OpenID Connect Server Provider (openidConnectProvider)
OpenID Connect server provider
Name | Type | Default | Description |
---|---|---|---|
allowDefaultSsoCookieName | boolean | false | When this property is set to true, the default SSO cookie name, ltpaToken2, is used if a custom SSO cookie name is not configured. If a custom cookie name is configured for SSO, that cookie name is used. If a custom cookie name is not configured and this property is set to false, an auto-generated SSO cookie name will be used. |
customClaims | string | | The extra claims to be put in the payload of the ID token, in addition to the default realmName, uniqueSecurityName, and groupIds claims. |
id | string | | A unique configuration ID. |
idTokenCacheEnabled | boolean | true | Enable caching to save ID tokens in the database and in-memory cache. |
idTokenLifetime | A period of time with second precision | 2h | Time that the ID token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
issuerIdentifier | string | | Specify an issuer identifier for the issuer of the response. |
jwkEnabled | boolean | false | When JWK is enabled, the OpenID Connect provider dynamically generates key pairs for signing JWT tokens that it creates. To validate the signature, the client can retrieve the key from the JWK endpoint, which has the format https://<host_name>:<port_number>/oidc/endpoint/<provider_id>/jwk. When this attribute is false, the provider will use the key that is specified by the keyAliasName attribute to sign the JWT. The provider will still make that key available as a JWK from the JWK endpoint if this attribute is false. |
jwkRotationTime | A period of time with minute precision | 720m | Amount of time after which a new JWK will be generated. Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. You can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes. |
jwkSigningKeySize | | 2048 | Size measured in bits of the signing key. |
keyAliasName | string | | Key alias name to locate the private key for signing with an asymmetric algorithm. |
keyStoreRef | A reference to top level keyStore element (string). | opKeyStore | A keystore containing the private key necessary for signing with an asymmetric algorithm. |
oauthProviderRef | A reference to top level oauthProvider element (string). | | A reference to the ID of an OAuth provider. |
sessionManaged | boolean | false | Indicate by true or false whether session management is supported. |
signatureAlgorithm | | HS256 | Specify the signature algorithm that will be used to sign the ID token. |
trustStoreRef | A reference to top level keyStore element (string). | | A keystore containing the public key necessary for verifying a signature of the JWT token. |
Specify the user registry key for the claim.
Name | Type | Default | Description |
---|---|---|---|
address | string | postalAddress | Specify the user registry key that will be retrieved for the address claim. |
email | string | | Specify the user registry key that will be retrieved for the email claim. |
given_name | string | givenName | Specify the user registry key that will be retrieved for the given_name claim. |
id | string | | A unique configuration ID. |
name | string | displayName | Specify the user registry key that will be retrieved for the name claim. |
phone_number | string | telephoneNumber | Specify the user registry key that will be retrieved for the phone_number claim. |
picture | string | photoURL | Specify the user registry key that will be retrieved for the picture claim. |
Discovery is based on OpenID Connect and Jazz Authorization Server Profile.
Name | Type | Default | Description |
---|---|---|---|
claimsParameterSupported | boolean | false | Indicate by true or false whether the claims parameter is supported. |
claimsSupported | string | sub | Comma-separated list of the claims that are supported. |
grantTypesSupported | | authorization_code | Comma-separated list of the grant types that are supported. |
idTokenSigningAlgValuesSupported | | HS256 | Comma-separated list of the signature algorithms that can be used to sign the ID token. |
requestParameterSupported | boolean | false | Indicate by true or false whether the request parameter is supported. |
requestUriParameterSupported | boolean | false | Indicate by true or false whether the request_uri parameter is supported. |
requireRequestUriRegistration | boolean | false | Indicate by true or false whether request URI registration is required. |
responseModesSupported | | query | Comma-separated list of the response modes that are supported. |
responseTypesSupported | | code | Comma-separated list of the response types that are supported by the OP. |
scopesSupported | string | openid | Comma-separated list of the scopes that are supported. |
tokenEndpointAuthMethodsSupported | | client_secret_post | Comma-separated list of the token endpoint authentication methods that are supported. |
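The following server.xml fragment is an added example, not a sample from this page or from Liberty's own documentation; it puts the openidConnectProvider attributes and the two child tables above together. The child element names claimToUserRegistryMap and discovery are the Liberty element names for the claim-mapping and discovery tables, which this page describes but does not spell out. The ids, hostname, key alias, keystore path and registry attribute names are placeholders. The security-relevant choice it shows: the default signatureAlgorithm of HS256 is a symmetric algorithm, so the ID token is signed with a secret the client also holds; switching to RS256 requires a private key (keyStoreRef and keyAliasName) and, with jwkEnabled, publishes the public key at the JWK endpoint so relying parties can verify without any shared secret. The discovery metadata has its own idTokenSigningAlgValuesSupported default of HS256 and must be updated to match, otherwise relying parties that trust the discovery document expect the wrong algorithm.

```xml
<!-- Added example (not Liberty's own sample). Placeholders: ids, host, alias, path. -->
<openidConnectProvider id="OidcProvider"
    oauthProviderRef="OAuthProvider"
    issuerIdentifier="https://op.example.com/oidc/endpoint/OidcProvider"
    signatureAlgorithm="RS256"
    keyStoreRef="opKeyStore"
    keyAliasName="opSigningKey"
    jwkEnabled="true"
    jwkRotationTime="12h"
    jwkSigningKeySize="2048"
    idTokenLifetime="1h"
    idTokenCacheEnabled="true">

  <!-- Registry attribute (assumed LDAP names) behind each OIDC claim -->
  <claimToUserRegistryMap
      address="postalAddress"
      email="mail"
      given_name="givenName"
      name="displayName"
      phone_number="telephoneNumber" />

  <!-- Metadata served from the discovery endpoint; keep it in step with the settings above -->
  <discovery
      idTokenSigningAlgValuesSupported="RS256"
      scopesSupported="openid, profile, email"
      claimsSupported="sub, name, given_name, email"
      responseTypesSupported="code"
      responseModesSupported="query"
      grantTypesSupported="authorization_code, refresh_token"
      tokenEndpointAuthMethodsSupported="client_secret_basic, client_secret_post"
      requestParameterSupported="false" />
</openidConnectProvider>

<!-- Keystore holding the RS256 signing key; the password is read from the environment -->
<keyStore id="opKeyStore"
    location="${server.config.dir}/resources/security/op-signing.p12"
    type="PKCS12"
    password="${env.OP_KEYSTORE_PASSWORD}" />
```

With jwkEnabled set to true the provider generates and rotates its own key pair on the jwkRotationTime schedule; the key referenced by keyAliasName is then only used when jwkEnabled is false, but the keystore reference is kept so the fragment works in either mode. Clients should fetch the key set from the JWK endpoint by the kid in the token header rather than pinning one key, or the first rotation breaks verification.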
A reference to the ID of an OAuth provider.
Name | Type | Default | Description |
---|---|---|---|
accessTokenCacheEnabled | boolean | true | Enable caching to save access tokens in the database and in-memory cache. |
accessTokenEncoding | | plain | The encoding type for the stored access token. The default is set to plain, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended. |
accessTokenLength | long | 40 | Length of the generated OAuth access token. |
accessTokenLifetime | A period of time with second precision | 7200 | Time that access token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
allowCertAuthentication | boolean | true | Allow the authentication of a client certificate if a client certificate is included in the https request. This attribute allows client certificates to be used for authentication even if the certAuthentication attribute is set to false. |
allowPublicClients | boolean | false | A value of false disables the access of public clients as detailed in the OAuth specification. |
allowSpnegoAuthentication | boolean | false | Allow the authentication of an SPNEGO token in the https request. |
appPasswordLifetime | A period of time with second precision | 90d | Specifies the lifetime of application passwords that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
appTokenLifetime | A period of time with second precision | 90d | Specifies the lifetime of application tokens that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
appTokenOrPasswordLimit | long | 100 | Token limit for each user and client combination. |
authorizationCodeLength | long | 30 | Length of the generated authorization code. |
authorizationCodeLifetime | A period of time with second precision | 60 | Authorization code lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
authorizationErrorTemplate | string | | URL of a custom authorization error page template. |
authorizationFormTemplate | string | template.html | URL of a custom authorization page template. |
authorizationGrantLifetime | A period of time with second precision | 604800 | Authorization grant lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
autoAuthorize | boolean | false | Enable auto authorization, which skips the user consent step for the clients named by autoAuthorizeClient when a request carries the auto authorization parameter with a value of true. |
autoAuthorizeClient | string | | Name of a client that is allowed to use auto authorization. |
autoAuthorizeParam | string | autoauthz | Name of the request parameter that triggers auto authorization. To use auto authorization, append this parameter to requests with a value of true. |
certAuthentication | boolean | false | Enable the authentication of a client certificate in the https request. |
characterEncoding | string | | Set the request character encoding to this value. |
clientSecretEncoding | | xor | The encoding type for the stored client secret. The default is set to XOR, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended. |
clientTokenCacheSize | long | | Maximum number of entries in the client token cache. |
clientURISubstitutions | string | | Optional value to replace client URI strings for dynamic host names. |
consentCacheEntryLifetime | A period of time with second precision | 1800 | Time that an entry in the consent cache is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
consentCacheSize | long | 1000 | Maximum number of entries allowed in the consent cache. |
coverageMapSessionMaxAge | A period of time with second precision | 600 | The max-age value (seconds) for the cache-control header of the coverage map service. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
customLoginURL | string | login.jsp | URL of a custom login page. |
filter | string | | URI filter that selects the requests to be authorized by this provider. |
grantType | string | authorization_code | An OAuth 2.0 grant type, as detailed in the OAuth 2.0 specification, that is allowed for the provider. By default, all grant types are allowed. The supported values are authorization_code, client_credentials, refresh_token, password, implicit and urn:ietf:params:oauth:grant-type:jwt-bearer. |
httpsRequired | boolean | true | SSL communication between the OAuth client and provider is required. |
includeTokenInSubject | boolean | true | If the value is true, add the com.ibm.wsspi.security.oauth20.token.WSOAuth20Token as a private credential. |
internalClientId | string | | The ID of an existing client that will be used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages. |
internalClientSecret | Reversibly encoded password (string) | | The secret of an existing client that will be used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages. |
issueRefreshToken | boolean | true | A value of false disables the generation and the use of refresh tokens. |
jwtAccessToken | boolean | false | Generate a JSON Web Token, serialize it as a string, and use it in place of the opaque access token. |
libraryRef | A reference to top level library element (string). | | Reference to the shared library containing the mediator plugin class. |
logoutRedirectURL | string | | Optional URL that the client is redirected to after successfully invoking the logout endpoint. If a URL is not supplied, then a minimal default logout page is used. |
mediatorClassname | string | | Mediator plugin class name. |
oauthOnly | boolean | true | If the value is true, then requests matching the filter must have an access token or they will be failed. If false, then matching requests will be checked for other authentication data if no access token is present. |
passwordGrantRequiresAppPassword | boolean | false | When set to true, OAuth authorization flows that use the resource owner password credentials grant type must use an application password instead of the password configured for a user in the user registry. When this attribute is enabled, OAuth clients must obtain an application password from this OAuth provider to use the password grant type. |
refreshTokenLength | long | 50 | Length of generated refresh token. |
refreshedAccessTokenLimit | long | 100 | Maximum number of access tokens that can be created by using refresh tokens for a single OAuth client and user combination. |
revokeAccessTokensWithRefreshTokens | boolean | true | A value of false disables revocation of associated access tokens when a refresh token is revoked. The default value is true. |
ropcPreferUserPrincipalName | boolean | false | If the user principal name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user principal name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence. |
ropcPreferUserSecurityName | boolean | false | If the user security name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user security name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence. |
skipResourceOwnerValidation | boolean | false | If the value is true, skip validation of resource owner. |
tokenFormat | | opaque | The type of token to be produced. One of opaque, jwt, or mpjwt. mpjwt is the MicroProfile standardized format. The default is opaque. |
trackOAuthClients | boolean | false | Track all OAuth clients that interact with this OAuth provider. |
userClientTokenLimit | long | | Token limit for each user and client combination. |
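As an added example (not this page's or Liberty's own sample), here is the oauthProvider element that the openidConnectProvider references, with the settings this page flags as legacy defaults replaced. The localStore child element ("Clients are defined in server.xml and tokens are cached in the server") and the attributes of its client child are not documented on this page and are assumed here; the client name, secret variable and redirect URI are placeholders. The comment lists the default each setting replaces, taken from the table above.

```xml
<!-- Added example (not Liberty's own sample). Replaced defaults from the table:
     clientSecretEncoding=xor, accessTokenEncoding=plain, accessTokenLifetime=7200,
     authorizationGrantLifetime=604800, refreshedAccessTokenLimit=100,
     consentCacheEntryLifetime=1800, trackOAuthClients=false -->
<oauthProvider id="OAuthProvider"
    httpsRequired="true"
    allowPublicClients="false"
    clientSecretEncoding="PBKDF2WithHmacSHA512"
    accessTokenEncoding="PBKDF2WithHmacSHA512"
    tokenFormat="opaque"
    accessTokenLifetime="15m"
    authorizationCodeLifetime="60s"
    authorizationGrantLifetime="168h"
    issueRefreshToken="true"
    refreshedAccessTokenLimit="20"
    revokeAccessTokensWithRefreshTokens="true"
    consentCacheEntryLifetime="30m"
    oauthOnly="true"
    skipResourceOwnerValidation="false"
    trackOAuthClients="true">

  <!-- localStore and client are assumed element names; their attributes are not on this page -->
  <localStore>
    <client name="webapp"
        displayname="Example web application"
        secret="${env.WEBAPP_CLIENT_SECRET}"
        redirect="https://app.example.com/oidc/callback"
        scope="openid profile email"
        enabled="true" />
  </localStore>
</oauthProvider>
```

Two points worth checking after applying a fragment like this. First, clientSecretEncoding and accessTokenEncoding only affect how secrets and tokens are stored; switching them to PBKDF2WithHmacSHA512 means a stored value can no longer be reversed, which is the intent, but existing xor-encoded client secrets must be re-entered. Second, the table states that all grant types are allowed unless grantType is set, which includes password and implicit; a provider that only serves confidential web clients should restrict grantType to the flows it actually needs.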
Clients are defined, and tokens and consents are cached in a custom OAuthStore implementation.
Clients are defined and tokens are cached in the database.
Data source properties for the DataDirect Connect for JDBC driver for Microsoft SQL Server.
Data source properties for the IBM DB2 for i Native JDBC driver.
Data source properties for the IBM DB2 for i Toolbox JDBC driver.
Data source properties for the IBM Data Server Driver for JDBC and SQLJ for DB2.
Data source properties for Derby Network Client JDBC driver.
Data source properties for Derby Embedded JDBC driver.
Data source properties for the Informix JDBC driver.
Data source properties for the IBM Data Server Driver for JDBC and SQLJ for Informix.
Data source properties for Microsoft SQL Server JDBC Driver.
Data source properties for Oracle JDBC driver.
Data source properties for Oracle Universal Connection Pooling.
Data source properties for PostgreSQL JDBC driver.
Data source properties for Sybase JDBC driver.
The grant_type handler for JWT bearer tokens (urn:ietf:params:oauth:grant-type:jwt-bearer).
Reference to shared library containing the mediator plugin class.
Clients are defined in server.xml and tokens are cached in the server.
Specify the claims for the scope.
Name | Type | Default | Description |
---|---|---|---|
address | string | address | Specify a comma-separated list of claims associated with the address scope. |
email | string | email, email_verified | Specify a comma-separated list of claims associated with the email scope. |
id | string | | A unique configuration ID. |
phone | string | phone_number, phone_number_verified | Specify a comma-separated list of claims associated with the phone scope. |
profile | string | name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at | Specify a comma-separated list of claims associated with the profile scope. |