YouTrack Server 2026.2 Help

OAuth 2.0 Auth Module

An OAuth 2.0 authentication module lets users log in to YouTrack and any connected services with credentials that are stored in an external authorization service. YouTrack provides pre-configured authentication modules for Amazon, Azure AD 2.0, Bitbucket Cloud, Facebook, GitLab, Keycloak, Microsoft Live, Okta, and PayPal.

Use the generic OAuth 2.0 authentication module to let users log in to YouTrack with accounts from other third-party services that support OAuth 2.0, like Basecamp, Stack Exchange, and Zendesk.

When you enable an OAuth 2.0 authentication module in YouTrack:

  • Your users log in to YouTrack with the credentials they use in an external service.

  • Your YouTrack users have fewer accounts and passwords to remember.

  • New users with accounts in the connected service can create their own accounts in YouTrack.

Enable OAuth 2.0 Authentication

To let users with existing accounts in an external authorization service log in to YouTrack, enable an OAuth 2.0 authentication module.

To create an OAuth 2.0 auth module:

  1. From the main navigation menu, select Auth Modules.

  2. Click the New module button.

    • The Select an identity provider dialog opens.

  3. In the Select an identity provider dialog, select OAuth 2.0.

    • The Configure Login with OAuth 2.0 wizard opens.

  4. Enter the Auth module name, Authorization URL, Token URL, and User info URL, then click Next.

  5. Copy the generated redirect URI.

    Register the authorized redirect URI for YouTrack in the authorization service. This process varies by service. You can refer to the setup instructions for any of the pre-configured authentication modules, like Amazon, Bitbucket Cloud, Facebook, GitLab, Microsoft Entra ID, Microsoft Live, and PayPal. The procedures for other third-party authorization services are similar.

    Make sure to update the Redirect URI in the authorization service whenever you change the base URL of your YouTrack instance, for example, after changing proxy settings.

  6. Copy the Client ID and Client secret from the authorization service and paste them into the corresponding fields in YouTrack.

  7. Click Finish.

    The OAuth 2.0 authentication module is created and its configuration page opens.

To enable the OAuth 2.0 auth module:

  1. Review and configure optional settings for the authentication module. For more information, see Additional Settings.

  2. Click Save to apply the settings.

  3. Click Enable.

    • The OAuth 2.0 authentication module is enabled.

    • The auth module icon is added to the login dialog window. Users can click this icon to log in to YouTrack with their credentials.

  4. To verify that the authentication module is configured correctly, click the Test login button.

    • YouTrack opens the authentication flow with the configured identity provider.

    • If you are authenticated successfully, the configuration is correct.

Settings

In the header of the settings page, you can find the general information about the authentication module.

Setting

Description

Name

Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list.

You can change the name and icon of the authentication module using the Rename action. For more details, see Actions.

Accounts imported to YouTrack

Displays the number of users that have been imported to YouTrack.

On the General Settings tab, you can find the general settings for the authentication module. This includes the redirect URI used to register YouTrack in the authorization service and the client credentials generated in the authorization service.

Setting

Description

Default

Designates the authentication module as the default for your installation. Only one authentication module can be set as the default at any time. If another module is currently set as the default, that state is cleared.

If none of the available authentication modules are designated as the default, unauthenticated users are always directed to the YouTrack login page.

Redirect URI

Displays the authorized redirect URI used to register the connection to YouTrack in the authorization service.

Client ID

Stores the identifier that the authorization service uses to validate a login request. You generate this value in the authorization service when you configure the authorization settings for a web application and enter an authorized redirect URI.

Client Secret

Stores the secret or password used to validate the client ID. You generate this value in the authorization service together with the client ID.

Scopes

A space-separated list of scopes YouTrack requests from the identity provider. Scopes determine which claim groups the identity provider returns.

Authorization URL

Stores the endpoint used to start the OAuth 2.0 authentication flow. YouTrack redirects the user to this URL to obtain an authorization grant from the resource owner.

Token URL

Stores the endpoint that YouTrack uses to obtain an access token.

User info URL

Stores the endpoint used to locate profile data for the authenticated user. When a user profile response object is returned by the authorization service, values from the specified field paths are copied to the user profile in YouTrack.

Logout URL

Stores the endpoint used to invalidate the authorization service session when the user logs out. This setting is optional, but must be configured for single sign-out to work.

Email URL

Stores the endpoint used to locate the email address of the authenticated user. Use only when the email address is not stored in the user profile.

Avatar URL

Stores the endpoint used to locate the binary file used as the avatar for the authenticated user. Use only when the avatar is not stored directly in the user profile.

Attribute Mapping

When a user profile response object is returned by the authorization service, values from the specified field paths are copied to the user profile in YouTrack. Use the following settings to define the endpoint that locates profile data for the authenticated user and map fields that are stored in the authorization service to user accounts in YouTrack.

For pre-configured OAuth 2.0 modules, the values that are used by the selected authorization service are set automatically.

  • To specify paths to fields inside nested objects, enter a sequence of segments separated by the slash character (/).

  • To reference values that may be stored in more than one location, use the "Elvis operator" (?:) as a delimiter for multiple paths. With this option, YouTrack uses the first non-empty value it encounters in the specified field.

Field

Description

User ID

Maps to the field that stores the value to copy to the User ID property in YouTrack.

Username

Maps to the field that stores the value to copy to the Username field in the YouTrack profile.

This option is available in YouTrack versions 2023.1.15453 and later.

Full name

Maps to the field that stores the value to copy to the Full name field in the YouTrack profile.

Email

Maps to the field that stores the value to copy to the Email field in the YouTrack profile.

Email verification state

Maps to the field that stores the value to copy to the verified email property in YouTrack.

Avatar

Maps to the field that stores the image to use as the Avatar in the YouTrack profile.

Image URL pattern

Generates an image URL for avatars that are referenced by an ID. Use the <picture-id> placeholder to reference the field that stores the avatar.

Groups

Maps to the attribute that stores group membership assignments in the connected authorization service.

When this value is specified, you can map and sync group memberships in the authorization service with corresponding groups in YouTrack. For details, see Group Mappings.
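The field-path syntax described above (slash-separated segments and the ?: fallback), shown as an added example that is not YouTrack's own code: a Python resolver for previewing what a mapping would pick from a captured user info response before you enter it in the module settings. The sample response, the mapping expressions, the function names, the tolerance for spaces around ?:, and the definition of "empty" are assumptions.

```python
# Constructed sample of a user info response; not taken from any real provider.
SAMPLE_USERINFO = {
    "sub": "a1b2c3",
    "profile": {"display_name": "", "name": "Ada Example"},
    "emails": {"primary": "ada@example.com", "verified": False},
    "groups": ["yt-admins", "engineering"],
}

def resolve_segment_path(doc, path):
    """Follow one slash-separated path through nested objects; None if a segment is missing."""
    node = doc
    for segment in path.strip().split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node

def is_empty(value):
    # Assumption: missing fields, null, empty strings and empty lists count as empty.
    return value is None or value == "" or value == []

def resolve_mapping(doc, expression):
    """Evaluate 'path ?: path ?: ...' and return the first non-empty value."""
    for path in expression.split("?:"):
        value = resolve_segment_path(doc, path)
        if not is_empty(value):
            return value
    return None

def preview_profile(doc, mapping):
    """Return the value each field would receive and the fields that resolved to nothing."""
    resolved = {field: resolve_mapping(doc, expr) for field, expr in mapping.items()}
    missing = sorted(field for field, value in resolved.items() if is_empty(value))
    return resolved, missing

# Hypothetical mapping expressions for the constructed response above.
MAPPING = {
    "User ID": "sub",
    "Username": "preferred_username ?: login",
    "Full name": "profile/display_name ?: profile/name",
    "Email": "email ?: emails/primary",
    "Email verification state": "emails/verified",
    "Groups": "groups",
}

if __name__ == "__main__":
    resolved, missing = preview_profile(SAMPLE_USERINFO, MAPPING)
    print(resolved)
    print("unresolved fields:", missing)
```

An unresolved Email or Groups field is worth catching before the module is enabled, because YouTrack uses the email address to match existing accounts and the Groups attribute to drive group mappings.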

Group Mappings

On the Group Mappings tab, you can map existing groups in the authorization service to the groups in YouTrack.

If you want to map groups in the OAuth 2.0 service to groups in YouTrack, you need to specify the Groups attribute that stores group memberships from the OAuth 2.0 service in the Attribute Mapping section of the settings for this auth module.

When group mappings are configured, YouTrack checks for group memberships when users log in with accounts that are managed in the OAuth 2.0 service. YouTrack performs the following operations for each group from the OAuth 2.0 service that is mapped to a YouTrack group:

  • Users who are members of a mapped OAuth 2.0 group and are not members of the mapped YouTrack group are added to the group in YouTrack.

  • Users who are not members of a mapped OAuth 2.0 group and are members of the mapped YouTrack group are removed from the group in YouTrack.

Changes to group memberships in the authorization service are only applied in YouTrack when users log in using their accounts from the OAuth 2.0 service.

You can map multiple OAuth 2.0 groups to a single target group in YouTrack. You can't map a single OAuth 2.0 group to more than one YouTrack group.
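The login-time rules above, modeled as an added Python example (not YouTrack's code) that also reports users whose mapped group memberships remain in YouTrack because they have not logged in since the identity provider revoked them. The group names, user snapshot and function names are constructed, and the handling of several OAuth 2.0 groups sharing one target is an assumption the page does not spell out.

```python
# Hypothetical mapping table: OAuth 2.0 group name -> YouTrack target group.
# Several OAuth groups may share one target; a dict key can only have one
# target, which matches the one-target-per-OAuth-group rule.
GROUP_MAPPINGS = {
    "idp-admins": "YouTrack Admins",
    "idp-sre": "YouTrack Admins",
    "idp-dev": "Developers",
}

def plan_group_sync(mappings, idp_groups, youtrack_groups):
    """Return (to_add, to_remove) for a single login."""
    idp_groups, youtrack_groups = set(idp_groups), set(youtrack_groups)
    managed = set(mappings.values())  # only mapped targets are ever touched
    # Assumption: membership in any one source group keeps the shared target.
    entitled = {target for source, target in mappings.items() if source in idp_groups}
    to_add = entitled - youtrack_groups
    to_remove = (managed - entitled) & youtrack_groups
    return sorted(to_add), sorted(to_remove)

def audit_stale_access(mappings, users):
    """users: (login, groups in the identity provider now, groups in YouTrack).

    Returns {login: mapped groups that remain until that user's next login}.
    """
    report = {}
    for login, idp_groups_now, youtrack_groups in users:
        _, lingering = plan_group_sync(mappings, idp_groups_now, youtrack_groups)
        if lingering:
            report[login] = lingering
    return report

# Constructed snapshot: bob lost idp-admins but has not logged in since.
USERS = [
    ("alice", ["idp-dev"], ["Developers"]),
    ("bob", [], ["YouTrack Admins", "Release Managers"]),
]

if __name__ == "__main__":
    print(plan_group_sync(GROUP_MAPPINGS, ["idp-sre"], ["Developers", "All Users"]))
    print(audit_stale_access(GROUP_MAPPINGS, USERS))
```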

To map a group from an OAuth 2.0 authorization service to a group in YouTrack:

  1. Open your OAuth 2.0 auth module.

  2. Select the Group Mappings tab.

  3. Click the Add mapping button.

    • The Add Mapping dialog opens.

  4. Enter the name of the group from OAuth 2.0 in the OAuth group name field.

  5. Select a group from the Target group list.

  6. Click the Add button.

    • The mapping is added to the list.

SCIM 2.0

The SCIM 2.0 tab lets you enable System for Cross-domain Identity Management (SCIM) provisioning for the OAuth 2.0 authentication module. When SCIM provisioning is enabled, an external identity provider can create, update, and deactivate Hub user accounts using the SCIM 2.0 protocol.

The OAuth 2.0 authentication module synchronizes user data only during login. When a user signs in, YouTrack reads the user attributes and group memberships returned by the identity provider.

Changes made in the identity provider are not synchronized automatically while the user is inactive. For example, updates to user attributes or group memberships are applied only after the user signs in again.

To keep user accounts and groups synchronized automatically, enable SCIM 2.0 provisioning and create a SCIM 2.0 token for the authentication module.

Enable SCIM 2.0 provisioning

To allow an external identity provider to provision users through SCIM:

  1. Open your OAuth 2.0 auth module.

  2. Select the SCIM 2.0 tab.

  3. Enable the Enable SCIM 2.0 provisioning option.

    • YouTrack generates a SCIM 2.0 base URI for this authentication module.

  4. Create a SCIM 2.0 token and copy its value.

  5. Specify both the SCIM 2.0 base URI and SCIM 2.0 token generated in YouTrack when configuring SCIM provisioning in your identity provider. The base URI identifies the provisioning endpoint, while the token authenticates provisioning requests sent by the identity provider.

Create a SCIM 2.0 Token

  1. In the SCIM 2.0 Tokens section, click New Token.

  2. In the New SCIM 2.0 Token dialog, enter a name for the token.

  3. Click Create.

    • Hub generates the token and displays its value in the SCIM 2.0 Token Created dialog.

  4. Copy the token value and store it in a secure location before closing the dialog. The token value cannot be viewed again after the dialog is closed.

Delete a SCIM 2.0 Token

  1. Select one or more tokens in the SCIM 2.0 Tokens table.

  2. Click Delete and confirm the action in the Delete SCIM 2.0 token dialog.

Additional Settings

The settings on the Additional Settings tab let you manage account creation, group membership, authentication mode, extension grants, and connection timeouts.

Setting

Description

User creation

Enables creation of YouTrack accounts for unregistered users who log in with an account that is stored in the connected authorization service. YouTrack uses the email address to determine whether the user has an existing account.

Auto-join groups

Adds users to a group when they log in with an account that is stored in the connected authorization service. You can select one or more groups. New users that auto-join a group inherit all the permissions assigned to this group.

We recommend that you add users to at least one group. Otherwise, a new user is only granted the permissions that are currently assigned to the All Users group.

Authentication

Determines how credentials are passed to the authorization service. When enabled, credentials are passed in the HTTP header. When disabled, credentials are passed in the request body.

Email auto-verification

Determines how YouTrack sets the verification status of an email address when the authentication service does not return a value for this attribute.

Extension grant type

Saves the value used for the grant_type parameter in an OAuth 2.0 Extension Grant flow. This flow lets you exchange a YouTrack access token for an OAuth 2.0 access token.

To learn how to exchange access tokens using the YouTrack REST API, see Extension Grants.

Connection timeout

Sets the period of time to wait to establish a connection to the authorization service. The default setting is 5000 milliseconds (5 seconds). Use 0 for an infinite timeout.

Read timeout

Sets the period of time to wait to read and retrieve user profile data from the authorization service. The default setting is 5000 milliseconds (5 seconds). Use 0 for an infinite timeout.

Changes made to OAuth 2.0

Links to the Audit Events page in YouTrack. There, you can view changes that were applied to this authentication module.
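The two modes of the Authentication setting in the table above, shown as an added Python example (not YouTrack's code) that builds the token request both ways and produces a redacted copy for troubleshooting logs. It assumes the header mode is HTTP Basic client authentication as defined in RFC 6749 section 2.3.1; the function names and sample values are constructed.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

SENSITIVE_FIELDS = {"client_secret", "code"}

def build_token_request(code, redirect_uri, client_id, client_secret, credentials_in_header):
    """Return (headers, body) for an authorization-code token request."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if credentials_in_header:
        # RFC 6749 section 2.3.1: form-encode each part, join with ':', then Base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Body mode: the credentials travel as ordinary form fields.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urlencode(form)

def redact_for_logging(headers, body):
    """Copy of the request with the secret-bearing parts replaced."""
    safe_headers = {
        name: ("REDACTED" if name.lower() == "authorization" else value)
        for name, value in headers.items()
    }
    fields = parse_qs(body, keep_blank_values=True)
    safe_fields = {
        name: ("REDACTED" if name in SENSITIVE_FIELDS else values[0])
        for name, values in fields.items()
    }
    return safe_headers, urlencode(safe_fields)

if __name__ == "__main__":
    # Constructed values; the redirect URI is a placeholder host.
    args = ("abc123", "https://youtrack.example.com/callback", "my client", "s3cr:et")
    for in_header in (True, False):
        headers, body = build_token_request(*args, credentials_in_header=in_header)
        print(redact_for_logging(headers, body))
```

If the authorization service rejects the token request with an invalid-client error, comparing these two shapes against what the service documents is a quick way to tell whether the Authentication setting is the mismatch.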

Actions

The following actions are available in the header:

Action

Description

Enable

Enables the authentication module.

This option is only shown when the authentication module is currently disabled.

Disable

Disables the authentication module.

This option is only shown when the authentication module is currently enabled.

Test login

Lets you test the connection with the authentication service.

Rename

Changes the name and the button image of the authentication module.

Delete

Removes the authentication module from YouTrack. Use only when you have configured additional authentication modules that let users log into YouTrack.

19 June 2026