OAuth Provider Definition (oauthProvider)
OAuth provider definition.
Name | Type | Default | Description |
---|---|---|---|
accessTokenCacheEnabled | boolean | true | Enable caching to save access tokens in the database and in-memory cache. |
accessTokenEncoding | | plain | The encoding type for the stored access token. The default is plain, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended. |
accessTokenLength | long | 40 | Length of the generated OAuth access token. |
accessTokenLifetime | A period of time with second precision | 7200 | Time that access token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
allowCertAuthentication | boolean | true | Allow the authentication of a client certificate if a client certificate is included in the https request. This attribute allows client certificates to be used for authentication even if the certAuthentication attribute is set to false. |
allowPublicClients | boolean | false | A value of false disables the access of public clients as detailed in the OAuth specification. |
allowSpnegoAuthentication | boolean | false | Allow the authentication of an SPNEGO token in the https request. |
appPasswordLifetime | A period of time with second precision | 90d | Specifies the lifetime of application passwords that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
appTokenLifetime | A period of time with second precision | 90d | Specifies the lifetime of application tokens that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
appTokenOrPasswordLimit | long | 100 | Token limit for each user and client combination. |
authorizationCodeLength | long | 30 | Length of the generated authorization code. |
authorizationCodeLifetime | A period of time with second precision | 60 | Authorization code lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
authorizationErrorTemplate | string | | URL of a custom authorization error page template. |
authorizationFormTemplate | string | template.html | URL of a custom authorization page template. |
authorizationGrantLifetime | A period of time with second precision | 604800 | Authorization grant lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
autoAuthorize | boolean | false | Enables auto authorization. To use it, append the auto-authorization request parameter (see autoAuthorizeParam) to requests with a value of true. |
autoAuthorizeClient | string | | Name of a client that is allowed to use auto authorization. |
autoAuthorizeParam | string | autoauthz | Name of the request parameter that requests auto authorization. Append this parameter to requests with a value of true. |
certAuthentication | boolean | false | Enable the authentication of client certificate in the https request. |
characterEncoding | string | | Set the request character encoding to this value. |
clientSecretEncoding | | xor | The encoding type for the stored client secret. The default is xor, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended. |
clientTokenCacheSize | long | | Maximum number of entries in the client token cache. |
clientURISubstitutions | string | | Optional value to replace client URI strings for dynamic host names. |
consentCacheEntryLifetime | A period of time with second precision | 1800 | Time that an entry in the consent cache is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
consentCacheSize | long | 1000 | Maximum number of entries allowed in the consent cache. |
coverageMapSessionMaxAge | A period of time with second precision | 600 | The max-age value (seconds) for the cache-control header of the coverage map service. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
customLoginURL | string | login.jsp | URL of a custom login page. |
filter | string | | URI filter that selects the requests to be authorized by this provider. |
grantType | string | authorization_code | An OAuth 2.0 grant type, as detailed in the OAuth 2.0 specification, that is allowed for the provider. By default, all grant types are allowed. The supported values are authorization_code, client_credentials, refresh_token, password, implicit and urn:ietf:params:oauth:grant-type:jwt-bearer. |
httpsRequired | boolean | true | SSL communication between the OAuth client and provider is required. |
id | string | | A unique configuration ID. |
includeTokenInSubject | boolean | true | If the value is true, add the com.ibm.wsspi.security.oauth20.token.WSOAuth20Token as a private credential in the subject. |
internalClientId | string | | The ID of an existing client that is used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages. |
internalClientSecret | Reversibly encoded password (string) | | The secret of an existing client that is used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages. |
issueRefreshToken | boolean | true | A value of false disables generation and the use of refresh tokens. |
jwtAccessToken | boolean | false | Generate a JSON Web Token, serialize it as a string, and use it in place of the access token. |
libraryRef | A reference to a top level library element (string). | | Reference to the shared library that contains the mediator plugin class. |
logoutRedirectURL | string | | Optional URL that the client is redirected to after successfully invoking the logout endpoint. If no URL is supplied, a minimal default logout page is used. |
mediatorClassname | string | | Mediator plugin class name. |
oauthOnly | boolean | true | If the value is true, requests that match the filter must carry an access token or the request fails. If false, matching requests without an access token are checked for other authentication data. |
passwordGrantRequiresAppPassword | boolean | false | When set to true, OAuth authorization flows that use the resource owner password credentials grant type must use an application password instead of the password configured for a user in the user registry. When this attribute is enabled, OAuth clients must obtain an application password from this OAuth provider to use the password grant type. |
refreshTokenLength | long | 50 | Length of generated refresh token. |
refreshedAccessTokenLimit | long | 100 | Maximum number of access tokens that can be created by using refresh tokens for a single OAuth client and user combination. |
revokeAccessTokensWithRefreshTokens | boolean | true | A value of false disables revocation of associated access tokens when a refresh token is revoked. The default value is true. |
ropcPreferUserPrincipalName | boolean | false | If the user principal name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user principal name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence. |
ropcPreferUserSecurityName | boolean | false | If the user security name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user security name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence. |
skipResourceOwnerValidation | boolean | false | If the value is true, skip validation of resource owner. |
tokenFormat | | opaque | The type of token to be produced. One of opaque, jwt, or mpjwt. mpjwt is the MicroProfile standardized format. The default is opaque. |
trackOAuthClients | boolean | false | Track all OAuth clients that interact with this OAuth provider. |
userClientTokenLimit | long | | Token limit for each user and client combination. |
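The table above repeats the same duration syntax for every lifetime attribute and marks several settings as weak (plain access-token storage, xor client-secret storage, optional HTTPS). The following added example, which is not Open Liberty code, implements that duration syntax and audits the oauthProvider elements of a server.xml against the table's recommendations. The two embedded server.xml fragments are constructed samples, and the 7200-second threshold for accessTokenLifetime is this example's own choice (it mirrors the table default).

```python
"""Audit oauthProvider elements in a Liberty server.xml against the attribute table.

Added example, not Open Liberty code. It implements the duration syntax the table
describes (an integer followed by h, m or s, parts may be concatenated as in 1m30s;
bare integers such as 7200 are seconds, and d is accepted because the table's own
defaults use 90d) and then flags the settings the table marks as weak.
"""
import re
import xml.etree.ElementTree as ET

RECOMMENDED_ENCODING = "PBKDF2WithHmacSHA512"  # recommended by the table

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_PART = re.compile(r"(\d+)([dhms])")

# Table defaults for every attribute the audit reads, used when the attribute is absent.
DEFAULTS = {
    "accessTokenEncoding": "plain",
    "clientSecretEncoding": "xor",
    "httpsRequired": "true",
    "allowPublicClients": "false",
    "skipResourceOwnerValidation": "false",
    "revokeAccessTokensWithRefreshTokens": "true",
    "accessTokenLifetime": "7200",
}


def parse_duration(value):
    """Convert '7200', '30s', '1m30s' or '90d' to seconds; reject anything else."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    total, pos = 0, 0
    for part in _PART.finditer(value):
        if part.start() != pos:  # gap or junk between parts
            raise ValueError(f"invalid duration {value!r}")
        total += int(part.group(1)) * _UNITS[part.group(2)]
        pos = part.end()
    if pos == 0 or pos != len(value):  # nothing matched, or trailing junk
        raise ValueError(f"invalid duration {value!r}")
    return total


def _setting(elem, name):
    return elem.get(name, DEFAULTS[name]).strip()


def _is_true(elem, name):
    return _setting(elem, name).lower() == "true"


def audit_provider(elem, max_access_token_lifetime=7200):
    """Return a list of (attribute, message) findings for one oauthProvider element.

    max_access_token_lifetime is this example's own threshold; it defaults to the
    table's 7200-second default for accessTokenLifetime.
    """
    findings = []
    for attr, stored in (("accessTokenEncoding", "access tokens"),
                         ("clientSecretEncoding", "client secrets")):
        value = _setting(elem, attr)
        if value != RECOMMENDED_ENCODING:
            findings.append((attr, f"{stored} stored with {value!r}; "
                                   f"{RECOMMENDED_ENCODING} is recommended"))
    if not _is_true(elem, "httpsRequired"):
        findings.append(("httpsRequired", "tokens may travel over plain HTTP"))
    if _is_true(elem, "allowPublicClients"):
        findings.append(("allowPublicClients", "public (secret-less) clients are allowed"))
    if _is_true(elem, "skipResourceOwnerValidation"):
        findings.append(("skipResourceOwnerValidation", "resource owner is not validated"))
    if not _is_true(elem, "revokeAccessTokensWithRefreshTokens"):
        findings.append(("revokeAccessTokensWithRefreshTokens",
                         "access tokens survive revocation of their refresh token"))
    lifetime = parse_duration(_setting(elem, "accessTokenLifetime"))
    if lifetime > max_access_token_lifetime:
        findings.append(("accessTokenLifetime",
                         f"{lifetime}s exceeds the {max_access_token_lifetime}s threshold"))
    return findings


def audit_server_xml(xml_text, max_access_token_lifetime=7200):
    """Map each oauthProvider id in the document to its findings."""
    root = ET.fromstring(xml_text)
    return {p.get("id", "<no id>"): audit_provider(p, max_access_token_lifetime)
            for p in root.iter("oauthProvider")}


# Constructed sample configurations (not from any real server).
WEAK_SERVER_XML = """<server>
  <oauthProvider id="weakProvider" httpsRequired="false" accessTokenLifetime="30d"
                 allowPublicClients="true" skipResourceOwnerValidation="true"
                 revokeAccessTokensWithRefreshTokens="false"/>
</server>"""

HARDENED_SERVER_XML = """<server>
  <oauthProvider id="hardenedProvider" accessTokenEncoding="PBKDF2WithHmacSHA512"
                 clientSecretEncoding="PBKDF2WithHmacSHA512" httpsRequired="true"
                 accessTokenLifetime="1h" allowPublicClients="false"/>
</server>"""

if __name__ == "__main__":
    for sample in (WEAK_SERVER_XML, HARDENED_SERVER_XML):
        for provider_id, findings in audit_server_xml(sample).items():
            print(provider_id, "->", findings or "no findings")
```

The weak sample omits accessTokenEncoding and clientSecretEncoding on purpose: the audit falls back to the table defaults (plain and xor), so both are reported even though nothing in the file mentions them, which is the case a reviewer most easily misses.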
Clients are defined, and tokens and consents are cached in a custom OAuthStore implementation.
Name | Type | Default | Description |
---|---|---|---|
cleanupExpiredInterval | A period of time with second precision | 3600 | The interval to use for cleaning up expired tokens and consents from the custom OAuthStore implementation. The valid range is 0 to Integer.MAX_VALUE in seconds. A value of 0 indicates that no cleanup is performed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
storeId | string | | Specifies the OAuthStore ID to use for a custom store. The value must match the value of the oauth.store.id property that is specified for the OAuthStore implementation. |
Clients are defined and tokens are cached in the database.
Name | Type | Default | Description |
---|---|---|---|
cleanupExpiredTokenInterval | A period of time with second precision | 3600 | The interval to use for cleaning up expired tokens from the database store. The valid range is 0 to Integer.MAX_VALUE in seconds. A value of 0 indicates that no cleanup is performed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
dataSourceRef | A reference to a top level dataSource element (string). | | Reference to the data source for the store. |
password | Reversibly encoded password (string) | | Password used to access the database. |
schema | string | OAuthDBSchema | Database schema that holds the store tables. |
user | string | | User name used to access the database. |
The referenced dataSource element can carry data source properties for the following JDBC drivers:
- DataDirect Connect for JDBC driver for Microsoft SQL Server
- IBM DB2 for i Native JDBC driver
- IBM DB2 for i Toolbox JDBC driver
- IBM Data Server Driver for JDBC and SQLJ for DB2
- Derby Network Client JDBC driver
- Derby Embedded JDBC driver
- Informix JDBC driver
- IBM Data Server Driver for JDBC and SQLJ for Informix
- Microsoft SQL Server JDBC Driver
- Oracle JDBC driver
- Oracle Universal Connection Pooling
- PostgreSQL JDBC driver
- Sybase JDBC driver
Settings for the JWT token handler of the jwt-bearer grant type (urn:ietf:params:oauth:grant-type:jwt-bearer).
Name | Type | Default | Description |
---|---|---|---|
clockSkew | A period of time with second precision | 300s | The time difference allowed between OpenID Connect Client and OpenID Connect Provider systems when they are not synchronized. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
iatRequired | boolean | false | Require the iat (issued-at) claim in the JWT. |
maxJtiCacheSize | long | 10000 | Maximum number of entries in the cache that records the jti claims of accepted JWTs, which prevents a jti from being reused. |
tokenMaxLifetime | A period of time with second precision | 7200s | Maximum lifetime of a JWT, measured from its issued-at time. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
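The four settings in this table only make sense together: clockSkew widens every time comparison, tokenMaxLifetime bounds how old an assertion may be relative to iat, iatRequired decides whether a token without iat is accepted at all, and maxJtiCacheSize bounds the replay cache. The following added example, which is not Open Liberty code and is this example's own reading of the table rather than the product's actual rules, shows one way those checks combine for an already signature-verified set of claims; the claim dictionaries in the test are constructed inputs.

```python
"""Time and replay checks implied by the jwtGrantType settings.

Added example, not Open Liberty code. The constructor defaults mirror the table
(clockSkew 300s, iatRequired false, tokenMaxLifetime 7200s, maxJtiCacheSize 10000).
The exact rule set is this example's own interpretation of the table.
"""
from collections import OrderedDict


class JwtGrantChecker:
    def __init__(self, clock_skew=300, iat_required=False,
                 token_max_lifetime=7200, max_jti_cache_size=10000):
        self.clock_skew = clock_skew
        self.iat_required = iat_required
        self.token_max_lifetime = token_max_lifetime
        self.max_jti_cache_size = max_jti_cache_size
        # jti -> time after which the entry may be forgotten. Insertion-ordered so
        # that the oldest entry is evicted first once the cache is full.
        self._seen_jti = OrderedDict()

    def check(self, claims, now):
        """Return (accepted, reason) for signature-verified claims at time `now` (seconds)."""
        iat = claims.get("iat")
        if iat is None:
            if self.iat_required:
                return False, "iat claim is required"
        else:
            if iat > now + self.clock_skew:
                return False, "iat is in the future beyond clockSkew"
            if now - iat > self.token_max_lifetime + self.clock_skew:
                return False, "token older than tokenMaxLifetime"
        exp = claims.get("exp")
        if exp is not None and now > exp + self.clock_skew:
            return False, "token expired"
        jti = claims.get("jti")
        if jti is not None:
            self._forget_stale(now)
            if jti in self._seen_jti:
                return False, "jti already used"
            if len(self._seen_jti) >= self.max_jti_cache_size:
                # Bounded cache: the oldest jti is dropped and could be replayed.
                self._seen_jti.popitem(last=False)
            # Remember the jti for as long as the token itself could still be accepted.
            issued = iat if iat is not None else now
            self._seen_jti[jti] = issued + self.token_max_lifetime + self.clock_skew
        return True, "accepted"

    def _forget_stale(self, now):
        """Drop jti entries whose token can no longer be accepted anyway."""
        for jti, until in list(self._seen_jti.items()):
            if until < now:
                del self._seen_jti[jti]


if __name__ == "__main__":
    checker = JwtGrantChecker()
    print(checker.check({"iat": 1000, "jti": "first"}, now=1100))   # accepted
    print(checker.check({"iat": 1000, "jti": "first"}, now=1200))   # jti already used
    print(checker.check({"iat": 1000, "jti": "late"}, now=9000))    # older than tokenMaxLifetime
```

The eviction branch is the caveat worth keeping in mind when sizing maxJtiCacheSize: once the cache is full, the oldest jti is forgotten before its token has aged out, so a cache smaller than the number of assertions a provider accepts within tokenMaxLifetime (plus clockSkew) weakens replay protection.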
Reference to shared library containing the mediator plugin class.
Name | Type | Default | Description |
---|---|---|---|
apiTypeVisibility | string | spec,ibm-api,api,stable | The types of API packages that this class loader supports. This value is a comma-separated list of any combination of the following API packages: spec, ibm-api, api, stable, third-party. |
description | string | | Description of the shared library for administrators. |
filesetRef | List of references to top level fileset elements (comma-separated string). | | Id of referenced Fileset |
name | string | | Name of the shared library for administrators. |
A shared library can also contain nested references, each identified by an ID:
- Id of referenced File
- Id of referenced Fileset
- Id of referenced folder
Clients are defined in server.xml and tokens are cached in the server.
Name | Type | Default | Description |
---|---|---|---|
tokenStoreSize | long | 2000 | Size of the in-memory token store. |