Configuring OAuth 2.0 for TIBCO JasperReports® Server

Code and Implementations

OAuth 2.0 implementations using Apache Oltu are available at the following repo:

The links below refer to JRS 6.4. If you need an older version, go to the root of the repo and find the version you need.

Please note, the 7.5 folder in that same repo only updates the SAML customization.

The current implementation uses the Authorization Grant Code Flow.

OAuth 2.0 Primer

A primer on the OAuth 2.0 specification and Authorization Grant Code Flow is recommended. 

Please see the following links for more information:

OAuth External Authentication Setup

  1. Download the pre-compiled binaries located here

  2. Copy them to webapps/jasperserver-pro/WEB-INF/lib

  3. Download the applicationContext file for the SSO setup at the following location:

  4. Copy the applicationContext file to webapps/jasperserver-pro/WEB-INF

  5. Configure the applicationContext file as follows:

    Once you have an OAuth 2.0 authorization server set up, you will register JasperReports Server as a client and have the following information:

    • authorization location (e.g. http://myoauthserver:8080/oauth2/authorize)
    • client_id (the name with which you register JasperReports Server as a client, e.g. jasperserver61)
    • client_secret (the secret you specify, or that gets generated, when you register JasperReports Server as a client with your authorization server)
    • token location (the endpoint exposed by the authorization server for exchanging grant codes for access or refresh tokens, e.g. http://myoauthserver:8080/oauth2/token)
    • redirect URL (the location the authorization server redirects back to with a grant code; this is your JasperReports Server URL plus /oauth on the end, e.g. http://localhost:8080/jasperserver-pro/oauth)
    • scope (optional, if you defined a scope for client access)

    You will need to take these values and configure the following bean in the applicationContext file with them:

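    <bean id="proxyPreAuthenticatedProcessingFilter" class="">
      <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
      <property name="authenticationManager" ref="oAuthAuthenticationManager"/>
      <property name="authenticationFailureUrl"><value></value></property>
      <property name="defaultTargetUrl"><value></value></property>
      <property name="filterProcessesUrl"><value></value></property>
      <property name="authorization_location"><value><!-- authorization location --></value></property>
      <property name="client_id"><value><!-- client_id --></value></property>
      <property name="redirecturl"><value><!-- redirect URL, ending in /oauth --></value></property>
      <property name="token_location"><value><!-- token location --></value></property>
      <property name="clientsecret"><value><!-- client_secret --></value></property>
      <property name="scopes"><value><!-- scope (optional) --></value></property>
    </bean>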

Once you have set up a resource server that returns user detail information (see the section below on the response type for this endpoint) and registered it with the authorization server, you will have the following:

  • user detail location (the URL of your resource server endpoint for user detail information, e.g. http://myresourceserver:8080/v1/tokeninfo)
  • user detail key (entered or generated when registering the user detail service as a resource server with the authorization server)
  • user detail secret (entered or generated when registering the user detail service as a resource server with the authorization server)

You will need to take these values and configure the following bean in the applicationContext file with them:

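<bean id="OAuthAccessTokenValidator" class="">
  <property name="userdetails_location"><value><!-- user detail location --></value></property>
  <property name="userdetails_key"><value><!-- user detail key --></value></property>
  <property name="userdetails_secret"><value><!-- user detail secret --></value></property>
</bean>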
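
A pre-deployment check for the two beans above, added here as an example and not taken from the repo: it parses an applicationContext file and reports settings left empty, endpoints that would carry the client secret, grant codes or tokens over plain http (as the example URLs above do), and a redirect URL that does not end in /oauth. The sample XML is constructed, and both the loopback exemption and treating every listed property as required are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config: property names come from the two beans above,
# values are the article's example values or made-up placeholders.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean id="proxyPreAuthenticatedProcessingFilter" class="">
  <property name="authorization_location" value="http://myoauthserver:8080/oauth2/authorize"/>
  <property name="client_id" value="jasperserver61"/>
  <property name="redirecturl" value="http://localhost:8080/jasperserver-pro/oauth"/>
  <property name="token_location"><value>http://myoauthserver:8080/oauth2/token</value></property>
  <property name="clientsecret"><value></value></property>
 </bean>
 <bean id="OAuthAccessTokenValidator" class="">
  <property name="userdetails_location" value="https://myresourceserver:8443/v1/tokeninfo"/>
  <property name="userdetails_key" value="constructed-key"/>
 </bean>
</beans>"""

REQUIRED = {  # bean id -> properties the article says to fill in
    "proxyPreAuthenticatedProcessingFilter": ["authorization_location", "client_id",
                                              "redirecturl", "token_location", "clientsecret"],
    "OAuthAccessTokenValidator": ["userdetails_location", "userdetails_key", "userdetails_secret"],
}
URL_PROPS = {"authorization_location", "token_location", "redirecturl", "userdetails_location"}

def named(elem, name):
    """Descendants with the given local tag name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e is not elem and e.tag.rsplit("}", 1)[-1] == name]

def lint(xml_text):
    """Report empty settings, non-TLS endpoints and a wrong callback path."""
    beans = {b.get("id"): b for b in named(ET.fromstring(xml_text), "bean")}
    findings = []
    for bean_id, names in REQUIRED.items():
        # A missing bean behaves like an empty one: every setting is "not set".
        props = {p.get("name"): p for p in named(beans.get(bean_id, ET.Element("bean")), "property")}
        for name in names:
            prop = props.get(name, ET.Element("property"))
            nested = named(prop, "value")  # Spring allows value="..." or <value>
            value = (prop.get("value") or (nested[0].text if nested else "") or "").strip()
            url = urlsplit(value)
            if not value:
                findings.append(f"{bean_id}.{name}: not set")
                continue
            if name in URL_PROPS and url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1"):
                findings.append(f"{bean_id}.{name}: sent over plain http")
            if name == "redirecturl" and not url.path.endswith("/oauth"):
                findings.append(f"{bean_id}.{name}: must end in /oauth")
    return findings
```

Call `lint()` on the contents of the edited applicationContext file before restarting the server; an empty list means none of these checks fired.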

User Detail Resource Server Service

The current and compiled code expects a JSON response from your user detail information service endpoint on your Resource Server with the following fields:


  • name (username)
  • organization (id and name of the user's organization; if not present, defaults to the JasperReports Server default organization)
  • roles (comma-separated string of role names)
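
A contract check for that response, added here as an example and not taken from the compiled code: it parses a user detail body, applies the default organization when the field is absent, splits the roles string, and rejects anything malformed instead of guessing. The nesting of organization as an object with id and name, the default organization values and the sample role names are assumptions to verify against the classes in the repo.

```python
import json

# Assumption: id and name of the default organization used when none is sent.
DEFAULT_ORG = {"id": "organization_1", "name": "Organization"}

def parse_user_detail(body):
    """Return (username, organization, roles) or raise ValueError; never guess."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError("response is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("response must be a JSON object")
    name = doc.get("name")
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name (username) is required")
    org = doc.get("organization")
    if org is None:
        org = dict(DEFAULT_ORG)          # field absent: default organization
    elif not (isinstance(org, dict) and isinstance(org.get("id"), str) and org["id"].strip()):
        raise ValueError("organization must carry an id")
    roles = doc.get("roles", "")
    if not isinstance(roles, str):       # e.g. a JSON array instead of "A,B"
        raise ValueError("roles must be one comma separated string")
    role_list = [r.strip() for r in roles.split(",") if r.strip()]
    org_out = {"id": org["id"].strip(), "name": org.get("name", org["id"])}
    return name.strip(), org_out, role_list

# Constructed responses, not captured from a real resource server.
GOOD = ('{"name": "jsmith", "organization": {"id": "sales", "name": "Sales"},'
        ' "roles": "ROLE_USER, ROLE_SALES"}')
NO_ORG = '{"name": "jsmith", "roles": "ROLE_USER"}'
BAD_ROLES = '{"name": "jsmith", "roles": ["ROLE_USER"]}'
```
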

Possible Customization

If you require a different response type, or different parsing of the user detail information returned by your user detail information service, you may need to modify or customize the following classes:

You will then need to add your compiled libraries to WEB-INF/lib and inject your new classes into the bean definitions in the applicationContext file.


Hi there,

this code available at the github repo is for version 5.6 and 6.0. Is the 6.0 code compatible with latest versions of Jaspersoft?

Best regards


Can you help me on Keycloak integration with Jasper? I am able to secure Jasper with Keycloak but not able to go beyond that point.

Hi Shreekrishna, this webinar could help with some ideas, have you reviewed it?

Were you able to crack it? Can I know the steps for the same?

Can you please share the steps you followed till now.


Hi Johannes, the code will definitely need to be updated to work with 7.x and 8.x. Best

Hi Kamal,

are there any steps planned on the part of TIBCO Jaspersoft?
SSO using OAuth 2 and OpenID is already almost a standard.

It would be really nice if this could be done out-of-the-box.

Kind regards

Hi Johannes,

not that I'm aware of, but this is for our Product Management to confirm (or not).

Happy to get you on a call with them, just send me an email.