OpenID Connect Client (openidConnectClient)
OpenID Connect client.
Attribute name | Data type | Default value | Description |
---|---|---|---|
authFilterRef | A reference to top level authFilter element (string). | | Specifies the authentication filter reference. |
authnSessionDisabled | boolean | true | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request. |
authorizationEndpointUrl | string | | Specifies an Authorization end point URL. |
clientId | string | | Identity of the client. |
clientSecret | Reversibly encoded password (string) | | Secret key of the client. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
disableIssChecking | boolean | false | Do not check for the issuer while validating the JSON response for inbound token propagation. |
disableLtpaCookie | boolean | false | Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead. |
grantType | string | authorization_code | Specifies the grant type to use for this client. |
groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
headerName | string | | The name of the header that carries the inbound token in the request. |
hostNameVerificationEnabled | boolean | false | Specifies whether to enable host name verification. |
httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
id | string | | A unique configuration ID. |
inboundPropagation | string | none | Controls the operation of the token inbound propagation of the OpenID relying party. |
includeIdTokenInSubject | boolean | true | Specifies whether to include the ID token in the client subject. |
initialStateCacheCapacity | int (minimum: 0) | 3000 | Specifies the initial capacity of the state cache. The capacity grows automatically when needed. |
isClientSideRedirectSupported | boolean | true | Specifies whether the client supports redirect at the client side. |
issuerIdentifier | string | | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains scheme, host, and optionally port number and path components. |
jwkEndpointUrl | string | | Specifies a JWK end point URL. |
mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. |
nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
reAuthnCushion | A period of time with millisecond precision | 0s | The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true. |
realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
realmName | string | | Specifies a realm name to be used to create the user subject when mapIdentityToRegistryUser is set to false. |
redirectToRPHostAndPort | string | | Specifies a redirect OpenID relying party host and port number. |
responseType | string | | Specifies the required response type for this client. |
scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
signatureAlgorithm | string | HS256 | Specifies the signature algorithm that will be used to verify the signature of the ID token. |
sslRef | A reference to top level ssl element (string). | | Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider. |
tokenEndpointAuthMethod | string | post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. |
tokenEndpointUrl | string | | Specifies a token end point URL. |
trustAliasName | string | | Key alias name to locate the public key for signature validation with an asymmetric algorithm. |
trustStoreRef | A reference to top level keyStore element (string). | | A keystore containing the public key necessary for verifying the signature of the ID token. |
uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
userIdentifier | string | | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. |
userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
validationEndpointUrl | string | | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod. |
validationMethod | string | introspect | The method of validation on the token inbound propagation. |
Subelements:

- audiences
  Description: The trusted audience list that is verified against the aud claim in the JSON web token.
  Required: false
  Data type: string

- authFilter
  Description: Specifies the authentication filter reference.
  Required: false

- authFilter > host
  Description: A unique configuration ID.
  Required: false

Attribute name | Data type | Default value | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
matchType | equals (Equals), contains (Contains), notContain (Not contain) | contains | Specifies the match type. |
name | string | | Specifies the name. |

- authFilter > remoteAddress
  Description: A unique configuration ID.
  Required: false

Attribute name | Data type | Default value | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
ip | string | | Specifies the IP address. |
matchType | lessThan (Less than), equals (Equals), greaterThan (Greater than), contains (Contains), notContain (Not contain) | contains | Specifies the match type. |

- authFilter > requestUrl
  Description: A unique configuration ID.
  Required: false

Attribute name | Data type | Default value | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
matchType | equals (Equals), contains (Contains), notContain (Not contain) | contains | Specifies the match type. |
urlPattern | string | | Specifies the URL pattern. |

- authFilter > userAgent
  Description: A unique configuration ID.
  Required: false

Attribute name | Data type | Default value | Description |
---|---|---|---|
agent | string | | Specifies the user agent. |
id | string | | A unique configuration ID. |
matchType | equals (Equals), contains (Contains), notContain (Not contain) | contains | Specifies the match type. |

- authFilter > webApp
  Description: A unique configuration ID.
  Required: false

Attribute name | Data type | Default value | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
matchType | equals (Equals), contains (Contains), notContain (Not contain) | contains | Specifies the match type. |
name | string | | Specifies the name. |
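The following server.xml fragment is an added, constructed example (not taken from this page or from the product documentation) showing how the attributes and authFilter subelements above fit together in a relying-party configuration that overrides the weaker defaults (hostNameVerificationEnabled, nonceEnabled, HS256): the provider URLs, client ID, variable names, keystore and filter IDs are placeholders, and it assumes the openidConnectClient-1.0 and transportSecurity-1.0 features.

```xml
<server>
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <!-- Constructed example: truststore holding the provider's TLS CA (placeholder path/variable). -->
    <keyStore id="opTrustStore" location="opTrust.p12" password="${op.truststore.password}" />
    <ssl id="opSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore" />

    <!-- Only requests for the "orders" web app under /api are sent through this client. -->
    <authFilter id="protectedApps">
        <webApp name="orders" matchType="equals" />
        <requestUrl urlPattern="/api" matchType="contains" />
    </authFilter>

    <openidConnectClient id="exampleRP"
        clientId="rp-client-id"
        clientSecret="${op.client.secret}"
        authorizationEndpointUrl="https://op.example.com/oidc/authorize"
        tokenEndpointUrl="https://op.example.com/oidc/token"
        jwkEndpointUrl="https://op.example.com/oidc/jwk"
        issuerIdentifier="https://op.example.com/oidc"
        scope="openid profile"
        signatureAlgorithm="RS256"
        hostNameVerificationEnabled="true"
        httpsRequired="true"
        nonceEnabled="true"
        tokenEndpointAuthMethod="post"
        sslRef="opSSLConfig"
        authFilterRef="protectedApps"
        reAuthnCushion="30s"
        mapIdentityToRegistryUser="false"
        realmName="op.example.com">
        <!-- The ID token's aud claim must contain this client ID. -->
        <audiences>rp-client-id</audiences>
    </openidConnectClient>
</server>
```

With RS256 and jwkEndpointUrl the signing key is fetched from the provider, so trustStoreRef and trustAliasName are not needed here; they are the alternative when the public key is held locally.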