OIDCIDTokenValidator
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/OidcNode
Resource version: 2.0
create
Usage
am> create OIDCIDTokenValidator --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "headerName" : { "title" : "ID Token Header Name", "description" : "Name of the HTTP header that carries the ID token to be validated.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "oidcValidationValue" : { "title" : "OpenID Connect Validation Value", "description" : "Depending on the value of the <code>OpenID Connect Validation Type</code> property, this property holds the full URL of the provider's discovery document or JSON web key set. Because the node retrieves the keys used to verify ID token signatures from this URL, it should be an HTTPS URL belonging to the provider you trust. If <code>OpenID Connect Validation Type</code> is set to <code>Client Secret</code>, AM ignores this property and uses the value of the <code>Client Secret</code>. <p> Example: https://accounts.google.com/.well-known/openid-configuration", "propertyOrder" : 200, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "audienceName" : { "title" : "Audience name", "description" : "The audience name for this OpenID Connect node. The node checks it against the <code>aud</code> claim of the received ID token, to confirm that the token was issued for this node and not for some other client.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "inputs" : { "title" : "Script Inputs", "description" : "A list of state inputs that the transformation script can use.", "propertyOrder" : 900, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "script" : { "title" : "Transformation Script", "description" : "A script that can transform the ID token's claims into object data.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "secretId" : { "title" : "Client Secret Label", "description" : "A secret label that maps the OIDC client secret to a secret in the secret store. <br>The label can only contain the characters {{a-z}} {{A-Z}} {{0-9}} and {{.}}, and cannot start or end with {{.}}.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "clientsecret" }, "idTokenIssuer" : { "title" : "Token Issuer", "description" : "Name of the OpenID Connect ID token issuer. The value must exactly match the <code>iss</code> claim in the issued ID token, e.g. <code>https://accounts.google.com</code>.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "oidcValidationType" : { "title" : "OpenID Connect Validation Type", "description" : "In order to validate the ID token from the OpenID Connect provider, the node needs either a URL from which to retrieve the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url. This means the node retrieves the keys based on information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the authentication node to validate the ID token signature with the client secret you provide, or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON web key set. <p>Note that the client secret is a symmetric key shared with the provider, so any party that holds it can produce an ID token that this node will accept; prefer the discovery-document or JSON web key set options where the provider signs ID tokens with an asymmetric algorithm.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "unreasonableLifetimeLimit" : { "title" : "Unreasonable Lifetime Limit", "description" : "During token validation AM enforces that the token must expire within the specified duration, and, if the <code>iat</code> claim is present, that the token is not older than the specified duration. The value is in minutes.", "propertyOrder" : 1000, "type" : "integer", "exampleValue" : "" }, "authorisedParties" : { "title" : "Authorized parties", "description" : "A list of accepted authorized parties, which can be either string or URI values and are compared case-sensitively against the authorized party (<code>azp</code>) claim of the ID token.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" } }, "required" : [ "headerName", "oidcValidationValue", "audienceName", "inputs", "script", "idTokenIssuer", "oidcValidationType", "unreasonableLifetimeLimit", "authorisedParties" ] }
delete
Usage
am> delete OIDCIDTokenValidator --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action OIDCIDTokenValidator --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "A partial configuration of the node; it does not need to satisfy the full configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OIDCIDTokenValidator --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query OIDCIDTokenValidator --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read OIDCIDTokenValidator --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update OIDCIDTokenValidator --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "headerName" : { "title" : "ID Token Header Name", "description" : "Name of the HTTP header that carries the ID token to be validated.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "oidcValidationValue" : { "title" : "OpenID Connect Validation Value", "description" : "Depending on the value of the <code>OpenID Connect Validation Type</code> property, this property holds the full URL of the provider's discovery document or JSON web key set. Because the node retrieves the keys used to verify ID token signatures from this URL, it should be an HTTPS URL belonging to the provider you trust. If <code>OpenID Connect Validation Type</code> is set to <code>Client Secret</code>, AM ignores this property and uses the value of the <code>Client Secret</code>. <p> Example: https://accounts.google.com/.well-known/openid-configuration", "propertyOrder" : 200, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "audienceName" : { "title" : "Audience name", "description" : "The audience name for this OpenID Connect node. The node checks it against the <code>aud</code> claim of the received ID token, to confirm that the token was issued for this node and not for some other client.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "inputs" : { "title" : "Script Inputs", "description" : "A list of state inputs that the transformation script can use.", "propertyOrder" : 900, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "script" : { "title" : "Transformation Script", "description" : "A script that can transform the ID token's claims into object data.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "secretId" : { "title" : "Client Secret Label", "description" : "A secret label that maps the OIDC client secret to a secret in the secret store. <br>The label can only contain the characters {{a-z}} {{A-Z}} {{0-9}} and {{.}}, and cannot start or end with {{.}}.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "clientsecret" }, "idTokenIssuer" : { "title" : "Token Issuer", "description" : "Name of the OpenID Connect ID token issuer. The value must exactly match the <code>iss</code> claim in the issued ID token, e.g. <code>https://accounts.google.com</code>.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "oidcValidationType" : { "title" : "OpenID Connect Validation Type", "description" : "In order to validate the ID token from the OpenID Connect provider, the node needs either a URL from which to retrieve the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url. This means the node retrieves the keys based on information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the authentication node to validate the ID token signature with the client secret you provide, or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON web key set. <p>Note that the client secret is a symmetric key shared with the provider, so any party that holds it can produce an ID token that this node will accept; prefer the discovery-document or JSON web key set options where the provider signs ID tokens with an asymmetric algorithm.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "unreasonableLifetimeLimit" : { "title" : "Unreasonable Lifetime Limit", "description" : "During token validation AM enforces that the token must expire within the specified duration, and, if the <code>iat</code> claim is present, that the token is not older than the specified duration. The value is in minutes.", "propertyOrder" : 1000, "type" : "integer", "exampleValue" : "" }, "authorisedParties" : { "title" : "Authorized parties", "description" : "A list of accepted authorized parties, which can be either string or URI values and are compared case-sensitively against the authorized party (<code>azp</code>) claim of the ID token.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" } }, "required" : [ "headerName", "oidcValidationValue", "audienceName", "inputs", "script", "idTokenIssuer", "oidcValidationType", "unreasonableLifetimeLimit", "authorisedParties" ] }