SocialAuthInstagramModule
Realm Operations
Resource path:
/realm-config/authentication/modules/authSocialInstagram
Resource version: 1.0
create
Usage
am> create SocialAuthInstagramModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "core" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "logoutServiceUrl" : { "title" : "OAuth 2.0 Provider Logout Service", "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2150, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "Delimiter used to separate scope values. Default value is space.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "ssoProxyUrl" : { "title" : "Proxy URL", "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client Id", "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "subjectProperty" : { "title" : "Subject Property", "description" : "Property used to identify which attribute an auth server identifies a user by.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "logoutBehaviour" : { "title" : "Logout Options", "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2155, "required" : true, "type" : "string", "exampleValue" : "" }, "scope" : { "title" : "Scope", "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "usesBasicAuth" : { "title" : "Use Basic Auth", "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "provider" : { "title" : "Social Provider", "description" : "Social Provider for which this module is being setup.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }, "accountProvisioning" : { "type" : "object", "title" : "Account Provisioning", "propertyOrder" : 1, "properties" : { "anonymousUserName" : { "title" : "Anonymous User", "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "accountProviderClass" : { "title" : "Account Provider", "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" }, "attributeMappingClasses" : { "title" : "Attribute Mapper", "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "saveAttributesInSession" : { "title" : "Save attributes in the session", "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session", "propertyOrder" : 2400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "createAccount" : { "title" : "Create account if it does not exist", "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>", "propertyOrder" : 1360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accountMapperClass" : { "title" : "Account Mapper", "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "mapToAnonymousUser" : { "title" : "Map to anonymous user", "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "enableRegistrationService" : { "title" : "Use IDM as Registration Service", "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>", "propertyOrder" : 1350, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accountMapperConfiguration" : { "title" : "Account Mapper Configuration", "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "attributeMapperConfiguration" : { "title" : "Attribute Mapper Configuration", "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
delete
Usage
am> delete SocialAuthInstagramModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action SocialAuthInstagramModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action SocialAuthInstagramModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action SocialAuthInstagramModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query SocialAuthInstagramModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read SocialAuthInstagramModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update SocialAuthInstagramModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "core" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "logoutServiceUrl" : { "title" : "OAuth 2.0 Provider Logout Service", "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2150, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "Delimiter used to separate scope values. Default value is space.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "ssoProxyUrl" : { "title" : "Proxy URL", "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client Id", "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "subjectProperty" : { "title" : "Subject Property", "description" : "Property used to identify which attribute an auth server identifies a user by.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "logoutBehaviour" : { "title" : "Logout Options", "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2155, "required" : true, "type" : "string", "exampleValue" : "" }, "scope" : { "title" : "Scope", "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "usesBasicAuth" : { "title" : "Use Basic Auth", "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "provider" : { "title" : "Social Provider", "description" : "Social Provider for which this module is being setup.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }, "accountProvisioning" : { "type" : "object", "title" : "Account Provisioning", "propertyOrder" : 1, "properties" : { "anonymousUserName" : { "title" : "Anonymous User", "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "accountProviderClass" : { "title" : "Account Provider", "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" }, "attributeMappingClasses" : { "title" : "Attribute Mapper", "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "saveAttributesInSession" : { "title" : "Save attributes in the session", "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session", "propertyOrder" : 2400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "createAccount" : { "title" : "Create account if it does not exist", "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>", "propertyOrder" : 1360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accountMapperClass" : { "title" : "Account Mapper", "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "mapToAnonymousUser" : { "title" : "Map to anonymous user", "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "enableRegistrationService" : { "title" : "Use IDM as Registration Service", "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>", "propertyOrder" : 1350, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accountMapperConfiguration" : { "title" : "Account Mapper Configuration", "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "attributeMapperConfiguration" : { "title" : "Attribute Mapper Configuration", "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/authentication/modules/authSocialInstagram
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action SocialAuthInstagramModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action SocialAuthInstagramModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action SocialAuthInstagramModule --global --actionName nextdescendents
update
Usage
am> update SocialAuthInstagramModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "core" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "scope" : { "title" : "Scope", "description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "logoutServiceUrl" : { "title" : "OAuth 2.0 Provider Logout Service", "description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2150, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "Delimiter used to separate scope values. Default value is space.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "subjectProperty" : { "title" : "Subject Property", "description" : "Property used to identify which attribute an auth server identifies a user by.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "logoutBehaviour" : { "title" : "Logout Options", "description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.", "propertyOrder" : 2155, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "ssoProxyUrl" : { "title" : "Proxy URL", "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "provider" : { "title" : "Social Provider", "description" : "Social Provider for which this module is being setup.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client Id", "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "usesBasicAuth" : { "title" : "Use Basic Auth", "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "accountProvisioning" : { "type" : "object", "title" : "Account Provisioning", "propertyOrder" : 1, "properties" : { "enableRegistrationService" : { "title" : "Use IDM as Registration Service", "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>", "propertyOrder" : 1350, "required" : true, "type" : "boolean", "exampleValue" : "" }, "mapToAnonymousUser" : { "title" : "Map to anonymous user", "description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "attributeMapperConfiguration" : { "title" : "Attribute Mapper Configuration", "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "accountMapperClass" : { "title" : "Account Mapper", "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "createAccount" : { "title" : "Create account if it does not exist", "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>", "propertyOrder" : 1360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accountProviderClass" : { "title" : "Account Provider", "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" }, "attributeMappingClasses" : { "title" : "Attribute Mapper", "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.", "propertyOrder" : 1700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "accountMapperConfiguration" : { "title" : "Account Mapper Configuration", "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>", "propertyOrder" : 1600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "saveAttributesInSession" : { "title" : "Save attributes in the session", "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session", "propertyOrder" : 2400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "anonymousUserName" : { "title" : "Anonymous User", "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }