diff --git a/_data/guides-data.yml b/_data/guides-data.yml
index 81e400adb9..375cc21e84 100644
--- a/_data/guides-data.yml
+++ b/_data/guides-data.yml
@@ -382,10 +382,13 @@
- path: /docs/user-guide/oauth-2-support/#login-with-auth0
title: OAuth0 OAuth example
subtitle: Learn how to step-by-step setup OAuth with OAuth0.
- - path: /docs/user-guide/oauth-2-support
+ - path: /docs/user-guide/oauth-2-support/#login-with-okta
title: OAuth0 Okta example
subtitle: Learn how to step-by-step setup OAuth with Okta.
- - path: /docs/user-guide/oauth-2-support
+ - path: /docs/user-guide/oauth-2-support/#login-with-keycloak
+ title: OAuth0 Keycloak example
+ subtitle: Learn how to step-by-step setup OAuth with Keycloak.
+ - path: /docs/user-guide/oauth-2-support/#login-with-azure
title: OAuth0 Azure Active Directory example
subtitle: Learn how to step-by-step setup OAuth with Azure Active Directory.
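Review bot: The added Keycloak entry is titled `OAuth0 Keycloak example`, which copies the `OAuth0` prefix from the neighbouring entries and reads as if Keycloak were part of Auth0; `title: OAuth 2.0 Keycloak example` would match the page it links to. The same title is added in the `paas-eu`, `paas` and `pe` copies of this file. This copy also lists Okta before Keycloak while the other three list Keycloak first, so the guide order will differ between editions unless that is intended. The new `path` values parse as plain scalars only because no space precedes the `#`; quoting them, e.g. `path: "/docs/user-guide/oauth-2-support/#login-with-keycloak"`, keeps a later edit from turning the fragment into a YAML comment.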
diff --git a/_data/paas-eu/guides-data.yml b/_data/paas-eu/guides-data.yml
index 02c1bf9e62..440ede8171 100644
--- a/_data/paas-eu/guides-data.yml
+++ b/_data/paas-eu/guides-data.yml
@@ -364,10 +364,13 @@
- path: /docs/paas/eu/user-guide/oauth-2-support/#login-with-auth0
title: OAuth0 OAuth example
subtitle: Learn how to step-by-step setup OAuth with OAuth0.
- - path: /docs/paas/eu/user-guide/oauth-2-support
+ - path: /docs/paas/eu/user-guide/oauth-2-support/#login-with-keycloak
+ title: OAuth0 Keycloak example
+ subtitle: Learn how to step-by-step setup OAuth with Keycloak.
+ - path: /docs/paas/eu/user-guide/oauth-2-support/#login-with-okta
title: OAuth0 Okta example
subtitle: Learn how to step-by-step setup OAuth with Okta.
- - path: /docs/paas/eu/user-guide/oauth-2-support
+ - path: /docs/paas/eu/user-guide/oauth-2-support/#login-with-azure
title: OAuth0 Azure Active Directory example
subtitle: Learn how to step-by-step setup OAuth with Azure Active Directory.
diff --git a/_data/paas/guides-data.yml b/_data/paas/guides-data.yml
index 941baeafce..66f6870068 100644
--- a/_data/paas/guides-data.yml
+++ b/_data/paas/guides-data.yml
@@ -364,10 +364,13 @@
- path: /docs/paas/user-guide/oauth-2-support/#login-with-auth0
title: OAuth0 OAuth example
subtitle: Learn how to step-by-step setup OAuth with OAuth0.
- - path: /docs/paas/user-guide/oauth-2-support
+ - path: /docs/paas/user-guide/oauth-2-support/#login-with-keycloak
+ title: OAuth0 Keycloak example
+ subtitle: Learn how to step-by-step setup OAuth with Keycloak.
+ - path: /docs/paas/user-guide/oauth-2-support/#login-with-okta
title: OAuth0 Okta example
subtitle: Learn how to step-by-step setup OAuth with Okta.
- - path: /docs/paas/user-guide/oauth-2-support
+ - path: /docs/paas/user-guide/oauth-2-support/#login-with-azure
title: OAuth0 Azure Active Directory example
subtitle: Learn how to step-by-step setup OAuth with Azure Active Directory.
diff --git a/_data/pages_info.yml b/_data/pages_info.yml
index 1cabfa14a6..b61a87c7e2 100644
--- a/_data/pages_info.yml
+++ b/_data/pages_info.yml
@@ -6271,15 +6271,6 @@
"/docs/user-guide/notifications/":
url: "/docs/user-guide/notifications/"
redirect_from: []
-"/docs/user-guide/oauth/azure/":
- url: "/docs/user-guide/oauth/azure/"
- redirect_from: []
-"/docs/user-guide/oauth/oauth0/":
- url: "/docs/user-guide/oauth/oauth0/"
- redirect_from: []
-"/docs/user-guide/oauth/okta/":
- url: "/docs/user-guide/oauth/okta/"
- redirect_from: []
"/docs/user-guide/oauth-2-support/":
url: "/docs/user-guide/oauth-2-support/"
redirect_from: []
diff --git a/_data/pe/guides-data.yml b/_data/pe/guides-data.yml
index bea1d87b73..9f7608e054 100644
--- a/_data/pe/guides-data.yml
+++ b/_data/pe/guides-data.yml
@@ -364,10 +364,13 @@
- path: /docs/pe/user-guide/oauth-2-support/#login-with-auth0
title: OAuth0 OAuth example
subtitle: Learn how to step-by-step setup OAuth with OAuth0.
- - path: /docs/pe/user-guide/oauth-2-support
+ - path: /docs/pe/user-guide/oauth-2-support/#login-with-keycloak
+ title: OAuth0 Keycloak example
+ subtitle: Learn how to step-by-step setup OAuth with Keycloak.
+ - path: /docs/pe/user-guide/oauth-2-support/#login-with-okta
title: OAuth0 Okta example
subtitle: Learn how to step-by-step setup OAuth with Okta.
- - path: /docs/pe/user-guide/oauth-2-support
+ - path: /docs/pe/user-guide/oauth-2-support/#login-with-azure
title: OAuth0 Azure Active Directory example
subtitle: Learn how to step-by-step setup OAuth with Azure Active Directory.
diff --git a/_includes/docs/pe/user-guide/domains.md b/_includes/docs/pe/user-guide/domains.md
index cc62ef9a05..4e89fd8247 100644
--- a/_includes/docs/pe/user-guide/domains.md
+++ b/_includes/docs/pe/user-guide/domains.md
@@ -47,18 +47,13 @@ First, on your DNS provider's website, you must add a canonical record for y
Once done, you can start the procedure of adding a domain.
-{% if docsPrefix == "pe/" %}
-{% capture domain_owner_note %}
-Starting from ThingsBoard version 3.9.0, adding your own domain name is available at both the Tenant level and the Customer level.
-{% endcapture %}
-{% include templates/info-banner.md content=domain_owner_note %}
-{% endif %}
-{% if docsPrefix == "paas/" or docsPrefix == "paas/eu/" %}
+## Add domain
+
{% capture domain_owner_note %}
-Registering your own domain name is available at both the Tenant level and the Customer level.
+{% if docsPrefix == "pe/" %} Starting from ThingsBoard version 3.9.0, adding your own domain name is available at both the Tenant level and the Customer level.{% endif %}
+{% if docsPrefix == "paas/" or docsPrefix == "paas/eu/" %}Registering your own domain name is available at both the Tenant level and the Customer level.{% endif %}
{% endcapture %}
{% include templates/info-banner.md content=domain_owner_note %}
-{% endif %}
{% if docsPrefix == "pe/" or docsPrefix == "paas/" or docsPrefix == "paas/eu/" %}
- Log in to your {{THINGSBOARD_WITH_URL}}{:target="_blank"} account;
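Review bot: The `{% include templates/info-banner.md content=domain_owner_note %}` line is no longer inside a `docsPrefix` check, so for any prefix other than `pe/`, `paas/` or `paas/eu/` the capture holds only whitespace and the banner would presumably render empty. The `{% if docsPrefix == "pe/" or docsPrefix == "paas/" or docsPrefix == "paas/eu/" %}` line that follows suggests other prefixes can reach this include. If they can, wrap the capture and the include in that same condition so the banner stays conditional. The `pe/` branch also starts with a space after `%}` that the `paas/` branch does not have, so the two variants render with different leading whitespace.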
diff --git a/_includes/docs/user-guide/oauth-2-support.md b/_includes/docs/user-guide/oauth-2-support.md
index 2d309da6eb..b5672c69db 100644
--- a/_includes/docs/user-guide/oauth-2-support.md
+++ b/_includes/docs/user-guide/oauth-2-support.md
@@ -1,309 +1,525 @@
* TOC
{:toc}
-## Overview
+ThingsBoard supports OAuth 2.0–based authentication to provide **Single Sign-On** (**SSO**) for your customers and integrate with external identity providers.
-ThingsBoard allows you to provide Single Sign-On functionality for your customers and automatically create tenants, customers, or sub customers using external user management platforms, that supports the OAuth 2.0 protocol.
-A list of platforms that supports the OAuth 2.0 protocol: [Google](#login-with-google), [Auth0](#login-with-auth0), [Keycloak](#login-with-keycloak), [Okta](/docs/user-guide/oauth/okta/){:target="_blank"}, [Azure](/docs/user-guide/oauth/azure/){:target="_blank"}, etc.
+Using OAuth 2.0, you can allow users to log in using their existing accounts from external platforms and automatically provision tenants, customers, or sub-customers.
+
+ThingsBoard is compatible with most OAuth 2.0 providers, including [Google](#login-with-google), [Facebook](https://developers.facebook.com/docs/facebook-login/web#logindialog){:target="_blank"}, [Github](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app){:target="_blank"}, [Auth0](#login-with-auth0), [Keycloak](#login-with-keycloak), [Okta](#login-with-okta), [Azure](#login-with-azure), etc.
## OAuth 2.0 authentication flow
-ThingsBoard supports the Authorization Code grant type to exchange an authorization code for an access token.
-Once the user returns to the ThingsBoard client via redirect URL, the platform will get the authorization code from the URL and will use it to request an access token from the external user management platform.
-Using the [basic mapper](#basic-mapper) or [custom mapper](#custom-mapper), external user info object will be converted from external platform into ThingsBoard internal OAuth 2.0 user.
-After this, the regular ThingsBoard authorization flow will happen.
+ThingsBoard supports the Authorization Code grant type for OAuth 2.0 authentication. The authentication flow works as follows:
+1. A user opens the ThingsBoard login page and selects an external provider (for example, Google or Keycloak).
+2. The user is redirected to the provider’s login page to authenticate.
+3. After successful login, the provider redirects the user back to ThingsBoard using the configured redirect URI.
+4. ThingsBoard extracts the authorization code from the redirect URL and exchanges it for an access token.
+5. ThingsBoard retrieves the external user information and converts it into a ThingsBoard user using the configured mapper ([Basic](#basic-mapper){:target="_blank"} or [Custom](#custom-mapper){:target="_blank"}).
+6. After the mapping step is completed, the standard ThingsBoard authorization flow is applied.
+
+This process allows ThingsBoard to automatically determine the correct tenant, customer, and user permissions based on identity provider attributes.
## Setting up authentication via an external provider
-Since the 3.8 release, OAuth 2.0 clients are configured separately from the domain allowing to reuse of the configured client and making the settings clearer.
-To use authentication through an external provider, first configure OAuth 2.0 client with all necessary credentials.
-After that, add a new domain or use an existing one and update OAuth 2.0 client list with new oauth 2.0 client.
+To enable OAuth 2.0 authentication through an external provider, you must configure two components:
+- **OAuth 2.0 client** – stores provider credentials, endpoints, scopes, and mapping rules.
+- **Domain configuration** – defines which OAuth clients are available for a specific ThingsBoard domain.
+
+The general setup process includes:
+1. Create an OAuth 2.0 client in the external provider and obtain the **Client ID** and **Client Secret**.
+2. Add a corresponding OAuth 2.0 client in ThingsBoard and configure all required endpoints, scopes, and mapper settings.
+3. Assign the OAuth 2.0 client to a domain in ThingsBoard.
+4. Verify the login flow using the new **Login with ...** option on the ThingsBoard login page.
+
+### Add OAuth 2.0 client
+
+ThingsBoard allows you to configure OAuth 2.0 clients that can be used to authenticate users via external identity providers such as Google, GitHub, Apple, Facebook, Keycloak, Auth0, Okta, Azure AD, and others.
+
+An OAuth 2.0 client stores all required information for authentication, including:
+- client credentials (Client ID / Client Secret)
+- OAuth endpoints (Authorization, Token, UserInfo, JWKS)
+- required scopes
+- user mapping rules (mapper configuration)
+
+Once an OAuth 2.0 client is created, it can be assigned to one or more domains.
+
+To add a new OAuth 2.0 client:
+- Log in to ThingsBoard.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- Open the **OAuth 2.0 clients** tab.
+- Click the **+** (**plus**) icon.
+
+This will open the **Add OAuth 2.0 client** dialog window.
-### Operations with domain
+Step 1. Configure general client information
-**Adding domain**
+In the upper part of the dialog, configure the basic parameters:
+- **Title**
+ Enter a descriptive name for the OAuth 2.0 client (for example: Google, Auth0, Keycloak, GitHub). This field is required.
+- **Provider**
+ Select the authentication provider from the dropdown list. Supported providers include: Apple, Custom, Facebook, GitHub, Google.
+ The provider selection defines default endpoint templates and mapping behavior.
+ > Tip: Select Custom if your provider is not listed (for example, Keycloak, Okta, Azure AD, Auth0, etc.).
+- **Allowed platforms**
+ Select which ThingsBoard platform is allowed to use this OAuth client. For example: Web UI only, Mobile app only, or All platforms (default).
+ This option is useful if you want to restrict authentication methods for specific clients.
+- **Client ID and Client secret**
+ Enter the OAuth 2.0 credentials obtained from your identity provider:
+ - **Client ID** (required)
+ - **Client secret** (required)
-Follow these steps to add a new domain:
-- On the "Domains" tab of the "OAuth 2.0 client" page, click the "plus" icon to add new domain;
-- Provide your domain name and OAuth 2.0 client;
-- Click "Add" to finalize adding the domain.
+Step 2. Configure Advanced settings (General)
-{% include images-gallery.html imageCollection="adding-domain-1" %}
+Expand the **Advanced settings** section and open the **General** tab. This section defines the OAuth 2.0 endpoints used during authentication.
+- **Access token URI**
+ Defines the provider endpoint used by ThingsBoard to exchange the authorization code for an access token. Example (Google): https://oauth2.googleapis.com/token
+- **Authorization URI**
+ Defines the endpoint where the user is redirected to authenticate. Example (Google): https://accounts.google.com/o/oauth2/v2/auth
+- **JSON Web Key URI**
+ Defines the JWKS endpoint that provides the public keys required to validate JWT tokens. Example (Google): https://www.googleapis.com/oauth2/v3/certs
+- **User info URI**
+ Defines the endpoint used by ThingsBoard to request user details. Example (Google): https://openidconnect.googleapis.com/v1/userinfo
+- **Client authentication method**
+ Defines how ThingsBoard sends **client credentials** (**Client ID** and **Client Secret**) when requesting an access token from the OAuth 2.0 provider (during the _authorization code ⇾ access token_ exchange).
+ This parameter must match the method supported (or required) by your identity provider.
+ According to the UI, the following authentication methods are available:
+ - **NONE**. ThingsBoard does not send client credentials when requesting the access token.
+ This option is rarely used and is applicable only for providers that do not require client authentication (typically public clients).
+ - **BASIC** (_recommended for most providers_). ThingsBoard sends the client credentials using **HTTP Basic Authentication** header: Authorization: Basic
+ This is the most common and widely supported option (for example, Google, Keycloak, Auth0, Okta).
+ - **POST**. ThingsBoard sends the client credentials in the **POST request body** together with the token request parameters.
+ This method is required by some OAuth providers depending on their configuration.
+ > **Tip**: If authentication fails during token exchange (for example, due to `invalid_client`), verify that the selected **Client authentication method** matches the identity provider configuration.
+- **Allow user creation**
+ If enabled, ThingsBoard will automatically create a new user account during the first login attempt (if the user does not already exist).
+ This option is useful for fully automated SSO onboarding.
+- **Activate user**
+ If enabled, ThingsBoard automatically activates the created user account.
+ If disabled, the user will be created but remain inactive until manually activated by an administrator.
+- **Scope**
+ Scopes define which information ThingsBoard requests from the identity provider. Example: email openid profile.
+ Scopes directly affect which attributes are available for user mapping (email, name, etc.).
-**Editing domain**
+Step 3. Configure Advanced settings (Mapper)
-To update the settings for an existing domain, follow these steps:
+Switch to the Mapper tab. This section defines how ThingsBoard converts the external user info object into an internal ThingsBoard user and decides:
+- tenant name
+- customer name
+- user authority (Tenant Admin / Customer User)
+- optional user groups (PE only)
+- default dashboard navigation settings
-- Click on the domain to view its details;
-- Switch to editing mode by clicking the large orange button;
-- Make the required modifications;
-- Confirm and save your changes by clicking the "Apply changes" button.
+ThingsBoard supports different mapper types: Basic, Custom, GitHub, Apple
-{% include images-gallery.html imageCollection="editing-domain-1" %}
+> The mapper configuration is a critical part of OAuth setup because it controls automatic tenant/customer provisioning logic.
+> For more details on mapping external user information to a ThingsBoard user, see [here](#mapping-external-user-info-into-a-thingsboard-oauth-20-user).
-**Deleting domain**
+Step 4. Save the OAuth 2.0 client
-To remove domain, following the steps:
+After filling in all required fields, click **Add** to create the OAuth 2.0 client.
-- Click the "trash" icon in the domain's row you wish to remove;
-- Confirm the deletion by clicking "Yes".
+Once created, the OAuth client becomes available for domain assignment.
-{% include images-gallery.html imageCollection="deleting-domain-1" %}
+### Assign OAuth 2.0 client to a domain
-### Operations with OAuth 2.0 client
+After creating an OAuth 2.0 client, you must assign it to a domain.
+This step defines **which authentication providers will be available on the login page** for users accessing ThingsBoard via a specific domain.
-**Adding OAuth 2.0 client**
+In ThingsBoard, the domain configuration acts as a routing layer: when a user opens the login page, ThingsBoard determines the domain and shows the OAuth 2.0 login options assigned to it.
-Follow these steps to add a new OAuth 2.0 client to ThingsBoard:
+Open domain configuration
-- Navigate to the "OAuth 2.0 clients" tab on the "OAuth 2.0" page, and click the "plus" icon to add a new OAuth 2.0 client;
-- Enter a descriptive title for the client;
-- Select the authentication provider from the dropdown menu;
-- Specify which platforms are allowed or select all;
-- Provide the Client ID and Client Secret obtained from your authentication provider;
-- Configure advanced settings as necessary;
-- Click "Add" to finalize the addition of the new OAuth 2.0 client.
+To assign an OAuth 2.0 client to a domain:
+- Log in to your ThingsBoard instance.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- On the **Domains** tab, click the **+** (**plus**) icon.
-{% include images-gallery.html imageCollection="adding-oauth2-client-1" %}
+This opens the **Add domain** dialog window.
-**Editing OAuth 2.0 client**
+Step 1. Configure domain name
-To update the settings for an existing OAuth 2.0 client, follow these steps:
+In the **Domain name** field, enter the domain that users will use to access ThingsBoard. Example: `my.thingsboard.instance`.
+This value must match the actual domain configured in your DNS and used in the browser.
-- Click on the OAuth 2.0 client to view its details;
-- Switch to editing mode by clicking the large orange button;
-- Make the required modifications;
-- Confirm and save your changes by clicking the "Apply changes" button.
+Step 2. Verify Redirect URI template
-{% include images-gallery.html imageCollection="editing-oauth2-client-1" %}
+ThingsBoard automatically generates the Redirect URI template based on the entered domain. Example: https://my.thingsboard.instance/login/oauth2/code/
-**Deleting OAuth 2.0 client**
+This redirect URI must be added to your OAuth provider configuration (Google, Auth0, Keycloak, etc.) as the allowed callback/redirect URL.
-Remove clients that are no longer needed or are obsolete:
+To copy it quickly, click the **copy icon** on the right side of the field.
-- Click the "trash" icon in the client's row you wish to remove;
-- Confirm the deletion by clicking "Yes".
+Step 3. Assign OAuth 2.0 clients
-{% include images-gallery.html imageCollection="deleting-oauth2-client-1" %}
+In the **OAuth 2.0 clients** section, select the OAuth clients that should be available for this domain.
-## Login with Google
+There are two available options:
+
+- Option A. Select an existing OAuth 2.0 client
+ - Click inside the **OAuth 2.0 clients** field.
+ - Select an existing client from the dropdown list.
+
+ Once selected, it will appear as a chip inside the field.
-In this sample, we will be using authentication via [Google](https://developers.google.com/identity/protocols/oauth2/openid-connect){:target="_blank"}.
-The user is going to be logged as the Tenant, and the Tenant name is going to be equal to the user's email.
-If the Tenant does not exist in the system, the new Tenant will be created.
+ You can assign multiple OAuth clients to the same domain (for example, Google + Auth0 + Keycloak).
-To map this external user information from Google and the OAuth platform, we use the built-in [basic mapper](#basic-mapper).
+- Option B. Create a new OAuth 2.0 client
+ - If the required OAuth client does not exist yet, click **Create new**.
+
+ This opens the [Add OAuth 2.0 client](#add-oauth-20-client) dialog, allowing you to create and configure a new OAuth client without leaving the domain setup screen.
-If [basic mapper](#basic-mapper) functionality doesn't fit your business needs, you can configure the [custom mapper](#custom-mapper), so that you are able to add an implementation that fits your specific needs.
+Optional settings
+- **Enable OAuth 2.0**.
+ If this option is disabled, OAuth login will not be available for this domain even if OAuth clients are assigned.
+- **Propagate to Edge**.
+ If you are using [ThingsBoard Edge](/docs/edge/){:target="_blank"} and want OAuth settings to be applied on the Edge side, enable **Propagate to Edge** toggle.
+ This allows the OAuth domain configuration to be synchronized to connected Edge instances.
-### Preparations
+Step 4. Save the domain
-To use Google OAuth 2.0 authentication platform for Login, you need to set up a project in the [Google API Console](https://console.developers.google.com/){:target="_blank"} to obtain OAuth 2.0 credentials.
+Click **Add** to create the domain configuration.
-Please, follow the instructions on the [OpenID Connect](https://developers.google.com/identity/protocols/oauth2/openid-connect){:target="_blank"} page or follow the steps below to configure the OAuth 2.0 Client.
-After completing the instructions above, you should have a new OAuth client with credentials consisting of a Client ID and a Client Secret.
+Result
-- Go to the "Credentials" page in the left menu and select "OAuth client ID" from the "Create credentials" dropdown menu;
-- Enter a OAuth client name, and add the ThingsBoard redirect URI, to the "Authorized Redirect URIs" section using the format:
+Once the domain is created and OAuth 2.0 settings are enabled:
+- ThingsBoard will show the assigned OAuth providers on the login page.
+- Users accessing ThingsBoard via this domain will be able to authenticate using the configured OAuth 2.0 clients.
+- User provisioning and role mapping will follow the mapper settings configured in the assigned OAuth client(s).
-```
-http(s)://domain:port/login/oauth2/code/
+## Mapper section
+
+The **Mapper** section defines how ThingsBoard converts the external identity provider user information into a ThingsBoard user.
+
+After a user successfully authenticates with an OAuth 2.0 provider, ThingsBoard receives an external **user info object** (or ID token claims).
+The mapper is responsible for extracting the required attributes (email, first name, last name) and defining the user representation in ThingsBoard.
+
+Using mapper settings, ThingsBoard can automatically:
+- create users;
+- assign them to a tenant and/or customer;
+- create a tenant/customer if it does not exist;
+- assign default dashboards and user groups.
+
+The mapper configuration is located in the **Advanced settings → Mapper** tab when creating or editing an **OAuth 2.0 client**.
+
+Mapper parameters
+
+- **User name attribute key**
+ Most OAuth providers return the email address as the most stable identifier, therefore the recommended value is: email
+- **Mapper type**
+ ThingsBoard supports multiple mapper types. The available options depend on the selected provider and ThingsBoard version. The following mapper types are supported: **BASIC**, **CUSTOM**, **GITHUB**, **APPLE**.
+ Each mapper defines a different approach for mapping external identity data into ThingsBoard entities.
+
+### Basic mapper
+
+It is designed for standard OpenID Connect providers that return typical user attributes such as **email / firstName / lastName**.
+
+This mapper supports automatic tenant/customer provisioning using configurable strategies and patterns.
+
+What you can configure
+The Basic mapper gives you a set of predictable controls:
+- **Email attribute key**. This field is required because email is typically used as a unique identifier in ThingsBoard. Default value: email
+- **First name / Last name attribute keys** – tells ThingsBoard which external fields to use.
+- **Tenant name strategy**. The Tenant name strategy defines how ThingsBoard determines the tenant name for the authenticated user. Available strategies:
+ - **DOMAIN** - The tenant name is derived from the email domain. This is the best option for SaaS environments where each company uses its own email domain.
+ Example: If the user email is: _john.doe@company.com_ ⇾ then the tenant name will be: _company.com_
+ - **EMAIL** - The tenant name is equal to the full email address. This strategy is usually used for testing or cases where each user should have an isolated tenant.
+ Example: _john.doe@company.com_
+ - **CUSTOM** - The tenant name is generated using a custom pattern. This is the most flexible strategy and is recommended when you want to build tenant names from user attributes.
+ Example: _%{email}_
+
+- **Tenant name pattern**. In case, the *Tenant name strategy* is **Custom** you can specify the name of the Tenant, where the user is going to be created with a help of a custom pattern.
+ You can use attributes from the external user info object to put them into the Tenant's name. Please use %{attribute_key} as placeholder for the attribute value.
+
+ Tenant pattern examples:
+ - **Demo Tenant** *# Hard coded Tenant name*;
+ - **Demo Tenant %{email}** *# if the user's email is "test@demo.com", the Tenant's name will be the "Demo Tenant test@demo.com"*;
+ - **%{givenName}** *# if the user's givenName attribute is "Demo User", the Tenant name will be "Demo User"*.
+
+- The **Customer name pattern** defines the customer name that ThingsBoard should assign for the new user.
+ You can use attributes from the external user info object to put them into the Customer name. Please use %{attribute_key} as placeholder for the attribute value.
+
+ Customer pattern examples:
+ - **Demo Customer** *# Hard coded Customer name*;
+ - **Demo Customer %{email}** *# If the user's "email" attribute is "test@demo.com", the Customer name will be "Demo Customer test@demo.com"*;
+ - **%{city}** *# If the user's "city" attribute is "New York", the Customer name will be "New York"*.
+
+- **Default dashboard name**. allows you to specify which dashboard should be opened after login.
+ If the dashboard exists and is available for the user, it will be opened automatically.
+
+- **Always full screen**. If this option is **enable** and **Default dashboard name** is not empty, the User will be redirected to a specific dashboard in a fullscreen mode.
+
+{% if docsPrefix == "pe/" or docsPrefix contains "paas/" %}
+
+- **Parent customer name pattern** allows you to automatically assign the created customer under a parent customer (sub-customer hierarchy). This is useful when you build multi-level customer structures automatically during OAuth provisioning.
+
+ Parent Customer pattern examples:
+ - **Demo Parent Customer** *# Hard coded Parent Customer name*;
+ - **Demo Parent Customer %{email}** *# If user's "email" attribute is "test@demo.com", Parent Customer name is going to be "Demo Parent Customer test@demo.com"*;
+ - **%{country}** *# If user's "country" attribute is "Top Customer", Parent Customer name is going to be "Parent Customer"*.
+
+- **User groups name pattern** allows ThingsBoard to automatically add the created user to one or more user groups. By default, the newly created user is assigned only to the **All** user's group.
+ You can use attributes from the external user info object to put them into user group names. Please use %{attribute_key} as placeholder for attribute value.
+ If groups don't exist, this group will be created automatically.
+
+ User groups pattern examples:
+ - **Tenant Administrators, Customer Users, Managers..** *# Hard coded user groups*
+ - **%{job_title}** *# If user's "job_title" attribute is "Manager", user is going to be assigned into "Manager" user group*
+
+{% endif %}
+
+### Custom mapper
+
+The Custom mapper is used when the Basic mapper is not enough and you need advanced provisioning logic.
+With the Custom mapper, ThingsBoard delegates mapping logic to an external service.
+
+This allows you to implement:
+- role mapping based on IdP groups/roles;
+- complex tenant/customer creation rules;
+- integration with external CRM/ERP systems;
+- allow-listing, validation, or license checks.
+
+How it works
+1. ThingsBoard receives the external user info object from the provider.
+2. ThingsBoard sends this object to your custom mapping endpoint.
+3. Your service returns a ThingsBoard-compatible user mapping response.
+4. ThingsBoard creates or updates the user according to the response.
+
+The Custom mapper is the best choice for enterprise deployments with strict user provisioning requirements.
+
+## Examples
+
+### Login with Google
+
+This example demonstrates how to configure OAuth 2.0 authentication using [Google OpenID Connect](https://developers.google.com/identity/protocols/oauth2/openid-connect){:target="_blank"}.
+
+After configuration:
+- users can log in using their Google account;
+- ThingsBoard automatically creates a tenant if it does not exist;
+- the tenant name is derived from the user’s email address;
+- the user is logged in as a **Tenant Administrator**.
+
+User mapping is performed using the built-in [Basic mapper](#basic-mapper), but a [Custom mapper](#custom-mapper) can be used if additional provisioning logic is required.
+
+Step 1. Create a project in the Google API Console
+
+To use Google OAuth 2.0 authentication, create a project in the [Google API Console](https://console.developers.google.com/){:target="_blank"} and generate OAuth 2.0 credentials.
+
+Follow the official instructions on the [OpenID Connect documentation page](https://developers.google.com/identity/protocols/oauth2/openid-connect){:target="_blank"}, or follow the steps below:
+- Navigate to the **Credentials**.
+- Click **Create credentials ⇾ OAuth client ID**.
+- Specify a client name (for example, ThingsBoard).
+- Add the [ThingsBoard redirect URI](#-redirect-uri) to the **Authorized Redirect URIs** field:
+
+```bash
+http(s)://$DOMAIN:$PORT/login/oauth2/code/
```
{: .copy-code}
-\* where under the domain, please, specify the current domain of yours and for the port specify the port to have an HTTP access to the ThingsBoard instance of yours.
-For the example reasons, my domain is *my.thingsboard.instance*.
+Where:
+ • $DOMAIN is the ThingsBoard hostname (or IP address)
+ • $PORT is the HTTP/HTTPS port of the ThingsBoard instance
-```
+Example:
+```text
https://my.thingsboard.instance/login/oauth2/code/
```
-- Click "Create".
-
-OAuth client created. You now have credentials consisting of a *Client ID* and a *Client secret*.
+- Click **Create**.
-{% include images-gallery.html imageCollection="google-credentials-for-oauth-1" %}
+Google will generate the OAuth 2.0 credentials. Copy and save the following values:
+- **Client ID**
+- **Client Secret**
+
+You will need them in the next step.
-### Configuring Google as an OAuth 2.0 authentication provider in ThingsBoard
+{% include images-gallery.html imageCollection="google-credentials-for-oauth-1" %}
-To configure OAuth 2.0 authentication in ThingsBoard via Google, follow the steps below:
+Step 2. Add an OAuth 2.0 client in ThingsBoard
-- Login to your ThingsBoard instance;
-- Go to the "OAuth 2.0" page of the "Security" section;
-- While on the "Domains" tab, click the "plus" icon;
-- Enter your domain name or IP address of your ThingsBoard instance;
-- Click "Create new" in the "OAuth 2.0 clients" section to add a new one.
+Now configure OAuth 2.0 authentication via Google in ThingsBoard:
+- Log in to your ThingsBoard instance.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- On the Domains tab, click the + (**plus**) icon.
+- Enter your domain name (or IP address).
+- In the O**Auth 2.0 clients** section, click **Create new**.
{% include images-gallery.html imageCollection="google-configuration-of-thingsboard-google-1" %}
-Adding a new OAuth 2.0 client:
-
-- Enter "Google" as the title;
-- The provider should be set to "Google";
-- If necessary, specify the allowed platforms, or leave all;
-- Enter the "Client ID" and "Client secret" from the [Google API Console](https://console.developers.google.com/){:target="_blank"};
+In the **OAuth 2.0 client** configuration window:
+- Set the title to **Google**.
+- Select **Google** as the provider.
+- Specify allowed platforms if needed (or leave all selected).
+- Enter the **Client ID** and **Client Secret** obtained from the [Google Console](https://console.developers.google.com/){:target="_blank"}.
-Then, expand the "Advanced settings" menu. Let's make the settings for the "General" block:
-- Use this [link](https://developers.google.com/identity/protocols/oauth2/openid-connect#discovery){:target="_blank"} to see the list of up-to-date URLs like "Access Token URI", "Authorization URI", etc.;
-- Select "POST" as the client authentication method;
-- Turn on the "Allow user creation" option;
-- Add to the scope field: "email", "openid", and "profile";
+Now expand **Advanced settings** and configure the following parameters:
+- Use the official discovery endpoint list: [Google Discovery](https://developers.google.com/identity/protocols/oauth2/openid-connect#discovery){:target="_blank"}.
+- Set client authentication method to **POST**.
+- Enable **Allow user creation**.
+- Set scope to: email openid profile.
{% include images-gallery.html imageCollection="google-configuration-of-thingsboard-google-2" %}
-Go to the "Mapper" block:
-- Leave the mapper type "BASIC";
-- Select "CUSTOM" as the tenant name strategy;
-- Specify **%{email}** as tenant name pattern (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part);
+Switch to the **Mapper** section and configure:
+- Mapper type: **BASIC**.
+- Tenant name strategy: **CUSTOM**.
+- Tenant name pattern: **%{email}** (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part).
{% if docsPrefix == "pe/" %}
-- Specify "Tenant Administrators" as the user group name pattern to automatically add a new user to the designated tenant group upon creation;
+- User groups name pattern: **Tenant Administrators** (to automatically assign newly created users to this group).
{% endif %}
-- Click "Add";
+- Click **Add** to create the OAuth 2.0 client.
{% include images-gallery.html imageCollection="google-configuration-of-thingsboard-google-3" %}
-- The OAuth client is added successfully. Click "Add" again to confirm the addition of the domain.
-
-A new domain has been added.
+- Click **Add** again to confirm the domain creation.
{% include images-gallery.html imageCollection="google-configuration-of-thingsboard-google-4" %}
-### Sign in
+Verify login
-Now, navigate to the ThingsBoard login screen. We will see an additional "Login with Google" option.
-Select one of your Google accounts. You are now logged into ThingsBoard using your Google email as a Tenant Administrator.
+Now open the ThingsBoard login page. You will see the **Login with Google button**. Click it and select your Google account.
+
+After successful authentication, you will be logged in to ThingsBoard as a **Tenant Administrator**.
{% include images-gallery.html imageCollection="login-with-google-1" %}
{% if docsPrefix == "pe/" %}
-Go to the "Users" page. There you will find the new user is associated with the Tenant Administrators group; the tenant name corresponds to their email address.
+To verify the result, navigate to **Users**.
+The created user will be assigned to the **Tenant Administrators** group, and the tenant name will match the user's email address.
{% include images-gallery.html imageCollection="login-with-google-2" %}
{% endif %}
-## Login with Auth0
+### Login with Auth0
-In this sample, we will configure **OAuth** using an external provider for authentication - [Auth0](https://auth0.com/){:target="_blank"}.
-The User is going to be logged as the Tenant which name is going to be equal to a user email domain name.
-Additionally, for every user, we are going to create a new Customer and the Customer name is going to be equal to a user email.
+This example demonstrates how to configure OAuth 2.0 authentication using [Auth0](https://auth0.com/){:target="_blank"}.
-To map this external user information from Auth0 and the OAuth platform, we use the built-in [basic mapper](#basic-mapper).
+After configuration:
+- users can log in using their Auth0 credentials;
+- ThingsBoard creates or selects a tenant based on the user’s email domain;
+- for each user, ThingsBoard also creates a customer whose name matches the user’s email address;
+- the user is logged in as a **Customer User**.
-If [basic mapper](#basic-mapper) functionality will not fit your business needs, you can configure the [custom mapper](#custom-mapper) so that you are able to add an implementation that fits under your specific needs.
+User mapping is performed using the built-in [Basic mapper](#basic-mapper), but a [Custom mapper](#custom-mapper) can be used to implement more advanced tenant/customer provisioning rules.
-### Preparations
+Step 1. Create an Auth0 application in OAuth0 Management Console
-Now let's add one more provider to our list - [Auth0](https://auth0.com/){:target="_blank"}.
-This time we are going to create customers for our users inside a single domain tenant.
+Before configuring ThingsBoard, you need to create an [Auth0](https://auth0.com/){:target="_blank"} application and obtain the **Client ID** and **Client Secret**.
-To apply the configurations properly, we first need to obtain OAuth 2.0 credentials:
+To do this:
+- Open the [OAuth0 Management Console](https://manage.auth0.com/){:target="_blank"}.
+- Navigate to **Applications** and click **Create Application**.
+- Name the application **ThingsBoard**.
+- Select **Regular Web Application**.
+- Select the technology **Java Spring Boot**.
+- Open the created application and navigate to the **Settings** tab.
+- Copy the following values:
+ - **Client ID**
+ - **Client Secret**.
-- First, we go to the [OAuth0 management console](https://manage.auth0.com/){:target="_blank"}. Open the "Applications" page, and click "+ Create Application" button;
-- Name your application "ThingBoard", and choose the application type - "Regular Web Applications";
-- Afters, you need to choose the technology being used. Please, choose the "Java Spring Boot" technology;
-- Once your application is created, you are redirected to the application details page. Navigate to the "Settings" tab to find the *Client ID* and *Client Secret*;
-- In the allowed Callback URLs field, update the redirect URI using the format:
+In the **Allowed Callback URLs** field, add the [ThingsBoard redirect URI](#redirect-uri):
-```
-http(s)://domain:port/login/oauth2/code/
+```bash
+http(s)://$DOMAIN:$PORT/login/oauth2/code/
```
{: .copy-code}
-\* where under the domain, please, specify the current domain of yours and for the port specify the port to have an HTTP access to the ThingsBoard instance of yours.
-For the example reasons, my domain is *my.thingsboard.instance*.
+Where:
+ • $DOMAIN is the ThingsBoard hostname (or IP address)
+ • $PORT is the HTTP/HTTPS port of the ThingsBoard instance
-```
+Example:
+```text
https://my.thingsboard.instance/login/oauth2/code/
```
{% capture difference %}
-Please note that it is not necessary to update the Application login URI.
+Please note that it is not necessary to configure the Application Login URI.
{% endcapture %}
{% include templates/info-banner.md content=difference %}
-- In the "Advanced Settings" section, you can find all necessary URLs (endpoints) required for configuring OAuth 2.0;
-- Click "Save Changes" button.
+- In the **Advanced Settings** section, you can find the required endpoints for OAuth configuration.
+- Click **Save Changes**.
{% include images-gallery.html imageCollection="auth0-credentials-1" %}
-### Configuring OAuth0 as an OAuth 2.0 authentication provider in ThingsBoard
+Step 2. Add an OAuth 2.0 client in ThingsBoard
-To configure OAuth 2.0 authentication in ThingsBoard via Auth0, follow the steps below:
-
-- Login to your ThingsBoard instance;
-- Go to the "OAuth 2.0" page of the "Security" section;
-- While on the "Domains" tab, click the "plus" icon;
-- Enter your domain name or IP address of your ThingsBoard instance;
-- Click "Create new" in the "OAuth 2.0 clients" section to add a new one.
+To configure OAuth 2.0 authentication via Auth0 in ThingsBoard:
+- Log in to your ThingsBoard instance.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- On the Domains tab, click the + (**plus**) icon.
+- Enter your domain name (or IP address).
+- Click **Create new** in the **OAuth 2.0 clients** section.
{% include images-gallery.html imageCollection="oauth0-configuration-of-thingsboard-1" %}
-Adding a new OAuth 2.0 client:
-
-- In the opened window, enter "OAuth0" as the title for the client;
-- Select "Custom" as the provider from the dropdown;
-- If necessary, specify the allowed platforms, or leave all;
-- Enter the "Client ID" and "Client secret" obtained from the [OAuth0 management console](https://manage.auth0.com/){:target="_blank"}.
+In the **OAuth 2.0 client** configuration window:
+- Set title to **Auth0**.
+- Select provider **Custom**.
+- Specify allowed platforms if needed (or leave all selected).
+- Enter the **Client ID** and **Client Secret** from [OAuth0 console](https://manage.auth0.com/){:target="_blank"}.
-In the "General" block of the "Advanced settings" section:
-- Fill in all the necessary URLs using the values obtained from the [OAuth0 management console](https://manage.auth0.com/){:target="_blank"};
-- Select "POST" as the client authentication method;
-- Enter "OAuth0" as the provider label;
-- Add the following scopes in the scope field: "openid", "email", "profile".
+Now expand **Advanced settings** and configure:
+- Fill in all required endpoints using values from Auth0 (**Advanced Settings** in Auth0).
+- Set client authentication method to **POST**.
+- Set provider label to **Auth0**.
+- Set scope to: email openid profile.
{% include images-gallery.html imageCollection="oauth0-configuration-of-thingsboard-2" %}
-
-Proceed to the "Mapper" block:
-- Leave the mapper type "BASIC";
-- The tenant name strategy should be "DOMAIN";
-- Specify **%{email}** as the customer name pattern (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part);
+Proceed to the **Mapper** block and configure:
+- Mapper type: **BASIC**.
+- Tenant name strategy: **DOMAIN**.
+- Customer name pattern: **%{email}** (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part).
{% if docsPrefix == "pe/" %}
-- Specify "Customer Users" as the user group name pattern to automatically add a new user to the designated customer group upon creation;
+- User groups name pattern: **Customer Users** (to automatically assign newly created users to this group).
{% endif %}
-- Click "Add" to complete the addition of the new OAuth 2.0 client.
+- Click **Add** to create the OAuth 2.0 client.
{% include images-gallery.html imageCollection="oauth0-configuration-of-thingsboard-3" %}
-- The OAuth0 client has been successfully added. Click "Add" again to confirm the addition of the domain.
+- Finally, click **Add** again to confirm domain creation.
{% include images-gallery.html imageCollection="oauth0-configuration-of-thingsboard-4" %}
-### Sign in
+Step 3. Verify login
+
+Now open the ThingsBoard login page. You will see the **Login with Auth0** button. Click it and authenticate using your Auth0 credentials.
-Navigate to the login screen. You will find two available login methods: Google and Auth0. Click on the "Login with Auth0" button. This method allows you to quickly and securely log in to the system as a Customer User using your Auth0 credentials.
+After successful authentication, you will be logged in to ThingsBoard as a **Customer User**.
{% include images-gallery.html imageCollection="login-with-oauth0-1" %}
{% if docsPrefix == "pe/" %}
-Go to the "Users" page. There you will find the new user is associated with the Customer Users group; the customer name corresponds to their email address.
+To verify the result, navigate to **Users**.
+The created user will be assigned to the **Customer Users** group, and the customer name will match the user’s email address.
{% include images-gallery.html imageCollection="login-with-oauth0-2" %}
{% endif %}
-## Login with Keycloak
+### Login with Keycloak
-In this sample, we will be using authentication via [Keycloak](https://www.keycloak.org/){:target="_blank"}.
-The user is going to be logged as the Tenant, and the Tenant name is going to be equal to the user's email.
-If the Tenant does not exist in the system, the new Tenant will be created.
+This example demonstrates how to configure OAuth 2.0 authentication using [Keycloak](https://www.keycloak.org/){:target="_blank"} (OpenID Connect).
-To map this external user information from Keycloak and the OAuth platform, we use the built-in [basic mapper](#basic-mapper).
+After configuration:
+- users can log in using their Keycloak credentials;
+- ThingsBoard logs the user in as a Tenant Administrator;
+- the tenant name is derived from the user’s email address;
+- if the tenant does not exist, it can be created automatically depending on mapper settings.
-If [basic mapper](#basic-mapper) functionality doesn't fit your business needs, you can configure the [custom mapper](#custom-mapper), so that you are able to add an implementation that fits your specific needs.
+User mapping is performed using the built-in [Basic mapper](#basic-mapper), but a [Custom mapper](#custom-mapper) can be used if additional identity-to-tenant logic is required.
-### Preparations
+Step 1. Create a Keycloak realm and an OpenID Connect client
-To use Keycloak authentication platform for login, you need to set up a project in the [Keycloak](https://www.keycloak.org/){:target="_blank"} to obtain OAuth 2.0 credentials.
-For this, follow the [official instructions](https://www.keycloak.org/guides){:target="_blank"} or follow the steps below.
-By the end, you should have a new Keycloak client with credentials consisting of a Client ID and a Client Secret. Let's start.
+Before configuring ThingsBoard, you need to create a [Keycloak](https://www.keycloak.org/){:target="_blank"} realm and an OpenID Connect client, then obtain the required OAuth 2.0 credentials (**Client ID** and **Client Secret**).
-**Start Keycloak**
+You can follow the [official Keycloak documentation](https://www.keycloak.org/guides){:target="_blank"}, or use the step-by-step instructions below.
-Get started with Keycloak using your [preferred method](https://www.keycloak.org/guides){:target="_blank"}.
-In this example, we will run a test authentication and access management server Keycloak on Docker.
+
Start Keycloak
-- Make sure you have [Docker](https://docs.docker.com/compose/install/){:target="_blank"} installed;
-- Run the command below to start Keycloak on local the port 8081 and create an initial admin user with the username **admin** and password **admin**:
+This example uses Docker to start Keycloak locally.
+- Make sure [Docker](https://docs.docker.com/compose/install/){:target="_blank"} is installed.
+- Run the following command to start Keycloak on port **8081** and create an initial admin user (**admin** / **admin**):
```text
docker run -p 8081:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.0.5 start-dev
@@ -312,240 +528,456 @@ docker run -p 8081:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADM
{% include images-gallery.html imageCollection="terminal-start-keycloak" %}
-**Log in to the admin console**
-- Log in to the [Keycloak Admin Console](http://localhost:8081/admin){:target="_blank"} using "admin" as username and password;
+
Log in to the admin console
+- Open the [Keycloak Admin Console](http://localhost:8081/admin){:target="_blank"}.
+- Log in using:
+ - username: **admin**
+ - password **admin**.
{% include images-gallery.html imageCollection="log-in-to-admin-console" %}
-**Create a realm**
-
-- Click "Keycloak" next to the master realm, then click "Create realm" button;
-- Enter "ThingsBoard" in the realm name field, and click "Create" button.
-
-The new realm has been created.
+
Create a realm
+A realm is a Keycloak "workspace" where you manage applications and users.
+- Click the realm selector (default: **master**).
+- Click **Create realm**.
+- Set realm name to **ThingsBoard**.
+- Click **Create**.
{% include images-gallery.html imageCollection="create-new-realm" %}
-**Create new client**
-
-A client can be considered as an application or service that requests user authentication.
+
Create a new client
+A client represents ThingsBoard as an application that uses Keycloak for authentication.
+- Navigate to **Clients** and click **Create client**.
+- Set client ID to **thingsboard**.
+- Client type: **OpenID Connect**.
+- Click **Next**.
+- Enable **Client authentication**.
+- Ensure **Standard flow** is enabled.
+- Click **Next**.
+- In **Login settings**, add the ThingsBoard redirect URI:
-- Go to the "Clients" page in the left-hand menu, and click the "Create client" button;
-- Enter "thingsboard" as the client ID. Leave the client type as "OpenID Connect". Click "Next";
-- Turn on "Client authentication" option. Confirm that "Standard flow" is enabled. Click "Next";
-- In the "Login settings" section, add the ThingsBoard redirect URI to the "Authorized Redirect URIs" section using the format:
-
-```
-http(s)://domain:port/login/oauth2/code/
+```bash
+http(s)://$DOMAIN:$PORT/login/oauth2/code/
```
{: .copy-code}
-\* where under the domain, please, specify the current domain of yours and for the port specify the port to have an HTTP access to the ThingsBoard instance of yours.
-For the example reasons, my domain is *my.thingsboard.instance*.
+Where:
+ • $DOMAIN is the ThingsBoard hostname (or IP address)
+ • $PORT is the HTTP/HTTPS port of the ThingsBoard instance
-```
+Example:
+```text
https://my.thingsboard.instance/login/oauth2/code/
```
-- Click "Save".
-
-Client created successfully.
+- Click **Save**.
{% include images-gallery.html imageCollection="create-client" %}
-
-You now have credentials consisting of a Client ID and a Client secret. You can find the Client ID on the "Settings" tab. The Client Secret is located on the "Credentials" tab.
+After the client is created, copy the credentials:
+- **Client ID**: available on the **Settings** tab
+- **Client Secret**: available on the **Credentials** tab
{% include images-gallery.html imageCollection="client-id-and-secret" %}
-#### Endpoints
+Endpoints
-As a fully-compliant OpenID Connect Provider implementation, Keycloak exposes a set of endpoints that applications and services can use to authenticate and authorize their users.
+ThingsBoard requires Keycloak endpoints for the OAuth 2.0 client configuration.
+The easiest way to obtain them is from the **OpenID Connect discovery document**.
+- Navigate to **Realm settings**.
+- Find and open **OpenID Endpoint Configuration**.
+- Enable **Pretty-print** for better readability.
-Go to the "Realm settings" page. Scroll down and locate the link to "OpenID Endpoint Configuration", then click on it.
-A new window with OpenID Endpoint Configuration will open. Check the "Pretty-print" option to make the data view more user-friendly.
-Here you found "Access token URI," "Authorization URI," "JSON Web Key URI," and "User info URI," which are necessary for configuring the OAuth 2.0 client in ThingsBoard.
-You can find a description of the available endpoints [here](https://www.keycloak.org/securing-apps/oidc-layers){:target="_blank"}.
+From this document, copy the following endpoints:
+- Authorization endpoint
+- Token endpoint
+- UserInfo endpoint
+- JWKS endpoint
-{% include images-gallery.html imageCollection="endpoint-configuration" %}
+For details about the available endpoints, refer to the Keycloak documentation: [OIDC layers](https://www.keycloak.org/securing-apps/oidc-layers){:target="_blank"}.
-### Create a user
+{% include images-gallery.html imageCollection="endpoint-configuration" %}
-Now add the user. Only the added users will be able to authenticate via Keycloak.
-Use these steps to create a user:
+Create a user
-- Go to the "Users" page in the left-hand menu;
-- Click "Create new user";
-- Enter the username and email address in the form. First name and last name are optional;
-- Click "Create".
+Only users created in Keycloak can authenticate via Keycloak.
-The user has been created.
+To create a user:
+- Navigate to **Users**.
+- Click **Create new user**.
+- Fill in username and email (first and last name are optional).
+- Click **Create**
{% include images-gallery.html imageCollection="create-user" %}
-Set a password for this user:
-
-- Navigate to the "Credentials" tab. Click "Set password".
-- Fill in the "Set password" form with a password. Toggle "Temporary" to "Off" so that the user does not need to update this password at the first login.
-- Click "Save password" to confirm the set password.
-
-The password has been successfully.
+Set a password:
+- Open the **Credentials** tab.
+- Click **Set password**.
+- Enter the password.
+- Disable **Temporary** (so the user is not forced to change password on first login).
+- Click **Save**
{% include images-gallery.html imageCollection="create-password" %}
-### Configuring Keycloak as an OAuth 2.0 authentication provider in ThingsBoard
+Step 3. Assign the OAuth 2.0 client to a domain
-To configure OAuth 2.0 authentication in ThingsBoard via Keycloak, follow the steps below:
+Now configure Keycloak in ThingsBoard:
+- Log in to ThingsBoard.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- Open the **OAuth 2.0 clients** tab and click **+** (**plus**) icon.
+- Set title to **Keycloak**.
+- Select provider **Custom**.
+- Specify allowed platforms if needed (or leave all selected).
+- Enter the **Client ID** and **Client Secret** from the [Keycloak Admin Console](http://localhost:8081/admin){:target="_blank"}
-- Login to your ThingsBoard instance;
-- Go to the "OAuth 2.0" page of the "Security" section;
-- Navigate to the "OAuth 2.0 clients" tab, and click "plus";
-- Enter "Keycloak" as the title.
-- Select the "Custom" from the dropdown menu as the authentication provider;
-- If necessary, specify the allowed platforms, or leave all;
-- Enter the "Client ID" and "Client secret", using the values retrieved from the [Keycloak console](http://localhost:8081/admin){:target="_blank"}.
-
-Then, expand the "Advanced settings" menu. Let's make the settings for the "General" block:
-- Use [endpoint configuration file](#endpoints) to find the current values for "Access Token URI," "Authorization URI", "JSON Web Key URI", and "User info URI". Fill the corresponding fields with these values;
-- The client authentication method should be set to "POST";
-- Enter "Keycloak" as the provider label;
-- Add to the scope field: "email", "openid", and "profile";
+Expand **Advanced settings** and configure:
+- Use the **OpenID Connect discovery document** to fill in: Access Token URI, Authorization URI, JSON Web Key URI, User Info URI.
+- Set:
+ - client authentication method: **POST**
+ - provider label: **Keycloak**
+ - scope: email openid profile.
{% include images-gallery.html imageCollection="keycloak-add-thingsboard-oauth-client-1" %}
-Go to the "Mapper" block:
-- Leave the mapper type "BASIC";
-- Select "CUSTOM" as the tenant name strategy;
-- Specify **%{email}** as tenant name pattern (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part);
+Configure the mapper:
+- Mapper type: **BASIC**.
+- Tenant name strategy: **CUSTOM**.
+- Tenant name pattern: **%{email}** (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part).
+
{% if docsPrefix == "pe/" %}
-- Specify "Tenant Administrators" as the user group name pattern to automatically add a new user to the designated tenant group upon creation;
+- User groups name pattern: **Tenant Administrators**
{% endif %}
-- Click "Add" to confirm adding the OAuth 2 client.
-
-A new OAuth 2.0 client has been added.
+- Click **Add** to create the OAuth 2.0 client.
{% include images-gallery.html imageCollection="keycloak-add-thingsboard-oauth-client-2" %}
-
-Now, add a new domain by following these steps:
-
-- Go to the "Domains" tab of the "OAuth 2.0" page, and click the "plus" icon;
-- Enter your domain name or IP address of your ThingsBoard instance;
-- Specify "Keycloak" as the OAuth 2.0 client;
-- Click "Add" again to confirm the addition of the domain.
-
-A new domain has been added.
+Add a domain:
+Finally, bind the domain to the created OAuth 2.0 client:
+- Open the **Domains** tab and click **+** (plus) icon.
+- Enter the domain name (or IP address).
+- Select **Keycloak** as the OAuth 2.0 client.
+- Click **Add**.
{% include images-gallery.html imageCollection="keycloak-add-domain" %}
-### Sign in
+Step 4. Verify login
-Go to the ThingsBoard login screen. You will see an additional option, "Login with Keycloak". Click this button. A window will open prompting you to sign in to your Keycloak account. Enter your Keycloak credentials, and click "Sign In". You are now logged into ThingsBoard using Keycloak authorization credentials.
+Open the ThingsBoard login page. You will see the **Login with Keycloak** button. Click it and authenticate using your Keycloak credentials.
{% include images-gallery.html imageCollection="login-with-keycloak-1" %}
{% if docsPrefix == "pe/" %}
-Go to the "Users" page. There you will find the new user is associated with the Tenant Administrators group; the tenant name corresponds to their email address.
+To verify the result, navigate to **Users**.
+The created user will be assigned to the **Tenant Administrators** group, and the tenant name will match the user’s email address.
{% include images-gallery.html imageCollection="login-with-keycloak-2" %}
{% endif %}
-## Mapping of the external user into ThingsBoard internal user structure
+### Login with Okta
-Mapping of the external user info object into ThingsBoard user can be achieved using the [Basic](#basic-mapper), [Custom](#custom-mapper), GitHub, and Apple mappers.
+This guide explains how to configure OAuth 2.0 authentication in ThingsBoard using [Okta](https://www.okta.com/){:target="_blank"}.
-### Basic mapper
+After configuration:
+- users will be able to log in to ThingsBoard using their Okta account;
+- the user will be logged in as a **Tenant Administrator**;
+- the tenant name will be equal to the user’s email address;
+- if the tenant does not exist, ThingsBoard will automatically create it (depending on mapper configuration).
-A basic mapper is able to merge an external OAuth 2.0 user info object into the ThingsBoard OAuth 2.0 user with a predefined set of rules.
+User mapping is performed using the built-in [Basic mapper](#basic-mapper), but a [Custom mapper](#custom-mapper) can be used if additional provisioning logic is required.
-To use a basic mapper, set mapper type "Basic".
+Step 1. Create an OAuth 2.0 client in Okta
-{% include images-gallery.html imageCollection="mapper-basic-1" %}
+First, you need to create an OAuth 2.0 application in Okta and obtain the Client ID and Client Secret.
+To do this:
+- Open the [Okta Developer Console](https://developer.okta.com/){:target="_blank"}.
+- Navigate to **Applications**.
+- Click **+ Create Application**.
+- Provide the **application name** (for example, ThingsBoard).
+- Choose an application type: **Regular Web Application**
+- Click **Create**.
+- In the **Application Login URIs** settings, specify the **ThingsBoard redirect URI**:
-Here are the details of other properties:
+```bash
+http(s)://$DOMAIN:$PORT/login/oauth2/code/
+```
+{: .copy-code}
-- **Allow user creation**. If this option is **enable**, then in case, the user account does not exist in the ThingsBoard yet, it will be created.
-If this option is **disable**, the user will get access denied error, in case, he tries to log in with an external OAuth 2.0 provider, but there is no user on ThingsBoard with those credentials.
-
-- **Email attribute key**. This is the key to the attributes from the external OAuth 2.0 user info that is going to be used as ThingsBoard user email property.
-
-- **First name attribute key**. - This is the key to the attributes from the external OAuth 2.0 user info that is going to be used as ThingsBoard user first name property.
-
-- **Last name attribute key**. - This is the key to the attributes from the external OAuth 2.0 user info that is going to be used as ThingsBoard user surname property.
+Where:
+ • $DOMAIN is the ThingsBoard hostname (or IP address)
+ • $PORT is the HTTP/HTTPS port of the ThingsBoard instance
-- **Tenant name strategy**. - this option specifies which tenant is going to be chosen for creating the user. A basic mapper provides three possible options strategy for a generating Tenant name from an external user info object - *domain*, *email*, or *custom*:
- - **DOMAIN** - the name of the Tenant will be extracted as the domain from the email of the user;
- - **EMAIL** - the name of the Tenant will be the user's email;
- - **CUSTOM** - a custom pattern can be set for the Tenant name. Please see *Tenant name pattern*.
+Example:
+```text
+https://my.thingsboard.instance/login/oauth2/code/
+```
-- **Tenant name pattern**. In case, the *Tenant name strategy* is **Custom** you can specify the name of the Tenant, where the user is going to be created with a help of a custom pattern.
- You can use attributes from the external user info object to put them into the Tenant's name. Please use %{attribute_key} as placeholder for the attribute value.
-
- Tenant pattern examples:
- - **Demo Tenant** *# Hard coded Tenant name*;
- - **Demo Tenant %{email}** *# if the user's email is "test@demo.com", the Tenant's name will be the "Demo Tenant test@demo.com"*;
- - **%{givenName}** *# if the user's givenName attribute is "Demo User", the Tenant name will be "Demo User"*.
-
-- **Customer name pattern**. User can be created under specific Customer, and not under the Tenant if this pattern field is not empty.
- You can use attributes from the external user info object to put them into the Customer name. Please use %{attribute_key} as placeholder for the attribute value.
-
- Customer pattern examples:
- - **Demo Customer** *# Hard coded Customer name*;
- - **Demo Customer %{email}** *# If the user's "email" attribute is "test@demo.com", the Customer name will be "Demo Customer test@demo.com"*;
- - **%{city}** *# If the user's "city" attribute is "New York", the Customer name will be "New York"*.
+Click **Create**.
-- **Default dashboard name**. A user will be redirected to a specific Dashboard if this field is not empty.
-
-- **Always full screen**. If this option is **enable** and **Default dashboard name** is not empty, the User will be redirected to a specific dashboard in a fullscreen mode.
+After saving the application, copy the generated values:
+ - **Client ID**
+ - **Client Secret**
-{% if docsPrefix == "pe/" %}
+These values will be required when configuring ThingsBoard.
-- **Parent customer name pattern** The Customer of the user can be created in the hierarchy under this parent Customer if this pattern field is not empty. You can use attributes from the external user info object to put them into the Parent Customer name. Please use %{attribute_key} as a placeholder for the attribute value.
-
- Parent Customer pattern examples:
- - **Demo Parent Customer** *# Hard coded Parent Customer name*;
- - **Demo Parent Customer %{email}** *# If user's "email" attribute is "test@demo.com", Parent Customer name is going to be "Demo Parent Customer test@demo.com"*;
- - **%{country}** *# If user's "country" attribute is "Top Customer", Parent Customer name is going to be "Parent Customer"*.
+Step 2. Add an OAuth 2.0 client in ThingsBoard
+
+Now configure Okta as an OAuth 2.0 client in ThingsBoard.
+- Log in to your ThingsBoard instance.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- Open the **OAuth 2.0 clients** tab.
+- Click the **+** (**plus**) icon.
+
+In the **OAuth 2.0 client** configuration window:
+- Set the title to **Okta**.
+- Select **Custom** as the provider.
+- Specify allowed platforms if needed (or leave All platforms).
+- Enter the **Client ID** and **Client Secret** obtained from Okta.
+
+Now expand **Advanced settings** and configure the following parameters:
+- **Access token URI**. (Example: _https://dev-example.okta.auth0.com/oauth/token_)
+- **Authorization URI**. (Example: _https://dev-example.okta.auth0.com/authorize_)
+- **JSON Web Key URI**. (Example: _https://dev-example.okta.auth0.com/.well-known/jwks.json_)
+- **User info URI**. (Example: _https://dev-example.okta.auth0.com/userinfo_)
+
+> Okta provides the required OAuth endpoints. You can find them in **Okta**:
+ • Open your application (ThingsBoard) in the [Okta Developer Console](https://developer.okta.com/){:target="_blank"}.
+ • Navigate to **Advanced settings** ⇾ **Endpoints**. Here you can find the required endpoint values.
+
+Configure additional parameters:
+- **Client authentication method**: POST or BASIC (Okta usually works with POST).
+- Enable **Allow user creation**.
+- Enable **Activate user** if you want ThingsBoard to activate the user automatically.
+- Set **scope** to: email openid profile.
+
+Switch to the **Mapper** section and configure:
+- Mapper type: **BASIC**.
+- Tenant name strategy: **CUSTOM**.
+- Tenant name pattern: **%{email}** (more details about these properties are described below in the "[Basic mapper](#basic-mapper)" part).
+ {% if docsPrefix == "pe/" %}
+ - User groups name pattern: **Tenant Administrators** (to automatically create a new tenant when a new user logs in).
+ {% endif %}
+- Click **Add** to create the OAuth 2.0 client.
+
+Step 3. Assign the OAuth 2.0 client to a domain
+
+After the OAuth 2.0 client is created, you must assign it to a domain.
+- Navigate to **Security** → **OAuth 2.0**.
+- On the **Domains** tab edit existing or [add new domain](/docs/{{docsPrefix}}domains/#add-domain).
+- In the **OAuth 2.0 clients** field, specify **Okta**.
+- Click **Add** (Save) to save the domain configuration.
+
+Step 4. Verify login
+
+Open the ThingsBoard login page using the configured domain. You should now see the **Login with Okta** button.
+
+Click it and authenticate using your Okta credentials.
+
+After successful authentication:
+- ThingsBoard will create the tenant if it does not exist;
+- the user will be logged in as a **Tenant Administrator**;
+- the tenant name will match the user’s email address.
+
+### Login with Azure
+
+This guide explains how to configure OAuth 2.0 authentication in ThingsBoard using [Azure Active Directory](https://portal.azure.com/){:target="_blank"} (Microsoft Entra ID).
+
+After configuration:
+- users will be able to authenticate using their Azure AD accounts;
+- the user will be logged in as a Tenant Administrator;
+- the tenant name will be equal to the user’s email address;
+- if the tenant does not exist, ThingsBoard will create it automatically (depending on mapper settings).
+
+User mapping is performed using the built-in [Basic mapper](#basic-mapper), but a [Custom mapper](#custom-mapper) can be used if additional identity-to-tenant logic is required.
+
+For advanced identity customization, refer to the official Microsoft documentation: [Microsoft identity platform and OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc){:target="_blank"}.
+
+Step 1. Create an OAuth 2.0 client in Azure
+
+First, you must register an application in Azure Active Directory.
+To create an application:
+- Open the [Azure Portal](https://portal.azure.com/){:target="_blank"}.
+- Navigate to **Azure Active Directory**.
+- Open **App registrations**.
+- Click **New registration**.
+
+Configure the application:
+- Name: ThingsBoard (or any descriptive name)
+- Supported account types: select according to your organization requirements
+- Redirect URI:
+ - Platform: Web
+ - URL:
+ ```bash
+ http(s)://$DOMAIN:$PORT/login/oauth2/code/
+ ```
+ {: .copy-code}
+
+Where:
+ • $DOMAIN is the ThingsBoard hostname (or IP address)
+ • $PORT is the HTTP/HTTPS port of the ThingsBoard instance
+
+Example:
+```text
+https://my.thingsboard.instance/login/oauth2/code/
+```
+
+- Click **Register**.
+
+{% assign Azure1 = '
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-go-for-ad.png,
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-go-for-and-create-application.png,
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-create-application.png,
+'
+%}
+
+{% include images-gallery.liquid imageCollection=Azure1 %}
+
+Create Client Secret
+
+Now we are on the **Overview** page, where we can find the **Application (client) ID** and the **Client name** that we specified earlier.
+
+Next, open the **Authentication** tab. Make sure to enable authorization on the **access token-based**. **Save** changes.
+
+Finally, open the **Certificates & secrets** tab, and click **+ New client secret**. Save created key **value** (**Client Secret**).
+
+{% assign Azure2 = '
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-application-general-data.png,
+ title: Now we are on the **Overview** page, where we can find the **Application (client) ID** and the **Client name** that we specified earlier.
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-application-authentication.png,
+ title: Next, open the **Authentication** tab. Make sure to enable authorization on the **access token-based**. **Save** changes.
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-application-secrets.png,
+ title: Finally, open the **Certificates & secrets** tab, and click **+ New client secret**. Save created key **value** (**Client Secret**).
+'
+%}
+
+{% include images-gallery.liquid imageCollection=Azure2 %}
+
+Get OAuth endpoints (OpenID configuration)
+
+ThingsBoard requires OAuth endpoints for token exchange and user validation.
+
+Azure provides these endpoints via the OpenID Connect metadata document:
+
+```text
+https://login.microsoftonline.com//v2.0/.well-known/openid-configuration
+```
+
+From this document, you will need the following endpoints:
+- Authorization endpoint
+- Token endpoint
+- JWKS URI
+- UserInfo endpoint (optional)
+
+{% assign Azure2 = '
+ ===
+ image: /images/user-guide/oauth-2-support/azure/azure-application-endpoints.png,
+'
+%}
+
+{% include images-gallery.liquid showListImageTitles="true" imageCollection=Azure2 %}
+
+Step 2. Add an OAuth 2.0 client in ThingsBoard
+
+Now you must create a corresponding OAuth client in ThingsBoard.
+- Log in to ThingsBoard.
+- Navigate to **Security ⇾ OAuth 2.0**.
+- Open the **OAuth 2.0 clients** tab.
+- Click the **+** (**plus**) icon.
-- **User groups name pattern**. By default, the newly created user is assigned only to the **All** user's group. You can customize this behavior by specifying a list of groups, where a user has to be assigned to as well.
-You can use attributes from the external user info object to put them into user group names. Please use %{attribute_key} as placeholder for attribute value.
-If groups don't exist, this group will be created automatically.
+Configure general client settings
+
+In the **OAuth 2.0 client** configuration window:
+- Title: **Azure Active Directory**
+- Provider: **Custom**
+- Allowed platforms: All platforms (or select required platforms)
+- Client ID: paste the Azure **Application (client) ID**
+- Client secret: paste the Azure **Client Secret**
+
+Configure Advanced settings ⇾ General
+
+Expand **Advanced settings** and configure the following parameters:
+
+Fill the following fields:
+- Authorization URI
+- Access token URI
+- JSON Web Key URI
+- User info URI (optional, depending on configuration)
+
+Configure additional settings:
+- **Client authentication method**: POST (recommended for Azure)
+- Enable **Allow user creation**.
+- Enable **Activate user** if you want ThingsBoard to activate the user automatically.
+- Scope: email openid profile.
- User groups pattern examples:
- - **Tenant Administrators, Customer Users, Managers..** *# Hard coded user groups*
- - **%{job_title}** *# If user's "job_title" attribute is "Manager", user is going to be assigned into "Manager" user group*
+Configure Advanced settings ⇾ Mapper
-{% capture difference %}
-**Please note:**
-The **Parent customer name pattern** and **User groups name pattern** configurations available only in [ThingsBoard Professional Edition](/docs/user-guide/install/pe/installation-options/){:target="_blank"}.
-{% endcapture %}
-{% include templates/info-banner.md content=difference %}
+Switch to the **Mapper** tab.
+Recommended Basic mapper configuration:
+- User name attribute key: email
+- Mapper type: **BASIC**
+- Email attribute key: email
-{% endif %}
+Set tenant provisioning strategy:
+- Tenant name strategy: **CUSTOM**
+- Tenant name pattern:
+ ```text
+ %{email}
+ ```
-### Custom mapper
+This configuration ensures:
+- each user will be logged in under a tenant with the same name as the user email;
+- the tenant will be created automatically if it does not exist.
-If the basic mapper functionality doesn't cover your business needs, with the help of the custom mapper you are able to add an implementation that fits your specific goals.
+Click **Add** to create the OAuth 2.0 client.
-A custom mapper designed as a separate microservice that is running nearby the ThingsBoard core microservice.
-ThingsBoard forwards all mapping requests to this microservice and expects as a response ThingsBoard OAuth 2.0 user object.
+Step 3. Assign the OAuth 2.0 client to a domain
-Please refer to this [base implementation](https://github.com/thingsboard/custom-oauth2-mapper){:target="_blank"} as a starting point for your custom mapper.
+After creating the OAuth client, you must assign it to a domain.
+- Navigate to **Security ⇾ OAuth 2.0**
+- On the **Domains** tab, click the **+** (**plus**) icon.
-To use the custom mapper, set mapper type "Custom".
+In the Add domain dialog:
+- Enter your domain name (or IP address).
+- In the **OAuth 2.0 clients** section, select your **Azure OAuth client**.
+- Click **Add**.
-{% include images-gallery.html imageCollection="mapper-custom-1" %}
+Step 4. Verify the login flow
-Here are the details of other properties:
-- **URL**. URL of the custom mapper endpoint;
-- **username**. If the custom mapper endpoint configured with basic authorization, specify the *username* in this property;
-- **password**. If the custom mapper endpoint configured with basic authorization, specify the *password* in this property.
+Open the ThingsBoard login page using your configured domain. You should see the **Login with Azure** option.
+
+Click the button and authenticate using your Azure AD credentials.
+
+After successful authentication:
+- the user will be created automatically (if enabled);
+- the tenant will be created automatically (if missing);
+- the user will be logged in as a **Tenant Administrator**.
+
+## Operations with OAuth 2.0 client
+
+ThingsBoard allows you to manage OAuth 2.0 clients from the **OAuth 2.0 clients** tab.
+- **Add OAuth 2.0 client**: click the **+** (**plus**) icon, enter the client title, select the provider and allowed platforms, specify the **Client ID** and **Client Secret**, configure advanced settings if needed, and click **Add**.
+- **Edit OAuth 2.0 client**: open the client details, click the orange **Edit** button, update the configuration, and click orange **Apply changes**.
+- **Delete OAuth 2.0 client**: click the **trash** icon in the client row and confirm deletion.
+
+## Operations with domain
+
+ThingsBoard allows you to manage OAuth 2.0 domain mappings from the Domains tab.
+- **Add domain**: click the **+** (**plus**) icon, enter the domain name, select one or more OAuth 2.0 clients, and click **Add**.
+- **Edit domain**: open the domain details, click the orange **Edit** button, update the configuration, and click orange **Apply changes**.
+- **Delete domain**: click the **trash** icon in the domain row and confirm deletion.
## HaProxy configuration
-If ThingsBoard is running under a load balancer like HAProxy please configure properly balance algorithm to make sure that the correct session is available on the ThingsBoard instance:
+If ThingsBoard is deployed behind a load balancer such as HAProxy, configure session stickiness to ensure the OAuth flow is handled consistently by the same node.
+
+Example backend configuration:
```bash
backend tb-api-backend
...
@@ -553,8 +985,7 @@ backend tb-api-backend
...
```
-
-As well please configure properly ACL mapping for HTTP and HTTPs requests:
+Also ensure OAuth-related paths are included in the ACL mapping for both HTTP:
```bash
frontend http-in
...
@@ -562,9 +993,14 @@ frontend http-in
...
```
+and HTTPS frontends:
```bash
frontend https_in
...
acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /static/rulenode/ /oauth2/ /login/oauth2/ # '/oauth2/ /login/oauth2/' added
...
```
+
+## Your feedback
+
+If you have any questions about this sample, please [contact us](/docs/contact-us/){:target="_blank"}.
\ No newline at end of file
diff --git a/docs/paas/eu/user-guide/oauth-2-support.md b/docs/paas/eu/user-guide/oauth-2-support.md
index 2b5151f94f..688b5930ce 100644
--- a/docs/paas/eu/user-guide/oauth-2-support.md
+++ b/docs/paas/eu/user-guide/oauth-2-support.md
@@ -3,57 +3,6 @@ layout: docwithnav-paas-eu
title: OAuth 2.0
description: OAuth 2.0
-adding-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-domain-1-paas.png
- title: 'On the "Domains" tab of the "OAuth 2.0 client" page, click the "plus" icon to add a new domain. Provide your domain name and OAuth 2.0 client. Then, click "Add".'
- 1:
- image: /images/user-guide/oauth-2-support/adding-domain-2-paas.png
- title: 'Domain added.'
-
-editing-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-domain-1-paas.png
- title: 'Click on the domain to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-domain-2-paas.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-domain-1-paas.png
- title: 'Click the "trash" icon in the domain's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-domain-2-paas.png
- title: 'Confirm the deletion by clicking "Yes".'
-
-adding-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-1-paas.png
- title: 'Navigate to the "OAuth 2.0 clients" tab on the "OAuth 2.0" page. Click the "plus" icon to add a new OAuth 2.0 client;'
- 1:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-2-paas.png
- title: 'Enter a descriptive title for the client, and select the "Google" from the dropdown menu as the authentication provider. Provide the Client ID and Client Secret obtained from your authentication provider. Configure advanced settings as necessary. Then, click "Add".'
- 2:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-3-paas.png
- title: 'New OAuth 2.0 client added.'
-
-editing-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-1-paas.png
- title: 'Click on the OAuth 2.0 client to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-2-paas.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas.png
- title: 'Click the "trash" icon in the client's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas.png
- title: 'Confirm the deletion by clicking "Yes".'
-
google-credentials-for-oauth-1:
0:
image: /images/user-guide/oauth-2-support/google/google-credentials-for-oauth/google-credentials-for-oauth-1.png
@@ -293,16 +242,6 @@ login-with-keycloak-2:
0:
image: /images/user-guide/oauth-2-support/login-with-oauth-tenant-2-pe.png
title: 'Go to the "Users" page. There you will find the new user is associated with the Tenant Administrators group; the tenant name corresponds to their email address.'
-
-mapper-basic-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-basic-1-pe.png
- title: 'To use a basic mapper, set mapper type "Basic".'
-
-mapper-custom-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-custom-1-pe.png
- title: 'To use the custom mapper, set mapper type "Custom".'
---
diff --git a/docs/paas/user-guide/oauth-2-support.md b/docs/paas/user-guide/oauth-2-support.md
index 29ecf8e745..4baf95241b 100644
--- a/docs/paas/user-guide/oauth-2-support.md
+++ b/docs/paas/user-guide/oauth-2-support.md
@@ -3,57 +3,6 @@ layout: docwithnav-paas
title: OAuth 2.0
description: OAuth 2.0
-adding-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-domain-1-paas.png
- title: 'On the "Domains" tab of the "OAuth 2.0 client" page, click the "plus" icon to add a new domain. Provide your domain name and OAuth 2.0 client. Then, click "Add".'
- 1:
- image: /images/user-guide/oauth-2-support/adding-domain-2-paas.png
- title: 'Domain added.'
-
-editing-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-domain-1-paas.png
- title: 'Click on the domain to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-domain-2-paas.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-domain-1-paas.png
- title: 'Click the "trash" icon in the domain's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-domain-2-paas.png
- title: 'Confirm the deletion by clicking "Yes".'
-
-adding-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-1-paas.png
- title: 'Navigate to the "OAuth 2.0 clients" tab on the "OAuth 2.0" page. Click the "plus" icon to add a new OAuth 2.0 client;'
- 1:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-2-paas.png
- title: 'Enter a descriptive title for the client, and select the "Google" from the dropdown menu as the authentication provider. Provide the Client ID and Client Secret obtained from your authentication provider. Configure advanced settings as necessary. Then, click "Add".'
- 2:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-3-paas.png
- title: 'New OAuth 2.0 client added.'
-
-editing-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-1-paas.png
- title: 'Click on the OAuth 2.0 client to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-2-paas.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas.png
- title: 'Click the "trash" icon in the client's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas.png
- title: 'Confirm the deletion by clicking "Yes".'
-
google-credentials-for-oauth-1:
0:
image: /images/user-guide/oauth-2-support/google/google-credentials-for-oauth/google-credentials-for-oauth-1.png
@@ -293,16 +242,6 @@ login-with-keycloak-2:
0:
image: /images/user-guide/oauth-2-support/login-with-oauth-tenant-2-pe.png
title: 'Go to the "Users" page. There you will find the new user is associated with the Tenant Administrators group; the tenant name corresponds to their email address.'
-
-mapper-basic-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-basic-1-pe.png
- title: 'To use a basic mapper, set mapper type "Basic".'
-
-mapper-custom-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-custom-1-pe.png
- title: 'To use the custom mapper, set mapper type "Custom".'
---
diff --git a/docs/pe/user-guide/oauth-2-support.md b/docs/pe/user-guide/oauth-2-support.md
index e66381db0f..00893905d1 100644
--- a/docs/pe/user-guide/oauth-2-support.md
+++ b/docs/pe/user-guide/oauth-2-support.md
@@ -3,57 +3,6 @@ layout: docwithnav-pe
title: OAuth 2.0
description: OAuth 2.0
-adding-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-domain-1-pe.png
- title: 'On the "Domains" tab of the "OAuth 2.0 client" page, click the "plus" icon to add a new domain. Provide your domain name and OAuth 2.0 client. Then, click "Add".'
- 1:
- image: /images/user-guide/oauth-2-support/adding-domain-2-pe.png
- title: 'Domain added.'
-
-editing-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-domain-1-pe.png
- title: 'Click on the domain to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-domain-2-pe.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-domain-1-pe.png
- title: 'Click the "trash" icon in the domain's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-domain-2-pe.png
- title: 'Confirm the deletion by clicking "Yes".'
-
-adding-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-1-pe.png
- title: 'Navigate to the "OAuth 2.0 clients" tab on the "OAuth 2.0" page. Click the "plus" icon to add a new OAuth 2.0 client;'
- 1:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-2-pe.png
- title: 'Enter a descriptive title for the client, and select the "Google" from the dropdown menu as the authentication provider. Provide the Client ID and Client Secret obtained from your authentication provider. Configure advanced settings as necessary. Then, click "Add".'
- 2:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-3-pe.png
- title: 'New OAuth 2.0 client added.'
-
-editing-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-1-pe.png
- title: 'Click on the OAuth 2.0 client to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-2-pe.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe.png
- title: 'Click the "trash" icon in the client's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe.png
- title: 'Confirm the deletion by clicking "Yes".'
-
google-credentials-for-oauth-1:
0:
image: /images/user-guide/oauth-2-support/google/google-credentials-for-oauth/google-credentials-for-oauth-1.png
@@ -293,16 +242,6 @@ login-with-keycloak-2:
0:
image: /images/user-guide/oauth-2-support/login-with-oauth-tenant-2-pe.png
title: 'Go to the "Users" page. There you will find the new user is associated with the Tenant Administrators group; the tenant name corresponds to their email address.'
-
-mapper-basic-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-basic-1-pe.png
- title: 'To use a basic mapper, set mapper type "Basic".'
-
-mapper-custom-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-custom-1-pe.png
- title: 'To use the custom mapper, set mapper type "Custom".'
---
diff --git a/docs/user-guide/oauth-2-support.md b/docs/user-guide/oauth-2-support.md
index 80bf5c9727..808de790e0 100644
--- a/docs/user-guide/oauth-2-support.md
+++ b/docs/user-guide/oauth-2-support.md
@@ -3,57 +3,6 @@ layout: docwithnav
title: OAuth 2.0
description: OAuth 2.0
-adding-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-domain-1-ce.png
- title: 'On the "Domains" tab of the "OAuth 2.0 client" page, click the "plus" icon to add a new domain. Provide your domain name and OAuth 2.0 client. Then, click "Add".'
- 1:
- image: /images/user-guide/oauth-2-support/adding-domain-2-ce.png
- title: 'Domain added.'
-
-editing-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-domain-1-ce.png
- title: 'Click on the domain to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-domain-2-ce.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply Changes" button.'
-
-deleting-domain-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-domain-1-ce.png
- title: 'Click the "trash" icon in the domain's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-domain-2-ce.png
- title: 'Confirm the deletion by clicking "Yes".'
-
-adding-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-1-ce.png
- title: 'Navigate to the "OAuth 2.0 clients" tab on the "OAuth 2.0" page. Click the "plus" icon to add a new OAuth 2.0 client;'
- 1:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-2-ce.png
- title: 'Enter a descriptive title for the client, and select the authentication provider from the dropdown menu. Provide the Client ID and Client Secret obtained from your authentication provider. Configure advanced settings as necessary. Then, click "Add".'
- 2:
- image: /images/user-guide/oauth-2-support/adding-oauth2-client-3-ce.png
- title: 'New OAuth 2.0 client added.'
-
-editing-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-1-ce.png
- title: 'Click on the OAuth 2.0 client to view its details. Switch to editing mode by clicking the large orange button;'
- 1:
- image: /images/user-guide/oauth-2-support/managing-oauth2-client-2-ce.png
- title: 'Make the required modifications. Then confirm and save the changes by clicking the "Apply changes" button.'
-
-deleting-oauth2-client-1:
- 0:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce.png
- title: 'Click the "trash" icon in the client's row you wish to remove;'
- 1:
- image: /images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce.png
- title: 'Confirm the deletion by clicking "Yes".'
-
google-credentials-for-oauth-1:
0:
image: /images/user-guide/oauth-2-support/google/google-credentials-for-oauth/google-credentials-for-oauth-1.png
@@ -279,15 +228,6 @@ login-with-keycloak-1:
image: /images/user-guide/oauth-2-support/login-with-oauth-tenant-1-ce.png
title: 'You are logged into ThingsBoard using Keycloak authorization credentials.'
-mapper-basic-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-basic-1-ce.png
- title: 'To use a basic mapper, set mapper type "Basic".'
-
-mapper-custom-1:
- 0:
- image: /images/user-guide/oauth-2-support/mapper-custom-1-ce.png
- title: 'To use the custom mapper, set mapper type "Custom".'
---
diff --git a/docs/user-guide/oauth/azure.md b/docs/user-guide/oauth/azure.md
deleted file mode 100644
index 12e4331a3e..0000000000
--- a/docs/user-guide/oauth/azure.md
+++ /dev/null
@@ -1,189 +0,0 @@
----
-layout: docwithnav
-title: OAuth 2.0 Support
-description: OAuth 2.0 Support
-
----
-
-* TOC
-{:toc}
-
-## Overview
-ThingsBoard allows you to provide Single Sign On functionality for your customers and automatically create tenants, customers or subcustomers using external user management platforms, that supports **OAuth 2.0 protocol**.
-This guide is only for the **Azure Active Directory OAuth**.
-## Scenario description
-
-In this guide we will configure the **OAuth** with the [Azure Active Directory](https://portal.azure.com/) for the authentication.
-User is going to be logged into the Tenant and Tenant name is going to be equal to the users email.
-If Tenant does not exist in the system, the new Tenant will be created.
-
-To map those external user infos from Auth0 platform we are going to use built-in [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper).
-
-If [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper) functionality will not fit your business needs, you can configure the [custom mapper](/docs/user-guide/oauth-2-support/#custom-mapper) so that you are able to add an implementation that fits under your specific needs.
-
-In case if you require to have an advanced customization you can refer to the [Microsoft identity platform and OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc) documentation.
-
-## Login with Azure Active Directory
-
-### Preparations
-
-The Azure Active Directory does require to use the SSL. Please, make sure that you have configured the HTTPS for the domain of yours, so that those can be configured with the **Azure Active Directory**.
-
-In case if SSL is not configured please, follow [this guide](/docs/user-guide/install/pe/add-haproxy-ubuntu/) to install HAProxy and generate valid SSL certificate using Let’s Encrypt.
-
-
-
-To apply the configurations properly, we need to obtain the **clientName**, **clientId** and **clientSecret** first.
-
-For those reasons we first go for the [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
-
-Now we need to create the application.
-
-
-
-Then we need to go for the application registration and register the application of ours.
-
-
-
-The platform type equals to **Web** in our case.
-
-The name equals the **clientName**, and the Login Redirect URIs equals to the **redirectUriTemplate** from ours side.
-The **redirectUriTemplate** can be found in the **thingsboard.yml**
-
-```bash
- https://domain:port/login/oauth2/code/
-```
-
-Where under the domain, please, specify the current **domain** of yours and for the **port** please specify the port to have an HTTPS access to the ThingsBoard instance of yours.
-
-For the example of ours, we have the **domain** equals to the tb.tbsupport.xyz and the **port** 443, so that there is no need to specify the port additionally.
-
-
-
-
-Then we need to confirm the registration of the application.
-
-
-
-Now we are on the general page of ours, where we can find the **clientId**, and the **clientName** which we previously specified.
-
-
-
-Now let us go for the **Authentication** tab. Here we can find the **redirectUriTemplate**, and we need to specify the token
-for the authorization endpoint. We will specify the **access token** for the example reasons, and we need to **save the
-changes** which we have applied.
-
-
-
-Then we are going for the **Certificates & secrets** tab and create the **clientSecret**
-
-
-
-We also need to acquire the list of the links for the next variables:
-
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI
-```
-
-The up to date list of those can be found on **OpenID Connect metadata document** link.
-
-So that we can refer to next values for the variables of ours.
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI=https://login.microsoftonline.com/example-tenant-id/oauth2/token
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI=https://login.microsoftonline.com/example-tenant-id/oauth2/authorize
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI=https://login.microsoftonline.com/example-tenant-id/discovery/keys
-```
-
-In the example of ours those equals:
-```bash
-clientName=ThingsBoard
-clientId=XXXXXXXX
-clientSecret=YYYYYYYY
-```
-
-
-### Result
-
-So that, the resulted **thingsboard.yml** equals the below one.
-
-```bash
-...
-# Security parameters
-security:
- ...
- oauth2:
- # Enable/disable OAuth 2 login functionality
- # For details please refer to https://thingsboard.io/docs/user-guide/oauth-2-support/
- enabled: "${SECURITY_OAUTH2_ENABLED:true}"
- # Redirect URL where access code from external user management system will be processed
- loginProcessingUrl: "${SECURITY_OAUTH2_LOGIN_PROCESSING_URL:/login/oauth2/code/}"
- # List of SSO clients
- clients:
- default:
- # Label that going to be show on login button - 'Login with {loginButtonLabel}'
- loginButtonLabel: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_LABEL:Azure Active Directory}"
- # Icon that going to be show on login button. Material design icon ID (https://material.angularjs.org/latest/api/directive/mdIcon)
- loginButtonIcon: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_ICON:}"
- clientName: "${SECURITY_OAUTH2_DEFAULT_CLIENT_NAME:ThingsBoard}"
- clientId: "${SECURITY_OAUTH2_DEFAULT_CLIENT_ID:XXXXXXXX}"
- clientSecret: "${SECURITY_OAUTH2_DEFAULT_CLIENT_SECRET:YYYYYYYY}"
- accessTokenUri: "${SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI:https://login.microsoftonline.com/example-tenant-id/oauth2/token}"
- authorizationUri: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI:https://login.microsoftonline.com/example-tenant-id/oauth2/authorize}"
- scope: "${SECURITY_OAUTH2_DEFAULT_SCOPE:openid,email,profile}"
- # Redirect URL that must be in sync with 'security.oauth2.loginProcessingUrl', but domain name added
- redirectUriTemplate: "${SECURITY_OAUTH2_DEFAULT_REDIRECT_URI_TEMPLATE:https://tb.tbsupport.xyz/login/oauth2/code/}"
- jwkSetUri: "${SECURITY_OAUTH2_DEFAULT_JWK_SET_URI:https://login.microsoftonline.com/example-tenant-id/discovery/keys}"
- # 'authorization_code', 'implicit', 'refresh_token' or 'client_credentials'
- authorizationGrantType: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_GRANT_TYPE:authorization_code}"
- clientAuthenticationMethod: "${SECURITY_OAUTH2_DEFAULT_CLIENT_AUTHENTICATION_METHOD:post}" # basic or post
- userInfoUri: "${SECURITY_OAUTH2_DEFAULT_USER_INFO:}"
- userNameAttributeName: "${SECURITY_OAUTH2_DEFAULT_USER_NAME_ATTRIBUTE_NAME:email}"
- mapperConfig:
- # Allows to create user if it not exists
- allowUserCreation: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ALLOW_USER_CREATION:true}"
- # Allows user to setup ThingsBoard internal password and login over default Login window
- activateUser: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ACTIVATE_USER:false}"
- # Mapper type of converter from external user into internal - 'basic' or 'custom'
- type: "${SECURITY_OAUTH2_DEFAULT_MAPPER_TYPE:basic}"
- basic:
- # Key from attributes of external user object to use as email
- emailAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_EMAIL_ATTRIBUTE_KEY:email}"
- firstNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_FIRST_NAME_ATTRIBUTE_KEY:}"
- lastNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_LAST_NAME_ATTRIBUTE_KEY:}"
- # Strategy for generating Tenant from external user object - 'domain', 'email' or 'custom'
- # 'domain' - name of the Tenant will be extracted as domain from the email of the user
- # 'email' - name of the Tenant will email of the user
- # 'custom' - please configure 'tenantNamePattern' for custom mapping
- tenantNameStrategy: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_STRATEGY:domain}"
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- tenantNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_PATTERN:}"
- # If this field is not empty, user will be created as a user under defined Customer
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- customerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_CUSTOMER_NAME_PATTERN:}"
- # If this field is not empty, user will be created with default defined Dashboard
- defaultDashboardName: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_DEFAULT_DASHBOARD_NAME:}"
- # If this field is set 'true' along with non-empty 'defaultDashboardName', user will start from the defined Dashboard in fullscreen mode
- alwaysFullScreen: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_ALWAYS_FULL_SCREEN:false}"
- custom:
- url: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_URL:}"
- username: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_USERNAME:}"
- password: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_PASSWORD:}"
-```
-
-
-After all the changes being applied, please, make sure to have the ThingsBoard restart.
-The ThingsBoard restart can be invoked with the next command on the Linux Server:
-```bash
-$ sudo service thingsboard restart
-```
-After that, proceed to the User Interface of yours, to make sure there are no troubles, press the **Login With Azure Active Directory**.
-
-
-
-In case of the troubleshooting with those, please, contact us [using the contact us form](/docs/contact-us/).
-
-## Next Steps
-
-{% assign currentGuide = "OAuth" %}{% include templates/guides-banner.md %}
diff --git a/docs/user-guide/oauth/oauth0.md b/docs/user-guide/oauth/oauth0.md
deleted file mode 100644
index 1a20c28cef..0000000000
--- a/docs/user-guide/oauth/oauth0.md
+++ /dev/null
@@ -1,169 +0,0 @@
----
-layout: docwithnav
-title: OAuth 2.0 Support
-description: OAuth 2.0 Support
-
----
-
-* TOC
-{:toc}
-
-## Overview
-ThingsBoard allows you to provide Single Sign On functionality for your customers and automatically create tenants, customers or subcustomers using external user management platforms, that supports **OAuth 2.0 protocol**.
-This guide is only for the **OAuth0 OAuth**.
-## Scenario description
-
-In this guide we will configure the **OAuth** with the [OAuth0](https://auth0.auth0.com/) for the authentication.
-In this case User is going to be logged into the Tenant which name is going to be equal to user’s email domain name.
-Additionally, for every user we are going to create a new Customer and Customer name is going to be user’s email
-
-To map those external user infos from Auth0 platform we are going to use built-in [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper).
-
-If [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper) functionality will not fit your business needs, you can configure the [custom mapper](/docs/user-guide/oauth-2-support/#custom-mapper) so that you are able to add an implementation that fits under your specific needs.
-
-## Login with OAuth0
-
-### Preparations
-To apply the configurations properly, we need to obtain the **clientName**, **clientId** and **clientSecret** first.
-For these reasons we first go for the [OAuth0 Management Console](https://auth0.auth0.com/).
-First we need to create the application.
-
-
-
-Then we need to specify the application name and application type.
-The application name equals the **clientName**. The Application type is a **Regular Web Application**.
-
-
-
-Afters, you need to specify the technology being used. Please, specify the **Java Spring Security**.
-
-
-
-Then we are forwarded to the application information page. There we can found the **clientName**, **clientId** and the **clientSecret**.
-
-
-
-For the allowed callback URLs we need to specify the redirect URI for the instance of ours.
-The **redirect URI** needs to be specified in the next format:
-
-```bash
- http://domain:port/login/oauth2/code/
-```
-
-Where under the domain, please, specify the current **domain** of yours and for the **port** please specify the port to have an HTTP access to the ThingsBoard instance of yours.
-For the example reasons, the domain of my is the localhost, and the port is being the default ThingsBoard installation port 80.
-
-
-
-So that we have received three values which are required to be inserted for the **thingsboard.yml** of ours.
-
-In the example of ours those equals:
-```bash
-clientName=ThingsBoard
-clientId=XXXXXXXX
-clientSecret=YYYYYYYY
-```
-
-So that now we need to insert those for the **thingsboard.yml**.
-
-We also need to acquire the list of the links for the next variables:
-
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI
-SECURITY_OAUTH2_DEFAULT_USER_INFO_URI
-```
-
-Up to date list of those can be found on the bottom of application page.
-
-
-
-For the example of ours, we have set the Auth0 application domain to the tbsupport.eu.auth0.com, so that the next values are being used:
-
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI=https://tbsupport.eu.auth0.com/oauth/token
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI=https://tbsupport.eu.auth0.com/authorize
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI=https://tbsupport.eu.auth0.com/.well-known/jwks.json
-SECURITY_OAUTH2_DEFAULT_USER_INFO_URI=https://tbsupport.eu.auth0.com/userinfo
-```
-
-### Result
-
-So that, the resulted **thingsboard.yml** equals the below one.
-
-```bash
-...
-# Security parameters
-security:
- ...
- oauth2:
- # Enable/disable OAuth 2 login functionality
- # For details please refer to https://thingsboard.io/docs/user-guide/oauth-2-support/
- enabled: "${SECURITY_OAUTH2_ENABLED:true}"
- # Redirect URL where access code from external user management system will be processed
- loginProcessingUrl: "${SECURITY_OAUTH2_LOGIN_PROCESSING_URL:/login/oauth2/code/}"
- # List of SSO clients
- clients:
- auth0:
- # Label that going to be show on login button - 'Login with {loginButtonLabel}'
- loginButtonLabel: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_LABEL:Auth0}"
- # Icon that going to be show on login button. Material design icon ID (https://material.angularjs.org/latest/api/directive/mdIcon)
- loginButtonIcon: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_ICON:}"
- clientName: "${SECURITY_OAUTH2_DEFAULT_CLIENT_NAME:ThingsBoard}"
- clientId: "${SECURITY_OAUTH2_DEFAULT_CLIENT_ID:XXXXXXXX}"
- clientSecret: "${SECURITY_OAUTH2_DEFAULT_CLIENT_SECRET:YYYYYYYY}"
- accessTokenUri: "${SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI:https://tbsupport.eu.auth0.com/oauth/token}"
- authorizationUri: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI:https://tbsupport.eu.auth0.com/authorize}"
- scope: "${SECURITY_OAUTH2_DEFAULT_SCOPE:openid,email,profile}"
- # Redirect URL that must be in sync with 'security.oauth2.loginProcessingUrl', but domain name added
- redirectUriTemplate: "${SECURITY_OAUTH2_DEFAULT_REDIRECT_URI_TEMPLATE:http://localhost:80/login/oauth2/code/}"
- jwkSetUri: "${SECURITY_OAUTH2_DEFAULT_JWK_SET_URI:https://tbsupport.eu.auth0.com/.well-known/jwks.json}"
- # 'authorization_code', 'implicit', 'refresh_token' or 'client_credentials'
- authorizationGrantType: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_GRANT_TYPE:authorization_code}"
- clientAuthenticationMethod: "${SECURITY_OAUTH2_DEFAULT_CLIENT_AUTHENTICATION_METHOD:post}" # basic or post
- userInfoUri: "${SECURITY_OAUTH2_DEFAULT_USER_INFO_URI:https://tbsupport.eu.auth0.com/userinfo}"
- userNameAttributeName: "${SECURITY_OAUTH2_DEFAULT_USER_NAME_ATTRIBUTE_NAME:email}"
- mapperConfig:
- # Allows to create user if it not exists
- allowUserCreation: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ALLOW_USER_CREATION:true}"
- # Allows user to setup ThingsBoard internal password and login over default Login window
- activateUser: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ACTIVATE_USER:false}"
- # Mapper type of converter from external user into internal - 'basic' or 'custom'
- type: "${SECURITY_OAUTH2_DEFAULT_MAPPER_TYPE:basic}"
- basic:
- # Key from attributes of external user object to use as email
- emailAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_EMAIL_ATTRIBUTE_KEY:email}"
- firstNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_FIRST_NAME_ATTRIBUTE_KEY:}"
- lastNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_LAST_NAME_ATTRIBUTE_KEY:}"
- # Strategy for generating Tenant from external user object - 'domain', 'email' or 'custom'
- # 'domain' - name of the Tenant will be extracted as domain from the email of the user
- # 'email' - name of the Tenant will email of the user
- # 'custom' - please configure 'tenantNamePattern' for custom mapping
- tenantNameStrategy: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_STRATEGY:domain}"
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- tenantNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_PATTERN:}"
- # If this field is not empty, user will be created as a user under defined Customer
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- customerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_CUSTOMER_NAME_PATTERN: %{email}}"
- parentCustomerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_PARENT_CUSTOMER_NAME_PATTERN:}" # %{attribute_key} as placeholder for attributes value by key
- userGroupsNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_USER_GROUPS_NAME_PATTERN: Customer Users}" # list of comma separated user group names, %{attribute_key} as placeholder for attributes value by key
- custom:
- url: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_URL:}"
- username: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_USERNAME:}"
- password: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_PASSWORD:}"
-```
-
-
-After all the changes being applied, please, make sure to have the ThingsBoard restart.
-The ThingsBoard restart can be invoked with the next command on the Linux Server:
-```bash
-$ sudo service thingsboard restart
-```
-After that, proceed to the User Interface of yours, to make sure there are no troubles, press the **Login With OAuth0**.
-
-In case of the troubleshooting with those, please, contact us [using the contact us form](/docs/contact-us/).
-
-## Next Steps
-
-{% assign currentGuide = "OAuth" %}{% include templates/guides-banner.md %}
diff --git a/docs/user-guide/oauth/okta.md b/docs/user-guide/oauth/okta.md
deleted file mode 100644
index fb08cd8c7e..0000000000
--- a/docs/user-guide/oauth/okta.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-layout: docwithnav
-title: OAuth 2.0 Support
-description: OAuth 2.0 Support
-
----
-
-* TOC
-{:toc}
-
-## Overview
-ThingsBoard allows you to provide Single Sign On functionality for your customers and automatically create tenants, customers or subcustomers using external user management platforms, that supports **OAuth 2.0 protocol**.
-This guide is only for the **Okta OAuth**.
-## Scenario description
-
-In this guide we will configure the **OAuth** with the [Okta](https://www.okta.com/) for the authentication.
-User is going to be logged into the Tenant and Tenant name is going to be equal to the users email.
-If Tenant does not exist in the system, the new Tenant will be created.
-
-To map those external user infos from Auth0 platform we are going to use built-in [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper).
-
-If [basic mapper](/docs/user-guide/oauth-2-support/#basic-mapper) functionality will not fit your business needs, you can configure the [custom mapper](/docs/user-guide/oauth-2-support/#custom-mapper) so that you are able to add an implementation that fits under your specific needs.
-
-## Login with Okta
-
-### Preparations
-To apply the configurations properly, we need to obtain the **clientName**, **clientId** and **clientSecret** first.
-For these reasons we first go for the [Okta Developer Console](https://developer.okta.com/).
-First we need to create the application.
-
-
-
-Then we need to specify platform type.
-The platform type equals to **Web** in our case.
-
-
-
-The name equals the **clientName**, and the Login Redirect URIs equals to the **redirectUriTemplate** from ours side.
-The **redirectUriTemplate** can be found in the **thingsboard.yml**
-
-```bash
- http://domain:port/login/oauth2/code/
-```
-
-Where under the domain, please, specify the current **domain** of yours and for the **port** please specify the port to have an HTTP access to the ThingsBoard instance of yours.
-
-For the example of ours, we have the **domain** equals to the tb.tbsupport.xyz and the **port** 80, so that there is no need to specify the port additionally.
-
-
-
-
-Then we need to confirm the settings we have applied.
-
-
-
-To apply the configurations properly, we need to obtain the **clientId** and **clientSecret** first.
-Those can be found on the page bottom.
-
-
-
-
-Then we need to create the **Authorization server**.
-
-
-
-The **name** and the **audience** can be set any for the **Authorization server**.
-
-
-
-
-So that we have received three values which are required to be inserted for the **thingsboard.yml** of ours.
-
-So that now we need to insert those for the **thingsboard.yml**.
-
-We also need to acquire the list of the links for the next variables:
-
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI
-```
-
-The Up to date list of those can be found on the link for the Metadata URI.
-
-
-
-Clicking on those provide us with the json where we need to find the next fields.
-
-```js
-{
- ...
- "authorization_endpoint":"https://dev-example.okta.com/oauth2/default/v1/authorize",
- "token_endpoint":"https://dev-example.okta.com/oauth2/default/v1/token",
- ...
- "jwks_uri":"https://dev-example.okta.com/oauth2/default/v1/keys",
- ...
-}
-```
-
-So that we can refer to the
-```bash
-SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI=https://dev-example.okta.com/oauth2/default/v1/token
-SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI=https://dev-example.okta.com/oauth2/default/v1/authorize
-SECURITY_OAUTH2_DEFAULT_JWK_SET_URI=https://dev-example.okta.com/oauth2/default/v1/keys
-```
-
-In the example of ours those equals:
-```bash
-clientName=ThingsBoard
-clientId=XXXXXXXX
-clientSecret=YYYYYYYY
-```
-
-
-### Result
-
-So that, the resulted **thingsboard.yml** equals the below one.
-
-```bash
-...
-# Security parameters
-security:
- ...
- oauth2:
- # Enable/disable OAuth 2 login functionality
- # For details please refer to https://thingsboard.io/docs/user-guide/oauth-2-support/
- enabled: "${SECURITY_OAUTH2_ENABLED:true}"
- # Redirect URL where access code from external user management system will be processed
- loginProcessingUrl: "${SECURITY_OAUTH2_LOGIN_PROCESSING_URL:/login/oauth2/code/}"
- # List of SSO clients
- clients:
- default:
- # Label that going to be show on login button - 'Login with {loginButtonLabel}'
- loginButtonLabel: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_LABEL:Okta}"
- # Icon that going to be show on login button. Material design icon ID (https://material.angularjs.org/latest/api/directive/mdIcon)
- loginButtonIcon: "${SECURITY_OAUTH2_DEFAULT_LOGIN_BUTTON_ICON:}"
- clientName: "${SECURITY_OAUTH2_DEFAULT_CLIENT_NAME:ThingsBoard}"
- clientId: "${SECURITY_OAUTH2_DEFAULT_CLIENT_ID:XXXXXXXX}"
- clientSecret: "${SECURITY_OAUTH2_DEFAULT_CLIENT_SECRET:YYYYYYYY}"
- accessTokenUri: "${SECURITY_OAUTH2_DEFAULT_ACCESS_TOKEN_URI:https://dev-example.okta.com/oauth2/default/v1/token}"
- authorizationUri: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_URI:https://dev-example.okta.com/oauth2/default/v1/authorize}"
- scope: "${SECURITY_OAUTH2_DEFAULT_SCOPE:openid,email,profile}"
- # Redirect URL that must be in sync with 'security.oauth2.loginProcessingUrl', but domain name added
- redirectUriTemplate: "${SECURITY_OAUTH2_DEFAULT_REDIRECT_URI_TEMPLATE:http://tb.tbsupport.xyz/login/oauth2/code/}"
- jwkSetUri: "${SECURITY_OAUTH2_DEFAULT_JWK_SET_URI:https://dev-example.okta.com/oauth2/default/v1/keys}"
- # 'authorization_code', 'implicit', 'refresh_token' or 'client_credentials'
- authorizationGrantType: "${SECURITY_OAUTH2_DEFAULT_AUTHORIZATION_GRANT_TYPE:authorization_code}"
- clientAuthenticationMethod: "${SECURITY_OAUTH2_DEFAULT_CLIENT_AUTHENTICATION_METHOD:post}" # basic or post
- userInfoUri: "${SECURITY_OAUTH2_DEFAULT_USER_INFO:}"
- userNameAttributeName: "${SECURITY_OAUTH2_DEFAULT_USER_NAME_ATTRIBUTE_NAME:email}"
- mapperConfig:
- # Allows to create user if it not exists
- allowUserCreation: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ALLOW_USER_CREATION:true}"
- # Allows user to setup ThingsBoard internal password and login over default Login window
- activateUser: "${SECURITY_OAUTH2_DEFAULT_MAPPER_ACTIVATE_USER:false}"
- # Mapper type of converter from external user into internal - 'basic' or 'custom'
- type: "${SECURITY_OAUTH2_DEFAULT_MAPPER_TYPE:basic}"
- basic:
- # Key from attributes of external user object to use as email
- emailAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_EMAIL_ATTRIBUTE_KEY:email}"
- firstNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_FIRST_NAME_ATTRIBUTE_KEY:}"
- lastNameAttributeKey: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_LAST_NAME_ATTRIBUTE_KEY:}"
- # Strategy for generating Tenant from external user object - 'domain', 'email' or 'custom'
- # 'domain' - name of the Tenant will be extracted as domain from the email of the user
- # 'email' - name of the Tenant will email of the user
- # 'custom' - please configure 'tenantNamePattern' for custom mapping
- tenantNameStrategy: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_STRATEGY:domain}"
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- tenantNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_TENANT_NAME_PATTERN:}"
- # If this field is not empty, user will be created as a user under defined Customer
- # %{attribute_key} as placeholder for attribute value of attributes of external user object
- customerNamePattern: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_CUSTOMER_NAME_PATTERN:}"
- # If this field is not empty, user will be created with default defined Dashboard
- defaultDashboardName: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_DEFAULT_DASHBOARD_NAME:}"
- # If this field is set 'true' along with non-empty 'defaultDashboardName', user will start from the defined Dashboard in fullscreen mode
- alwaysFullScreen: "${SECURITY_OAUTH2_DEFAULT_MAPPER_BASIC_ALWAYS_FULL_SCREEN:false}"
- custom:
- url: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_URL:}"
- username: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_USERNAME:}"
- password: "${SECURITY_OAUTH2_DEFAULT_MAPPER_CUSTOM_PASSWORD:}"
-```
-
-
-After all the changes being applied, please, make sure to have the ThingsBoard restart.
-The ThingsBoard restart can be invoked with the next command on the Linux Server:
-```bash
-$ sudo service thingsboard restart
-```
-After that, proceed to the User Interface of yours, to make sure there are no troubles, press the **Login With Okta**.
-
-In case of the troubleshooting with those, please, contact us [using the contact us form](/docs/contact-us/).
-
-## Next Steps
-
-{% assign currentGuide = "OAuth" %}{% include templates/guides-banner.md %}
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-ce-preview.png b/images/user-guide/oauth-2-support/adding-domain-1-ce-preview.png
deleted file mode 100644
index 5802a402d6..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-ce.png b/images/user-guide/oauth-2-support/adding-domain-1-ce.png
deleted file mode 100644
index addccf2c0d..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-paas-preview.png b/images/user-guide/oauth-2-support/adding-domain-1-paas-preview.png
deleted file mode 100644
index 361ade34af..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-paas.png b/images/user-guide/oauth-2-support/adding-domain-1-paas.png
deleted file mode 100644
index a4da45247c..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-pe-preview.png b/images/user-guide/oauth-2-support/adding-domain-1-pe-preview.png
deleted file mode 100644
index f7501af484..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-1-pe.png b/images/user-guide/oauth-2-support/adding-domain-1-pe.png
deleted file mode 100644
index e00f432bc9..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-ce-preview.png b/images/user-guide/oauth-2-support/adding-domain-2-ce-preview.png
deleted file mode 100644
index 990d4da0e3..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-ce.png b/images/user-guide/oauth-2-support/adding-domain-2-ce.png
deleted file mode 100644
index 5d497c6c01..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-paas-preview.png b/images/user-guide/oauth-2-support/adding-domain-2-paas-preview.png
deleted file mode 100644
index 3878181e18..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-paas.png b/images/user-guide/oauth-2-support/adding-domain-2-paas.png
deleted file mode 100644
index 678dcda602..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-pe-preview.png b/images/user-guide/oauth-2-support/adding-domain-2-pe-preview.png
deleted file mode 100644
index b479e759c2..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-domain-2-pe.png b/images/user-guide/oauth-2-support/adding-domain-2-pe.png
deleted file mode 100644
index 85e648556a..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-domain-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce-preview.png
deleted file mode 100644
index 86f9253b71..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce.png
deleted file mode 100755
index 095fa01689..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas-preview.png
deleted file mode 100644
index 6c2c890ca1..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas.png
deleted file mode 100644
index e44d371294..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe-preview.png
deleted file mode 100644
index 948d85da10..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe.png b/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe.png
deleted file mode 100644
index 6c7c2239c2..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce-preview.png
deleted file mode 100644
index 2fd0fb5af7..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce.png
deleted file mode 100644
index 8e6b631075..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas-preview.png
deleted file mode 100644
index 8defa66620..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas.png
deleted file mode 100644
index aa69c1ee99..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe-preview.png
deleted file mode 100644
index 099958e03a..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe.png b/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe.png
deleted file mode 100644
index 64f0575302..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce-preview.png
deleted file mode 100644
index 55ece6574f..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce.png
deleted file mode 100644
index fbd9f18c17..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas-preview.png
deleted file mode 100644
index 682525de96..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas.png
deleted file mode 100644
index 48bef1b899..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe-preview.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe-preview.png
deleted file mode 100644
index 5caa97c0c1..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe.png b/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe.png
deleted file mode 100644
index 7e8b4570d9..0000000000
Binary files a/images/user-guide/oauth-2-support/adding-oauth2-client-3-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-application-authentication-preview.png b/images/user-guide/oauth-2-support/azure/azure-application-authentication-preview.png
new file mode 100644
index 0000000000..d64a79454c
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-application-authentication-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-application-endpoints-preview.png b/images/user-guide/oauth-2-support/azure/azure-application-endpoints-preview.png
new file mode 100644
index 0000000000..7155a0562e
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-application-endpoints-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-application-general-data-preview.png b/images/user-guide/oauth-2-support/azure/azure-application-general-data-preview.png
new file mode 100644
index 0000000000..8ce355e0f2
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-application-general-data-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-application-secrets-preview.png b/images/user-guide/oauth-2-support/azure/azure-application-secrets-preview.png
new file mode 100644
index 0000000000..8662a262b4
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-application-secrets-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-create-application-preview.png b/images/user-guide/oauth-2-support/azure/azure-create-application-preview.png
new file mode 100644
index 0000000000..53f88d14d0
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-create-application-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-go-for-ad-preview.png b/images/user-guide/oauth-2-support/azure/azure-go-for-ad-preview.png
new file mode 100644
index 0000000000..dbacfa31ec
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-go-for-ad-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-go-for-and-create-application-preview.png b/images/user-guide/oauth-2-support/azure/azure-go-for-and-create-application-preview.png
new file mode 100644
index 0000000000..a4e2575be2
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-go-for-and-create-application-preview.png differ
diff --git a/images/user-guide/oauth-2-support/azure/azure-login-preview.png b/images/user-guide/oauth-2-support/azure/azure-login-preview.png
new file mode 100644
index 0000000000..e61a87c467
Binary files /dev/null and b/images/user-guide/oauth-2-support/azure/azure-login-preview.png differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-ce-preview.png b/images/user-guide/oauth-2-support/deleting-domain-1-ce-preview.png
deleted file mode 100644
index f224e7b76a..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-ce.png b/images/user-guide/oauth-2-support/deleting-domain-1-ce.png
deleted file mode 100644
index 45b6da739e..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-paas-preview.png b/images/user-guide/oauth-2-support/deleting-domain-1-paas-preview.png
deleted file mode 100644
index 094ec6e426..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-paas.png b/images/user-guide/oauth-2-support/deleting-domain-1-paas.png
deleted file mode 100644
index b58609b366..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-pe-preview.png b/images/user-guide/oauth-2-support/deleting-domain-1-pe-preview.png
deleted file mode 100644
index a40d6cf51a..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-1-pe.png b/images/user-guide/oauth-2-support/deleting-domain-1-pe.png
deleted file mode 100644
index 58bb0d1137..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-ce-preview.png b/images/user-guide/oauth-2-support/deleting-domain-2-ce-preview.png
deleted file mode 100644
index d18d9c9ce1..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-ce.png b/images/user-guide/oauth-2-support/deleting-domain-2-ce.png
deleted file mode 100644
index 264b972c97..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-paas-preview.png b/images/user-guide/oauth-2-support/deleting-domain-2-paas-preview.png
deleted file mode 100644
index 3192124958..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-paas.png b/images/user-guide/oauth-2-support/deleting-domain-2-paas.png
deleted file mode 100644
index d1a56ad5da..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-pe-preview.png b/images/user-guide/oauth-2-support/deleting-domain-2-pe-preview.png
deleted file mode 100644
index f5742566e9..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-domain-2-pe.png b/images/user-guide/oauth-2-support/deleting-domain-2-pe.png
deleted file mode 100644
index 2c0a77865a..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-domain-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce-preview.png
deleted file mode 100644
index 9c33f630f0..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce.png
deleted file mode 100644
index c4469d6537..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas-preview.png
deleted file mode 100644
index 41ea421bf5..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas.png
deleted file mode 100644
index 5b272c4406..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe-preview.png
deleted file mode 100644
index e4eba46458..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe.png
deleted file mode 100644
index 0209ff099a..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce-preview.png
deleted file mode 100644
index 10dd2e8474..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce.png
deleted file mode 100644
index 233f0665a9..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas-preview.png
deleted file mode 100644
index f6baf0add7..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas.png
deleted file mode 100644
index eed75b17bf..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe-preview.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe-preview.png
deleted file mode 100644
index d65b070629..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe.png b/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe.png
deleted file mode 100644
index e98d0fd97c..0000000000
Binary files a/images/user-guide/oauth-2-support/deleting-oauth2-client-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-ce-preview.png b/images/user-guide/oauth-2-support/managing-domain-1-ce-preview.png
deleted file mode 100644
index 4b04605b7e..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-ce.png b/images/user-guide/oauth-2-support/managing-domain-1-ce.png
deleted file mode 100644
index ac5d48c5e9..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-paas-preview.png b/images/user-guide/oauth-2-support/managing-domain-1-paas-preview.png
deleted file mode 100644
index 85e304b469..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-paas.png b/images/user-guide/oauth-2-support/managing-domain-1-paas.png
deleted file mode 100644
index 811851c871..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-pe-preview.png b/images/user-guide/oauth-2-support/managing-domain-1-pe-preview.png
deleted file mode 100644
index 60a0c32a2d..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-1-pe.png b/images/user-guide/oauth-2-support/managing-domain-1-pe.png
deleted file mode 100644
index 14ba2e961c..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-ce-preview.png b/images/user-guide/oauth-2-support/managing-domain-2-ce-preview.png
deleted file mode 100644
index 5184235136..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-ce.png b/images/user-guide/oauth-2-support/managing-domain-2-ce.png
deleted file mode 100644
index 9ccac38d42..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-paas-preview.png b/images/user-guide/oauth-2-support/managing-domain-2-paas-preview.png
deleted file mode 100644
index 63d3a64a37..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-paas.png b/images/user-guide/oauth-2-support/managing-domain-2-paas.png
deleted file mode 100644
index 0d5c2d8fef..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-pe-preview.png b/images/user-guide/oauth-2-support/managing-domain-2-pe-preview.png
deleted file mode 100644
index d43f79c089..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-domain-2-pe.png b/images/user-guide/oauth-2-support/managing-domain-2-pe.png
deleted file mode 100644
index 5ecf364da8..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-domain-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce-preview.png
deleted file mode 100644
index 11328bff71..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce.png
deleted file mode 100644
index cc3a3994f9..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas-preview.png
deleted file mode 100644
index f03464e73f..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas.png
deleted file mode 100644
index ca9ef3c4a3..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe-preview.png
deleted file mode 100644
index c038bb0946..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe.png b/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe.png
deleted file mode 100644
index 8b4a3c9c04..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce-preview.png
deleted file mode 100644
index b4db87ea4f..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce.png
deleted file mode 100644
index 6228d71f0b..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas-preview.png
deleted file mode 100644
index f7180c711f..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas.png
deleted file mode 100644
index 5154681047..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-paas.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe-preview.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe-preview.png
deleted file mode 100644
index 917609a8d8..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe.png b/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe.png
deleted file mode 100644
index fb53b84e49..0000000000
Binary files a/images/user-guide/oauth-2-support/managing-oauth2-client-2-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-basic-1-ce-preview.png b/images/user-guide/oauth-2-support/mapper-basic-1-ce-preview.png
deleted file mode 100644
index bd3d399728..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-basic-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-basic-1-ce.png b/images/user-guide/oauth-2-support/mapper-basic-1-ce.png
deleted file mode 100644
index 4cc538c8a2..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-basic-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-basic-1-pe-preview.png b/images/user-guide/oauth-2-support/mapper-basic-1-pe-preview.png
deleted file mode 100644
index be5b6cb84b..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-basic-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-basic-1-pe.png b/images/user-guide/oauth-2-support/mapper-basic-1-pe.png
deleted file mode 100644
index b0f176fa95..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-basic-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-custom-1-ce-preview.png b/images/user-guide/oauth-2-support/mapper-custom-1-ce-preview.png
deleted file mode 100644
index db15922c9d..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-custom-1-ce-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-custom-1-ce.png b/images/user-guide/oauth-2-support/mapper-custom-1-ce.png
deleted file mode 100644
index b9c191f7f0..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-custom-1-ce.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-custom-1-pe-preview.png b/images/user-guide/oauth-2-support/mapper-custom-1-pe-preview.png
deleted file mode 100644
index df9aeead9b..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-custom-1-pe-preview.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/mapper-custom-1-pe.png b/images/user-guide/oauth-2-support/mapper-custom-1-pe.png
deleted file mode 100644
index 9acba1a144..0000000000
Binary files a/images/user-guide/oauth-2-support/mapper-custom-1-pe.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-1.png b/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-1.png
deleted file mode 100644
index 0631de6a40..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-1.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-2.png b/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-2.png
deleted file mode 100644
index 686d0a6a2f..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-2.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-3.png b/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-3.png
deleted file mode 100644
index 28c1df1780..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-3.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-clientIdSecret.png b/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-clientIdSecret.png
deleted file mode 100644
index 67ff4abb60..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-application-creation-clientIdSecret.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-application.png b/images/user-guide/oauth-2-support/okta/okta-go-for-application.png
deleted file mode 100644
index d4b586cdfd..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-application.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-1.png b/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-1.png
deleted file mode 100644
index 095ade9090..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-1.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-2.png b/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-2.png
deleted file mode 100644
index 0bc1ec57a9..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation-2.png and /dev/null differ
diff --git a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation.png b/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation.png
deleted file mode 100644
index 7715b029fd..0000000000
Binary files a/images/user-guide/oauth-2-support/okta/okta-go-for-authorization-server-creation.png and /dev/null differ