camunda · danielkelemen · Oct 4, 2024 · Sep 10, 2024 · Sep 26, 2024 · Sep 26, 2024
diff --git a/content/user-guide/camunda-bpm-run.md b/content/user-guide/camunda-bpm-run.md
@@ -103,6 +103,14 @@ The start scripts (`start.bat` for Windows, `start.sh` for Linux/Mac) accept the
       </td>
       <td><code>enabled</code></td>
   </tr>
+  <tr>
+      <td><code>--oauth2</code></td>
+      <td>
+        Enables Spring Security OAuth2 integration.
+        See dedicated <a href="{{< ref "/user-guide/spring-boot-integration/spring-security.md" >}}">Spring Security OAuth2 Integration</a> documentation for details.
+      </td>
+      <td><code>false</code></td>
+  </tr>
   <tr>
       <td><code>--help</code></td>
       <td>Prints a message showing the available start script arguments.</td>

diff --git a/content/user-guide/process-engine/identity-service.md b/content/user-guide/process-engine/identity-service.md
@@ -376,6 +376,10 @@ The LDAP Identity Provider provides the following configuration properties:
   </tr>
 </table>
 
+# The OAuth2 Identity Service
+
+See the Spring Security OAuth2 Integration's [OAuth2 Identity Provider]({{< ref "/user-guide/spring-boot-integration/spring-security.md#oauth2-identity-provider" >}}) documentation.
+
 # Throttle login attempts
 
 A mechanism exists for preventing subsequent unsuccessful login attempts.The essence of it is that the user is not able to log in for a specific amount of time after unsuccessful login attempts.

diff --git a/content/user-guide/security.md b/content/user-guide/security.md
@@ -167,6 +167,10 @@ To prevent this:
 4. Don't allow to reuse an id of a deleted user.
 
 
+## Spring Security OAuth2
+
+See the Spring Security OAuth2 Integration's [Security Recommendations]({{< ref "/user-guide/spring-boot-integration/spring-security.md#security-recommendations" >}}) documentation.
+
 ## Deployments
 
 [Deployments]({{< ref "/user-guide/process-engine/deployments.md" >}}) to the process engine can contain resources that are interpreted like code:

diff --git a/content/user-guide/spring-boot-integration/configuration.md b/content/user-guide/spring-boot-integration/configuration.md
@@ -823,6 +823,42 @@ When setting to <code>/</code>, the legacy behavior of Camunda Spring Boot Start
 <td>-</td>
 </tr>
 
+<tr>
+  <td colspan="4">
+    <b>OAuth2</b>
+  </td>
+</tr>
+<tr>
+  <td rowspan="3"><code>camunda.bpm.oauth2.identity-provider</code></td>
+  <td><code>.enabled</code></td>
+  <td>Enables the OAuth2 identity provider.</td>
+  <td><code>true</code></td>
+</tr>
+<tr>
+  <td><code>.group-name-attribute</code></td>
+  <td>Enables and configures the OAuth2 Granted Authorities Mapper.</td>
+  <td>-</td>
+</tr>
+<tr>
+  <td><code>.group-name-delimiter</code></td>
+  <td>
+    Configures the delimiter used in the OAuth2 Granted Authorities Mapper.
+    It's only used if the configured <code>group-name-attribute</code> contains <code>String</code> value.
+  </td>
+  <td><code>,</code> (comma)</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>camunda.bpm.oauth2.sso-logout</code></td>
+  <td><code>.enabled</code></td>
+  <td>Activates the client initiated OIDC logout feature.</td>
+  <td><code>false</code></td>
+</tr>
+<tr>
+  <td><code>.post-logout-redirect-uri</code></td>
+  <td>Configures the URI the user is redirected after SSO logout from the provider.</td>
+  <td><code>{baseUrl}</code></td>
+</tr>
+
 </table>