OAuth20

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/SocialNode

Resource version: 1.0

create

Usage

am> create OAuth20 --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "saveUserAttributesToSession" : {
      "title" : "Save Attributes in the Session",
      "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session.",
      "propertyOrder" : 1700,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "clientId" : {
      "title" : "Client ID",
      "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "authorizeEndpoint" : {
      "title" : "Authentication Endpoint URL",
      "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "redirectURI" : {
      "title" : "Redirect URL",
      "description" : "",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationIdKey" : {
      "title" : "Auth ID Key",
      "description" : "",
      "propertyOrder" : 1000,
      "type" : "string",
      "exampleValue" : ""
    },
    "provider" : {
      "title" : "Social Provider",
      "description" : "Social Provider for which this module is being setup.",
      "propertyOrder" : 900,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAccountMapperConfiguration" : {
      "title" : "Account Mapper Configuration",
      "description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
      "propertyOrder" : 1500,
      "patternProperties" : {
        ".*" : {
          "type" : "string"
        }
      },
      "type" : "object",
      "exampleValue" : ""
    },
    "cfgAttributeMappingClasses" : {
      "title" : "Attribute Mapper",
      "description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
      "propertyOrder" : 1400,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "basicAuth" : {
      "title" : "Use Basic Auth",
      "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
      "propertyOrder" : 1100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "scopeDelimiter" : {
      "title" : "Scope Delimiter",
      "description" : "Delimiter used to separate scope values. Default value is space.",
      "propertyOrder" : 700,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAttributeMappingConfiguration" : {
      "title" : "Attribute Mapper Configuration",
      "description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
      "propertyOrder" : 1600,
      "patternProperties" : {
        ".*" : {
          "type" : "string"
        }
      },
      "type" : "object",
      "exampleValue" : ""
    },
    "cfgAccountProviderClass" : {
      "title" : "Account Provider",
      "description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAccountMapperClass" : {
      "title" : "Account Mapper",
      "description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
      "propertyOrder" : 1300,
      "type" : "string",
      "exampleValue" : ""
    },
    "tokenEndpoint" : {
      "title" : "Access Token Endpoint URL",
      "description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientSecret" : {
      "title" : "Client Secret",
      "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 200,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userInfoEndpoint" : {
      "title" : "User Profile Service URL",
      "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "issuer" : {
      "title" : "Token Issuer",
      "description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
      "propertyOrder" : 1900,
      "type" : "string",
      "exampleValue" : ""
    },
    "scopeString" : {
      "title" : "OAuth Scope",
      "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgMixUpMitigation" : {
      "title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
      "description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
      "propertyOrder" : 1800,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "cfgAttributeMappingClasses", "authorizeEndpoint", "cfgAccountMapperConfiguration", "cfgAccountMapperClass", "authenticationIdKey", "redirectURI", "clientId", "scopeString", "tokenEndpoint", "provider", "cfgAccountProviderClass", "userInfoEndpoint", "cfgMixUpMitigation", "saveUserAttributesToSession", "basicAuth", "issuer", "scopeDelimiter", "cfgAttributeMappingConfiguration", "clientSecret" ]
}

delete

Usage

am> delete OAuth20 --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth20 --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth20 --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action OAuth20 --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth20 --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query OAuth20 --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read OAuth20 --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update OAuth20 --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "saveUserAttributesToSession" : {
      "title" : "Save Attributes in the Session",
      "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session.",
      "propertyOrder" : 1700,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "clientId" : {
      "title" : "Client ID",
      "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "authorizeEndpoint" : {
      "title" : "Authentication Endpoint URL",
      "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "redirectURI" : {
      "title" : "Redirect URL",
      "description" : "",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationIdKey" : {
      "title" : "Auth ID Key",
      "description" : "",
      "propertyOrder" : 1000,
      "type" : "string",
      "exampleValue" : ""
    },
    "provider" : {
      "title" : "Social Provider",
      "description" : "Social Provider for which this module is being setup.",
      "propertyOrder" : 900,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAccountMapperConfiguration" : {
      "title" : "Account Mapper Configuration",
      "description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
      "propertyOrder" : 1500,
      "patternProperties" : {
        ".*" : {
          "type" : "string"
        }
      },
      "type" : "object",
      "exampleValue" : ""
    },
    "cfgAttributeMappingClasses" : {
      "title" : "Attribute Mapper",
      "description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
      "propertyOrder" : 1400,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "basicAuth" : {
      "title" : "Use Basic Auth",
      "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
      "propertyOrder" : 1100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "scopeDelimiter" : {
      "title" : "Scope Delimiter",
      "description" : "Delimiter used to separate scope values. Default value is space.",
      "propertyOrder" : 700,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAttributeMappingConfiguration" : {
      "title" : "Attribute Mapper Configuration",
      "description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
      "propertyOrder" : 1600,
      "patternProperties" : {
        ".*" : {
          "type" : "string"
        }
      },
      "type" : "object",
      "exampleValue" : ""
    },
    "cfgAccountProviderClass" : {
      "title" : "Account Provider",
      "description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgAccountMapperClass" : {
      "title" : "Account Mapper",
      "description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
      "propertyOrder" : 1300,
      "type" : "string",
      "exampleValue" : ""
    },
    "tokenEndpoint" : {
      "title" : "Access Token Endpoint URL",
      "description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientSecret" : {
      "title" : "Client Secret",
      "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 200,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userInfoEndpoint" : {
      "title" : "User Profile Service URL",
      "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "issuer" : {
      "title" : "Token Issuer",
      "description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
      "propertyOrder" : 1900,
      "type" : "string",
      "exampleValue" : ""
    },
    "scopeString" : {
      "title" : "OAuth Scope",
      "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "cfgMixUpMitigation" : {
      "title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
      "description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
      "propertyOrder" : 1800,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "cfgAttributeMappingClasses", "authorizeEndpoint", "cfgAccountMapperConfiguration", "cfgAccountMapperClass", "authenticationIdKey", "redirectURI", "clientId", "scopeString", "tokenEndpoint", "provider", "cfgAccountProviderClass", "userInfoEndpoint", "cfgMixUpMitigation", "saveUserAttributesToSession", "basicAuth", "issuer", "scopeDelimiter", "cfgAttributeMappingConfiguration", "clientSecret" ]
}