openidConnectClient - OpenID Connect Client (openidConnectClient)

OpenID Connect client.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
| userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
| httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
| grantType | implicit, authorization_code | authorization_code | Specifies the grant type to use for this client. implicit: Implicit grant type. authorization_code: Authorization code grant type. |
| clientId | string | | Identity of the client. |
| clientSecret | Reversibly encoded password (string) | | Secret key of the client. |
| redirectToRPHostAndPort | string | | After authorization, the relying party is redirected to this destination instead of the default. The default is the origin of the relying party request. |
| redirectJunctionPath | string | | Specifies a path fragment to be inserted into the redirect URL after the host name and port. The default is an empty string. |
| isClientSideRedirectSupported | boolean | true | Specifies whether the client supports redirect at the client side. |
| issuerIdentifier | string | | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains scheme, host, and optionally port number and path components. |
| mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, the user registry is not used to create the user subject. |
| trustStoreRef | A reference to a top-level keyStore element (string) | | A keystore containing the public key necessary for verifying the signature of the ID token. |
| trustAliasName | string | | Key alias name used to locate the public key for signature validation with an asymmetric algorithm. |
| nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
| realmName | string | | Specifies a realm name to be used to create the user subject when mapIdentityToRegistryUser is set to false. |
| sslRef | A reference to a top-level ssl element (string) | | Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider. |
| signatureAlgorithm | HS256, RS256, none | HS256 | Specifies the signature algorithm that is used to verify the signature of the ID token. HS256: Use the HS256 signature algorithm to sign and verify tokens. RS256: Use the RS256 signature algorithm to sign and verify tokens. none: Tokens are not required to be signed. |
| includeIdTokenInSubject | boolean | true | Specifies whether to include the ID token in the client subject. |
| accessTokenInLtpaCookie | boolean | false | Specifies whether the LTPA token includes the access token. |
| initialStateCacheCapacity | int (min: 0) | 3000 | Specifies the initial capacity of the state cache. The capacity grows automatically when needed. |
| hostNameVerificationEnabled | boolean | false | Specifies whether to enable host name verification. |
| authorizationEndpointUrl | string | | Specifies an authorization endpoint URL. |
| tokenEndpointUrl | string | | Specifies a token endpoint URL. |
| jwkEndpointUrl | string | | Specifies a JWK endpoint URL. |
| jwkClientId | string | | Specifies the client identifier to include in the basic authentication scheme of the JWK request. |
| jwkClientSecret | Reversibly encoded password (string) | | Specifies the client password to include in the basic authentication scheme of the JWK request. |
| responseType | id_token token, code, id_token, token | | Specifies the required response type for this client. id_token token: ID token and access token. code: Authorization code. id_token: ID token. token: Access token. |
| userIdentifier | string | | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. |
| groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
| realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
| uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
| tokenEndpointAuthMethod | post, basic | post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. |
| inboundPropagation | none, required, supported | none | Controls the operation of the token inbound propagation of the OpenID relying party. none: Do not support inbound token propagation. required: Require inbound token propagation. supported: Support inbound token propagation. |
| validationMethod | introspect, userinfo | introspect | The method of validation on the token inbound propagation. introspect: Validate inbound tokens using token introspection. userinfo: Validate inbound tokens using the userinfo endpoint. |
| headerName | string | | The name of the header that carries the inbound token in the request. |
| validationEndpointUrl | string | | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod. |
| disableIssChecking | boolean | false | Do not check the issuer while validating the JSON response for inbound token propagation. |
| authnSessionDisabled | boolean | true | An authentication session cookie is not created for inbound propagation. The client is expected to send a valid OAuth token for every request. |
| disableLtpaCookie | boolean | false | Do not create an LTPA token during processing of the OAuth token. Create a cookie of the specific Service Provider instead. |
| reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true. |
| reAuthnCushion | A period of time with millisecond precision | 0s | The time period before its tokens expire at which a user is authenticated again. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
| authFilterRef | A reference to a top-level authFilter element (string) | | Specifies the authentication filter reference. |
| createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
| authenticationTimeLimit | A period of time with millisecond precision | 420s | Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |

audiences

The trusted audience list that is verified against the aud claim in the JSON web token.

authFilter

Specifies the authentication filter reference.

authFilter > webApp

A unique configuration ID.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| name | string | | Specifies the name. |
| matchType | contains, notContain, equals | contains | Specifies the match type. contains: Contains. notContain: Not contain. equals: Equals. |

authFilter > requestUrl

A unique configuration ID.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| urlPattern | string | | Specifies the URL pattern. |
| matchType | contains, notContain, equals | contains | Specifies the match type. contains: Contains. notContain: Not contain. equals: Equals. |

authFilter > remoteAddress

A unique configuration ID.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| matchType | contains, notContain, equals, lessThan, greaterThan | contains | Specifies the match type. contains: Contains. notContain: Not contain. equals: Equals. lessThan: Less than. greaterThan: Greater than. |
| ip | string | | Specifies the IP address. |

authFilter > host

A unique configuration ID.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| name | string | | Specifies the name. |
| matchType | contains, notContain, equals | contains | Specifies the match type. contains: Contains. notContain: Not contain. equals: Equals. |

authFilter > userAgent

A unique configuration ID.

| Name | Type | Default | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| agent | string | | Specifies the user agent. |
| matchType | contains, notContain, equals | contains | Specifies the match type. contains: Contains. notContain: Not contain. equals: Equals. |

resource

Resource parameter is included in the request.
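An added server.xml fragment (written for this page, not taken from it or from the Open Liberty project) that places a weak openidConnectClient configuration beside a hardened one built from the attributes and the authFilter child elements listed above. The client ID, secrets, provider URLs (op.example.test) and keystore path are placeholders; the keyStore and ssl elements referenced by sslRef, and the child-element form of audiences, are assumed Liberty syntax not described on this page.

```xml
<server>
  <!-- Weak settings: unsigned ID tokens accepted (signatureAlgorithm="none"),
       plain HTTP allowed, no host-name check, no nonce, issuer check disabled.
       Every value is a placeholder. -->
  <openidConnectClient id="rp-weak"
      clientId="CLIENT_ID_PLACEHOLDER"
      clientSecret="CLIENT_SECRET_PLACEHOLDER"
      signatureAlgorithm="none"
      httpsRequired="false"
      hostNameVerificationEnabled="false"
      nonceEnabled="false"
      disableIssChecking="true"
      authorizationEndpointUrl="http://op.example.test/authorize"
      tokenEndpointUrl="http://op.example.test/token" />

  <!-- Hardened: RS256 signatures checked against the provider's JWK endpoint,
       TLS required with host-name verification, nonce bound to the code flow,
       issuer and audience pinned, re-authentication before tokens expire.
       keyStore and ssl are assumed standard Liberty elements (not on this page). -->
  <keyStore id="opTrustStore"
      location="${server.config.dir}/resources/security/trust.p12"
      password="TRUSTSTORE_PASSWORD_PLACEHOLDER" />
  <ssl id="opSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore" />
  <authFilter id="rpFilter">
    <requestUrl id="protectedApi" urlPattern="/api" matchType="contains" />
  </authFilter>
  <openidConnectClient id="rp-hardened"
      clientId="CLIENT_ID_PLACEHOLDER"
      clientSecret="CLIENT_SECRET_PLACEHOLDER"
      grantType="authorization_code"
      responseType="code"
      scope="openid profile"
      signatureAlgorithm="RS256"
      jwkEndpointUrl="https://op.example.test/jwks"
      issuerIdentifier="https://op.example.test"
      httpsRequired="true"
      hostNameVerificationEnabled="true"
      nonceEnabled="true"
      sslRef="opSSLConfig"
      tokenEndpointAuthMethod="basic"
      disableLtpaCookie="true"
      reAuthnOnAccessTokenExpire="true"
      reAuthnCushion="30s"
      authenticationTimeLimit="420s"
      authFilterRef="rpFilter">
    <!-- audiences as a child element (assumed syntax): aud must match the client ID -->
    <audiences>CLIENT_ID_PLACEHOLDER</audiences>
  </openidConnectClient>
</server>
```

Only one of the two openidConnectClient elements would be active in a real server; they are shown together so the attribute values can be compared row by row against the table.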