OpenID Connect Server Provider (openidConnectProvider)

OpenID Connect server provider

Attributes (name, type, default, description):

allowDefaultSsoCookieName (boolean; default false)
  When this property is set to true, the default SSO cookie name, ltpaToken2, is used if a custom SSO cookie name is not configured. If a custom cookie name is configured for SSO, that cookie name is used. If a custom cookie name is not configured and this property is set to false, an auto-generated SSO cookie name is used.

customClaims (string)
  The extra claims to be put in the payload of the ID token, in addition to the default realmName, uniqueSecurityName, and groupIds claims.

id (string)
  A unique configuration ID.

idTokenCacheEnabled (boolean; default true)
  Enable caching to save ID tokens in the database and in-memory cache.

idTokenLifetime (period of time with second precision; default 2h)
  Time that the ID token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

issuerIdentifier (string)
  Specify an issuer identifier for the issuer of the response.

jwkEnabled (boolean; default false)
  When JWK is enabled, the OpenID Connect provider dynamically generates key pairs for signing the JWT tokens that it creates. To validate the signature, the client can retrieve the key from the JWK endpoint, which has the format https://<host_name>:<port_number>/oidc/endpoint/<provider_id>/jwk. When this attribute is false, the provider uses the key that is specified by the keyAliasName attribute to sign the JWT. The provider still makes that key available as a JWK from the JWK endpoint if this attribute is false.

jwkRotationTime (period of time with minute precision; default 720m)
  Amount of time after which a new JWK is generated. Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. You can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.

jwkSigningKeySize (one of 1024, 2048, 4096; default 2048)
  Size in bits of the signing key.
  • 1024: 1024 bits
  • 2048: 2048 bits
  • 4096: 4096 bits

keyAliasName (string)
  Key alias name to locate the private key for signing with an asymmetric algorithm.

keyStoreRef (reference to a top-level keyStore element, string; default opKeyStore)
  A keystore containing the private key necessary for signing with an asymmetric algorithm.

oauthProviderRef (reference to a top-level oauthProvider element, string)
  A reference to the ID of an OAuth provider.

sessionManaged (boolean; default false)
  Indicate by true or false whether session management is supported. Default is false.

signatureAlgorithm (one of HS256, RS256, none; default HS256)
  Specify the signature algorithm that will be used to sign the ID token.
  • HS256: HMAC using SHA-256 hash
  • RS256: RSASSA-PKCS-v1_5 using SHA-256 hash
  • none: No signature

trustStoreRef (reference to a top-level keyStore element, string)
  A keystore containing the public key necessary for verifying the signature of the JWT token.

openidConnectProvider > claimToUserRegistryMap

Specify the user registry key for the claim.

Attributes (name, type, default, description):

address (string; default postalAddress)
  Specify the user registry key that will be retrieved for the address claim.

email (string; default mail)
  Specify the user registry key that will be retrieved for the email claim.

given_name (string; default givenName)
  Specify the user registry key that will be retrieved for the given_name claim.

name (string; default displayName)
  Specify the user registry key that will be retrieved for the name claim.

phone_number (string; default telephoneNumber)
  Specify the user registry key that will be retrieved for the phone_number claim.

picture (string; default photoURL)
  Specify the user registry key that will be retrieved for the picture claim.

openidConnectProvider > claimToUserRegistryMap > property

A unique configuration ID.

openidConnectProvider > discovery

Discovery is based on OpenID Connect and Jazz Authorization Server Profile.

Attributes (name, type, default, description):

claimsParameterSupported (boolean; default false)
  Indicate by true or false whether the claims parameter is supported.

claimsSupported (string; default sub)
  Comma-separated list of the claims that will be supported.

grantTypesSupported (one or more of authorization_code, client_credentials, implicit, password, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer; default authorization_code)
  Comma-separated list of the grant types that will be used.

idTokenSigningAlgValuesSupported (one of HS256, RS256, none; default HS256)
  Specify the signature algorithm that will be used to sign the ID token.
  • HS256: HMAC using SHA-256 hash
  • RS256: RSASSA-PKCS-v1_5 using SHA-256 hash
  • none: No signature

requestParameterSupported (boolean; default false)
  Indicate by true or false whether the request parameter is supported.

requestUriParameterSupported (boolean; default false)
  Indicate by true or false whether the request URI parameter is supported.

requireRequestUriRegistration (boolean; default false)
  Indicate by true or false whether request URI registration is required.

responseModesSupported (one or more of form_post, fragment, query; default query)
  Comma-separated list of the response modes that will be used.

responseTypesSupported (one or more of code, id_token token, token; default code)
  Comma-separated list of the response types that will be supported by the OP.

scopesSupported (string; default openid)
  Comma-separated list of the scopes that will be supported.

tokenEndpointAuthMethodsSupported (one or more of client_secret_basic, client_secret_post, none; default client_secret_post)
  Comma-separated list of the token endpoint authentication methods that will be used.

openidConnectProvider > oauthProvider

A reference to the ID of an OAuth provider.

Attributes (name, type, default, description):

accessTokenCacheEnabled (boolean; default true)
  Enable caching to save access tokens in the database and in-memory cache.

accessTokenEncoding (one of PBKDF2WithHmacSHA512, plain; default plain)
  The encoding type for the stored access token. The default is plain, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended.

accessTokenLength (long; default 40)
  Length of the generated OAuth access token.

accessTokenLifetime (period of time with second precision; default 7200)
  Time that the access token is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

allowCertAuthentication (boolean; default true)
  Allow the authentication of a client certificate if a client certificate is included in the HTTPS request. This attribute allows client certificates to be used for authentication even if the certAuthentication attribute is set to false.

allowPublicClients (boolean; default false)
  A value of false disables the access of public clients as detailed in the OAuth specification.

allowSpnegoAuthentication (boolean; default false)
  Allow the authentication of an SPNEGO token in the HTTPS request.

appPasswordLifetime (period of time with second precision; default 90d)
  Specifies the lifetime of application passwords that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

appTokenLifetime (period of time with second precision; default 90d)
  Specifies the lifetime of application tokens that are generated by this OAuth provider. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

appTokenOrPasswordLimit (long; default 100)
  Token limit for each user and client combination.

authorizationCodeLength (long; default 30)
  Length of the generated authorization code.

authorizationCodeLifetime (period of time with second precision; default 60)
  Authorization code lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

authorizationErrorTemplate (string)
  URL of a custom authorization error page template.

authorizationFormTemplate (string; default template.html)
  URL of a custom authorization page template.

authorizationGrantLifetime (period of time with second precision; default 604800)
  Authorization grant lifetime (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

autoAuthorize (boolean; default false)
  To use auto authorization, append the autoAuthorize parameter to requests with a value of true.

autoAuthorizeClient (string)
  Name of a client that is allowed to use auto authorization.

autoAuthorizeParam (string; default autoauthz)
  To use auto authorization, append the autoAuthorize parameter to requests with a value of true.

certAuthentication (boolean; default false)
  Enable the authentication of the client certificate in the HTTPS request.

characterEncoding (string)
  Set the request character encoding to this value.

clientSecretEncoding (one of PBKDF2WithHmacSHA512, xor; default xor)
  The encoding type for the stored client secret. The default is xor, for compatibility with earlier versions. PBKDF2WithHmacSHA512 is recommended.

clientTokenCacheSize (long)
  Maximum number of entries in the client token cache.

clientURISubstitutions (string)
  Optional value to replace client URI strings for dynamic host names.

consentCacheEntryLifetime (period of time with second precision; default 1800)
  Time that an entry in the consent cache is valid (seconds). Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

consentCacheSize (long, minimum 0; default 1000)
  Maximum number of entries allowed in the consent cache.

coverageMapSessionMaxAge (period of time with second precision; default 600)
  The max-age value (seconds) for the cache-control header of the coverage map service. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.

customLoginURL (string; default login.jsp)
  URL of a custom login page.

filter (string)
  URI filter that selects the requests to be authorized by this provider.

grantType (string; default authorization_code)
  An OAuth 2.0 grant type, as detailed in the OAuth 2.0 specification, that is allowed for the provider. By default, all grant types are allowed. The supported values are authorization_code, client_credentials, refresh_token, password, implicit and urn:ietf:params:oauth:grant-type:jwt-bearer.

httpsRequired (boolean; default true)
  SSL communication between the OAuth client and provider is required.

includeTokenInSubject (boolean; default true)
  If the value is true, add the com.ibm.wsspi.security.oauth20.token.WSOAuth20Token as a private credential.

internalClientId (string)
  The ID of an existing client that will be used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages.

internalClientSecret (reversibly encoded password, string)
  The secret of an existing client that will be used to generate tokens for the PersonalTokenManagement and UsersTokenManagement UI pages.

issueRefreshToken (boolean; default true)
  A value of false disables the generation and use of refresh tokens.

jwtAccessToken (boolean; default false)
  Generate a JSON Web Token, serialize it as a string, and use it in place of the access token.

libraryRef (reference to a top-level library element, string)
  Reference to the shared library containing the mediator plugin class.

logoutRedirectURL (string)
  Optional URL that the client is redirected to after successfully invoking the logout endpoint. If a URL is not supplied, then a minimal default logout page is used.

mediatorClassname (string)
  Mediator plugin class name.

oauthOnly (boolean; default true)
  If the value is true, then requests matching the filter must have an access token or they are rejected. If false, then matching requests are checked for other authentication data if no access token is present.

passwordGrantRequiresAppPassword (boolean; default false)
  When set to true, OAuth authorization flows that use the resource owner password credentials grant type must use an application password instead of the password configured for a user in the user registry. When this attribute is enabled, OAuth clients must obtain an application password from this OAuth provider to use the password grant type.

refreshTokenLength (long; default 50)
  Length of the generated refresh token.

refreshedAccessTokenLimit (long; default 100)
  Maximum number of access tokens that can be created by using refresh tokens for a single OAuth client and user combination.

revokeAccessTokensWithRefreshTokens (boolean; default true)
  A value of false disables revocation of associated access tokens when a refresh token is revoked. The default value is true.

ropcPreferUserPrincipalName (boolean; default false)
  If the user principal name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user principal name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence.

ropcPreferUserSecurityName (boolean; default false)
  If the user security name differs from the username that is supplied in the ROPC (Resource Owner Password Credentials) request, then the username is set to the user security name for all tokens that are created by the ROPC grant type. The default is false. If both ropcPreferUserSecurityName and ropcPreferUserPrincipalName are set to true, then ropcPreferUserPrincipalName takes precedence.

skipResourceOwnerValidation (boolean; default false)
  If the value is true, skip validation of the resource owner.

tokenFormat (one of jwt, mpjwt, opaque; default opaque)
  The type of token to be produced. One of opaque, jwt, or mpjwt. mpjwt is the MicroProfile JWT standardized format. The default is opaque.

trackOAuthClients (boolean; default false)
  Track all OAuth clients that interact with this OAuth provider.

userClientTokenLimit (long)
  Token limit for each user and client combination.
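As an added example (not Liberty's own code or configuration), the following script parses a constructed server.xml fragment built from the attributes in the openidConnectProvider and oauthProvider tables above, resolves the lifetime attributes through the duration syntax those tables describe (1m30s is 90 seconds; a bare integer such as 7200 is seconds; d is accepted because the 90d defaults use it), and flags the settings the page itself marks as weak or compatibility-only: accessTokenEncoding=plain, clientSecretEncoding=xor, signatureAlgorithm=none and httpsRequired=false. The sample fragment, its attribute values and the function names are assumptions; missing attributes are evaluated at the documented defaults.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the page). It keeps the page's
# encoding defaults and uses signatureAlgorithm=none so the linter has something to flag.
SAMPLE_SERVER_XML = """<server>
  <oauthProvider id="OAuthConfigSample" httpsRequired="true"
                 accessTokenEncoding="plain" clientSecretEncoding="xor"
                 accessTokenLifetime="7200" authorizationCodeLifetime="1m30s"/>
  <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample"
                 signatureAlgorithm="none" idTokenLifetime="2h" jwkRotationTime="720m"/>
</server>"""

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
DURATION_RE = re.compile(r"(\d+)([dhms])")

def parse_duration(value: str) -> int:
    """Seconds for a Liberty duration such as '2h', '1m30s' or '90d'.
    A bare integer is treated as seconds, matching defaults such as 7200."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = DURATION_RE.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def lint(server_xml: str) -> list:
    """Return findings for settings this page flags as weak or compatibility-only.
    Missing attributes are evaluated at the page's documented defaults."""
    root = ET.fromstring(server_xml)
    findings, oauth_ids = [], set()
    for oa in root.iter("oauthProvider"):
        a, oid = oa.attrib, oa.get("id", "?")
        oauth_ids.add(oid)
        if a.get("httpsRequired", "true") != "true":
            findings.append(f"{oid}: httpsRequired=false")
        if a.get("accessTokenEncoding", "plain") == "plain":
            findings.append(f"{oid}: accessTokenEncoding=plain; use PBKDF2WithHmacSHA512")
        if a.get("clientSecretEncoding", "xor") == "xor":
            findings.append(f"{oid}: clientSecretEncoding=xor; use PBKDF2WithHmacSHA512")
    for op in root.iter("openidConnectProvider"):
        a, pid = op.attrib, op.get("id", "?")
        if a.get("signatureAlgorithm", "HS256") == "none":
            findings.append(f"{pid}: signatureAlgorithm=none; ID tokens are unsigned")
        if a.get("oauthProviderRef") not in oauth_ids:
            findings.append(f"{pid}: oauthProviderRef matches no oauthProvider id")
    return findings

def lifetimes(server_xml: str) -> dict:
    """Resolve every *Lifetime and *Time attribute to seconds, keyed by id.attribute."""
    out = {}
    for el in ET.fromstring(server_xml).iter():
        if el.tag in ("oauthProvider", "openidConnectProvider"):
            for name, raw in el.attrib.items():
                if name.endswith(("Lifetime", "Time")):
                    out[f"{el.get('id')}.{name}"] = parse_duration(raw)
    return out
```

Run lint(SAMPLE_SERVER_XML) against a copy of your own server.xml to list the attributes that still sit at the compatibility defaults; lifetimes() gives the resolved values in seconds so token and code lifetimes can be compared across providers.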

openidConnectProvider > oauthProvider > customStore

Clients are defined, and tokens and consents are cached in a custom OAuthStore implementation.

openidConnectProvider > oauthProvider > databaseStore

Clients are defined and tokens are cached in the database.

openidConnectProvider > oauthProvider > databaseStore > dataSource

openidConnectProvider > oauthProvider > databaseStore > dataSource > connectionManager

openidConnectProvider > oauthProvider > databaseStore > dataSource > containerAuthData

openidConnectProvider > oauthProvider > databaseStore > dataSource > identifyException

openidConnectProvider > oauthProvider > databaseStore > dataSource > jaasLoginContextEntry

openidConnectProvider > oauthProvider > databaseStore > dataSource > jdbcDriver

openidConnectProvider > oauthProvider > databaseStore > dataSource > jdbcDriver > library

openidConnectProvider > oauthProvider > databaseStore > dataSource > jdbcDriver > library > file

openidConnectProvider > oauthProvider > databaseStore > dataSource > jdbcDriver > library > fileset

openidConnectProvider > oauthProvider > databaseStore > dataSource > jdbcDriver > library > folder

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.datadirect.sqlserver

Data source properties for the DataDirect Connect for JDBC driver for Microsoft SQL Server.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.db2.i.native

Data source properties for the IBM DB2 for i Native JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.db2.i.toolbox

Data source properties for the IBM DB2 for i Toolbox JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.db2.jcc

Data source properties for the IBM Data Server Driver for JDBC and SQLJ for DB2.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.derby.client

Data source properties for Derby Network Client JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.derby.embedded

Data source properties for Derby Embedded JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.informix

Data source properties for the Informix JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.informix.jcc

Data source properties for the IBM Data Server Driver for JDBC and SQLJ for Informix.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.microsoft.sqlserver

Data source properties for Microsoft SQL Server JDBC Driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.oracle

Data source properties for Oracle JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.oracle.ucp

Data source properties for Oracle Universal Connection Pooling.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.postgresql

Data source properties for PostgreSQL JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > properties.sybase

Data source properties for Sybase JDBC driver.

openidConnectProvider > oauthProvider > databaseStore > dataSource > recoveryAuthData

openidConnectProvider > oauthProvider > jwtGrantType

The grant_type for the JWT token handler.

openidConnectProvider > oauthProvider > library

Reference to shared library containing the mediator plugin class.

openidConnectProvider > oauthProvider > library > file

openidConnectProvider > oauthProvider > library > fileset

openidConnectProvider > oauthProvider > library > folder

openidConnectProvider > oauthProvider > localStore

Clients are defined in server.xml and tokens are cached in the server.

openidConnectProvider > oauthProvider > localStore > client

openidConnectProvider > scopeToClaimMap

Specify the claims for the scope.

Attributes (name, type, default, description):

address (string; default address)
  Specify a comma-separated list of claims associated with the address scope.

email (string; default email, email_verified)
  Specify a comma-separated list of claims associated with the email scope.

phone (string; default phone_number, phone_number_verified)
  Specify a comma-separated list of claims associated with the phone scope.

profile (string; default name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at)
  Specify a comma-separated list of claims associated with the profile scope.

openidConnectProvider > scopeToClaimMap > property

A unique configuration ID.