OpenID Connect Relying Party custom properties
The following tables list the custom properties for the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI). You can define these properties in the Custom Properties panel for the OpenID Connect TAI using the administrative console.
The custom properties are used to determine the behavior of the OpenID Connect RP, and to communicate with an OpenID Connect Provider (OP). You can configure custom properties for multiple OpenID Connect providers.
To assign unique property names that identify each OpenID Connect provider, a provider_<id> is embedded in the property name and used to group the properties that are associated with each OP. The provider_<id>s are numbered sequentially for each OP. There are some custom properties that apply to all the providers and these properties are not prefixed with provider_<id>.
- Required properties: Without these properties defined, the RP does not initialize, which is functionally the same as having no RP installed.
- Optional properties: These properties have a default value as documented. They are used to fine tune the behavior of the RP.
Property name | Values | Description |
---|---|---|
provider_<id>.identifier | You can specify any string value. This property does not have a default value. | Specifies a unique name for each OpenID Connect provider identified by the <id> in the provider_<id> prefix. This identifier is used to build the redirect URL that is registered with the OP. For example: |
provider_<id>.clientId | You can specify any string value. This property does not have a default value. | Specifies the ID used to identify the OpenID Connect RP instance to the OpenID Connect Provider server. It must be unique among all the RP clients registered to the provider. |
provider_<id>.clientSecret | You can specify a plaintext or XOR-encoded value. This property does not have a default value. | Specifies the secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the OpenID Connect Provider's secret that is registered for this client. For example: |
provider_<id>.authorizeEndpointUrl | You can specify any URL value. This property does not have a default value. | Specifies the endpoint URL for redirecting authorization requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize. |
provider_<id>.tokenEndpointUrl | You can specify any URL value. This property does not have a default value. | Specifies the endpoint URL for redirecting token requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/endpointe. |
Property name | Values | Description |
---|---|---|
 | You can specify a comma-separated list of URI patterns. This property does not have a default value. | Specifies a comma-separated list of regular expression patterns that are compared against the request URI to decide whether the TAI intercepts the request. To intercept ALL requests, use “/.*”. For example: /abcCompanyApps.*, /snoop |
provider_<id>.introspectEndpoint | You can specify any URL value. This property does not have a default value. | Specifies the endpoint URL for calling the OpenID Connect Provider's introspection endpoint. For example: |
callbackServletContext | You can specify any context root value, but it must match the context root that is configured for the OpenID Connect RP callback servlet. By default, this property is set to the value of /oidcclient. | Specifies the context root that is configured for the OpenID Connect RP callback servlet. The TAI uses this property to filter callback requests from the OpenID Connect Provider. Normally, this property should be set to /oidcclient. The value must match the context root that is configured when deploying the com_ibm_ws_security_oidc_servlet_war into the local WebSphere®. It must also match the start of the callback URIs registered for this client with the OpenID Connect Provider. For example: /oidcclient. |
provider_<id>.signatureAlgorithm | You can specify one of the following values: | Specifies the algorithm that is used to secure messages from the OpenID Connect provider. |
provider_<id>.jwkEndpointUrl | You can specify any URL value. This property does not have a default value. | Specifies the URL of the OP's JSON Web Key (JWK) set document that contains the signing key the RP uses to validate the signature from the OP. This property must be set if the signatureAlgorithm custom property is set to RS256 and you do not set the signVerifyAlias custom property to obtain the OP's signing certificate from the default trust store. |
provider_<id>.userIdentifier | By default, this property is set to the value of sub. | Specifies the claim name in the vendor's ID token that represents a user's unique identifier. For example, you can set userIdentifier = email if you are using Google's OP. |
provider_<id>.opServerConnectionTimeout | You can specify any integer value. By default, this property is set to the value of 20000 (20 seconds). | Specifies the time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request. |
provider_<id>.scope | By default, this property is set to the value of openid profile. | Specifies the scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token has. For example: openid general. |
provider_<id>.issuerIdentifier | By default, this property is set to a value derived from the authorizeEndpointUrl. | Specifies the issuer of the ID token. If this property is not set, it is derived from the authorizeEndpointUrl value. For example: |
provider_<id>.groupIdentifier | By default, this property is set to a value of groupIds. | Specifies the name of the groups attribute set by the OpenID Connect Provider in the ID token. For example: groupIds. |
provider_<id>.mapIdentityToRegistryUser | You can specify one of the following values: | When this property is set to false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm. The users and groups do not need to exist in the WebSphere Application Server user registry. When this property is set to true, the OpenID Connect RP maps the OpenID Connect authenticated user to the same user (by short name) in the WebSphere Application Server user registry. All users must be maintained in the WebSphere Application Server user registry. If OpenID Connect authenticates a user that is not in the local WebSphere Application Server user registry, an error occurs. |
provider_<id>.redirectToRPHostAndPort | This custom property does not have a default value. | The RP registers its redirect URL with the OP as https://<host name>:<ssl port>/oidcclient/signin_cb, where both the host name and SSL port are resolved automatically. If there is a proxy in front of the RP, you can override the host name and port with this property by setting redirectToRPHostAndPort to https://<hostname>:<ssl port>. For example: |
provider_<id>.allowImplicitClientFlow | You can specify one of the following values: | Determines how the OpenID Connect RP authenticates Basic Auth tokens. When this property is set to true, the TAI authenticates the Basic Auth token and the LTPA token using the implicit flow. When the property is set to false, the TAI authenticates the Basic Auth token and the LTPA token using the authorization code flow. |
provider_<id>.excludedPathFilter | You can specify a comma-separated list of URI patterns. This property does not have a default value. | Specifies a comma-separated list of regular expression patterns that are compared against the request URI to decide whether the TAI should not protect the request. This can be used to provide exceptions to the interceptedPathFilter. For example: |
provider_<id>.signVerifyAlias | This custom property does not have a default value. | Specifies the alias of the certificate in the default trust store that is used to verify the signature from the OP. On a single server, the default trust store is NodeDefaultTrustStore; otherwise, it is CellDefaultTrustStore. This property must be set if the signatureAlgorithm custom property is set to RS256 and you do not set the jwkEndpointUrl custom property to obtain the OP's JSON Web Key (JWK). |
jndiCacheName | When a dynamic cache service is enabled, a DistributedObjectCache named OIDCRPDistributedCacheMap with KEY_ENABLE_CACHE_REPLICATION=true and KEY_REPLICATION_DOMAIN=DynaCacheCluster is used. The attributes of this cache cannot be changed. | If you want to use an object cache instance with properties that differ from the default, use this property to specify a custom object cache instance that is managed by the dynamic cache service. Read Using object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for sessionCacheSize and sessionCacheCleanupFrequency are ignored. For example: |
sessionCacheSize | You can specify any integer value. By default, this property is set to the value of 10000. | Specifies the size of the internal cache the OpenID Connect RP uses. Once the cache size limit is reached, all subsequent requests to the RP are rejected with HTTP response code 503 (service unavailable). This property is only used when the dynamic cache service is not in use. |
sessionCacheCleanupFrequency | You can specify any integer value. By default, this property is set to the value of 1800. | The value of this property is in seconds and is the frequency at which stale entries in the session cache are purged. This property is only used when the dynamic cache service is not in use. |
httpOnly | You can specify one of the following values: | When this property is set to true, the httpOnly flag is set on the cookie. |
httpsRequired | You can specify one of the following values: | When this property is set to true, the OpenID Connect RP only establishes a connection with an OP that supports https communication. If this property is set to true but the scheme of the authorizeEndpointUrl, tokenEndpointUrl, or introspectEndpoint is http, the TAI fails to initialize. |
encodeParameters | You can specify one of the following values: | Specifies that the client_id and client_secret should be URL encoded before they are sent to the IdP. |
 | This custom property has a default value of text/html; charset=UTF-8. | Use this property to change the default contentType (text or html) that is set on the response. |
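As an added illustration (not WebSphere's own code), the following Python models the rules the tables above describe: grouping properties by their provider_<id> prefix, the required-property and httpsRequired initialization checks, the RS256 key-source rule (jwkEndpointUrl or signVerifyAlias), and the interceptedPathFilter/excludedPathFilter matching. The sample configuration, the hostname op.example.com, and the use of the name interceptedPathFilter (as referenced in the excludedPathFilter description) are assumptions.

```python
import re
from urllib.parse import urlparse

# Keys every provider_<id> group must carry (the required-properties table above).
REQUIRED = ("identifier", "clientId", "clientSecret", "authorizeEndpointUrl", "tokenEndpointUrl")
ENDPOINT_KEYS = ("authorizeEndpointUrl", "tokenEndpointUrl", "introspectEndpoint")

def group_providers(props):
    """Split flat TAI custom properties into {id: {key: value}} by the provider_<id>. prefix."""
    providers = {}
    for name, value in props.items():
        m = re.fullmatch(r"provider_(\d+)\.(\w+)", name)
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = value
    return providers

def validate(props):
    """Return the initialization problems found; an empty list means the TAI would start."""
    problems = []
    https_required = props.get("httpsRequired", "false").lower() == "true"
    for pid, cfg in sorted(group_providers(props).items()):
        problems += [f"provider_{pid}: missing required property {k}" for k in REQUIRED if not cfg.get(k)]
        if https_required:  # any configured endpoint whose scheme is not https stops initialization
            problems += [f"provider_{pid}: httpsRequired=true but {k} is not https"
                         for k in ENDPOINT_KEYS if cfg.get(k) and urlparse(cfg[k]).scheme != "https"]
        if cfg.get("signatureAlgorithm") == "RS256" and not (cfg.get("jwkEndpointUrl") or cfg.get("signVerifyAlias")):
            problems.append(f"provider_{pid}: RS256 needs jwkEndpointUrl or signVerifyAlias")
    return problems

def is_intercepted(cfg, request_uri):
    """interceptedPathFilter decides; excludedPathFilter carves out exceptions. Both are regex lists."""
    def matches(prop):
        patterns = [p.strip() for p in cfg.get(prop, "").split(",") if p.strip()]
        return any(re.match(p, request_uri) for p in patterns)
    return matches("interceptedPathFilter") and not matches("excludedPathFilter")

# Constructed sample configuration (hypothetical host and values, not from a real deployment).
SAMPLE = {
    "httpsRequired": "true",
    "provider_1.identifier": "corpOP",
    "provider_1.clientId": "rp-client-1",
    "provider_1.clientSecret": "example-secret",
    "provider_1.authorizeEndpointUrl": "https://op.example.com:8020/oidc/endpoint/OP/authorize",
    "provider_1.tokenEndpointUrl": "http://op.example.com:8020/oidc/endpoint/OP/token",
    "provider_1.signatureAlgorithm": "RS256",
    "provider_1.interceptedPathFilter": "/abcCompanyApps.*, /snoop",
    "provider_1.excludedPathFilter": "/abcCompanyApps/public.*",
}
```

Running validate(SAMPLE) reports the plain-http token endpoint and the missing RS256 key source, the two misconfigurations that would stop the TAI from initializing.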