OpenIdConnectModule

Realm Operations

Resource path:

/realm-config/authentication/modules/openidconnect

Resource version: 1.0

create

Usage

am> create OpenIdConnectModule --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "useSubClaimIfNoMatch" : {
      "title" : "Use \"sub\" claim if no match",
      "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "idTokenHeaderName" : {
      "title" : "Name of header referencing the ID Token",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "jwtToLdapAttributeMappings" : {
      "title" : "Mapping of jwt attributes to local LDAP attributes",
      "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "principalMapperClass" : {
      "title" : "Principal mapper class",
      "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "accountProviderClass" : {
      "title" : "Account provider class",
      "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Name of OpenID Connect ID Token Issuer",
      "description" : "Value must match the iss field in issued ID Token",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "cryptoContextValue" : {
      "title" : "OpenID Connect validation configuration value",
      "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "audienceName" : {
      "title" : "Audience name",
      "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientSecret" : {
      "title" : "Client Secret",
      "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
      "propertyOrder" : 301,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "cryptoContextType" : {
      "title" : "OpenID Connect validation configuration type",
      "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "acceptedAuthorizedParties" : {
      "title" : "List of accepted authorized parties",
      "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
      "propertyOrder" : 800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

delete

Usage

am> delete OpenIdConnectModule --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OpenIdConnectModule --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OpenIdConnectModule --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OpenIdConnectModule --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query OpenIdConnectModule --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read OpenIdConnectModule --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update OpenIdConnectModule --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "useSubClaimIfNoMatch" : {
      "title" : "Use \"sub\" claim if no match",
      "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "idTokenHeaderName" : {
      "title" : "Name of header referencing the ID Token",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "jwtToLdapAttributeMappings" : {
      "title" : "Mapping of jwt attributes to local LDAP attributes",
      "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "principalMapperClass" : {
      "title" : "Principal mapper class",
      "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "accountProviderClass" : {
      "title" : "Account provider class",
      "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Name of OpenID Connect ID Token Issuer",
      "description" : "Value must match the iss field in issued ID Token",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "cryptoContextValue" : {
      "title" : "OpenID Connect validation configuration value",
      "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "audienceName" : {
      "title" : "Audience name",
      "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientSecret" : {
      "title" : "Client Secret",
      "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
      "propertyOrder" : 301,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "cryptoContextType" : {
      "title" : "OpenID Connect validation configuration type",
      "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "acceptedAuthorizedParties" : {
      "title" : "List of accepted authorized parties",
      "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
      "propertyOrder" : 800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

Global Operations

Resource path:

/global-config/authentication/modules/openidconnect

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OpenIdConnectModule --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OpenIdConnectModule --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OpenIdConnectModule --global --actionName nextdescendents

read

Usage

am> read OpenIdConnectModule --global

update

Usage

am> update OpenIdConnectModule --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "clientSecret" : {
          "title" : "Client Secret",
          "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 301,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "cryptoContextValue" : {
          "title" : "OpenID Connect validation configuration value",
          "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "principalMapperClass" : {
          "title" : "Principal mapper class",
          "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "cryptoContextType" : {
          "title" : "OpenID Connect validation configuration type",
          "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accountProviderClass" : {
          "title" : "Account provider class",
          "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "audienceName" : {
          "title" : "Audience name",
          "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "useSubClaimIfNoMatch" : {
          "title" : "Use \"sub\" claim if no match",
          "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "idTokenIssuer" : {
          "title" : "Name of OpenID Connect ID Token Issuer",
          "description" : "Value must match the iss field in issued ID Token",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "acceptedAuthorizedParties" : {
          "title" : "List of accepted authorized parties",
          "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
          "propertyOrder" : 800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "minItems" : 1,
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtToLdapAttributeMappings" : {
          "title" : "Mapping of jwt attributes to local LDAP attributes",
          "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
          "propertyOrder" : 600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "minItems" : 1,
          "type" : "array",
          "exampleValue" : ""
        },
        "idTokenHeaderName" : {
          "title" : "Name of header referencing the ID Token",
          "description" : "",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}