OpenID Connect client.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
grantType | | authorization_code | Specifies the grant type to use for this client. Values: `implicit` (implicit grant type), `authorization_code` (authorization code grant type). |
clientId | string | | Identity of the client. |
clientSecret | Reversibly encoded password (string) | | Secret key of the client. |
redirectToRPHostAndPort | string | | After authorization, the relying party will be redirected to this destination instead of the default. The default is the origin of the relying party request. |
redirectJunctionPath | string | | Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string. |
isClientSideRedirectSupported | boolean | true | Specifies whether the client supports redirect at the client side. |
issuerIdentifier | string | | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. |
mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. |
trustStoreRef | A reference to a top-level keyStore element (string). | | A keystore containing the public key necessary for verifying the signature of the ID token. |
trustAliasName | string | | Key alias name used to locate the public key for signature validation with an asymmetric algorithm. |
nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
realmName | string | | Specifies a realm name to be used to create the user subject when mapIdentityToRegistryUser is set to false. |
sslRef | A reference to a top-level ssl element (string). | | Specifies the ID of the SSL configuration that is used to connect to the OpenID Connect provider. |
signatureAlgorithm | | HS256 | Specifies the signature algorithm that will be used to verify the signature of the ID token. Values: `HS256` (use the HS256 signature algorithm to sign and verify tokens), `RS256` (use the RS256 signature algorithm to sign and verify tokens), `none` (tokens are not required to be signed). |
includeIdTokenInSubject | boolean | true | Specifies whether to include the ID token in the client subject. |
accessTokenInLtpaCookie | boolean | false | Specifies whether the LTPA token includes the access token. |
initialStateCacheCapacity | int (min: 0) | 3000 | Specifies the initial capacity of the state cache. The capacity grows automatically when needed. |
hostNameVerificationEnabled | boolean | false | Specifies whether to enable host name verification. |
authorizationEndpointUrl | string | | Specifies an authorization endpoint URL. |
tokenEndpointUrl | string | | Specifies a token endpoint URL. |
jwkEndpointUrl | string | | Specifies a JWK endpoint URL. |
jwkClientId | string | | Specifies the client identifier to include in the basic authentication scheme of the JWK request. |
jwkClientSecret | Reversibly encoded password (string) | | Specifies the client password to include in the basic authentication scheme of the JWK request. |
responseType | | | Specifies the required response type for this client. Values: `id_token token` (ID token and access token), `code` (authorization code), `id_token` (ID token), `token` (access token). |
userIdentifier | string | | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. |
groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
tokenEndpointAuthMethod | | post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. Values: `post`, `basic`. |
inboundPropagation | | none | Controls the operation of the token inbound propagation of the OpenID relying party. Values: `none` (do not support inbound token propagation), `required` (require inbound token propagation), `supported` (support inbound token propagation). |
validationMethod | | introspect | The method of validation on the token inbound propagation. Values: `introspect` (validate inbound tokens using token introspection), `userinfo` (validate inbound tokens using the userinfo endpoint). |
headerName | string | | The name of the header that carries the inbound token in the request. |
validationEndpointUrl | string | | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by validationMethod. |
disableIssChecking | boolean | false | Do not check the issuer while validating the JSON response for inbound token propagation. |
authnSessionDisabled | boolean | true | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token with every request. |
disableLtpaCookie | boolean | false | Do not create an LTPA token during processing of the OAuth token. Create a cookie specific to the Service Provider instead. |
reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true. |
reAuthnCushion | A period of time with millisecond precision | 0s | The time period before token expiry at which a user is authenticated again. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
authFilterRef | A reference to a top-level authFilter element (string). | | Specifies the authentication filter reference. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
authenticationTimeLimit | A period of time with millisecond precision | 420s | Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
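Several attributes in the table above decide whether an ID token is actually verified (signatureAlgorithm, httpsRequired, hostNameVerificationEnabled, disableIssChecking, nonceEnabled, issuerIdentifier). As an added example, not part of this reference and not a tool shipped with the server, the following Python script reads client elements from a server.xml fragment and reports the settings that leave token validation weaker than the table allows, applying the table's defaults for attributes that are absent. The element name `openidConnectClient`, the `{xor}`/`{aes}` prefixes used to recognise an encoded clientSecret, and the sample XML are assumptions of this example.

```python
"""Audit openidConnectClient settings in a server.xml fragment.

Added example: attribute names and defaults are taken from the reference
table; the element name openidConnectClient and the {xor}/{aes}
encoded-password prefixes are assumptions, not stated on the page.
"""
import xml.etree.ElementTree as ET

# Defaults from the reference table, applied when the attribute is absent.
DEFAULTS = {
    "httpsRequired": "true",
    "signatureAlgorithm": "HS256",
    "hostNameVerificationEnabled": "false",
    "disableIssChecking": "false",
    "nonceEnabled": "false",
}

# Assumed markers of a reversibly encoded password value.
ENCODED_PREFIXES = ("{xor}", "{aes}")


def effective(attrs, name):
    """Configured value, or the table default when the attribute is absent."""
    return attrs.get(name, DEFAULTS.get(name))


def audit_client(attrs):
    """Return finding codes for one client element's attribute dictionary."""
    findings = []
    if effective(attrs, "signatureAlgorithm") == "none":
        findings.append("unsigned-id-token")          # tokens not required to be signed
    if effective(attrs, "httpsRequired") != "true":
        findings.append("https-not-required")         # RP/OP traffic may be plain HTTP
    if effective(attrs, "hostNameVerificationEnabled") != "true":
        findings.append("hostname-verification-off")  # table default is false
    if effective(attrs, "disableIssChecking") == "true":
        findings.append("iss-check-disabled")         # issuer not checked on propagation
    if effective(attrs, "nonceEnabled") != "true":
        findings.append("nonce-disabled")             # no nonce in the code flow
    issuer = attrs.get("issuerIdentifier")
    if issuer is None or not issuer.startswith("https://"):
        findings.append("issuer-not-https")           # table: issuer uses the HTTPS scheme
    secret = attrs.get("clientSecret", "")
    if secret and not secret.startswith(ENCODED_PREFIXES):
        findings.append("clientsecret-plaintext")     # secret stored unencoded
    return findings


def audit_server_xml(xml_text):
    """Map each openidConnectClient id to its list of findings."""
    root = ET.fromstring(xml_text.strip())
    return {el.get("id", "<no-id>"): audit_client(el.attrib)
            for el in root.iter("openidConnectClient")}


# Constructed sample configuration: one weak client beside a hardened one.
SAMPLE_SERVER_XML = """
<server>
  <openidConnectClient id="weak"
      clientId="rp1" clientSecret="hunter2"
      httpsRequired="false" signatureAlgorithm="none"
      disableIssChecking="true"
      issuerIdentifier="http://op.example.test/oidc"/>
  <openidConnectClient id="hardened"
      clientId="rp2" clientSecret="{xor}PLACEHOLDER"
      signatureAlgorithm="RS256"
      jwkEndpointUrl="https://op.example.test/oidc/jwk"
      hostNameVerificationEnabled="true" nonceEnabled="true"
      issuerIdentifier="https://op.example.test/oidc"/>
</server>
"""

if __name__ == "__main__":
    for client_id, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(client_id, findings or "no findings")
```

Run against a real server.xml by passing the file contents to `audit_server_xml`; an empty list for a client means every checked attribute is either set to its strict value or, for httpsRequired, left at the table default.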
The trusted audience list that is verified against the aud claim in the JSON web token.
Specifies the authentication filter reference.
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
name | string | | Specifies the name. |
matchType | | contains | Specifies the match type. Values: `contains` (contains), `notContain` (does not contain), `equals` (equals). |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
urlPattern | string | | Specifies the URL pattern. |
matchType | | contains | Specifies the match type. Values: `contains` (contains), `notContain` (does not contain), `equals` (equals). |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
matchType | | contains | Specifies the match type. Values: `contains` (contains), `notContain` (does not contain), `equals` (equals), `lessThan` (less than), `greaterThan` (greater than). |
ip | string | | Specifies the IP address. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
name | string | | Specifies the name. |
matchType | | contains | Specifies the match type. Values: `contains` (contains), `notContain` (does not contain), `equals` (equals). |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
agent | string | | Specifies the user agent. |
matchType | | contains | Specifies the match type. Values: `contains` (contains), `notContain` (does not contain), `equals` (equals). |
Resource parameter is included in the request.