https://testops.example.com/login/oauth2/code/openid
TESTOPS_OPENID_SCOPE=openid,email,profile
TESTOPS_OPENID_AUTHORIZATIONGRANTTYPE=authorization_code
TESTOPS_OPENID_AUTHORIZATIONURI=<idp-authorization-endpoint>
TESTOPS_OPENID_JWKSETURI=<idp-jwks-endpoint>
TESTOPS_OPENID_TOKENURI=<idp-token-endpoint>
TESTOPS_OPENID_USERNAMEATTRIBUTE=preferred_username
TESTOPS_OPENID_FIRSTNAMEATTRIBUTE=first_name
TESTOPS_OPENID_LASTNAMEATTRIBUTE=last_name
TESTOPS_OPENID_DEFAULTROLE=ROLE_GUEST
TESTOPS_OPENID_SYNCROLES=false
TESTOPS_OPENID_GROUPROLEATTRIBUTE=group
TESTOPS_OPENID_GROUPAUTHORITIES_ROLEUSERGROUPS=<list>
TESTOPS_OPENID_GROUPAUTHORITIES_ROLEADMINGROUPS=<list>
# Uncomment only if required by your IdP:
# TESTOPS_OPENID_ISSUERURI=<idp-issuer-uri>
# TESTOPS_OPENID_USERINFOURI=<idp-userinfo-uri>
Configure OpenID in /opt/testops/conf/testops.conf:
ALLURE_LOGIN_PRIMARY=openid
ALLURE_LOGIN_OPENID_DEFAULTROLE=ROLE_GUEST
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTNAME=openid
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTID=<your-client-id>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTSECRET=<your-client-secret>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_REDIRECTURI=https://testops.example.com/login/oauth2/code/openid
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_SCOPE=openid,email,profile
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_AUTHORIZATIONGRANTTYPE=authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_AUTHORIZATIONURI=<idp-authorization-endpoint>
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_JWKSETURI=<idp-jwks-endpoint>
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_TOKENURI=<idp-token-endpoint>
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_USERNAMEATTRIBUTE=preferred_username
Redirect URI format
The redirect URI must follow this pattern:
https://<your-testops-domain>/login/oauth2/code/<providerName>
- For Compose and Linux packages: the provider name suffix is always openid.
- For Kubernetes: the suffix is the value of providerName in values.yaml.
defaultRole options
| Value | Instance-wide role |
|---|---|
| ROLE_GUEST | Guest — recommended for controlling license consumption |
| ROLE_USER | User |
| ROLE_ADMIN | Administrator |
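A pre-deployment check for the Compose .env file can catch the mistakes these sections warn about before the service is restarted. The following is an added example, not part of Allure TestOps or its documentation: it verifies the redirect URI pattern, HTTPS on the IdP endpoints, leftover placeholders and the default role. The sample values, the idp.example.com host names and the decision to flag ROLE_ADMIN as a default are assumptions of this example.

```python
from urllib.parse import urlparse

PREFIX = "TESTOPS_OPENID_"
ROLES = {"ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN"}

# Constructed sample .env with deliberate mistakes (not from a real deployment).
SAMPLE_ENV = """\
TESTOPS_OPENID_CLIENTID=testops-client
TESTOPS_OPENID_CLIENTSECRET=<your-client-secret>
TESTOPS_OPENID_REDIRECTURI=https://testops.example.com/login/oauth2/code/keycloak
TESTOPS_OPENID_AUTHORIZATIONURI=https://idp.example.com/auth
TESTOPS_OPENID_JWKSETURI=http://idp.example.com/certs
TESTOPS_OPENID_TOKENURI=https://idp.example.com/token
TESTOPS_OPENID_DEFAULTROLE=ROLE_ADMIN
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"')
    return env


def lint_openid_env(text):
    """Return the settings (without prefix) that fail a check."""
    env = parse_env(text)
    get = lambda name: env.get(PREFIX + name, "")
    bad = []
    redirect = urlparse(get("REDIRECTURI"))
    # Compose and Linux package: the path suffix is always "openid".
    if redirect.scheme != "https" or redirect.path != "/login/oauth2/code/openid":
        bad.append("REDIRECTURI")
    # TestOps is served over HTTPS, so the IdP endpoints must be too.
    for name in ("AUTHORIZATIONURI", "JWKSETURI", "TOKENURI"):
        if urlparse(get(name)).scheme != "https":
            bad.append(name)
    # Unset values and <placeholders> copied from the template.
    for name in ("CLIENTID", "CLIENTSECRET"):
        if not get(name) or get(name).startswith("<"):
            bad.append(name)
    # ROLE_ADMIN as the default is flagged as this example's own policy choice.
    if get("DEFAULTROLE") not in ROLES - {"ROLE_ADMIN"}:
        bad.append("DEFAULTROLE")
    return bad
```

Calling lint_openid_env on the contents of your own .env returns an empty list when every check passes.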
Session duration control
By default, Allure TestOps respects the idle session timeout sent by the OpenID provider. If those settings are too aggressive, you can override them and let Allure TestOps manage session duration instead.
This feature is available from release 25.3.3.
Set USE_OPENID_REFRESH_TOKEN=false in your Compose environment file.
Update the Helm chart to 5.25.6 or later and set:
openid:
  ignoreOpenIDSessionDurationControl: true
When true, idle session duration is controlled by inactiveUserSessionDuration in Allure TestOps instead.
Add to testops.conf and restart the service:
ALLURE_LOGIN_OPENID_REFRESHTOKEN="false"
Sign in as system account
When the primary authentication method is set to OpenID, you can still reach the built-in login page at:
https://<your-testops-domain>/login/system
Use this path when the identity provider is unavailable, during license renewal, or when recovering administrator access.