PlantUML supports two grant types for OAuth2: `client_credentials` and `password` (Resource Owner Password Credentials).

An OAuth2 credentials configuration file must be stored in the folder configured by the property `plantuml.security.credentials.path`. The file extension is `.credential`, the file content is structured in JSON, the charset encoding is UTF-8, and the filename must match the UserInfo part of the URL.

Flow

OAuth2 `client_credentials` JSON structure:

```json
{
  "name": "<name of the configuration>",
  "type": "oauth",
  "identifier": "<principal identifier>",
  "secret": "<principal secret>",
  "properties": {
    "grantType": "client_credentials",
    "accessTokenUri": "<URL to token access controller>",
    "scope": "<access scopes>"
  },
  "proxy": {
    "type": "<proxy type>",
    "address": "<proxy server address>",
    "port": "<proxy server port>"
  }
}
```

![](http://cdn-0.plantuml.com/plantuml/png/XLB1QiCm3BtdAuHt2uFUir3ATjsfjETX73Nnwbb1LiVAwB_FTfosQmU319BtdfwaXrP1DCjx85-rGOuEbzLW-y75L-2x0dZMPjyp7NptGewuWM3T9_9JTQhQHQbuk9GehpzG_KBaEDuW8zE8B1Q3WWMedhMNpNygRGo6iA4z-YtRE-dNCQl-R5OutNKSBLILzfe6RK2rwGDe1p8W6F8xsnzOYoM_L8z9c2sZiAv97sIewmcs7NgnEukSNKQstjXHExWGnI2WOPGRrGGMnTMgJKuThbF9lOspqVOj5cLxxK8P1EwYIOsswrSGYa_4OEBJSiBavhdIP8Oc_xP8CX2MAjAdURAOtdceEOisuv1-psPpl1Sw8CTJWKASXIEntAiIEZMEfxL2t-MZ_040)

- `name`: required - The name of the configuration; it should be similar to the file name
- `type`: `oauth`, required
- `identifier`: required - Principal identifier name
- `secret`: Secret for the principal (not encrypted)
- `properties.grantType`: `client_credentials`, required - Defines the OAuth2 client credentials flow
- `properties.accessTokenUri`: required - URI to the AuthServer token access controller. If PlantUML is configured to work with an allow-list, this controller URI must be added to the list (see also security configuration)
- `properties.scope`: Access tokens to request (e.g. `read write`)
- `proxy`: Optional proxy configuration (overrides system proxy settings)
- `proxy.type`: required (`direct`, `socks`, `http`)
- `proxy.address`: required - Proxy server address (hostname, IP address)
- `proxy.port`:

Examples:

```json
{
  "name": "curity-demo",
  "type": "oauth",
  "identifier": "demo-backend-client",
  "secret": "MJlO3binatD9jk1",
  "properties": {
    "grantType": "client_credentials",
    "scope": "read write",
    "accessTokenUri": "https://login-demo.curity.io/oauth/v2/oauth-token"
  }
}
```

Flow

OAuth2 `password` JSON structure:

```json
{
  "name": "<name of the configuration>",
  "type": "oauth",
  "identifier": "<principal identifier>",
  "secret": "<principal secret>",
  "properties": {
    "grantType": "password",
    "accessTokenUri": "<URL to token access controller>",
    "scope": "<access scopes>",
    "resourceOwner": {
      "identifier": "<resource owner name>",
      "secret": "<resource owner secret>"
    }
  },
  "proxy": {
    "type": "<proxy type>",
    "address": "<proxy server address>",
    "port": "<proxy server port>"
  }
}
```

![](http://cdn-0.plantuml.com/plantuml/png/RLFBReCm4Bpp5LjwGvLoJr4KjTTAbQha0oop0RV4QwsNfb75lzSsZpoe10XcPySxOxFrebW-FTdiGHey8hXM6PkLNiujRhB6r4qRRe7V3E15wQ-QgRFLAxN4Q_2c_KP-plgiN8qTZvUMtAeZvZU8dDqTOYgqOWu6-HPtJ0vP3FeSLf3NhApi5jrtBAKrUh-ZBxHxDWlgppcnv3-PiQQgYeD4daM_Wu4rv6Ly0Jf0o0WqsOEfErPYo6xofqXCae5O5AGwQOfYWA_CHHN7nchZL0kNmYZWKJFA7Mi0HyQLrNNQ3RXE9QtjbFSducfS7XQ1HFdznni8XIjWCDIZ9M5gfsdYF9e6rNAa9C3FzH0ITQpn_MIJkM6WfUM91nI947ESD6vTtn4dwudPXsS_XH0sQlO_nLuc7EBdFE6qavUoHmwd5SR2J7J4icH5D2tVXzEzHLkbd-GF)

- `name`: required - The name of the configuration; it should be similar to the file name
- `type`: `oauth`, required
- `identifier`: required - Principal identifier name
- `secret`: Secret for the principal (not encrypted)
- `properties.grantType`: `password`, required - Defines the OAuth2 resource owner password credentials flow
- `properties.accessTokenUri`: required - URI to the AuthServer token access controller. If PlantUML is configured to work with an allow-list, this controller URI must be added to the list (see also security configuration)
- `properties.scope`: Access tokens to request (e.g. `read write`)
- `properties.resourceOwner.identifier`: Resource owner name, who requests the access
- `properties.resourceOwner.secret`:
- `proxy`: Optional proxy configuration (overrides system proxy settings)
- `proxy.type`: required (`direct`, `socks`, `http`)
- `proxy.address`: required - Proxy server address (hostname, IP address)
- `proxy.port`:

Examples:

```json
{
  "name": "oauth-example",
  "type": "oauth",
  "identifier": "demo-backend-client",
  "secret": "MJlO3binatD9jk1",
  "properties": {
    "grantType": "password",
    "scope": "read write",
    "accessTokenUri": "https://login-demo.curity.io/oauth/v2/oauth-token",
    "resourceOwner": {
      "identifier": "alice",
      "secret": "secret"
    }
  }
}
```

(Please note: login-demo.curity.io has stopped supporting the 'password' grant type.)
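
Because the secrets in a `.credential` file are stored unencrypted, it is worth checking each file before deploying it. The linter below is an added example, not PlantUML code: it applies the file and field rules listed above, and the names `lint_credential` and `lint_sample` are hypothetical. It assumes the URL UserInfo equals the filename without its extension, and the file-mode and `https` checks are added hardening checks rather than PlantUML requirements.

```python
import json, os, tempfile
from pathlib import Path
from urllib.parse import urlsplit

GRANTS = {"client_credentials", "password"}
PROXY_TYPES = {"direct", "socks", "http"}

def lint_credential(path, url_userinfo):
    """Return a list of findings for one PlantUML OAuth2 .credential file."""
    path, out = Path(path), []
    # Assumption: the URL UserInfo equals the filename without its extension.
    if path.name != url_userinfo + ".credential":
        out.append("filename must be <UserInfo>.credential")
    # The secret is stored unencrypted, so flag group/other access (POSIX modes).
    if os.name == "posix" and path.stat().st_mode & 0o077:
        out.append("file is accessible beyond its owner")
    try:
        cfg = json.loads(path.read_bytes().decode("utf-8"))
    except ValueError as exc:  # bad UTF-8 and bad JSON both raise ValueError
        return out + [f"not UTF-8 JSON: {exc}"]
    if not isinstance(cfg, dict):
        return out + ["top level is not a JSON object"]
    for key in ("name", "identifier"):
        if not isinstance(cfg.get(key), str) or not cfg[key]:
            out.append(f"{key} is required")
    if cfg.get("type") != "oauth":
        out.append("type must be oauth")
    props = cfg.get("properties")
    props = props if isinstance(props, dict) else {}
    if props.get("grantType") not in GRANTS:
        out.append("grantType must be client_credentials or password")
    uri = props.get("accessTokenUri")
    if not isinstance(uri, str) or not uri:
        out.append("accessTokenUri is required")
    elif urlsplit(uri).scheme != "https":  # added hardening check, not a PlantUML rule
        out.append("accessTokenUri is not https")
    proxy = cfg.get("proxy")
    if proxy is not None and not (isinstance(proxy, dict)
            and proxy.get("type") in PROXY_TYPES and proxy.get("address")):
        out.append("proxy needs type (direct, socks, http) and address")
    return out

def lint_sample(cfg, filename, userinfo, mode=0o600):
    # Writes a constructed config into a temp dir with the given mode, then lints it.
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / filename
        p.write_text(json.dumps(cfg), encoding="utf-8")
        p.chmod(mode)
        return lint_credential(p, userinfo)
```

Run `lint_credential(path, userinfo)` over each file in the folder set by `plantuml.security.credentials.path`; an empty list means no findings.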