OIDC Social Login (oidcLogin)

The configuration of a social login that uses OIDC.

Name	Type	Default	Description
authFilterRef	A reference to top level authFilter element (string).		Specifies the authentication filter reference.
authorizationEndpoint	string		Specifies an Authorization end point URL.
clientId	string Required		The application or client ID.
clientSecret	Reversably encoded password (string)		The secret of the application or client.
clockSkew	int	300000	The maximum time difference in milliseconds between when a key is issued and when it can be used.
createSession	boolean	false	Specifies whether to create an HttpSession if the current HttpSession does not exist.
discoveryEndpoint	string		Specifies a discovery endpoint URL for an OpenID Connect provider.
discoveryPollingRate	A period of time with millisecond precision	300s	Rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The check is done only if an authentication failure exists. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
displayName	string	oidcLogin	The name of the social login configuration for display.
groupNameAttribute	string		The value of the claim is used as the user group membership.
hostNameVerificationEnabled	boolean	true	Specifies whether to enable host name verification when the client contacts the provider.
id	string Required		The unique ID.
isClientSideRedirectSupported	boolean	true	Specifies whether client side redirection is supported. Examples of a client include a browser or a standalone JavaScript application. If set to true, the client must support JavaScript.
issuer	string		The url of the issuer.
jwkClientId	string		Specifies the client identifier to include in the basic authentication scheme of the JWK request.
jwkClientSecret	Reversably encoded password (string)		Specifies the client password to include in the basic authentication scheme of the JWK request.
jwksUri	string		Specifies a JSON Web Key service URL.
keyAliasName	string		The alias for the private key that is used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore that is specified by the trustStoreRef attribute, the truststore that is specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute.
keyManagementKeyAlias	string		Private key alias of the key management key that is used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token.
mapToUserRegistry	boolean	false	Specifies whether to map userIdentifier to registry user.
pkceCodeChallengeMethod	S256 disabled plain	disabled	Specifies the code challenge method to use for Proof Key for Code Exchange (PKCE). When PKCE is enabled, session affinity is required because a local cache is used.
realmNameAttribute	string	iss	The value of the claim is used as the subject realm.
redirectToRPHostAndPort	string		Specifies a callback protocol, host, and port number. For example, https://myhost:8020.
responseType	code id_token token	code	Specifies the OAuth response type. code Authorization code id_token token ID token and access token
scope	string	openid profile email	Specifies required scope.
signatureAlgorithm	string	RS256	The algorithm that is used to sign a token or key.
sslRef	A reference to top level ssl element (string).		Specifies an ID of the SSL configuration that is used to connect to the social media.
tokenEndpoint	string		Specifies a token end point URL.
tokenEndpointAuthMethod	client_secret_basic client_secret_post private_key_jwt	client_secret_post	Specifies required authentication method. client_secret_basic Use the HTTP Basic authentication scheme to authenticate the client with the token endpoint of the OpenID Connect provider. client_secret_post Include the client credentials in the request body to authenticate the client with the token endpoint of the OpenID Connect provider. private_key_jwt Private key JWT client authentication.
tokenEndpointAuthSigningAlgorithm	ES256 ES384 ES512 RS256 RS384 RS512	RS256	The signature algorithm to use to sign tokens that are used for client authentication. ES256 Use the ES256 signature algorithm to sign tokens that are used for client authentication ES384 Use the ES384 signature algorithm to sign tokens that are used for client authentication ES512 Use the ES512 signature algorithm to sign tokens that are used for client authentication RS256 Use the RS256 signature algorithm to sign tokens that are used for client authentication RS384 Use the RS384 signature algorithm to sign tokens that are used for client authentication RS512 Use the RS512 signature algorithm to sign tokens that are used for client authentication
tokenRequestOriginHeader	string		Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.
trustAliasName	string		Specifies a trusted key alias for using the public key to verify the signature of the token.
useSystemPropertiesForHttpClientConnections	boolean	false	Specifies whether to use Java system properties when the OpenID Connect or OAuth client creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties.
userInfoEndpoint	string		Specifies a UserInfo end point URL.
userInfoEndpointEnabled	boolean	false	Specifies whether the User Info endpoint is contacted.
userNameAttribute	string	sub	The value of the claim is authenticated user principal.
userUniqueIdAttribute	string		The value of the claim is used as the subject uniqueId.
website	string (with whitespace trimmed off)		The website address.

Name

Type

Default

Description

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authorizationEndpoint

string

Specifies an Authorization end point URL.

clientId

string
Required

The application or client ID.

clientSecret

Reversably encoded password (string)

The secret of the application or client.

clockSkew

int

300000

The maximum time difference in milliseconds between when a key is issued and when it can be used.

createSession

boolean

false

Specifies whether to create an HttpSession if the current HttpSession does not exist.

discoveryEndpoint

string

Specifies a discovery endpoint URL for an OpenID Connect provider.

discoveryPollingRate

A period of time with millisecond precision

300s

Rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The check is done only if an authentication failure exists. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

displayName

string

oidcLogin

The name of the social login configuration for display.

groupNameAttribute

string

The value of the claim is used as the user group membership.

hostNameVerificationEnabled

boolean

true

Specifies whether to enable host name verification when the client contacts the provider.

string
Required

The unique ID.

isClientSideRedirectSupported

boolean

true

Specifies whether client side redirection is supported. Examples of a client include a browser or a standalone JavaScript application. If set to true, the client must support JavaScript.

issuer

string

The url of the issuer.

jwkClientId

string

Specifies the client identifier to include in the basic authentication scheme of the JWK request.

jwkClientSecret

Reversably encoded password (string)

Specifies the client password to include in the basic authentication scheme of the JWK request.

jwksUri

string

Specifies a JSON Web Key service URL.

keyAliasName

string

The alias for the private key that is used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore that is specified by the trustStoreRef attribute, the truststore that is specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute.

keyManagementKeyAlias

string

Private key alias of the key management key that is used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token.

mapToUserRegistry

boolean

false

Specifies whether to map userIdentifier to registry user.

pkceCodeChallengeMethod

S256
disabled
plain

disabled

Specifies the code challenge method to use for Proof Key for Code Exchange (PKCE). When PKCE is enabled, session affinity is required because a local cache is used.

realmNameAttribute

string

iss

The value of the claim is used as the subject realm.

redirectToRPHostAndPort

string

Specifies a callback protocol, host, and port number. For example, https://myhost:8020.

responseType

code
id_token token

code

Specifies the OAuth response type.
code
Authorization code
id_token token
ID token and access token

scope

string

openid profile email

Specifies required scope.

signatureAlgorithm

string

RS256

The algorithm that is used to sign a token or key.

sslRef

A reference to top level ssl element (string).

Specifies an ID of the SSL configuration that is used to connect to the social media.

tokenEndpoint

string

Specifies a token end point URL.

tokenEndpointAuthMethod

client_secret_basic
client_secret_post
private_key_jwt

client_secret_post

Specifies required authentication method.
client_secret_basic
Use the HTTP Basic authentication scheme to authenticate the client with the token endpoint of the OpenID Connect provider.
client_secret_post
Include the client credentials in the request body to authenticate the client with the token endpoint of the OpenID Connect provider.
private_key_jwt
Private key JWT client authentication.

tokenEndpointAuthSigningAlgorithm

ES256
ES384
ES512
RS256
RS384
RS512

RS256

The signature algorithm to use to sign tokens that are used for client authentication.
ES256
Use the ES256 signature algorithm to sign tokens that are used for client authentication
ES384
Use the ES384 signature algorithm to sign tokens that are used for client authentication
ES512
Use the ES512 signature algorithm to sign tokens that are used for client authentication
RS256
Use the RS256 signature algorithm to sign tokens that are used for client authentication
RS384
Use the RS384 signature algorithm to sign tokens that are used for client authentication
RS512
Use the RS512 signature algorithm to sign tokens that are used for client authentication

tokenRequestOriginHeader

string

Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.

trustAliasName

string

Specifies a trusted key alias for using the public key to verify the signature of the token.

useSystemPropertiesForHttpClientConnections

boolean

false

Specifies whether to use Java system properties when the OpenID Connect or OAuth client creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties.

userInfoEndpoint

string

Specifies a UserInfo end point URL.

userInfoEndpointEnabled

boolean

false

Specifies whether the User Info endpoint is contacted.

userNameAttribute

string

sub

The value of the claim is authenticated user principal.

userUniqueIdAttribute

string

The value of the claim is used as the subject uniqueId.

website

string (with whitespace trimmed off)

The website address.

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
ip	string		Specifies the remote host TCP/IP address.
matchType	contains equals greaterThan lessThan notContain	contains	Specifies the match type.

Name

Type

Default

Description

string

A unique configuration ID.

string

Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
urlPattern	string Required		Specifies the URL pattern. The * character is not supported to be used as a wildcard.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

Name	Type	Default	Description
agent	string Required		Specifies the browser's user agent to help identify which browser is being used.
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.

Name

Type

Default

Description

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authzParameter

Specifies custom parameters to send to the authorization endpoint of the OpenID Connect provider.

Name	Type	Description
id	string	A unique configuration ID.
name	string	Specifies the name of the additional parameter.
value	string	Specifies the value of the additional parameter.

Name

Type

Default

Description

string

A unique configuration ID.

name

string

Specifies the name of the additional parameter.

value

string

Specifies the value of the additional parameter.

jwt

Specifies the information that is used to build the JWT tokens. This information includes the JWT builder reference and the claims from the id token.

Name	Type	Default	Description
builder	string (with whitespace trimmed off)		The referenced JWT builder creates a JWT token, and the token is added to the authenticated subject.
claims	string This is specified as a child element rather than as an XML attribute (maximum occurrences 400).		Specifies a comma-separated list of claims to copy from the user information or the id token.

Name

Type

Default

Description

builder

string (with whitespace trimmed off)

The referenced JWT builder creates a JWT token, and the token is added to the authenticated subject.

claims

string
This is specified as a child element rather than as an XML attribute (maximum occurrences 400).

Specifies a comma-separated list of claims to copy from the user information or the id token.

tokenParameter

Specifies custom parameters to send to the token endpoint of the OpenID Connect provider.

Name	Type	Description
id	string	A unique configuration ID.
name	string	Specifies the name of the additional parameter.
value	string	Specifies the value of the additional parameter.

Name

Type

Default

Description

string

A unique configuration ID.

name

string

Specifies the name of the additional parameter.

value

string

Specifies the value of the additional parameter.