OIDCIDTokenValidator
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/OidcNode
Resource version: 1.0
create
Usage
am> create OIDCIDTokenValidator --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "audienceName" : { "title" : "Audience name", "description" : "The audience name for this OpenID Connect node. This will be used to check that the ID token received is intended for this node as an audience.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "script" : { "title" : "Transformation Script", "description" : "A script that can transform the ID token's claims into object data.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "oidcValidationValue" : { "title" : "OpenID Connect Validation Value", "description" : "Specifies the full URL to the discovery or JWK location, corresponding to the configuration type selected in the OpenID Connect Validation Type property. If client_secret is the selected validation type, this entry is ignored and the value of the Client Secret is used.<p> Example: https://accounts.google.com/.well-known/openid-configuration", "propertyOrder" : 200, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "inputs" : { "title" : "Script Inputs", "description" : "A list of state inputs that can be used by the script.", "propertyOrder" : 900, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcValidationType" : { "title" : "OpenID Connect Validation Type", "description" : "To validate the ID token from the OpenID Connect provider, the node needs either a URL to get the public keys for the provider, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url. This means the node should retrieve the keys based on information in the OpenID Connect Provider Configuration Document. 
<p>You can instead configure the authentication node to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL to the OpenID Connect provider's JSON web key set.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "unreasonableLifetimeLimit" : { "title" : "Unreasonable Lifetime Limit", "description" : "During token validation, AM enforces that the token must expire within the specified duration and, if the \"iat\" claim is present, that the token must not be older than the specified duration. This value should be in minutes.", "propertyOrder" : 1000, "type" : "integer", "exampleValue" : "" }, "authorisedParties" : { "title" : "Authorized parties", "description" : "A list of accepted authorized parties, compared case-sensitively, which can be either string or URI values. This will be checked against the authorized party claim of the ID token.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "idTokenIssuer" : { "title" : "Token Issuer", "description" : "Name of the OpenID Connect ID token issuer. The value must match the iss claim of the issued ID token, e.g. <code>accounts.google.com</code>", "propertyOrder" : 500, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "secretId" : { "title" : "Client Secret Id", "description" : "Specifies the id of the client secret. One of the configured secret stores in AM should contain a secret with the given id. 
<p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "clientsecret" }, "headerName" : { "title" : "ID Token Header Name", "description" : "Name of header referencing the ID Token.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "oidcValidationType", "oidcValidationValue", "audienceName", "inputs", "unreasonableLifetimeLimit", "authorisedParties", "headerName", "idTokenIssuer", "script" ] }
delete
Usage
am> delete OIDCIDTokenValidator --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action OIDCIDTokenValidator --realm Realm --body body --actionName listOutcomes
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query OIDCIDTokenValidator --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter; "true" queries all instances.
read
Usage
am> read OIDCIDTokenValidator --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update OIDCIDTokenValidator --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "audienceName" : { "title" : "Audience name", "description" : "The audience name for this OpenID Connect node. This will be used to check that the ID token received is intended for this node as an audience.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "script" : { "title" : "Transformation Script", "description" : "A script that can transform the ID token's claims into object data.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "oidcValidationValue" : { "title" : "OpenID Connect Validation Value", "description" : "Specifies the full URL to the discovery or JWK location, corresponding to the configuration type selected in the OpenID Connect Validation Type property. If client_secret is the selected validation type, this entry is ignored and the value of the Client Secret is used.<p> Example: https://accounts.google.com/.well-known/openid-configuration", "propertyOrder" : 200, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "inputs" : { "title" : "Script Inputs", "description" : "A list of state inputs that can be used by the script.", "propertyOrder" : 900, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcValidationType" : { "title" : "OpenID Connect Validation Type", "description" : "To validate the ID token from the OpenID Connect provider, the node needs either a URL to get the public keys for the provider, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url. This means the node should retrieve the keys based on information in the OpenID Connect Provider Configuration Document. 
<p>You can instead configure the authentication node to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL to the OpenID Connect provider's JSON web key set.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "unreasonableLifetimeLimit" : { "title" : "Unreasonable Lifetime Limit", "description" : "During token validation, AM enforces that the token must expire within the specified duration and, if the \"iat\" claim is present, that the token must not be older than the specified duration. This value should be in minutes.", "propertyOrder" : 1000, "type" : "integer", "exampleValue" : "" }, "authorisedParties" : { "title" : "Authorized parties", "description" : "A list of accepted authorized parties, compared case-sensitively, which can be either string or URI values. This will be checked against the authorized party claim of the ID token.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "idTokenIssuer" : { "title" : "Token Issuer", "description" : "Name of the OpenID Connect ID token issuer. The value must match the iss claim of the issued ID token, e.g. <code>accounts.google.com</code>", "propertyOrder" : 500, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "secretId" : { "title" : "Client Secret Id", "description" : "Specifies the id of the client secret. One of the configured secret stores in AM should contain a secret with the given id. 
<p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "clientsecret" }, "headerName" : { "title" : "ID Token Header Name", "description" : "Name of header referencing the ID Token.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "oidcValidationType", "oidcValidationValue", "audienceName", "inputs", "unreasonableLifetimeLimit", "authorisedParties", "headerName", "idTokenIssuer", "script" ] }