Amster

SocialAuthOAuth2Module

Realm Operations

Resource path:

/realm-config/authentication/modules/authSocialOAuth2

Resource version: 1.0

create

Usage

am> create SocialAuthOAuth2Module --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "accountProvisioning" : {
      "type" : "object",
      "title" : "Account Provisioning",
      "propertyOrder" : 1,
      "properties" : {
        "accountMapperConfiguration" : {
          "title" : "Account Mapper Configuration",
          "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "sub=uid"
        },
        "anonymousUserName" : {
          "title" : "Anonymous User",
          "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createAccount" : {
          "title" : "Create account if it does not exist",
          "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
          "propertyOrder" : 1360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "promptPasswordFlag" : {
          "title" : "Prompt for password setting and activation code",
          "description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
          "propertyOrder" : 1905,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMapperConfiguration" : {
          "title" : "Attribute Mapper Configuration",
          "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
        },
        "accountProviderClass" : {
          "title" : "Account Provider",
          "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "enableRegistrationService" : {
          "title" : "Use IDM as Registration Service",
          "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
          "propertyOrder" : 1350,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mapToAnonymousUser" : {
          "title" : "Map to anonymous user",
          "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "saveAttributesInSession" : {
          "title" : "Save attributes in the session",
          "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
          "propertyOrder" : 2400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMappingClasses" : {
          "title" : "Attribute Mapper",
          "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
        },
        "accountMapperClass" : {
          "title" : "Account Mapper",
          "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
        }
      }
    },
    "emailSettings" : {
      "type" : "object",
      "title" : "Email",
      "propertyOrder" : 2,
      "properties" : {
        "smtpSslEnabled" : {
          "title" : "SMTP SSL Enabled",
          "description" : "Tick this option if the SMTP Server provides SSL",
          "propertyOrder" : 1940,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "smtpPassword" : {
          "title" : "SMTP User Password",
          "description" : "The Password of the SMTP User Name",
          "propertyOrder" : 1935,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "smtpFromAddress" : {
          "title" : "SMTP From address",
          "description" : "The email address on behalf of whom the messages will be sent",
          "propertyOrder" : 1945,
          "required" : true,
          "type" : "string",
          "exampleValue" : "info@forgerock.com"
        },
        "emailAttribute" : {
          "title" : "Email attribute in the Response",
          "description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
          "propertyOrder" : 1910,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "emailGateway" : {
          "title" : "Mail Server Gateway implementation class",
          "description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
          "propertyOrder" : 1915,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpPort" : {
          "title" : "SMTP port",
          "description" : "The TCP port that will be used by the SMTP gateway",
          "propertyOrder" : 1925,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpUsername" : {
          "title" : "SMTP User Name",
          "description" : "If the SMTP Service requires authentication, configure the user name here",
          "propertyOrder" : 1930,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpHost" : {
          "title" : "SMTP host",
          "description" : "The mail host that will be used by the Email Gateway implementation",
          "propertyOrder" : 1920,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "subjectProperty" : {
          "title" : "Subject Property",
          "description" : "Property used to identify which attribute an auth server identifies a user by.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : "sub"
        },
        "clientSecret" : {
          "title" : "Client Secret",
          "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "userInfoEndpoint" : {
          "title" : "User Profile Service URL",
          "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
        },
        "usesBasicAuth" : {
          "title" : "Use Basic Auth",
          "description" : "When enabled, the client will use basic auth for authenticating with  the social auth provider. Enabled by default.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "issuerName" : {
          "title" : "Token Issuer",
          "description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
          "propertyOrder" : 2500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://accounts.google.com"
        },
        "ssoProxyUrl" : {
          "title" : "Proxy URL",
          "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
          "propertyOrder" : 2600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "clientId" : {
          "title" : "Client Id",
          "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "scope" : {
          "title" : "Scope",
          "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "minItems" : 1,
          "type" : "array",
          "exampleValue" : "profile email"
        },
        "provider" : {
          "title" : "Social Provider",
          "description" : "Social Provider for which this module is being setup.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : "Google"
        },
        "authorizeEndpoint" : {
          "title" : "Authentication Endpoint URL",
          "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
        },
        "logoutServiceUrl" : {
          "title" : "OAuth 2.0 Provider Logout Service",
          "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
          "propertyOrder" : 2150,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEndpoint" : {
          "title" : "Access Token Endpoint URL",
          "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
        },
        "logoutBehaviour" : {
          "title" : "Logout Options",
          "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
          "propertyOrder" : 2155,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "scopeDelimiter" : {
          "title" : "Scope Delimiter",
          "description" : "Delimiter used to separate scope values. Default value is space.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete SocialAuthOAuth2Module --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action SocialAuthOAuth2Module --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action SocialAuthOAuth2Module --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action SocialAuthOAuth2Module --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query SocialAuthOAuth2Module --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read SocialAuthOAuth2Module --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update SocialAuthOAuth2Module --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "accountProvisioning" : {
      "type" : "object",
      "title" : "Account Provisioning",
      "propertyOrder" : 1,
      "properties" : {
        "accountMapperConfiguration" : {
          "title" : "Account Mapper Configuration",
          "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "sub=uid"
        },
        "anonymousUserName" : {
          "title" : "Anonymous User",
          "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "createAccount" : {
          "title" : "Create account if it does not exist",
          "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
          "propertyOrder" : 1360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "promptPasswordFlag" : {
          "title" : "Prompt for password setting and activation code",
          "description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
          "propertyOrder" : 1905,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMapperConfiguration" : {
          "title" : "Attribute Mapper Configuration",
          "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
        },
        "accountProviderClass" : {
          "title" : "Account Provider",
          "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "enableRegistrationService" : {
          "title" : "Use IDM as Registration Service",
          "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
          "propertyOrder" : 1350,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mapToAnonymousUser" : {
          "title" : "Map to anonymous user",
          "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "saveAttributesInSession" : {
          "title" : "Save attributes in the session",
          "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
          "propertyOrder" : 2400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMappingClasses" : {
          "title" : "Attribute Mapper",
          "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
        },
        "accountMapperClass" : {
          "title" : "Account Mapper",
          "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
        }
      }
    },
    "emailSettings" : {
      "type" : "object",
      "title" : "Email",
      "propertyOrder" : 2,
      "properties" : {
        "smtpSslEnabled" : {
          "title" : "SMTP SSL Enabled",
          "description" : "Tick this option if the SMTP Server provides SSL",
          "propertyOrder" : 1940,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "smtpPassword" : {
          "title" : "SMTP User Password",
          "description" : "The Password of the SMTP User Name",
          "propertyOrder" : 1935,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "smtpFromAddress" : {
          "title" : "SMTP From address",
          "description" : "The email address on behalf of whom the messages will be sent",
          "propertyOrder" : 1945,
          "required" : true,
          "type" : "string",
          "exampleValue" : "info@forgerock.com"
        },
        "emailAttribute" : {
          "title" : "Email attribute in the Response",
          "description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
          "propertyOrder" : 1910,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "emailGateway" : {
          "title" : "Mail Server Gateway implementation class",
          "description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
          "propertyOrder" : 1915,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpPort" : {
          "title" : "SMTP port",
          "description" : "The TCP port that will be used by the SMTP gateway",
          "propertyOrder" : 1925,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpUsername" : {
          "title" : "SMTP User Name",
          "description" : "If the SMTP Service requires authentication, configure the user name here",
          "propertyOrder" : 1930,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "smtpHost" : {
          "title" : "SMTP host",
          "description" : "The mail host that will be used by the Email Gateway implementation",
          "propertyOrder" : 1920,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "subjectProperty" : {
          "title" : "Subject Property",
          "description" : "Property used to identify which attribute an auth server identifies a user by.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : "sub"
        },
        "clientSecret" : {
          "title" : "Client Secret",
          "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "userInfoEndpoint" : {
          "title" : "User Profile Service URL",
          "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
        },
        "usesBasicAuth" : {
          "title" : "Use Basic Auth",
          "description" : "When enabled, the client will use basic auth for authenticating with  the social auth provider. Enabled by default.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "issuerName" : {
          "title" : "Token Issuer",
          "description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
          "propertyOrder" : 2500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://accounts.google.com"
        },
        "ssoProxyUrl" : {
          "title" : "Proxy URL",
          "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
          "propertyOrder" : 2600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "clientId" : {
          "title" : "Client Id",
          "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "scope" : {
          "title" : "Scope",
          "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "minItems" : 1,
          "type" : "array",
          "exampleValue" : "profile email"
        },
        "provider" : {
          "title" : "Social Provider",
          "description" : "Social Provider for which this module is being setup.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : "Google"
        },
        "authorizeEndpoint" : {
          "title" : "Authentication Endpoint URL",
          "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
        },
        "logoutServiceUrl" : {
          "title" : "OAuth 2.0 Provider Logout Service",
          "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
          "propertyOrder" : 2150,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEndpoint" : {
          "title" : "Access Token Endpoint URL",
          "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
        },
        "logoutBehaviour" : {
          "title" : "Logout Options",
          "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
          "propertyOrder" : 2155,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "scopeDelimiter" : {
          "title" : "Scope Delimiter",
          "description" : "Delimiter used to separate scope values. Default value is space.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

Global Operations

Resource path:

/global-config/authentication/modules/authSocialOAuth2

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action SocialAuthOAuth2Module --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action SocialAuthOAuth2Module --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action SocialAuthOAuth2Module --global --actionName nextdescendents

read

Usage

am> read SocialAuthOAuth2Module --global

update

Usage

am> update SocialAuthOAuth2Module --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "emailSettings" : {
          "type" : "object",
          "title" : "Email",
          "propertyOrder" : 2,
          "properties" : {
            "smtpUsername" : {
              "title" : "SMTP User Name",
              "description" : "If the SMTP Service requires authentication, configure the user name here",
              "propertyOrder" : 1930,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "smtpPassword" : {
              "title" : "SMTP User Password",
              "description" : "The Password of the SMTP User Name",
              "propertyOrder" : 1935,
              "required" : true,
              "type" : "string",
              "format" : "password",
              "exampleValue" : ""
            },
            "emailAttribute" : {
              "title" : "Email attribute in the Response",
              "description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
              "propertyOrder" : 1910,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "smtpFromAddress" : {
              "title" : "SMTP From address",
              "description" : "The email address on behalf of whom the messages will be sent",
              "propertyOrder" : 1945,
              "required" : true,
              "type" : "string",
              "exampleValue" : "info@forgerock.com"
            },
            "smtpPort" : {
              "title" : "SMTP port",
              "description" : "The TCP port that will be used by the SMTP gateway",
              "propertyOrder" : 1925,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "smtpSslEnabled" : {
              "title" : "SMTP SSL Enabled",
              "description" : "Tick this option if the SMTP Server provides SSL",
              "propertyOrder" : 1940,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "smtpHost" : {
              "title" : "SMTP host",
              "description" : "The mail host that will be used by the Email Gateway implementation",
              "propertyOrder" : 1920,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "emailGateway" : {
              "title" : "Mail Server Gateway implementation class",
              "description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
              "propertyOrder" : 1915,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "core" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : 0,
          "properties" : {
            "authenticationLevel" : {
              "title" : "Authentication Level",
              "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "issuerName" : {
              "title" : "Token Issuer",
              "description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
              "propertyOrder" : 2500,
              "required" : true,
              "type" : "string",
              "exampleValue" : "https://accounts.google.com"
            },
            "usesBasicAuth" : {
              "title" : "Use Basic Auth",
              "description" : "When enabled, the client will use basic auth for authenticating with  the social auth provider. Enabled by default.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "userInfoEndpoint" : {
              "title" : "User Profile Service URL",
              "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "string",
              "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
            },
            "subjectProperty" : {
              "title" : "Subject Property",
              "description" : "Property used to identify which attribute an auth server identifies a user by.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "string",
              "exampleValue" : "sub"
            },
            "logoutBehaviour" : {
              "title" : "Logout Options",
              "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
              "propertyOrder" : 2155,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenEndpoint" : {
              "title" : "Access Token Endpoint URL",
              "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "string",
              "exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
            },
            "ssoProxyUrl" : {
              "title" : "Proxy URL",
              "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "provider" : {
              "title" : "Social Provider",
              "description" : "Social Provider for which this module is being setup.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : "Google"
            },
            "clientId" : {
              "title" : "Client Id",
              "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "logoutServiceUrl" : {
              "title" : "OAuth 2.0 Provider Logout Service",
              "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
              "propertyOrder" : 2150,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "scope" : {
              "title" : "Scope",
              "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
              "propertyOrder" : 900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : "profile email"
            },
            "clientSecret" : {
              "title" : "Client Secret",
              "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
              "propertyOrder" : 500,
              "required" : true,
              "type" : "string",
              "format" : "password",
              "exampleValue" : ""
            },
            "authorizeEndpoint" : {
              "title" : "Authentication Endpoint URL",
              "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "string",
              "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
            },
            "mixUpMitigation" : {
              "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
              "description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
              "propertyOrder" : 2600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "scopeDelimiter" : {
              "title" : "Scope Delimiter",
              "description" : "Delimiter used to separate scope values. Default value is space.",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "accountProvisioning" : {
          "type" : "object",
          "title" : "Account Provisioning",
          "propertyOrder" : 1,
          "properties" : {
            "accountProviderClass" : {
              "title" : "Account Provider",
              "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "accountMapperConfiguration" : {
              "title" : "Account Mapper Configuration",
              "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
              "propertyOrder" : 1600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : "sub=uid"
            },
            "mapToAnonymousUser" : {
              "title" : "Map to anonymous user",
              "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
              "propertyOrder" : 2000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "anonymousUserName" : {
              "title" : "Anonymous User",
              "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "promptPasswordFlag" : {
              "title" : "Prompt for password setting and activation code",
              "description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
              "propertyOrder" : 1905,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "saveAttributesInSession" : {
              "title" : "Save attributes in the session",
              "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
              "propertyOrder" : 2400,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "enableRegistrationService" : {
              "title" : "Use IDM as Registration Service",
              "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
              "propertyOrder" : 1350,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "createAccount" : {
              "title" : "Create account if it does not exist",
              "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
              "propertyOrder" : 1360,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "attributeMappingClasses" : {
              "title" : "Attribute Mapper",
              "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1700,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
            },
            "accountMapperClass" : {
              "title" : "Account Mapper",
              "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "string",
              "exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
            },
            "attributeMapperConfiguration" : {
              "title" : "Attribute Mapper Configuration",
              "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
              "propertyOrder" : 1800,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
Copyright © 2010-2023 ForgeRock, all rights reserved.