OpenID Connect Client (openidConnectClient)
OpenID Connect client.
Name | Type | Default | Description |
---|---|---|---|
accessTokenCacheEnabled | boolean | true | Specifies whether authenticated subjects that are created by using a propagated access tokens are cached. |
accessTokenCacheTimeout | A period of time with millisecond precision | 5m | Specifies how long an authenticated subject that is created by using a propagated access token is cached. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
accessTokenInLtpaCookie | boolean | false | Specifies whether the LTPA token includes the access token. |
allowCustomCacheKey | boolean | true | Specifies whether a custom cache key is used to store users in an authentication cache. If this property is set to true and the cache key for a user is not found in the authentication cache, the user will be required to log in again. Set this property to false when you use the jwtSso feature to allow the security subject to be constructed directly from the jwtSso cookie. Set this property to false when you do not use the jwtSso feature to allow the security subject to be constructed directly from the user registry. If the security subject is reconstructed from the user registry, there will be no SSO components in the subject. If your LTPA cookie is used by more than one server, consider setting this property to false. If your application always requires the SSO components to be present in the subject, you must either set this property to true or use the jwtSso feature. |
audiences | string | Specifies a comma-separated list of trusted audiences that is verified against the aud claim in the JSON Web Token. | |
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
authenticationTimeLimit | A period of time with millisecond precision | 420s | Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
authnSessionDisabled | boolean | true | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request. |
authorizationEndpointUrl | string | Specifies an Authorization endpoint URL. | |
clientId | string | Identity of the client. | |
clientSecret | Reversably encoded password (string) | Secret key of the client. | |
clockSkew | A period of time with millisecond precision | 300s | Specifies the allowed clock skew in seconds when you validate the JSON Web Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
disableIssChecking | boolean | false | Require the issuer claim to be absent when the OpenID Connect client validates a JWT access token for inbound propagation or when it performs token introspection for inbound propagation. |
disableLtpaCookie | boolean | false | Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead. |
discoveryEndpointUrl | string | Specifies a discovery endpoint URL for an OpenID Connect provider. | |
discoveryPollingRate | A period of time with millisecond precision | 300s | Duration rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The checking is done only if there is an authentication failure. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
forwardLoginParameter | string | Specifies a comma-separated list of parameter names to forward to the OpenID Connect provider. If a protected resource request includes one or more of the specified parameters, the OpenID Connect client will include those parameters and their values in the authorization endpoint request to the OpenID Connect provider. | |
grantType |
| authorization_code | Specifies the grant type to use for this client. Use of the responseType attribute is preferred instead. |
groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
headerName | string | The name of the header which carries the inbound token in the request. | |
hostNameVerificationEnabled | boolean | true | Specifies whether to enable host name verification. |
httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
id | string | A unique configuration ID. | |
inboundPropagation |
| none | Controls the operation of the token inbound propagation of the OpenID relying party. |
includeIdTokenInSubject | boolean | true | Specifies whether to include ID token in the client subject. |
initialStateCacheCapacity | int | 3000 | Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself. |
isClientSideRedirectSupported | boolean | true | Set this property to false if you do not want to use JavaScript to redirect to the OpenID Connect Provider for the initial authentication request. If JavaScript is not used, any URI fragments that are present in the original inbound request are lost. |
issuerIdentifier | string | A case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. Specify multiple values as a comma separated list. | |
jwkClientId | string | Specifies the client identifier to include in the basic authentication scheme of the JWK request. | |
jwkClientSecret | Reversably encoded password (string) | Specifies the client password to include in the basic authentication scheme of the JWK request. | |
jwkEndpointUrl | string | Specifies a JWK endpoint URL. | |
jwtAccessTokenRemoteValidation |
| none | Specifies whether a JWT access token that is received for inbound propagation is validated locally by the OpenID Connect client or by using the validation method that is configured by the OpenID Connect client. |
keyAliasName | string | The alias for the private key that is used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore that is specified by the trustStoreRef attribute, the truststore that is specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute. | |
keyManagementKeyAlias | string | Private key alias of the key management key that is used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token. | |
mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. |
nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
pkceCodeChallengeMethod |
| disabled | Specifies the challenge method to use for Proof Key for Code Exchange (PKCE). When PKCE is enabled, session affinity is required because a local cache is used. |
reAuthnCushion | A period of time with millisecond precision | 0s | The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true. |
realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
realmName | string | Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false. | |
redirectJunctionPath | string | Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string. | |
redirectToRPHostAndPort | string | After authorization, the relying party will be redirected to this destination, instead of the default. The default is the origin of the relying party request. | |
resource | string | Resource parameter is included in the request. | |
responseType |
| Specifies the response requested from the provider, either an authorization code or implicit flow tokens. | |
scope | string (with whitespace trimmed off) | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
signatureAlgorithm |
| HS256 | Specifies the signature algorithm that will be used to verify the signature of the ID token. |
sslRef | A reference to top level ssl element (string). | Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider. | |
tokenEndpointAuthMethod |
| post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. |
tokenEndpointAuthSigningAlgorithm |
| RS256 | The signature algorithm to use to sign tokens that are used for client authentication. |
tokenEndpointUrl | string | Specifies a token endpoint URL. | |
tokenOrderToFetchCallerClaims |
| IDToken | Specifies token order to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client continues the search with other tokens in the list. |
tokenRequestOriginHeader | string | Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request. | |
tokenReuse | boolean | false | Specifies whether JSON Web Tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token. |
trustAliasName | string | Key alias name to locate public key for signature validation with asymmetric algorithm. | |
trustStoreRef | A reference to top level keyStore element (string). | A keystore containing the public key necessary for verifying the signature of the ID token. | |
uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
useSystemPropertiesForHttpClientConnections | boolean | false | Specifies whether to use Java system properties when the OpenID Connect client creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties. |
userIdentifier | string | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. | |
userIdentityToCreateSubject | string | sub | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. The value for this property is overridden by the value for userIdentifier, if specified. |
userInfoEndpointEnabled | boolean | false | Specifies whether the User info endpoint is contacted. |
userInfoEndpointUrl | string | Specifies a User Info endpoint URL | |
validationEndpointUrl | string | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod. | |
validationMethod |
| introspect | The method of validation on the token inbound propagation. |
authFilter
Specifies the authentication filter reference.
authFilter > cookie
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > host
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > remoteAddress
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
ip | string | Specifies the remote host TCP/IP address. | |
matchType |
| contains | Specifies the match type. |
authFilter > requestHeader
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. | |
value | string | The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains". |
authFilter > requestUrl
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
urlPattern | string | Specifies the URL pattern. The * character is not supported to be used as a wildcard. |
authFilter > userAgent
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
agent | string | Specifies the browser's user agent to help identify which browser is being used. | |
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
authFilter > webApp
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authzParameter
Specifies custom parameters to send to authorization endpoint of the OpenID Connect provider.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | Specifies name of the additional parameter. | |
value | string | Specifies value of the additional parameter. |
tokenParameter
Specifies custom parameters to send to token endpoint of the OpenID Connect provider.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | Specifies name of the additional parameter. | |
value | string | Specifies value of the additional parameter. |