OAuth2Provider

Realm Operations

Resource path:

/realm-config/services/oauth-oidc

Resource version: 1.0

create

Usage

am> create OAuth2Provider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "clientDynamicRegistrationConfig" : {
      "type" : "object",
      "title" : "Client Dynamic Registration",
      "propertyOrder" : 2,
      "properties" : {
        "dynamicClientRegistrationSoftwareStatementRequired" : {
          "title" : "Require Software Statement for Dynamic Client Registration",
          "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
          "propertyOrder" : 271,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requiredSoftwareStatementAttestedAttributes" : {
          "title" : "Required Software Statement Attested Attributes",
          "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
          "propertyOrder" : 272,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationScope" : {
          "title" : "Scope to give access to dynamic client registration",
          "description" : "Mandatory scope required when registering a new OAuth2 client.",
          "propertyOrder" : 455,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "allowDynamicRegistration" : {
          "title" : "Allow Open Dynamic Client Registration",
          "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
          "propertyOrder" : 280,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "generateRegistrationAccessTokens" : {
          "title" : "Generate Registration Access Tokens",
          "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
          "propertyOrder" : 290,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "consent" : {
      "type" : "object",
      "title" : "Consent",
      "propertyOrder" : 6,
      "properties" : {
        "supportedRcsResponseSigningAlgorithms" : {
          "title" : "Remote Consent Service Response Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 452,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "remoteConsentServiceId" : {
          "title" : "Remote Consent Service ID",
          "description" : "The ID of an existing remote consent service agent.",
          "propertyOrder" : 448,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionMethods" : {
          "title" : "Remote Consent Service Request Encryption Methods Supported",
          "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 451,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientsCanSkipConsent" : {
          "title" : "Allow Clients to Skip Consent",
          "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
          "propertyOrder" : 420,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsRequestSigningAlgorithms" : {
          "title" : "Remote Consent Service Request Signing Algorithms Supported",
          "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 449,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Request Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 450,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRemoteConsent" : {
          "title" : "Enable Remote Consent",
          "description" : "",
          "propertyOrder" : 447,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionMethods" : {
          "title" : "Remote Consent Service Response Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 454,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "savedConsentAttribute" : {
          "title" : "Saved Consent Attribute Name",
          "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
          "propertyOrder" : 110,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 453,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2Config" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "codeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time an authorization code is valid for, in seconds.",
          "propertyOrder" : 10,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "issueRefreshTokenOnRefreshedToken" : {
          "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
          "description" : "Whether to issue a refresh token when refreshing an access token.",
          "propertyOrder" : 50,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "issueRefreshToken" : {
          "title" : "Issue Refresh Tokens",
          "description" : "Whether to issue a refresh token when returning an access token.",
          "propertyOrder" : 40,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenMayActScript" : {
          "title" : "OAuth2 Access Token May Act Script",
          "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 78,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "statelessTokensEnabled" : {
          "title" : "Use Client-Based Access & Refresh Tokens",
          "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
          "propertyOrder" : 3,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenModificationScript" : {
          "title" : "OAuth2 Access Token Modification Script",
          "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
          "propertyOrder" : 75,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
          "propertyOrder" : 30,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
          "propertyOrder" : 20,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "oidcMayActScript" : {
          "title" : "OIDC ID Token May Act Script",
          "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 79,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usePolicyEngineForScope" : {
          "title" : "Use Policy Engine for Scope decisions",
          "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
          "propertyOrder" : 55,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "macaroonTokensEnabled" : {
          "title" : "Use Macaroon Access and Refresh Tokens",
          "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
          "propertyOrder" : 6,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "advancedOAuth2Config" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "tokenEncryptionEnabled" : {
          "title" : "Encrypt Client-Based Tokens",
          "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
          "propertyOrder" : 242,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "passwordGrantAuthService" : {
          "title" : "Password Grant Authentication Service",
          "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
          "propertyOrder" : 430,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedSubjectTypes" : {
          "title" : "Subject Types supported",
          "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
          "propertyOrder" : 150,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "modifiedTimestampAttribute" : {
          "title" : "Modified Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
          "propertyOrder" : 340,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "displayNameAttribute" : {
          "title" : "User Display Name attribute",
          "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
          "propertyOrder" : 120,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "moduleMessageEnabledInPasswordGrant" : {
          "title" : "Enable Auth Module Messages for Password Credentials Grant",
          "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
          "propertyOrder" : 440,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedScopes" : {
          "title" : "Client Registration Scope Whitelist",
          "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
          "propertyOrder" : 130,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateTrustedHeader" : {
          "title" : "Trusted TLS Client Certificate Header",
          "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "macaroonTokenFormat" : {
          "title" : "Macaroon Token Format",
          "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
          "propertyOrder" : 620,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createdTimestampAttribute" : {
          "title" : "Created Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return created timestamp values.",
          "propertyOrder" : 350,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateRevocationCheckingEnabled" : {
          "title" : "Check TLS Certificate Revocation Status",
          "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
          "propertyOrder" : 615,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Client Scopes",
          "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "scopeImplementationClass" : {
          "title" : "Scope Implementation Class",
          "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
          "propertyOrder" : 70,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsOcspResponderCert" : {
          "title" : "OCSP Responder Certificate",
          "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
          "propertyOrder" : 617,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "allowedAudienceValues" : {
          "title" : "Additional Audience Values",
          "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
          "propertyOrder" : 91,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "codeVerifierEnforced" : {
          "title" : "Code Verifier Parameter Required",
          "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
          "propertyOrder" : 270,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenValidatorClasses" : {
          "title" : "Token Validator Plugins",
          "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
          "propertyOrder" : 96,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenSigningAlgorithm" : {
          "title" : "OAuth2 Token Signing Algorithm",
          "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 220,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "customLoginUrlTemplate" : {
          "title" : "Custom Login URL Template",
          "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
          "propertyOrder" : 60,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypeClasses" : {
          "title" : "Response Type Plugins",
          "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
          "propertyOrder" : 90,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenCompressionEnabled" : {
          "title" : "Client-Based Token Compression",
          "description" : "Whether client-based access and refresh tokens should be compressed.",
          "propertyOrder" : 223,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "hashSalt" : {
          "title" : "Subject Identifier Hash Salt",
          "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
          "propertyOrder" : 260,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsClientCertificateHeaderFormat" : {
          "title" : "TLS Client Certificate Header Format",
          "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
          "propertyOrder" : 605,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateBoundAccessTokensEnabled" : {
          "title" : "Support TLS Certificate-Bound Access Tokens",
          "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
          "propertyOrder" : 610,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationAttributes" : {
          "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
          "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenExchangeClasses" : {
          "title" : "Token Exchanger Plugins",
          "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
          "propertyOrder" : 95,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
          "propertyOrder" : 560,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderUri" : {
          "title" : "OCSP Responder URI",
          "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
          "propertyOrder" : 616,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOIDCConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 3,
      "properties" : {
        "supportedIDTokenEncryptionMethods" : {
          "title" : "ID Token Encryption Methods supported",
          "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 180,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "overrideableOIDCClaims" : {
          "title" : "Overrideable Id_Token Claims",
          "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
          "propertyOrder" : 155,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcDiscoveryEndpointEnabled" : {
          "title" : "OIDC Provider Discovery",
          "description" : "Turns on and off OIDC Discovery endpoint.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedIDTokenSigningAlgorithms" : {
          "title" : "ID Token Signing Algorithms supported",
          "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
          "propertyOrder" : 160,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The amount of time the JWT will be valid for, in seconds.",
          "propertyOrder" : 210,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "supportedClaims" : {
          "title" : "Supported Claims",
          "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
          "propertyOrder" : 190,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcClaimsScript" : {
          "title" : "OIDC Claims Script",
          "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
          "propertyOrder" : 80,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionAlgorithms" : {
          "title" : "ID Token Encryption Algorithms supported",
          "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 170,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "deviceCodeConfig" : {
      "type" : "object",
      "title" : "Device Flow",
      "propertyOrder" : 5,
      "properties" : {
        "deviceCodeLifetime" : {
          "title" : "Device Code Lifetime (seconds)",
          "description" : "The lifetime of the device code, in seconds.",
          "propertyOrder" : 390,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "devicePollInterval" : {
          "title" : "Device Polling Interval",
          "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "verificationUrl" : {
          "title" : "Verification URL",
          "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 370,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "completionUrl" : {
          "title" : "Device Completion URL",
          "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 380,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "advancedOIDCConfig" : {
      "type" : "object",
      "title" : "Advanced OpenID Connect",
      "propertyOrder" : 4,
      "properties" : {
        "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
          "title" : "Token Introspection Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 460,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "claimsParameterSupported" : {
          "title" : "Enable \"claims_parameter_supported\"",
          "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
          "propertyOrder" : 250,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionEnc" : {
          "title" : "UserInfo Encryption Methods Supported",
          "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 458,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "amrMappings" : {
          "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
          "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
          "propertyOrder" : 330,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionAlgorithms" : {
          "title" : "UserInfo Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 457,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "alwaysAddClaimsToToken" : {
          "title" : "Always Return Claims in ID Tokens",
          "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
          "propertyOrder" : 360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedUserInfoSigningAlgorithms" : {
          "title" : "UserInfo Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 456,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "idTokenInfoClientAuthenticationEnabled" : {
          "title" : "Idtokeninfo Endpoint Requires Client Authentication",
          "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
          "propertyOrder" : 225,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
          "title" : "Supported Token Endpoint JWS Signing Algorithms.",
          "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
          "propertyOrder" : 444,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterSigningAlgorithms" : {
          "title" : "Request Parameter Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 441,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authorisedOpenIdConnectSSOClients" : {
          "title" : "Authorized OIDC SSO Clients",
          "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
          "propertyOrder" : 446,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jkwsURI" : {
          "title" : "Remote JSON Web Key URL",
          "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
          "propertyOrder" : 140,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "storeOpsTokens" : {
          "title" : "Enable Session Management",
          "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
          "propertyOrder" : 410,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultACR" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 320,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "includeAllKtyAlgCombinationsInJwksUri" : {
          "title" : "Include all kty and alg combinations in jwks_uri",
          "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
          "propertyOrder" : 630,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "loaMapping" : {
          "title" : "OpenID Connect acr_values to Auth Chain Mapping",
          "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
          "propertyOrder" : 310,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionAlgorithms" : {
          "title" : "Request Parameter Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 442,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionEnc" : {
          "title" : "Request Parameter Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 443,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseSigningAlgorithms" : {
          "title" : "Token Introspection Response Signing Algorithms Supported",
          "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
          "propertyOrder" : 459,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionEnc" : {
          "title" : "Token Introspection Response Encryption Methods Supported",
          "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 461,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "cibaConfig" : {
      "type" : "object",
      "title" : "CIBA",
      "propertyOrder" : 7,
      "properties" : {
        "supportedCibaSigningAlgorithms" : {
          "title" : "Signing Algorithms Supported",
          "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "cibaAuthReqIdLifetime" : {
          "title" : "Back Channel Authentication ID Lifetime (seconds)",
          "description" : "The time back channel authentication request id is valid for, in seconds.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "cibaMinimumPollingInterval" : {
          "title" : "Polling Wait Interval (seconds)",
          "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete OAuth2Provider --realm Realm

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth2Provider --realm Realm --actionName nextdescendents

read

Usage

am> read OAuth2Provider --realm Realm

update

Usage

am> update OAuth2Provider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "clientDynamicRegistrationConfig" : {
      "type" : "object",
      "title" : "Client Dynamic Registration",
      "propertyOrder" : 2,
      "properties" : {
        "dynamicClientRegistrationSoftwareStatementRequired" : {
          "title" : "Require Software Statement for Dynamic Client Registration",
          "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
          "propertyOrder" : 271,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requiredSoftwareStatementAttestedAttributes" : {
          "title" : "Required Software Statement Attested Attributes",
          "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
          "propertyOrder" : 272,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "dynamicClientRegistrationScope" : {
          "title" : "Scope to give access to dynamic client registration",
          "description" : "Mandatory scope required when registering a new OAuth2 client.",
          "propertyOrder" : 455,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "allowDynamicRegistration" : {
          "title" : "Allow Open Dynamic Client Registration",
          "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
          "propertyOrder" : 280,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "generateRegistrationAccessTokens" : {
          "title" : "Generate Registration Access Tokens",
          "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
          "propertyOrder" : 290,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "consent" : {
      "type" : "object",
      "title" : "Consent",
      "propertyOrder" : 6,
      "properties" : {
        "supportedRcsResponseSigningAlgorithms" : {
          "title" : "Remote Consent Service Response Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 452,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "remoteConsentServiceId" : {
          "title" : "Remote Consent Service ID",
          "description" : "The ID of an existing remote consent service agent.",
          "propertyOrder" : 448,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionMethods" : {
          "title" : "Remote Consent Service Request Encryption Methods Supported",
          "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 451,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientsCanSkipConsent" : {
          "title" : "Allow Clients to Skip Consent",
          "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
          "propertyOrder" : 420,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsRequestSigningAlgorithms" : {
          "title" : "Remote Consent Service Request Signing Algorithms Supported",
          "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 449,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRcsRequestEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Request Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 450,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRemoteConsent" : {
          "title" : "Enable Remote Consent",
          "description" : "",
          "propertyOrder" : 447,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionMethods" : {
          "title" : "Remote Consent Service Response Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 454,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "savedConsentAttribute" : {
          "title" : "Saved Consent Attribute Name",
          "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
          "propertyOrder" : 110,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedRcsResponseEncryptionAlgorithms" : {
          "title" : "Remote Consent Service Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
          "propertyOrder" : 453,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2Config" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "codeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time an authorization code is valid for, in seconds.",
          "propertyOrder" : 10,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "issueRefreshTokenOnRefreshedToken" : {
          "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
          "description" : "Whether to issue a refresh token when refreshing an access token.",
          "propertyOrder" : 50,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "issueRefreshToken" : {
          "title" : "Issue Refresh Tokens",
          "description" : "Whether to issue a refresh token when returning an access token.",
          "propertyOrder" : 40,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenMayActScript" : {
          "title" : "OAuth2 Access Token May Act Script",
          "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 78,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "statelessTokensEnabled" : {
          "title" : "Use Client-Based Access & Refresh Tokens",
          "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
          "propertyOrder" : 3,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accessTokenModificationScript" : {
          "title" : "OAuth2 Access Token Modification Script",
          "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
          "propertyOrder" : 75,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
          "propertyOrder" : 30,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
          "propertyOrder" : 20,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "oidcMayActScript" : {
          "title" : "OIDC ID Token May Act Script",
          "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
          "propertyOrder" : 79,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usePolicyEngineForScope" : {
          "title" : "Use Policy Engine for Scope decisions",
          "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
          "propertyOrder" : 55,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "macaroonTokensEnabled" : {
          "title" : "Use Macaroon Access and Refresh Tokens",
          "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
          "propertyOrder" : 6,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "advancedOAuth2Config" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "tokenEncryptionEnabled" : {
          "title" : "Encrypt Client-Based Tokens",
          "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
          "propertyOrder" : 242,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "passwordGrantAuthService" : {
          "title" : "Password Grant Authentication Service",
          "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
          "propertyOrder" : 430,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedSubjectTypes" : {
          "title" : "Subject Types supported",
          "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
          "propertyOrder" : 150,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "modifiedTimestampAttribute" : {
          "title" : "Modified Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
          "propertyOrder" : 340,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "displayNameAttribute" : {
          "title" : "User Display Name attribute",
          "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
          "propertyOrder" : 120,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "moduleMessageEnabledInPasswordGrant" : {
          "title" : "Enable Auth Module Messages for Password Credentials Grant",
          "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
          "propertyOrder" : 440,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedScopes" : {
          "title" : "Client Registration Scope Whitelist",
          "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
          "propertyOrder" : 130,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsClientCertificateTrustedHeader" : {
          "title" : "Trusted TLS Client Certificate Header",
          "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "macaroonTokenFormat" : {
          "title" : "Macaroon Token Format",
          "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
          "propertyOrder" : 620,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createdTimestampAttribute" : {
          "title" : "Created Timestamp Attribute Name",
          "description" : "The identity Data Store attribute used to return created timestamp values.",
          "propertyOrder" : 350,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateRevocationCheckingEnabled" : {
          "title" : "Check TLS Certificate Revocation Status",
          "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
          "propertyOrder" : 615,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Client Scopes",
          "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "scopeImplementationClass" : {
          "title" : "Scope Implementation Class",
          "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
          "propertyOrder" : 70,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsOcspResponderCert" : {
          "title" : "OCSP Responder Certificate",
          "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
          "propertyOrder" : 617,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "allowedAudienceValues" : {
          "title" : "Additional Audience Values",
          "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
          "propertyOrder" : 91,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "codeVerifierEnforced" : {
          "title" : "Code Verifier Parameter Required",
          "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
          "propertyOrder" : 270,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenValidatorClasses" : {
          "title" : "Token Validator Plugins",
          "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
          "propertyOrder" : 96,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenSigningAlgorithm" : {
          "title" : "OAuth2 Token Signing Algorithm",
          "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 220,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "customLoginUrlTemplate" : {
          "title" : "Custom Login URL Template",
          "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
          "propertyOrder" : 60,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypeClasses" : {
          "title" : "Response Type Plugins",
          "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
          "propertyOrder" : 90,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenCompressionEnabled" : {
          "title" : "Client-Based Token Compression",
          "description" : "Whether client-based access and refresh tokens should be compressed.",
          "propertyOrder" : 223,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "hashSalt" : {
          "title" : "Subject Identifier Hash Salt",
          "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
          "propertyOrder" : 260,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsClientCertificateHeaderFormat" : {
          "title" : "TLS Client Certificate Header Format",
          "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
          "propertyOrder" : 605,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tlsCertificateBoundAccessTokensEnabled" : {
          "title" : "Support TLS Certificate-Bound Access Tokens",
          "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
          "propertyOrder" : 610,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationAttributes" : {
          "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
          "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenExchangeClasses" : {
          "title" : "Token Exchanger Plugins",
          "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
          "propertyOrder" : 95,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
          "propertyOrder" : 560,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tlsOcspResponderUri" : {
          "title" : "OCSP Responder URI",
          "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
          "propertyOrder" : 616,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOIDCConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 3,
      "properties" : {
        "supportedIDTokenEncryptionMethods" : {
          "title" : "ID Token Encryption Methods supported",
          "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 180,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "overrideableOIDCClaims" : {
          "title" : "Overrideable Id_Token Claims",
          "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
          "propertyOrder" : 155,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcDiscoveryEndpointEnabled" : {
          "title" : "OIDC Provider Discovery",
          "description" : "Turns on and off OIDC Discovery endpoint.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedIDTokenSigningAlgorithms" : {
          "title" : "ID Token Signing Algorithms supported",
          "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
          "propertyOrder" : 160,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The amount of time the JWT will be valid for, in seconds.",
          "propertyOrder" : 210,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "supportedClaims" : {
          "title" : "Supported Claims",
          "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
          "propertyOrder" : 190,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "oidcClaimsScript" : {
          "title" : "OIDC Claims Script",
          "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
          "propertyOrder" : 80,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "supportedIDTokenEncryptionAlgorithms" : {
          "title" : "ID Token Encryption Algorithms supported",
          "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 170,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "deviceCodeConfig" : {
      "type" : "object",
      "title" : "Device Flow",
      "propertyOrder" : 5,
      "properties" : {
        "deviceCodeLifetime" : {
          "title" : "Device Code Lifetime (seconds)",
          "description" : "The lifetime of the device code, in seconds.",
          "propertyOrder" : 390,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "devicePollInterval" : {
          "title" : "Device Polling Interval",
          "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "verificationUrl" : {
          "title" : "Verification URL",
          "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 370,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "completionUrl" : {
          "title" : "Device Completion URL",
          "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
          "propertyOrder" : 380,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "advancedOIDCConfig" : {
      "type" : "object",
      "title" : "Advanced OpenID Connect",
      "propertyOrder" : 4,
      "properties" : {
        "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
          "title" : "Token Introspection Response Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 460,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "claimsParameterSupported" : {
          "title" : "Enable \"claims_parameter_supported\"",
          "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
          "propertyOrder" : 250,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionEnc" : {
          "title" : "UserInfo Encryption Methods Supported",
          "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 458,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "amrMappings" : {
          "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
          "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
          "propertyOrder" : 330,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedUserInfoEncryptionAlgorithms" : {
          "title" : "UserInfo Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 457,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "alwaysAddClaimsToToken" : {
          "title" : "Always Return Claims in ID Tokens",
          "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
          "propertyOrder" : 360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedUserInfoSigningAlgorithms" : {
          "title" : "UserInfo Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 456,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "idTokenInfoClientAuthenticationEnabled" : {
          "title" : "Idtokeninfo Endpoint Requires Client Authentication",
          "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
          "propertyOrder" : 225,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
          "title" : "Supported Token Endpoint JWS Signing Algorithms.",
          "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
          "propertyOrder" : 444,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterSigningAlgorithms" : {
          "title" : "Request Parameter Signing Algorithms Supported",
          "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
          "propertyOrder" : 441,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authorisedOpenIdConnectSSOClients" : {
          "title" : "Authorized OIDC SSO Clients",
          "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
          "propertyOrder" : 446,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jkwsURI" : {
          "title" : "Remote JSON Web Key URL",
          "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
          "propertyOrder" : 140,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "storeOpsTokens" : {
          "title" : "Enable Session Management",
          "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
          "propertyOrder" : 410,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultACR" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 320,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "includeAllKtyAlgCombinationsInJwksUri" : {
          "title" : "Include all kty and alg combinations in jwks_uri",
          "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
          "propertyOrder" : 630,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "loaMapping" : {
          "title" : "OpenID Connect acr_values to Auth Chain Mapping",
          "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
          "propertyOrder" : 310,
          "required" : false,
          "patternProperties" : {
            ".*" : { }
          },
          "type" : "object",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionAlgorithms" : {
          "title" : "Request Parameter Encryption Algorithms Supported",
          "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
          "propertyOrder" : 442,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedRequestParameterEncryptionEnc" : {
          "title" : "Request Parameter Encryption Methods Supported",
          "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 443,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseSigningAlgorithms" : {
          "title" : "Token Introspection Response Signing Algorithms Supported",
          "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
          "propertyOrder" : 459,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "supportedTokenIntrospectionResponseEncryptionEnc" : {
          "title" : "Token Introspection Response Encryption Methods Supported",
          "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 461,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "cibaConfig" : {
      "type" : "object",
      "title" : "CIBA",
      "propertyOrder" : 7,
      "properties" : {
        "supportedCibaSigningAlgorithms" : {
          "title" : "Signing Algorithms Supported",
          "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "cibaAuthReqIdLifetime" : {
          "title" : "Back Channel Authentication ID Lifetime (seconds)",
          "description" : "The time back channel authentication request id is valid for, in seconds.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "cibaMinimumPollingInterval" : {
          "title" : "Polling Wait Interval (seconds)",
          "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    }
  }
}

Global Operations

Resource path:

/global-config/services/oauth-oidc

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth2Provider --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth2Provider --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth2Provider --global --actionName nextdescendents

read

Usage

am> read OAuth2Provider --global

update

Usage

am> update OAuth2Provider --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "jwtTokenLifetimeValidationEnabled" : {
      "title" : "Enforce JWT Unreasonable Lifetime",
      "description" : "Enable the enforcement of JWT token unreasonable lifetime during validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.",
      "propertyOrder" : 7,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "blacklistCacheSize" : {
      "title" : "Token Blacklist Cache Size",
      "description" : "Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.",
      "propertyOrder" : 0,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "blacklistPollInterval" : {
      "title" : "Blacklist Poll Interval (seconds)",
      "description" : "How frequently to poll for token blacklist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.",
      "propertyOrder" : 1,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "jwtTokenUnreasonableLifetime" : {
      "title" : "JWT Unreasonable Lifetime (seconds)",
      "description" : "Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the \"iat\" claim value is present, the token must not be older than the specified duration.",
      "propertyOrder" : 8,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "storageScheme" : {
      "title" : "CTS Storage Scheme",
      "description" : "Storage scheme to be used when storing OAuth2 tokens to CTS.<br><br>In order to support rolling upgrades, this should be set to the latest storage scheme supported by all OpenAM instances within your cluster. Select the latest storage scheme once all OpenAM instances in the cluster have been upgraded.<br/><br/><b>One-to-One Storage Scheme</b><br/>Under this storage scheme, each OAuth2 token maps to an individual CTS entry.<br/><i>This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.</i><br/><br/><b>Grant-Set Storage Scheme</b><br/>Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.",
      "propertyOrder" : 6,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "blacklistPurgeDelay" : {
      "title" : "Blacklist Purge Delay (minutes)",
      "description" : "Length of time to blacklist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.",
      "propertyOrder" : 2,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "statelessGrantTokenUpgradeCompatibilityMode" : {
      "title" : "Client-Based Grant Token Upgrade Compatibility Mode",
      "description" : "Enable OpenAM to consume and create client-based OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume client-based OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.",
      "propertyOrder" : 5,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "advancedOAuth2Config" : {
          "type" : "object",
          "title" : "Advanced",
          "propertyOrder" : 1,
          "properties" : {
            "supportedScopes" : {
              "title" : "Client Registration Scope Whitelist",
              "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
              "propertyOrder" : 130,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "tlsCertificateBoundAccessTokensEnabled" : {
              "title" : "Support TLS Certificate-Bound Access Tokens",
              "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.",
              "propertyOrder" : 610,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tokenCompressionEnabled" : {
              "title" : "Client-Based Token Compression",
              "description" : "Whether client-based access and refresh tokens should be compressed.",
              "propertyOrder" : 223,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tlsClientCertificateHeaderFormat" : {
              "title" : "TLS Client Certificate Header Format",
              "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>",
              "propertyOrder" : 605,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tlsOcspResponderCert" : {
              "title" : "OCSP Responder Certificate",
              "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.",
              "propertyOrder" : 617,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenEncryptionEnabled" : {
              "title" : "Encrypt Client-Based Tokens",
              "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
              "propertyOrder" : 242,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "grantTypes" : {
              "title" : "Grant Types",
              "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.",
              "propertyOrder" : 560,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "allowedAudienceValues" : {
              "title" : "Additional Audience Values",
              "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.",
              "propertyOrder" : 91,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "customLoginUrlTemplate" : {
              "title" : "Custom Login URL Template",
              "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}&lt;#if acrValues??&gt;&amp;acr_values=${acrValues}&lt;&#x2F;#if&gt;&lt;#if realm??&gt;&amp;realm=${realm}&lt;&#x2F;#if&gt;&lt;#if module??&gt;&amp;module=${module}&lt;&#x2F;#if&gt;&lt;#if service??&gt;&amp;service=${service}&lt;&#x2F;#if&gt;&lt;#if locale??&gt;&amp;locale=${locale}&lt;&#x2F;#if&gt;</code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
              "propertyOrder" : 60,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "passwordGrantAuthService" : {
              "title" : "Password Grant Authentication Service",
              "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.",
              "propertyOrder" : 430,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "responseTypeClasses" : {
              "title" : "Response Type Plugins",
              "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
              "propertyOrder" : 90,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "tlsClientCertificateTrustedHeader" : {
              "title" : "Trusted TLS Client Certificate Header",
              "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.",
              "propertyOrder" : 600,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenSigningAlgorithm" : {
              "title" : "OAuth2 Token Signing Algorithm",
              "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 220,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "macaroonTokenFormat" : {
              "title" : "Macaroon Token Format",
              "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.",
              "propertyOrder" : 620,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "moduleMessageEnabledInPasswordGrant" : {
              "title" : "Enable Auth Module Messages for Password Credentials Grant",
              "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
              "propertyOrder" : 440,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "tokenValidatorClasses" : {
              "title" : "Token Validator Plugins",
              "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.",
              "propertyOrder" : 96,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "scopeImplementationClass" : {
              "title" : "Scope Implementation Class",
              "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
              "propertyOrder" : 70,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tlsCertificateRevocationCheckingEnabled" : {
              "title" : "Check TLS Certificate Revocation Status",
              "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.",
              "propertyOrder" : 615,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "hashSalt" : {
              "title" : "Subject Identifier Hash Salt",
              "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
              "propertyOrder" : 260,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "tlsOcspResponderUri" : {
              "title" : "OCSP Responder URI",
              "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.",
              "propertyOrder" : 616,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "createdTimestampAttribute" : {
              "title" : "Created Timestamp Attribute Name",
              "description" : "The identity Data Store attribute used to return created timestamp values.",
              "propertyOrder" : 350,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "displayNameAttribute" : {
              "title" : "User Display Name attribute",
              "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
              "propertyOrder" : 120,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "modifiedTimestampAttribute" : {
              "title" : "Modified Timestamp Attribute Name",
              "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ",
              "propertyOrder" : 340,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenExchangeClasses" : {
              "title" : "Token Exchanger Plugins",
              "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.",
              "propertyOrder" : 95,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedSubjectTypes" : {
              "title" : "Subject Types supported",
              "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
              "propertyOrder" : 150,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "defaultScopes" : {
              "title" : "Default Client Scopes",
              "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
              "propertyOrder" : 200,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "authenticationAttributes" : {
              "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
              "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
              "propertyOrder" : 100,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "codeVerifierEnforced" : {
              "title" : "Code Verifier Parameter Required",
              "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.",
              "propertyOrder" : 270,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "deviceCodeConfig" : {
          "type" : "object",
          "title" : "Device Flow",
          "propertyOrder" : 5,
          "properties" : {
            "completionUrl" : {
              "title" : "Device Completion URL",
              "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
              "propertyOrder" : 380,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "devicePollInterval" : {
              "title" : "Device Polling Interval",
              "description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "deviceCodeLifetime" : {
              "title" : "Device Code Lifetime (seconds)",
              "description" : "The lifetime of the device code, in seconds.",
              "propertyOrder" : 390,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "verificationUrl" : {
              "title" : "Verification URL",
              "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
              "propertyOrder" : 370,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "advancedOIDCConfig" : {
          "type" : "object",
          "title" : "Advanced OpenID Connect",
          "propertyOrder" : 4,
          "properties" : {
            "jkwsURI" : {
              "title" : "Remote JSON Web Key URL",
              "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
              "propertyOrder" : 140,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "includeAllKtyAlgCombinationsInJwksUri" : {
              "title" : "Include all kty and alg combinations in jwks_uri",
              "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>",
              "propertyOrder" : 630,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "authorisedOpenIdConnectSSOClients" : {
              "title" : "Authorized OIDC SSO Clients",
              "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
              "propertyOrder" : 446,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "loaMapping" : {
              "title" : "OpenID Connect acr_values to Auth Chain Mapping",
              "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
              "propertyOrder" : 310,
              "required" : false,
              "patternProperties" : {
                ".*" : { }
              },
              "type" : "object",
              "exampleValue" : ""
            },
            "supportedRequestParameterSigningAlgorithms" : {
              "title" : "Request Parameter Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 441,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "storeOpsTokens" : {
              "title" : "Enable Session Management",
              "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled.  When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ",
              "propertyOrder" : 410,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedUserInfoSigningAlgorithms" : {
              "title" : "UserInfo Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 456,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedUserInfoEncryptionAlgorithms" : {
              "title" : "UserInfo Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 457,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenEndpointAuthenticationSigningAlgorithms" : {
              "title" : "Supported Token Endpoint JWS Signing Algorithms.",
              "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.",
              "propertyOrder" : 444,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "defaultACR" : {
              "title" : "Default ACR values",
              "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
              "propertyOrder" : 320,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseEncryptionAlgorithms" : {
              "title" : "Token Introspection Response Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 460,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseEncryptionEnc" : {
              "title" : "Token Introspection Response Encryption Methods Supported",
              "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 461,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "alwaysAddClaimsToToken" : {
              "title" : "Always Return Claims in ID Tokens",
              "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
              "propertyOrder" : 360,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedRequestParameterEncryptionEnc" : {
              "title" : "Request Parameter Encryption Methods Supported",
              "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 443,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedTokenIntrospectionResponseSigningAlgorithms" : {
              "title" : "Token Introspection Response Signing Algorithms Supported",
              "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>",
              "propertyOrder" : 459,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "claimsParameterSupported" : {
              "title" : "Enable \"claims_parameter_supported\"",
              "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
              "propertyOrder" : 250,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedUserInfoEncryptionEnc" : {
              "title" : "UserInfo Encryption Methods Supported",
              "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 458,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRequestParameterEncryptionAlgorithms" : {
              "title" : "Request Parameter Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 442,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "amrMappings" : {
              "title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
              "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
              "propertyOrder" : 330,
              "required" : false,
              "patternProperties" : {
                ".*" : { }
              },
              "type" : "object",
              "exampleValue" : ""
            },
            "idTokenInfoClientAuthenticationEnabled" : {
              "title" : "Idtokeninfo Endpoint Requires Client Authentication",
              "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
              "propertyOrder" : 225,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "clientDynamicRegistrationConfig" : {
          "type" : "object",
          "title" : "Client Dynamic Registration",
          "propertyOrder" : 2,
          "properties" : {
            "dynamicClientRegistrationSoftwareStatementRequired" : {
              "title" : "Require Software Statement for Dynamic Client Registration",
              "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
              "propertyOrder" : 271,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "generateRegistrationAccessTokens" : {
              "title" : "Generate Registration Access Tokens",
              "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
              "propertyOrder" : 290,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requiredSoftwareStatementAttestedAttributes" : {
              "title" : "Required Software Statement Attested Attributes",
              "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
              "propertyOrder" : 272,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "allowDynamicRegistration" : {
              "title" : "Allow Open Dynamic Client Registration",
              "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see  <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
              "propertyOrder" : 280,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "dynamicClientRegistrationScope" : {
              "title" : "Scope to give access to dynamic client registration",
              "description" : "Mandatory scope required when registering a new OAuth2 client.",
              "propertyOrder" : 455,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "coreOIDCConfig" : {
          "type" : "object",
          "title" : "OpenID Connect",
          "propertyOrder" : 3,
          "properties" : {
            "oidcDiscoveryEndpointEnabled" : {
              "title" : "OIDC Provider Discovery",
              "description" : "Turns on and off OIDC Discovery endpoint.",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedIDTokenEncryptionMethods" : {
              "title" : "ID Token Encryption Methods supported",
              "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 180,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "jwtTokenLifetime" : {
              "title" : "OpenID Connect JWT Token Lifetime (seconds)",
              "description" : "The amount of time the JWT will be valid for, in seconds.",
              "propertyOrder" : 210,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "overrideableOIDCClaims" : {
              "title" : "Overrideable Id_Token Claims",
              "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.",
              "propertyOrder" : 155,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedClaims" : {
              "title" : "Supported Claims",
              "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
              "propertyOrder" : 190,
              "required" : false,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedIDTokenEncryptionAlgorithms" : {
              "title" : "ID Token Encryption Algorithms supported",
              "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
              "propertyOrder" : 170,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "oidcClaimsScript" : {
              "title" : "OIDC Claims Script",
              "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
              "propertyOrder" : 80,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "supportedIDTokenSigningAlgorithms" : {
              "title" : "ID Token Signing Algorithms supported",
              "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>",
              "propertyOrder" : 160,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "coreOAuth2Config" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : 0,
          "properties" : {
            "statelessTokensEnabled" : {
              "title" : "Use Client-Based Access & Refresh Tokens",
              "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
              "propertyOrder" : 3,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "issueRefreshToken" : {
              "title" : "Issue Refresh Tokens",
              "description" : "Whether to issue a refresh token when returning an access token.",
              "propertyOrder" : 40,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "macaroonTokensEnabled" : {
              "title" : "Use Macaroon Access and Refresh Tokens",
              "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.",
              "propertyOrder" : 6,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "accessTokenModificationScript" : {
              "title" : "OAuth2 Access Token Modification Script",
              "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.",
              "propertyOrder" : 75,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "accessTokenMayActScript" : {
              "title" : "OAuth2 Access Token May Act Script",
              "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.",
              "propertyOrder" : 78,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "oidcMayActScript" : {
              "title" : "OIDC ID Token May Act Script",
              "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.",
              "propertyOrder" : 79,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "accessTokenLifetime" : {
              "title" : "Access Token Lifetime (seconds)",
              "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.",
              "propertyOrder" : 30,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "refreshTokenLifetime" : {
              "title" : "Refresh Token Lifetime (seconds)",
              "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.",
              "propertyOrder" : 20,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "codeLifetime" : {
              "title" : "Authorization Code Lifetime (seconds)",
              "description" : "The time an authorization code is valid for, in seconds.",
              "propertyOrder" : 10,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "issueRefreshTokenOnRefreshedToken" : {
              "title" : "Issue Refresh Tokens on Refreshing Access Tokens",
              "description" : "Whether to issue a refresh token when refreshing an access token.",
              "propertyOrder" : 50,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "usePolicyEngineForScope" : {
              "title" : "Use Policy Engine for Scope decisions",
              "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
              "propertyOrder" : 55,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "consent" : {
          "type" : "object",
          "title" : "Consent",
          "propertyOrder" : 6,
          "properties" : {
            "remoteConsentServiceId" : {
              "title" : "Remote Consent Service ID",
              "description" : "The ID of an existing remote consent service agent.",
              "propertyOrder" : 448,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "clientsCanSkipConsent" : {
              "title" : "Allow Clients to Skip Consent",
              "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
              "propertyOrder" : 420,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedRcsRequestEncryptionMethods" : {
              "title" : "Remote Consent Service Request Encryption Methods Supported",
              "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 451,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsResponseEncryptionMethods" : {
              "title" : "Remote Consent Service Response Encryption Methods Supported",
              "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
              "propertyOrder" : 454,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsResponseSigningAlgorithms" : {
              "title" : "Remote Consent Service Response Signing Algorithms Supported",
              "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 452,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "savedConsentAttribute" : {
              "title" : "Saved Consent Attribute Name",
              "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
              "propertyOrder" : 110,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "enableRemoteConsent" : {
              "title" : "Enable Remote Consent",
              "description" : "",
              "propertyOrder" : 447,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "supportedRcsResponseEncryptionAlgorithms" : {
              "title" : "Remote Consent Service Response Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
              "propertyOrder" : 453,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsRequestEncryptionAlgorithms" : {
              "title" : "Remote Consent Service Request Encryption Algorithms Supported",
              "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
              "propertyOrder" : 450,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "supportedRcsRequestSigningAlgorithms" : {
              "title" : "Remote Consent Service Request Signing Algorithms Supported",
              "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
              "propertyOrder" : 449,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "cibaConfig" : {
          "type" : "object",
          "title" : "CIBA",
          "propertyOrder" : 7,
          "properties" : {
            "cibaAuthReqIdLifetime" : {
              "title" : "Back Channel Authentication ID Lifetime (seconds)",
              "description" : "The time back channel authentication request id is valid for, in seconds.",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "cibaMinimumPollingInterval" : {
              "title" : "Polling Wait Interval (seconds)",
              "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "supportedCibaSigningAlgorithms" : {
              "title" : "Signing Algorithms Supported",
              "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>",
              "propertyOrder" : 900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}