Amster

OAuth2Provider

Realm Operations

Resource path:

/realm-config/services/oauth-oidc

Resource version: 1.0

create

Usage

am> create OAuth2Provider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "deviceCodeConfig" : {
      "type" : "object",
      "title" : "Device Flow",
      "propertyOrder" : 5,
      "properties" : {
        "deviceCodeLifetime" : {
          "title" : "Device Code Lifetime (seconds)",
          "description" : "The lifetime of the device code, in seconds.",
          "propertyOrder" : 390,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "devicePollInterval" : {
          "title" : "Device Polling Interval",
          "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "verificationUrl" : {
          "title" : "Verification URL",
          "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 370,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "completionUrl" : {
          "title" : "Device Completion URL",
          "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 380,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "advancedOIDCConfig" : {
      "type" : "object",
      "title" : "Advanced OpenID Connect",
      "propertyOrder" : 4,
      "properties" : {
        "supportedUserInfoEncryptionAlgorithms" : {
          "title" : "UserInfo Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 457,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterSigningAlgorithms" : {
          "title" : "Request Parameter Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 441,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultACR" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 320,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loaMapping" : {
          "title" : "OpenID Connect acr_values to Auth Chain Mapping",
          "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
          "propertyOrder" : 310,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseSigningAlgorithms" : {
          "title" : "Token Introspection Response Signing Algorithms Supported",
          "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
          "propertyOrder" : 459,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "alwaysAddClaimsToToken" : {
          "title" : "Always Return Claims in ID Tokens",
          "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
          "propertyOrder" : 360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
          "title" : "Supported Token Endpoint JWS Signing Algorithms.",
          "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
          "propertyOrder" : 444,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "claimsParameterSupported" : {
          "title" : "Enable \"claims_parameter_supported\"",
          "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
          "propertyOrder" : 250,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionEnc" : {
          "title" : "Token Introspection Response Encryption Methods Supported",
          "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 461,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "useForceAuthnForPromptLogin" : {
          "title" : "Use Force Authentication for prompt=login",
          "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>",
          "propertyOrder" : 640,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "storeOpsTokens" : {
          "title" : "Enable Session Management",
          "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
          "propertyOrder" : 410,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "includeAllKtyAlgCombinationsInJwksUri" : {
          "title" : "Include all kty and alg combinations in jwks_uri",
          "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
          "propertyOrder" : 630,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "amrMappings" : {
          "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
          "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
          "propertyOrder" : 330,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
          "title" : "Token Introspection Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 460,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionAlgorithms" : {
          "title" : "Request Parameter Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 442,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionEnc" : {
          "title" : "UserInfo Encryption Methods Supported",
          "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 458,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authorisedOpenIdConnectSSOClients" : {
          "title" : "Authorized OIDC SSO Clients",
          "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
          "propertyOrder" : 446,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jkwsURI" : {
          "title" : "Remote JSON Web Key URL",
          "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
          "propertyOrder" : 140,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedUserInfoSigningAlgorithms" : {
          "title" : "UserInfo Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 456,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionEnc" : {
          "title" : "Request Parameter Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 443,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "idTokenInfoClientAuthenticationEnabled" : {
          "title" : "Idtokeninfo Endpoint Requires Client Authentication",
          "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
          "propertyOrder" : 225,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "advancedOAuth2Config" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "macaroonTokenFormat" : {
          "title" : "Macaroon Token Format",
          "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
          "propertyOrder" : 620,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "moduleMessageEnabledInPasswordGrant" : {
          "title" : "Enable Auth Module Messages for Password Credentials Grant",
          "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
          "propertyOrder" : 440,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tlsCertificateRevocationCheckingEnabled" : {
          "title" : "Check TLS Certificate Revocation Status",
          "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
          "propertyOrder" : 615,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Client Scopes",
          "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "hashSalt" : {
          "title" : "Subject Identifier Hash Salt",
          "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
          "propertyOrder" : 260,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "displayNameAttribute" : {
          "title" : "User Display Name attribute",
          "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
          "propertyOrder" : 120,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedSubjectTypes" : {
          "title" : "Subject Types supported",
          "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
          "propertyOrder" : 150,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateHeaderFormat" : {
          "title" : "TLS Client Certificate Header Format",
          "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
          "propertyOrder" : 605,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createdTimestampAttribute" : {
          "title" : "Created Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return created timestamp values.",
          "propertyOrder" : 350,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "modifiedTimestampAttribute" : {
          "title" : "Modified Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
          "propertyOrder" : 340,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenCompressionEnabled" : {
          "title" : "Client-Based Token Compression",
          "description" : "Whether client-based access and refresh tokens should be compressed.",
          "propertyOrder" : 223,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
          "propertyOrder" : 560,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "allowedAudienceValues" : {
          "title" : "Additional Audience Values",
          "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
          "propertyOrder" : 91,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenValidatorClasses" : {
          "title" : "Token Validator Plugins",
          "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
          "propertyOrder" : 96,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationAttributes" : {
          "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
          "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderUri" : {
          "title" : "OCSP Responder URI",
          "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
          "propertyOrder" : 616,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenExchangeClasses" : {
          "title" : "Token Exchanger Plugins",
          "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
          "propertyOrder" : 95,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "customLoginUrlTemplate" : {
          "title" : "Custom Login URL Template",
          "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
          "propertyOrder" : 60,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEncryptionEnabled" : {
          "title" : "Encrypt Client-Based Tokens",
          "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
          "propertyOrder" : 242,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tokenSigningAlgorithm" : {
          "title" : "OAuth2 Token Signing Algorithm",
          "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 220,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateBoundAccessTokensEnabled" : {
          "title" : "Support TLS Certificate-Bound Access Tokens",
          "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
          "propertyOrder" : 610,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "codeVerifierEnforced" : {
          "title" : "Code Verifier Parameter Required",
          "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
          "propertyOrder" : 270,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "passwordGrantAuthService" : {
          "title" : "Password Grant Authentication Service",
          "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
          "propertyOrder" : 430,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedScopes" : {
          "title" : "Client Registration Scope Whitelist",
          "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
          "propertyOrder" : 130,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderCert" : {
          "title" : "OCSP Responder Certificate",
          "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
          "propertyOrder" : 617,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypeClasses" : {
          "title" : "Response Type Plugins",
          "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
          "propertyOrder" : 90,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateTrustedHeader" : {
          "title" : "Trusted TLS Client Certificate Header",
          "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "scopeImplementationClass" : {
          "title" : "Scope Implementation Class",
          "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
          "propertyOrder" : 70,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "consent" : {
      "type" : "object",
      "title" : "Consent",
      "propertyOrder" : 6,
      "properties" : {
        "clientsCanSkipConsent" : {
          "title" : "Allow Clients to Skip Consent",
          "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
          "propertyOrder" : 420,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "remoteConsentServiceId" : {
          "title" : "Remote Consent Service ID",
          "description" : "The ID of an existing remote consent service agent.",
          "propertyOrder" : 448,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Request Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 450,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRemoteConsent" : {
          "title" : "Enable Remote Consent",
          "description" : "",
          "propertyOrder" : 447,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsResponseSigningAlgorithms" : {
          "title" : "Remote Consent Service Response Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 452,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionMethods" : {
          "title" : "Remote Consent Service Request Encryption Methods Supported",
          "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 451,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestSigningAlgorithms" : {
          "title" : "Remote Consent Service Request Signing Algorithms Supported",
          "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 449,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "savedConsentAttribute" : {
          "title" : "Saved Consent Attribute Name",
          "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
          "propertyOrder" : 110,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionMethods" : {
          "title" : "Remote Consent Service Response Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 454,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 453,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOIDCConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 3,
      "properties" : {
        "oidcDiscoveryEndpointEnabled" : {
          "title" : "OIDC Provider Discovery",
          "description" : "Turns on and off OIDC Discovery endpoint.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedClaims" : {
          "title" : "Supported Claims",
          "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
          "propertyOrder" : 190,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenSigningAlgorithms" : {
          "title" : "ID Token Signing Algorithms supported",
          "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
          "propertyOrder" : 160,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The amount of time the JWT will be valid for, in seconds.",
          "propertyOrder" : 210,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "overrideableOIDCClaims" : {
          "title" : "Overrideable Id_Token Claims",
          "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
          "propertyOrder" : 155,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionAlgorithms" : {
          "title" : "ID Token Encryption Algorithms supported",
          "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 170,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionMethods" : {
          "title" : "ID Token Encryption Methods supported",
          "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 180,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcClaimsScript" : {
          "title" : "OIDC Claims Script",
          "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
          "propertyOrder" : 80,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2Config" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "macaroonTokensEnabled" : {
          "title" : "Use Macaroon Access and Refresh Tokens",
          "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
          "propertyOrder" : 6,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenModificationScript" : {
          "title" : "OAuth2 Access Token Modification Script",
          "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
          "propertyOrder" : 75,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenMayActScript" : {
          "title" : "OAuth2 Access Token May Act Script",
          "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 78,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "issueRefreshToken" : {
          "title" : "Issue Refresh Tokens",
          "description" : "Whether to issue a refresh token when returning an access token.",
          "propertyOrder" : 40,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
          "propertyOrder" : 20,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "usePolicyEngineForScope" : {
          "title" : "Use Policy Engine for Scope decisions",
          "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
          "propertyOrder" : 55,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "oidcMayActScript" : {
          "title" : "OIDC ID Token May Act Script",
          "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 79,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
          "propertyOrder" : 30,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "issueRefreshTokenOnRefreshedToken" : {
          "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
          "description" : "Whether to issue a refresh token when refreshing an access token.",
          "propertyOrder" : 50,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "codeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time an authorization code is valid for, in seconds.",
          "propertyOrder" : 10,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "statelessTokensEnabled" : {
          "title" : "Use Client-Based Access & Refresh Tokens",
          "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
          "propertyOrder" : 3,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "clientDynamicRegistrationConfig" : {
      "type" : "object",
      "title" : "Client Dynamic Registration",
      "propertyOrder" : 2,
      "properties" : {
        "allowDynamicRegistration" : {
          "title" : "Allow Open Dynamic Client Registration",
          "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
          "propertyOrder" : 280,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationScope" : {
          "title" : "Scope to give access to dynamic client registration",
          "description" : "Mandatory scope required when registering a new OAuth2 client.",
          "propertyOrder" : 455,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "generateRegistrationAccessTokens" : {
          "title" : "Generate Registration Access Tokens",
          "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
          "propertyOrder" : 290,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationSoftwareStatementRequired" : {
          "title" : "Require Software Statement for Dynamic Client Registration",
          "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
          "propertyOrder" : 271,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requiredSoftwareStatementAttestedAttributes" : {
          "title" : "Required Software Statement Attested Attributes",
          "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
          "propertyOrder" : 272,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "cibaConfig" : {
      "type" : "object",
      "title" : "CIBA",
      "propertyOrder" : 7,
      "properties" : {
        "supportedCibaSigningAlgorithms" : {
          "title" : "Signing Algorithms Supported",
          "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "cibaMinimumPollingInterval" : {
          "title" : "Polling Wait Interval (seconds)",
          "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "cibaAuthReqIdLifetime" : {
          "title" : "Back Channel Authentication ID Lifetime (seconds)",
          "description" : "The time back channel authentication request id is valid for, in seconds.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete OAuth2Provider --realm Realm

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName nextdescendents

read

Usage

am> read OAuth2Provider --realm Realm

update

Usage

am> update OAuth2Provider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "deviceCodeConfig" : {
      "type" : "object",
      "title" : "Device Flow",
      "propertyOrder" : 5,
      "properties" : {
        "deviceCodeLifetime" : {
          "title" : "Device Code Lifetime (seconds)",
          "description" : "The lifetime of the device code, in seconds.",
          "propertyOrder" : 390,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "devicePollInterval" : {
          "title" : "Device Polling Interval",
          "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "verificationUrl" : {
          "title" : "Verification URL",
          "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 370,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "completionUrl" : {
          "title" : "Device Completion URL",
          "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 380,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "advancedOIDCConfig" : {
      "type" : "object",
      "title" : "Advanced OpenID Connect",
      "propertyOrder" : 4,
      "properties" : {
        "supportedUserInfoEncryptionAlgorithms" : {
          "title" : "UserInfo Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 457,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterSigningAlgorithms" : {
          "title" : "Request Parameter Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 441,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultACR" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 320,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loaMapping" : {
          "title" : "OpenID Connect acr_values to Auth Chain Mapping",
          "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
          "propertyOrder" : 310,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseSigningAlgorithms" : {
          "title" : "Token Introspection Response Signing Algorithms Supported",
          "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
          "propertyOrder" : 459,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "alwaysAddClaimsToToken" : {
          "title" : "Always Return Claims in ID Tokens",
          "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
          "propertyOrder" : 360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
          "title" : "Supported Token Endpoint JWS Signing Algorithms.",
          "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
          "propertyOrder" : 444,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "claimsParameterSupported" : {
          "title" : "Enable \"claims_parameter_supported\"",
          "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
          "propertyOrder" : 250,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionEnc" : {
          "title" : "Token Introspection Response Encryption Methods Supported",
          "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 461,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "useForceAuthnForPromptLogin" : {
          "title" : "Use Force Authentication for prompt=login",
          "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>",
          "propertyOrder" : 640,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "storeOpsTokens" : {
          "title" : "Enable Session Management",
          "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
          "propertyOrder" : 410,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "includeAllKtyAlgCombinationsInJwksUri" : {
          "title" : "Include all kty and alg combinations in jwks_uri",
          "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
          "propertyOrder" : 630,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "amrMappings" : {
          "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
          "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
          "propertyOrder" : 330,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
          "title" : "Token Introspection Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 460,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionAlgorithms" : {
          "title" : "Request Parameter Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 442,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionEnc" : {
          "title" : "UserInfo Encryption Methods Supported",
          "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 458,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authorisedOpenIdConnectSSOClients" : {
          "title" : "Authorized OIDC SSO Clients",
          "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
          "propertyOrder" : 446,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jkwsURI" : {
          "title" : "Remote JSON Web Key URL",
          "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
          "propertyOrder" : 140,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedUserInfoSigningAlgorithms" : {
          "title" : "UserInfo Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 456,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionEnc" : {
          "title" : "Request Parameter Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 443,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "idTokenInfoClientAuthenticationEnabled" : {
          "title" : "Idtokeninfo Endpoint Requires Client Authentication",
          "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
          "propertyOrder" : 225,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "advancedOAuth2Config" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "macaroonTokenFormat" : {
          "title" : "Macaroon Token Format",
          "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
          "propertyOrder" : 620,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "moduleMessageEnabledInPasswordGrant" : {
          "title" : "Enable Auth Module Messages for Password Credentials Grant",
          "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
          "propertyOrder" : 440,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tlsCertificateRevocationCheckingEnabled" : {
          "title" : "Check TLS Certificate Revocation Status",
          "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
          "propertyOrder" : 615,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Client Scopes",
          "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "hashSalt" : {
          "title" : "Subject Identifier Hash Salt",
          "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
          "propertyOrder" : 260,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "displayNameAttribute" : {
          "title" : "User Display Name attribute",
          "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
          "propertyOrder" : 120,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedSubjectTypes" : {
          "title" : "Subject Types supported",
          "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
          "propertyOrder" : 150,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateHeaderFormat" : {
          "title" : "TLS Client Certificate Header Format",
          "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
          "propertyOrder" : 605,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createdTimestampAttribute" : {
          "title" : "Created Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return created timestamp values.",
          "propertyOrder" : 350,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "modifiedTimestampAttribute" : {
          "title" : "Modified Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
          "propertyOrder" : 340,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenCompressionEnabled" : {
          "title" : "Client-Based Token Compression",
          "description" : "Whether client-based access and refresh tokens should be compressed.",
          "propertyOrder" : 223,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
          "propertyOrder" : 560,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "allowedAudienceValues" : {
          "title" : "Additional Audience Values",
          "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
          "propertyOrder" : 91,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenValidatorClasses" : {
          "title" : "Token Validator Plugins",
          "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
          "propertyOrder" : 96,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationAttributes" : {
          "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
          "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderUri" : {
          "title" : "OCSP Responder URI",
          "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
          "propertyOrder" : 616,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenExchangeClasses" : {
          "title" : "Token Exchanger Plugins",
          "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
          "propertyOrder" : 95,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "customLoginUrlTemplate" : {
          "title" : "Custom Login URL Template",
          "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
          "propertyOrder" : 60,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEncryptionEnabled" : {
          "title" : "Encrypt Client-Based Tokens",
          "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
          "propertyOrder" : 242,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tokenSigningAlgorithm" : {
          "title" : "OAuth2 Token Signing Algorithm",
          "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 220,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateBoundAccessTokensEnabled" : {
          "title" : "Support TLS Certificate-Bound Access Tokens",
          "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
          "propertyOrder" : 610,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "codeVerifierEnforced" : {
          "title" : "Code Verifier Parameter Required",
          "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
          "propertyOrder" : 270,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "passwordGrantAuthService" : {
          "title" : "Password Grant Authentication Service",
          "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
          "propertyOrder" : 430,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedScopes" : {
          "title" : "Client Registration Scope Whitelist",
          "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
          "propertyOrder" : 130,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderCert" : {
          "title" : "OCSP Responder Certificate",
          "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
          "propertyOrder" : 617,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypeClasses" : {
          "title" : "Response Type Plugins",
          "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
          "propertyOrder" : 90,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateTrustedHeader" : {
          "title" : "Trusted TLS Client Certificate Header",
          "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "scopeImplementationClass" : {
          "title" : "Scope Implementation Class",
          "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
          "propertyOrder" : 70,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "consent" : {
      "type" : "object",
      "title" : "Consent",
      "propertyOrder" : 6,
      "properties" : {
        "clientsCanSkipConsent" : {
          "title" : "Allow Clients to Skip Consent",
          "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
          "propertyOrder" : 420,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "remoteConsentServiceId" : {
          "title" : "Remote Consent Service ID",
          "description" : "The ID of an existing remote consent service agent.",
          "propertyOrder" : 448,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Request Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 450,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRemoteConsent" : {
          "title" : "Enable Remote Consent",
          "description" : "",
          "propertyOrder" : 447,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsResponseSigningAlgorithms" : {
          "title" : "Remote Consent Service Response Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 452,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionMethods" : {
          "title" : "Remote Consent Service Request Encryption Methods Supported",
          "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 451,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestSigningAlgorithms" : {
          "title" : "Remote Consent Service Request Signing Algorithms Supported",
          "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 449,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "savedConsentAttribute" : {
          "title" : "Saved Consent Attribute Name",
          "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
          "propertyOrder" : 110,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionMethods" : {
          "title" : "Remote Consent Service Response Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 454,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 453,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOIDCConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 3,
      "properties" : {
        "oidcDiscoveryEndpointEnabled" : {
          "title" : "OIDC Provider Discovery",
          "description" : "Turns on and off OIDC Discovery endpoint.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedClaims" : {
          "title" : "Supported Claims",
          "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
          "propertyOrder" : 190,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenSigningAlgorithms" : {
          "title" : "ID Token Signing Algorithms supported",
          "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
          "propertyOrder" : 160,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The amount of time the JWT will be valid for, in seconds.",
          "propertyOrder" : 210,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "overrideableOIDCClaims" : {
          "title" : "Overrideable Id_Token Claims",
          "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
          "propertyOrder" : 155,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionAlgorithms" : {
          "title" : "ID Token Encryption Algorithms supported",
          "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 170,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionMethods" : {
          "title" : "ID Token Encryption Methods supported",
          "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 180,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcClaimsScript" : {
          "title" : "OIDC Claims Script",
          "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
          "propertyOrder" : 80,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2Config" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "macaroonTokensEnabled" : {
          "title" : "Use Macaroon Access and Refresh Tokens",
          "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
          "propertyOrder" : 6,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenModificationScript" : {
          "title" : "OAuth2 Access Token Modification Script",
          "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
          "propertyOrder" : 75,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenMayActScript" : {
          "title" : "OAuth2 Access Token May Act Script",
          "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 78,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "issueRefreshToken" : {
          "title" : "Issue Refresh Tokens",
          "description" : "Whether to issue a refresh token when returning an access token.",
          "propertyOrder" : 40,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
          "propertyOrder" : 20,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "usePolicyEngineForScope" : {
          "title" : "Use Policy Engine for Scope decisions",
          "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
          "propertyOrder" : 55,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "oidcMayActScript" : {
          "title" : "OIDC ID Token May Act Script",
          "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 79,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
          "propertyOrder" : 30,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "issueRefreshTokenOnRefreshedToken" : {
          "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
          "description" : "Whether to issue a refresh token when refreshing an access token.",
          "propertyOrder" : 50,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "codeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time an authorization code is valid for, in seconds.",
          "propertyOrder" : 10,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "statelessTokensEnabled" : {
          "title" : "Use Client-Based Access & Refresh Tokens",
          "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
          "propertyOrder" : 3,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "clientDynamicRegistrationConfig" : {
      "type" : "object",
      "title" : "Client Dynamic Registration",
      "propertyOrder" : 2,
      "properties" : {
        "allowDynamicRegistration" : {
          "title" : "Allow Open Dynamic Client Registration",
          "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
          "propertyOrder" : 280,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationScope" : {
          "title" : "Scope to give access to dynamic client registration",
          "description" : "Mandatory scope required when registering a new OAuth2 client.",
          "propertyOrder" : 455,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "generateRegistrationAccessTokens" : {
          "title" : "Generate Registration Access Tokens",
          "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
          "propertyOrder" : 290,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationSoftwareStatementRequired" : {
          "title" : "Require Software Statement for Dynamic Client Registration",
          "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
          "propertyOrder" : 271,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requiredSoftwareStatementAttestedAttributes" : {
          "title" : "Required Software Statement Attested Attributes",
          "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
          "propertyOrder" : 272,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "cibaConfig" : {
      "type" : "object",
      "title" : "CIBA",
      "propertyOrder" : 7,
      "properties" : {
        "supportedCibaSigningAlgorithms" : {
          "title" : "Signing Algorithms Supported",
          "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "cibaMinimumPollingInterval" : {
          "title" : "Polling Wait Interval (seconds)",
          "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "cibaAuthReqIdLifetime" : {
          "title" : "Back Channel Authentication ID Lifetime (seconds)",
          "description" : "The time back channel authentication request id is valid for, in seconds.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    }
  }
}

Global Operations

Resource path:

/global-config/services/oauth-oidc

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth2Provider --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth2Provider --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth2Provider --global --actionName nextdescendents

read

Usage

am> read OAuth2Provider --global

update

Usage

am> update OAuth2Provider --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "storageScheme" : {
      "title" : "CTS Storage Scheme",
      "description" : "Storage scheme to be used when storing OAuth2 tokens to CTS.<br><br>In order to support rolling upgrades, this should be set to the latest storage scheme supported by all OpenAM instances within your cluster. Select the latest storage scheme once all OpenAM instances in the cluster have been upgraded.<br/><br/><b>One-to-One Storage Scheme</b><br/>Under this storage scheme, each OAuth2 token maps to an individual CTS entry.<br/><i>This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.</i><br/><br/><b>Grant-Set Storage Scheme</b><br/>Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.",
      "propertyOrder" : 6,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "jwtTokenUnreasonableLifetime" : {
      "title" : "JWT Unreasonable Lifetime (seconds)",
      "description" : "Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the \"iat\" claim value is present, the token must not be older than the specified duration.",
      "propertyOrder" : 8,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "blacklistPurgeDelay" : {
      "title" : "Blacklist Purge Delay (minutes)",
      "description" : "Length of time to blacklist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.",
      "propertyOrder" : 2,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "blacklistPollInterval" : {
      "title" : "Blacklist Poll Interval (seconds)",
      "description" : "How frequently to poll for token blacklist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.",
      "propertyOrder" : 1,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "jwtTokenLifetimeValidationEnabled" : {
      "title" : "Enforce JWT Unreasonable Lifetime",
      "description" : "Enable the enforcement of JWT token unreasonable lifetime during validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.",
      "propertyOrder" : 7,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "blacklistCacheSize" : {
      "title" : "Token Blacklist Cache Size",
      "description" : "Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.",
      "propertyOrder" : 0,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "statelessGrantTokenUpgradeCompatibilityMode" : {
      "title" : "Client-Based Grant Token Upgrade Compatibility Mode",
      "description" : "Enable OpenAM to consume and create client-based OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume client-based OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.",
      "propertyOrder" : 5,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "consent" : {
          "type" : "object",
          "title" : "Consent",
          "propertyOrder" : 6,
          "properties" : {
            "savedConsentAttribute" : {
              "title" : "Saved Consent Attribute Name",
              "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
              "propertyOrder" : 110,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "supportedRcsResponseSigningAlgorithms" : {
              "title" : "Remote Consent Service Response Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 452,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "remoteConsentServiceId" : {
              "title" : "Remote Consent Service ID",
              "description" : "The ID of an existing remote consent service agent.",
              "propertyOrder" : 448,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "supportedRcsRequestSigningAlgorithms" : {
              "title" : "Remote Consent Service Request Signing Algorithms Supported",
              "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 449,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsRequestEncryptionAlgorithms" : {
              "title" : "Remote Consent Service Request Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
              "propertyOrder" : 450,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsResponseEncryptionMethods" : {
              "title" : "Remote Consent Service Response Encryption Methods Supported",
              "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 454,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsRequestEncryptionMethods" : {
              "title" : "Remote Consent Service Request Encryption Methods Supported",
              "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 451,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsResponseEncryptionAlgorithms" : {
              "title" : "Remote Consent Service Response Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
              "propertyOrder" : 453,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "enableRemoteConsent" : {
              "title" : "Enable Remote Consent",
              "description" : "",
              "propertyOrder" : 447,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "clientsCanSkipConsent" : {
              "title" : "Allow Clients to Skip Consent",
              "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
              "propertyOrder" : 420,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "clientDynamicRegistrationConfig" : {
          "type" : "object",
          "title" : "Client Dynamic Registration",
          "propertyOrder" : 2,
          "properties" : {
            "generateRegistrationAccessTokens" : {
              "title" : "Generate Registration Access Tokens",
              "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
              "propertyOrder" : 290,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "dynamicClientRegistrationScope" : {
              "title" : "Scope to give access to dynamic client registration",
              "description" : "Mandatory scope required when registering a new OAuth2 client.",
              "propertyOrder" : 455,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "allowDynamicRegistration" : {
              "title" : "Allow Open Dynamic Client Registration",
              "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
              "propertyOrder" : 280,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "dynamicClientRegistrationSoftwareStatementRequired" : {
              "title" : "Require Software Statement for Dynamic Client Registration",
              "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
              "propertyOrder" : 271,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requiredSoftwareStatementAttestedAttributes" : {
              "title" : "Required Software Statement Attested Attributes",
              "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
              "propertyOrder" : 272,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "advancedOAuth2Config" : {
          "type" : "object",
          "title" : "Advanced",
          "propertyOrder" : 1,
          "properties" : {
            "grantTypes" : {
              "title" : "Grant Types",
              "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
              "propertyOrder" : 560,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "tlsClientCertificateTrustedHeader" : {
              "title" : "Trusted TLS Client Certificate Header",
              "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
              "propertyOrder" : 600,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "authenticationAttributes" : {
              "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
              "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
              "propertyOrder" : 100,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedScopes" : {
              "title" : "Client Registration Scope Whitelist",
              "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
              "propertyOrder" : 130,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "defaultScopes" : {
              "title" : "Default Client Scopes",
              "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
              "propertyOrder" : 200,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "allowedAudienceValues" : {
              "title" : "Additional Audience Values",
              "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
              "propertyOrder" : 91,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "tokenSigningAlgorithm" : {
              "title" : "OAuth2 Token Signing Algorithm",
              "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 220,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "passwordGrantAuthService" : {
              "title" : "Password Grant Authentication Service",
              "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
              "propertyOrder" : 430,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenCompressionEnabled" : {
              "title" : "Client-Based Token Compression",
              "description" : "Whether client-based access and refresh tokens should be compressed.",
              "propertyOrder" : 223,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tlsCertificateRevocationCheckingEnabled" : {
              "title" : "Check TLS Certificate Revocation Status",
              "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
              "propertyOrder" : 615,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tlsClientCertificateHeaderFormat" : {
              "title" : "TLS Client Certificate Header Format",
              "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
              "propertyOrder" : 605,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "displayNameAttribute" : {
              "title" : "User Display Name attribute",
              "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
              "propertyOrder" : 120,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tlsOcspResponderUri" : {
              "title" : "OCSP Responder URI",
              "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
              "propertyOrder" : 616,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "supportedSubjectTypes" : {
              "title" : "Subject Types supported",
              "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
              "propertyOrder" : 150,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "tlsOcspResponderCert" : {
              "title" : "OCSP Responder Certificate",
              "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
              "propertyOrder" : 617,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "scopeImplementationClass" : {
              "title" : "Scope Implementation Class",
              "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
              "propertyOrder" : 70,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "macaroonTokenFormat" : {
              "title" : "Macaroon Token Format",
              "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
              "propertyOrder" : 620,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "moduleMessageEnabledInPasswordGrant" : {
              "title" : "Enable Auth Module Messages for Password Credentials Grant",
              "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
              "propertyOrder" : 440,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tokenExchangeClasses" : {
              "title" : "Token Exchanger Plugins",
              "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
              "propertyOrder" : 95,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "responseTypeClasses" : {
              "title" : "Response Type Plugins",
              "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
              "propertyOrder" : 90,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "createdTimestampAttribute" : {
              "title" : "Created Timestamp Attribute Name",
              "description" : "The identity Data Store attribute used to return created timestamp values.",
              "propertyOrder" : 350,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "hashSalt" : {
              "title" : "Subject Identifier Hash Salt",
              "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
              "propertyOrder" : 260,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "customLoginUrlTemplate" : {
              "title" : "Custom Login URL Template",
              "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
              "propertyOrder" : 60,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenEncryptionEnabled" : {
              "title" : "Encrypt Client-Based Tokens",
              "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
              "propertyOrder" : 242,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tlsCertificateBoundAccessTokensEnabled" : {
              "title" : "Support TLS Certificate-Bound Access Tokens",
              "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
              "propertyOrder" : 610,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "modifiedTimestampAttribute" : {
              "title" : "Modified Timestamp Attribute Name",
              "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
              "propertyOrder" : 340,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "codeVerifierEnforced" : {
              "title" : "Code Verifier Parameter Required",
              "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
              "propertyOrder" : 270,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenValidatorClasses" : {
              "title" : "Token Validator Plugins",
              "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
              "propertyOrder" : 96,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "advancedOIDCConfig" : {
          "type" : "object",
          "title" : "Advanced OpenID Connect",
          "propertyOrder" : 4,
          "properties" : {
            "storeOpsTokens" : {
              "title" : "Enable Session Management",
              "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
              "propertyOrder" : 410,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
              "title" : "Token Introspection Response Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 460,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "includeAllKtyAlgCombinationsInJwksUri" : {
              "title" : "Include all kty and alg combinations in jwks_uri",
              "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
              "propertyOrder" : 630,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "loaMapping" : {
              "title" : "OpenID Connect acr_values to Auth Chain Mapping",
              "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
              "propertyOrder" : 310,
              "required" : false,
              "patternProperties" : {
                ".*" : { }
              },
              "type" : "object",
              "exampleValue" : ""
            },
            "useForceAuthnForPromptLogin" : {
              "title" : "Use Force Authentication for prompt=login",
              "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>",
              "propertyOrder" : 640,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "alwaysAddClaimsToToken" : {
              "title" : "Always Return Claims in ID Tokens",
              "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
              "propertyOrder" : 360,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedUserInfoEncryptionAlgorithms" : {
              "title" : "UserInfo Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 457,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRequestParameterEncryptionEnc" : {
              "title" : "Request Parameter Encryption Methods Supported",
              "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 443,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseEncryptionEnc" : {
              "title" : "Token Introspection Response Encryption Methods Supported",
              "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 461,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedUserInfoSigningAlgorithms" : {
              "title" : "UserInfo Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 456,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "idTokenInfoClientAuthenticationEnabled" : {
              "title" : "Idtokeninfo Endpoint Requires Client Authentication",
              "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
              "propertyOrder" : 225,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseSigningAlgorithms" : {
              "title" : "Token Introspection Response Signing Algorithms Supported",
              "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
              "propertyOrder" : 459,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
              "title" : "Supported Token Endpoint JWS Signing Algorithms.",
              "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
              "propertyOrder" : 444,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "authorisedOpenIdConnectSSOClients" : {
              "title" : "Authorized OIDC SSO Clients",
              "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
              "propertyOrder" : 446,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRequestParameterEncryptionAlgorithms" : {
              "title" : "Request Parameter Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 442,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "defaultACR" : {
              "title" : "Default ACR values",
              "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
              "propertyOrder" : 320,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRequestParameterSigningAlgorithms" : {
              "title" : "Request Parameter Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 441,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "jkwsURI" : {
              "title" : "Remote JSON Web Key URL",
              "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
              "propertyOrder" : 140,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "supportedUserInfoEncryptionEnc" : {
              "title" : "UserInfo Encryption Methods Supported",
              "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 458,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "amrMappings" : {
              "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
              "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
              "propertyOrder" : 330,
              "required" : false,
              "patternProperties" : {
                ".*" : { }
              },
              "type" : "object",
              "exampleValue" : ""
            },
            "claimsParameterSupported" : {
              "title" : "Enable \"claims_parameter_supported\"",
              "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
              "propertyOrder" : 250,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "coreOIDCConfig" : {
          "type" : "object",
          "title" : "OpenID Connect",
          "propertyOrder" : 3,
          "properties" : {
            "supportedIDTokenEncryptionMethods" : {
              "title" : "ID Token Encryption Methods supported",
              "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 180,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "oidcClaimsScript" : {
              "title" : "OIDC Claims Script",
              "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
              "propertyOrder" : 80,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "oidcDiscoveryEndpointEnabled" : {
              "title" : "OIDC Provider Discovery",
              "description" : "Turns on and off OIDC Discovery endpoint.",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "jwtTokenLifetime" : {
              "title" : "OpenID Connect JWT Token Lifetime (seconds)",
              "description" : "The amount of time the JWT will be valid for, in seconds.",
              "propertyOrder" : 210,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "supportedIDTokenSigningAlgorithms" : {
              "title" : "ID Token Signing Algorithms supported",
              "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
              "propertyOrder" : 160,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedClaims" : {
              "title" : "Supported Claims",
              "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
              "propertyOrder" : 190,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "overrideableOIDCClaims" : {
              "title" : "Overrideable Id_Token Claims",
              "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
              "propertyOrder" : 155,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedIDTokenEncryptionAlgorithms" : {
              "title" : "ID Token Encryption Algorithms supported",
              "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 170,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "coreOAuth2Config" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : 0,
          "properties" : {
            "codeLifetime" : {
              "title" : "Authorization Code Lifetime (seconds)",
              "description" : "The time an authorization code is valid for, in seconds.",
              "propertyOrder" : 10,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "usePolicyEngineForScope" : {
              "title" : "Use Policy Engine for Scope decisions",
              "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
              "propertyOrder" : 55,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "accessTokenModificationScript" : {
              "title" : "OAuth2 Access Token Modification Script",
              "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
              "propertyOrder" : 75,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "issueRefreshTokenOnRefreshedToken" : {
              "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
              "description" : "Whether to issue a refresh token when refreshing an access token.",
              "propertyOrder" : 50,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "issueRefreshToken" : {
              "title" : "Issue Refresh Tokens",
              "description" : "Whether to issue a refresh token when returning an access token.",
              "propertyOrder" : 40,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "macaroonTokensEnabled" : {
              "title" : "Use Macaroon Access and Refresh Tokens",
              "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
              "propertyOrder" : 6,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "accessTokenLifetime" : {
              "title" : "Access Token Lifetime (seconds)",
              "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
              "propertyOrder" : 30,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "statelessTokensEnabled" : {
              "title" : "Use Client-Based Access & Refresh Tokens",
              "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
              "propertyOrder" : 3,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "refreshTokenLifetime" : {
              "title" : "Refresh Token Lifetime (seconds)",
              "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
              "propertyOrder" : 20,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "accessTokenMayActScript" : {
              "title" : "OAuth2 Access Token May Act Script",
              "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
              "propertyOrder" : 78,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "oidcMayActScript" : {
              "title" : "OIDC ID Token May Act Script",
              "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
              "propertyOrder" : 79,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "deviceCodeConfig" : {
          "type" : "object",
          "title" : "Device Flow",
          "propertyOrder" : 5,
          "properties" : {
            "devicePollInterval" : {
              "title" : "Device Polling Interval",
              "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "verificationUrl" : {
              "title" : "Verification URL",
              "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
              "propertyOrder" : 370,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "deviceCodeLifetime" : {
              "title" : "Device Code Lifetime (seconds)",
              "description" : "The lifetime of the device code, in seconds.",
              "propertyOrder" : 390,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "completionUrl" : {
              "title" : "Device Completion URL",
              "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
              "propertyOrder" : 380,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "cibaConfig" : {
          "type" : "object",
          "title" : "CIBA",
          "propertyOrder" : 7,
          "properties" : {
            "supportedCibaSigningAlgorithms" : {
              "title" : "Signing Algorithms Supported",
              "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
              "propertyOrder" : 900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "cibaAuthReqIdLifetime" : {
              "title" : "Back Channel Authentication ID Lifetime (seconds)",
              "description" : "The time back channel authentication request id is valid for, in seconds.",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "cibaMinimumPollingInterval" : {
              "title" : "Polling Wait Interval (seconds)",
              "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
Copyright © 2010-2023 ForgeRock, all rights reserved.