ClientConfigurationForGoogle
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/googleConfig
Resource version: 1.0
create
Usage
am> create ClientConfigurationForGoogle --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "claims" : { "title" : "Claims", "description" : "Claims on request object in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v4/token" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo" }, "acrValues" : { "title" : "ACR Values", "description" : "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret id would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig,a secret id 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "openid, profile, email" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth" }, "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
delete
Usage
am> delete ClientConfigurationForGoogle --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query ClientConfigurationForGoogle --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ClientConfigurationForGoogle --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ClientConfigurationForGoogle --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "claims" : { "title" : "Claims", "description" : "Claims on request object in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v4/token" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo" }, "acrValues" : { "title" : "ACR Values", "description" : "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret id would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig,a secret id 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "openid, profile, email" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth" }, "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" } } }