OpenID Connect client.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
grantType | implicit, authorization_code | authorization_code | Specifies the grant type to use for this client. implicit: Implicit grant type. authorization_code: Authorization code grant type. |
clientId | string | | Identity of the client. |
clientSecret | Reversibly encoded password (string) | | Secret key of the client. |
redirectToRPHostAndPort | string | | Specifies a redirect OpenID relying party host and port number. |
isClientSideRedirectSupported | boolean | true | Specifies whether the client supports redirect at the client side. |
issuerIdentifier | string | | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. |
mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. |
trustStoreRef | A reference to a top level keyStore element (string). | | A keystore containing the public key necessary for verifying the signature of the ID token. |
trustAliasName | string | | Key alias name to locate the public key for signature validation with an asymmetric algorithm. |
nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
realmName | string | | Specifies a realm name to be used to create the user subject when mapIdentityToRegistryUser is set to false. |
sslRef | A reference to a top level ssl element (string). | | Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider. |
signatureAlgorithm | HS256, none, RS256 | HS256 | Specifies the signature algorithm that will be used to verify the signature of the ID token. HS256: Use the HS256 signature algorithm to sign and verify tokens. none: Tokens are not required to be signed. RS256: Use the RS256 signature algorithm to sign and verify tokens. |
includeIdTokenInSubject | boolean | true | Specifies whether to include the ID token in the client subject. |
initialStateCacheCapacity | int (Min: 0) | 3000 | Specifies the initial capacity of the state cache. The capacity grows automatically when needed. |
hostNameVerificationEnabled | boolean | false | Specifies whether to enable host name verification. |
authorizationEndpointUrl | string | | Specifies an authorization endpoint URL. |
tokenEndpointUrl | string | | Specifies a token endpoint URL. |
jwkEndpointUrl | string | | Specifies a JWK endpoint URL. |
responseType | token, code, id_token token, id_token | | Specifies the required response type for this client. token: Access token. code: Authorization code. id_token token: ID token and access token. id_token: ID token. |
userIdentifier | string | | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. |
groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
tokenEndpointAuthMethod | post, basic | post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. post: post. basic: basic. |
inboundPropagation | supported, none, required | none | Controls the operation of token inbound propagation of the OpenID relying party. supported: Support inbound token propagation. none: Do not support inbound token propagation. required: Require inbound token propagation. |
validationMethod | introspect, userinfo | introspect | The method of validation for token inbound propagation. introspect: Validate inbound tokens using token introspection. userinfo: Validate inbound tokens using the userinfo endpoint. |
headerName | string | | The name of the header that carries the inbound token in the request. |
validationEndpointUrl | string | | The endpoint URL for validating the inbound propagated token. The type of endpoint is determined by the validationMethod. |
disableIssChecking | boolean | false | Do not check the issuer while validating the JSON response for inbound token propagation. |
authnSessionDisabled | boolean | true | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token with every request. |
disableLtpaCookie | boolean | false | Do not create an LTPA token during processing of the OAuth token. Create a cookie specific to the service provider instead. |
reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when their authenticating access token expires and disableLtpaCookie is set to true. |
reAuthnCushion | A period of time with millisecond precision | 0s | The time period before a user's tokens expire in which the user is authenticated again. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
authFilterRef | A reference to a top level authFilter element (string). | | Specifies the authentication filter reference. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
The trusted audience list that is verified against the aud claim in the JSON web token.
Specifies the authentication filter reference.
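The attributes in the table above are the settings that decide whether the relying party actually verifies what the provider sends it. As an added example that is not part of this reference, the Python below parses a constructed server.xml fragment and flags the weak choices the table permits (signatureAlgorithm="none", httpsRequired="false", hostNameVerificationEnabled="false", disableIssChecking="true", the implicit grant, an authorization code flow without a nonce, and plain-http endpoint URLs), then shows the same client with those settings corrected; the element name openidConnectClient is assumed from Liberty's server.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a relying party with several weak choices. The element name
# openidConnectClient is assumed; attribute names and defaults come from the table.
WEAK_CONFIG = """<server>
  <openidConnectClient id="rp" clientId="rp-client" clientSecret="PLACEHOLDER"
      signatureAlgorithm="none" httpsRequired="false" grantType="implicit"
      hostNameVerificationEnabled="false" disableIssChecking="true"
      authorizationEndpointUrl="http://op.example.test/authorize"/>
</server>"""

# Constructed sample: the same client with each weak setting corrected.
HARDENED_CONFIG = """<server>
  <openidConnectClient id="rp" clientId="rp-client" clientSecret="PLACEHOLDER"
      signatureAlgorithm="RS256" jwkEndpointUrl="https://op.example.test/jwk"
      httpsRequired="true" hostNameVerificationEnabled="true"
      nonceEnabled="true" grantType="authorization_code"
      authorizationEndpointUrl="https://op.example.test/authorize"/>
</server>"""

# Defaults from the table, applied when the attribute is absent.
DEFAULTS = {"signatureAlgorithm": "HS256", "httpsRequired": "true",
            "hostNameVerificationEnabled": "false", "disableIssChecking": "false",
            "nonceEnabled": "false", "grantType": "authorization_code"}

def audit_oidc_client(xml_text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means none were found."""
    findings = []
    for el in ET.fromstring(xml_text).iter("openidConnectClient"):
        get = lambda k: el.get(k, DEFAULTS.get(k, ""))
        alg = get("signatureAlgorithm")
        if alg == "none":
            findings.append("signatureAlgorithm=none: ID token signature is not verified")
        elif alg == "RS256" and not (el.get("jwkEndpointUrl") or el.get("trustStoreRef")):
            findings.append("RS256 without jwkEndpointUrl or trustStoreRef: no verification key")
        if get("httpsRequired") != "true":
            findings.append("httpsRequired=false: RP-to-provider traffic may be plaintext")
        if get("hostNameVerificationEnabled") != "true":
            findings.append("hostNameVerificationEnabled=false: provider host name not verified")
        if get("disableIssChecking") == "true":
            findings.append("disableIssChecking=true: issuer not checked on inbound token validation")
        if get("grantType") == "implicit":
            findings.append("grantType=implicit: tokens are returned through the front channel")
        elif get("nonceEnabled") != "true":
            findings.append("nonceEnabled=false: no nonce in the authorization code flow")
        for key in ("authorizationEndpointUrl", "tokenEndpointUrl", "jwkEndpointUrl"):
            if el.get(key, "").startswith("http://"):
                findings.append(f"{key} uses http:// rather than https://")
    return findings
```

Running the audit over a real server.xml is the same call with the file contents; each finding names the attribute to change and the table row above gives the accepted values.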
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
name | string | | Specifies the name. |
matchType | equals, contains, notContain | contains | Specifies the match type. equals: Equals. contains: Contains. notContain: Not contain. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
urlPattern | string | | Specifies the URL pattern. |
matchType | equals, contains, notContain | contains | Specifies the match type. equals: Equals. contains: Contains. notContain: Not contain. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
matchType | lessThan, equals, greaterThan, contains, notContain | contains | Specifies the match type. lessThan: Less than. equals: Equals. greaterThan: Greater than. contains: Contains. notContain: Not contain. |
ip | string | | Specifies the IP address. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
name | string | | Specifies the name. |
matchType | equals, contains, notContain | contains | Specifies the match type. equals: Equals. contains: Contains. notContain: Not contain. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | | A unique configuration ID. |
agent | string | | Specifies the user agent. |
matchType | equals, contains, notContain | contains | Specifies the match type. equals: Equals. contains: Contains. notContain: Not contain. |
Resource parameter is included in the request.