OAuth Provider Definition (oauthProvider)

OAuth provider definition.

Name / Type / Default / Description

accessTokenCacheEnabled

boolean

true

Enable caching to save access tokens in the database and in-memory cache.

accessTokenEncoding

  • PBKDF2WithHmacSHA512

  • plain

plain

The encoding type for the stored access token. The default is set to plain, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended.

accessTokenLength

long

40

Length of the generated OAuth access token.

accessTokenLifetime

A period of time with second precision

7200

Time that access token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

allowCertAuthentication

boolean

true

Allow the authentication of a client certificate if a client certificate is included in the https request. This attribute allows client certificates to be used for authentication even if the certAuthentication attribute is set to false.

allowPublicClients

boolean

false

A value of false disables access by public clients, as detailed in the OAuth specification.

allowSpnegoAuthentication

boolean

false

Allow the authentication of an SPNEGO token in the https request.

appPasswordLifetime

A period of time with second precision

90d

Specifies the lifetime of application passwords that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

appTokenLifetime

A period of time with second precision

90d

Specifies the lifetime of application tokens that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

appTokenOrPasswordLimit

long

100

Token limit for each user and client combination.

authorizationCodeLength

long

30

Length of the generated authorization code.

authorizationCodeLifetime

A period of time with second precision

60

Authorization code lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

authorizationErrorTemplate

string

URL of a custom authorization error page template.

authorizationFormTemplate

string

template.html

URL of a custom authorization page template.

authorizationGrantLifetime

A period of time with second precision

604800

Authorization grant lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

autoAuthorize

boolean

false

If true, a client named in autoAuthorizeClient can skip the user consent form by appending the request parameter named by autoAuthorizeParam (autoauthz by default) to its authorization request with a value of true.

autoAuthorizeClient

string

Name of a client that is allowed to use auto authorization.

autoAuthorizeParam

string

autoauthz

Name of the request parameter that requests auto authorization. To use auto authorization, append this parameter to the authorization request with a value of true.

certAuthentication

boolean

false

Enable the authentication of client certificate in the https request.

characterEncoding

string

Set request character encoding to this value.

clientSecretEncoding

  • PBKDF2WithHmacSHA512

  • xor

xor

The encoding type for the stored client secret. The default is set to XOR, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended.

clientTokenCacheSize

long

Maximum number of entries in the client token cache.

clientURISubstitutions

string

Optional value to replace client URI strings for dynamic host names.

consentCacheEntryLifetime

A period of time with second precision

1800

Time that an entry in the consent cache is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

consentCacheSize

long
Min: 0

1000

Maximum number of entries allowed in the consent cache.

coverageMapSessionMaxAge

A period of time with second precision

600

The max-age value (seconds) for the cache-control header of the coverage map service. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

customLoginURL

string

login.jsp

URL of a custom login page.

filter

string

URI filter selects requests to be authorized by this provider.

grantType

string

authorization_code

An OAuth 2.0 grant type, as defined in the OAuth 2.0 specification, that the provider allows. If none is specified, all grant types are allowed. The supported values are authorization_code, client_credentials, refresh_token, password, implicit, and urn:ietf:params:oauth:grant-type:jwt-bearer.

httpsRequired

boolean

true

TLS (HTTPS) communication between the OAuth client and the provider is required.

id

string

A unique configuration ID.

includeTokenInSubject

boolean

true

If the value is true, add the com.ibm.wsspi.security.oauth20.token.WSOAuth20Token as a private credential.

internalClientId

string

The ID of an existing client that will be used to generate tokens for PersonalTokenManagement and UsersTokenManagement UI pages.

internalClientSecret

Reversibly encoded password (string)

The secret of an existing client that will be used to generate tokens for PersonalTokenManagement and UsersTokenManagement UI pages.

issueRefreshToken

boolean

true

A value of false disables generation and the use of refresh tokens.

jwtAccessToken

boolean

false

Generate a JSON Web Token, serialize it as a string, and use it in place of the access token.

libraryRef

A reference to top level library element (string).

Reference to shared library containing the mediator plugin class.

logoutRedirectURL

string

Optional URL that the client is redirected to after successfully invoking the logout endpoint. If a URL is not supplied, then a minimal default logout page is used.

mediatorClassname

string

Mediator plugin class name.

oauthOnly

boolean

true

If true, requests that match the filter must carry an access token; requests without one are rejected. If false, a matching request that carries no access token is checked for other authentication data instead.

passwordGrantRequiresAppPassword

boolean

false

When set to true, OAuth authorization flows that use the resource owner password credentials grant type must use an application password instead of the password configured for a user in the user registry. When this attribute is enabled, OAuth clients must obtain an application password from this OAuth provider to use the password grant type.

refreshTokenLength

long

50

Length of generated refresh token.

refreshedAccessTokenLimit

long

100

Maximum number of access tokens that can be created by using refresh tokens for a single OAuth client and user combination.

revokeAccessTokensWithRefreshTokens

boolean

true

A value of false disables revocation of associated access tokens when a refresh token is revoked. The default value is true.

ropcPreferUserPrincipalName

boolean

false

If the user principal name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user principal name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence.

ropcPreferUserSecurityName

boolean

false

If the user security name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user security name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence.

skipResourceOwnerValidation

boolean

false

If the value is true, skip validation of resource owner.

tokenFormat

  • jwt

  • mpjwt

  • opaque

The type of token to produce: opaque, jwt, or mpjwt. The mpjwt value is the MicroProfile JWT standardized format. The default is opaque.

trackOAuthClients

boolean

false

Track all OAuth clients that interact with this OAuth provider.

userClientTokenLimit

long

Token limit for each user and client combination.
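As an added example (not configuration from this page or from the Liberty documentation), the following server.xml fragment shows a provider that replaces the compatibility defaults the table flags (plain access tokens, XOR-obfuscated client secrets) with the recommended PBKDF2WithHmacSHA512 encodings and tightens the lifetime, grant and refresh settings. The oauth-2.0 feature name, the request-url%= filter syntax, the comma-separated grantType list, and the client element's name, secret, redirect, scope and enabled attributes are assumptions not documented on this page; everything else uses attributes from the table above.

```xml
<server>
  <featureManager>
    <!-- Assumed feature name; not listed on this page. -->
    <feature>oauth-2.0</feature>
  </featureManager>

  <!-- Compatibility defaults from the page that this provider overrides:
       accessTokenEncoding="plain"             -> PBKDF2WithHmacSHA512 (hashed at rest)
       clientSecretEncoding="xor"              -> PBKDF2WithHmacSHA512
       accessTokenLifetime="7200"              -> 15m
       authorizationGrantLifetime="604800"     -> 168h (same value, written in hours)
       refreshedAccessTokenLimit="100"         -> 20
       passwordGrantRequiresAppPassword="false"-> true
       grantType unrestricted                  -> authorization_code and refresh_token only
       The filter syntax (request-url%=) and the comma-separated grantType list
       are assumptions; the page documents grantType as a single string. -->
  <oauthProvider id="hardenedProvider"
                 filter="request-url%=/oauth2/"
                 httpsRequired="true"
                 oauthOnly="true"
                 allowPublicClients="false"
                 accessTokenEncoding="PBKDF2WithHmacSHA512"
                 clientSecretEncoding="PBKDF2WithHmacSHA512"
                 accessTokenLifetime="15m"
                 authorizationCodeLifetime="60s"
                 authorizationGrantLifetime="168h"
                 consentCacheEntryLifetime="30m"
                 issueRefreshToken="true"
                 refreshedAccessTokenLimit="20"
                 revokeAccessTokensWithRefreshTokens="true"
                 passwordGrantRequiresAppPassword="true"
                 grantType="authorization_code,refresh_token"
                 autoAuthorize="false"
                 skipResourceOwnerValidation="false"
                 tokenFormat="opaque"
                 trackOAuthClients="true">
    <localStore tokenStoreSize="2000">
      <!-- Client attributes (name, secret, redirect, scope, enabled) are
           assumed; the page's client section is truncated. The secret is a
           placeholder. With clientSecretEncoding="PBKDF2WithHmacSHA512" the
           provider stores a PBKDF2 hash of it rather than an XOR-obfuscated
           copy that can be trivially reversed. -->
      <client name="web-frontend"
              secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
              redirect="https://app.example.com/oauth/callback"
              scope="openid profile"
              enabled="true"/>
    </localStore>
  </oauthProvider>
</server>
```

The point of the two encoding attributes is what an attacker gets from a copy of the store: with plain and xor, a database dump, backup or heap dump of the token cache yields bearer tokens and client secrets that can be used directly; with PBKDF2WithHmacSHA512 it yields hashes that the provider verifies when a token or secret is presented. Because the page marks both defaults as kept for compatibility with earlier versions, check how entries already in the store are handled before switching an existing deployment rather than assuming they are re-encoded.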

oauthProvider > customStore

Clients are defined, and tokens and consents are cached in a custom OAuthStore implementation.

Name / Type / Default / Description

cleanupExpiredInterval

A period of time with second precision

3600

The interval to use for cleaning up expired tokens and consents from the custom OAuthStore implementation. The valid range is 0 to Integer.MAX_VALUE in seconds. A value of 0 indicates that no cleanup is performed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

storeId

string
Required

Specifies the OAuthStore ID to use for a custom store. The value must match the value of the oauth.store.id property that is specified for the OAuthStore implementation.

oauthProvider > databaseStore

Clients are defined and tokens are cached in the database.

Name / Type / Default / Description

cleanupExpiredTokenInterval

A period of time with second precision

3600

The interval to use for cleaning up expired tokens from the database store. The valid range is 0 to Integer.MAX_VALUE in seconds. A value of 0 indicates that no cleanup is performed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

dataSourceRef

A reference to top level dataSource element (string).

Reference to the data source for the store.

password

Reversibly encoded password (string)

Password used to access the database.

schema

string

OAuthDBSchema

Database schema that contains the store tables.

user

string

User ID used to access the database.

oauthProvider > databaseStore > dataSource

Reference to the data source for the store.

oauthProvider > databaseStore > dataSource > connectionManager

oauthProvider > databaseStore > dataSource > containerAuthData

oauthProvider > databaseStore > dataSource > identifyException

oauthProvider > databaseStore > dataSource > jaasLoginContextEntry

oauthProvider > databaseStore > dataSource > jdbcDriver

oauthProvider > databaseStore > dataSource > jdbcDriver > library

oauthProvider > databaseStore > dataSource > jdbcDriver > library > file

oauthProvider > databaseStore > dataSource > jdbcDriver > library > fileset

oauthProvider > databaseStore > dataSource > jdbcDriver > library > folder

oauthProvider > databaseStore > dataSource > properties

oauthProvider > databaseStore > dataSource > properties.datadirect.sqlserver

Data source properties for the DataDirect Connect for JDBC driver for Microsoft SQL Server.

oauthProvider > databaseStore > dataSource > properties.db2.i.native

Data source properties for the IBM DB2 for i Native JDBC driver.

oauthProvider > databaseStore > dataSource > properties.db2.i.toolbox

Data source properties for the IBM DB2 for i Toolbox JDBC driver.

oauthProvider > databaseStore > dataSource > properties.db2.jcc

Data source properties for the IBM Data Server Driver for JDBC and SQLJ for DB2.

oauthProvider > databaseStore > dataSource > properties.derby.client

Data source properties for Derby Network Client JDBC driver.

oauthProvider > databaseStore > dataSource > properties.derby.embedded

Data source properties for Derby Embedded JDBC driver.

oauthProvider > databaseStore > dataSource > properties.informix

Data source properties for the Informix JDBC driver.

oauthProvider > databaseStore > dataSource > properties.informix.jcc

Data source properties for the IBM Data Server Driver for JDBC and SQLJ for Informix.

oauthProvider > databaseStore > dataSource > properties.microsoft.sqlserver

Data source properties for Microsoft SQL Server JDBC Driver.

oauthProvider > databaseStore > dataSource > properties.oracle

Data source properties for Oracle JDBC driver.

oauthProvider > databaseStore > dataSource > properties.oracle.ucp

Data source properties for Oracle Universal Connection Pooling.

oauthProvider > databaseStore > dataSource > properties.postgresql

Data source properties for PostgreSQL JDBC driver.

oauthProvider > databaseStore > dataSource > properties.sybase

Data source properties for Sybase JDBC driver.

oauthProvider > databaseStore > dataSource > recoveryAuthData
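Added example (not the page's own configuration) of a provider that keeps clients and tokens in a database through the databaseStore element above, so that any server sharing the database can validate tokens issued by another. The oauth-2.0 and jdbc-4.2 feature names, the jndiName and connectionManager settings, the driver JAR path, and the properties.postgresql attributes serverName, portNumber and databaseName are standard Liberty data-source configuration assumed here rather than taken from this page; the database credentials use the databaseStore user and password attributes that the page documents, with a placeholder in place of a real encoded password.

```xml
<server>
  <featureManager>
    <!-- Assumed feature names; not listed on this page. -->
    <feature>oauth-2.0</feature>
    <feature>jdbc-4.2</feature>
  </featureManager>

  <!-- Driver library; the JAR path is an assumption. -->
  <library id="postgresDriverLib">
    <file name="/opt/jdbc/postgresql.jar"/>
  </library>

  <!-- The data source carries no credentials of its own here; the
       databaseStore element below supplies them, as documented on the page. -->
  <dataSource id="oauthDataSource" jndiName="jdbc/oauthStore">
    <jdbcDriver libraryRef="postgresDriverLib"/>
    <properties.postgresql serverName="db.internal.example"
                           portNumber="5432"
                           databaseName="oauthdb"/>
    <connectionManager maxPoolSize="20"/>
  </dataSource>

  <oauthProvider id="clusteredProvider"
                 httpsRequired="true"
                 accessTokenCacheEnabled="true"
                 accessTokenEncoding="PBKDF2WithHmacSHA512"
                 clientSecretEncoding="PBKDF2WithHmacSHA512"
                 accessTokenLifetime="15m">
    <!-- user/password are the store's database credentials (documented
         above). The {aes}PLACEHOLDER value stands in for a password encoded
         with the Liberty securityUtility tool; it is not a real ciphertext.
         cleanupExpiredTokenInterval="0" would disable expiry cleanup entirely,
         so keep it positive; 30m replaces the 3600-second default. -->
    <databaseStore dataSourceRef="oauthDataSource"
                   schema="OAuthDBSchema"
                   user="oauth_svc"
                   password="{aes}PLACEHOLDER"
                   cleanupExpiredTokenInterval="30m"/>
  </oauthProvider>
</server>
```

With the PBKDF2 encodings enabled the shared database holds hashed tokens and client secrets, so a compromise of the oauth_svc account exposes metadata (client IDs, scopes, expiry times) rather than usable bearer credentials; with the plain and xor defaults the same compromise hands over every live token. Grant the database account only the tables in the configured schema, and remember that accessTokenCacheEnabled keeps a copy of tokens in each server's memory as well, so the in-memory cache is part of the attack surface even when the database is locked down.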

oauthProvider > jwtGrantType

Configuration of the token handler for the JWT bearer grant type (urn:ietf:params:oauth:grant-type:jwt-bearer).

Name / Type / Default / Description

clockSkew

A period of time with second precision

300s

The time difference allowed between OpenID Connect Client and OpenID Connect Provider systems when they are not synchronized. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

iatRequired

boolean

false

If true, the iat (issued-at) claim is required in the JWT.

maxJtiCacheSize

long
Min: 1

10000

Maximum number of entries in the cache that records the jti (JWT ID) claim of accepted JWTs, which prevents a jti from being reused.

tokenMaxLifetime

A period of time with second precision

7200s

Maximum lifetime of a JWT, measured from its issued-at (iat) time; a JWT older than this is rejected. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.
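Added example (not from the page) of a provider that accepts only the JWT bearer grant and tightens the replay-protection settings documented in the jwtGrantType table above. The oauth-2.0 feature name and the client element's name, secret and enabled attributes are assumptions; the oauthProvider and jwtGrantType attributes are the ones listed on this page.

```xml
<server>
  <featureManager>
    <!-- Assumed feature name; not listed on this page. -->
    <feature>oauth-2.0</feature>
  </featureManager>

  <!-- Only the jwt-bearer grant is allowed; no refresh tokens are issued,
       so every access token must be obtained with a fresh signed assertion. -->
  <oauthProvider id="jwtBearerProvider"
                 httpsRequired="true"
                 allowPublicClients="false"
                 grantType="urn:ietf:params:oauth:grant-type:jwt-bearer"
                 issueRefreshToken="false"
                 accessTokenEncoding="PBKDF2WithHmacSHA512"
                 clientSecretEncoding="PBKDF2WithHmacSHA512"
                 accessTokenLifetime="10m">
    <!-- Page defaults: clockSkew=300s, iatRequired=false,
         maxJtiCacheSize=10000, tokenMaxLifetime=7200s.
         The values below require iat (so tokenMaxLifetime can be enforced),
         reject assertions issued more than 5 minutes ago, allow 1 minute of
         clock drift, and enlarge the jti cache so it can remember every
         assertion that could still be accepted inside that window. -->
    <jwtGrantType clockSkew="60s"
                  iatRequired="true"
                  tokenMaxLifetime="5m"
                  maxJtiCacheSize="100000"/>

    <localStore>
      <!-- Client attributes are assumed; the page's client section is
           truncated. The secret is a placeholder. -->
      <client name="batch-service"
              secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
              enabled="true"/>
    </localStore>
  </oauthProvider>
</server>
```

The three settings work together: tokenMaxLifetime bounds how long a captured assertion stays usable, iatRequired closes the gap where an assertion without iat could not be aged at all, and the jti cache is what stops a captured assertion from being replayed inside that window. Size maxJtiCacheSize above the number of assertions the provider can accept during tokenMaxLifetime plus clockSkew; a cache smaller than that cannot guarantee a replayed jti is still remembered when it arrives.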

oauthProvider > library

Reference to shared library containing the mediator plugin class.

Name / Type / Default / Description

apiTypeVisibility

string

spec,ibm-api,api,stable

The types of API packages that this class loader supports. This value is a comma-separated list of any combination of the following API packages: spec, ibm-api, api, stable, third-party.

description

string

Description of shared library for administrators

filesetRef

List of references to top level fileset elements (comma-separated string).

Id of referenced Fileset

name

string

Name of shared library for administrators

oauthProvider > library > file

Id of referenced File

oauthProvider > library > fileset

Id of referenced Fileset

oauthProvider > library > folder

Id of referenced folder

oauthProvider > localStore

Clients are defined in server.xml and tokens are cached in the server.

Name / Type / Default / Description

tokenStoreSize

long

2000

Maximum number of tokens held in the local token store.

oauthProvider > localStore > client

A unique configuration ID.