OAuth2ClientAgentGroups
Realm Operations
Agent Groups handler that is responsible for managing agent groups
Resource path: /realm-config/agents/groups/OAuth2Client
Resource version: 1.0
create
Usage:
am> create OAuth2ClientAgentGroups --realm Realm --id id --body body
Parameters:
--id
The unique identifier for the resource.
--body
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "advancedOAuth2ClientConfig" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.", "propertyOrder" : 23800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "javascriptOrigins" : { "title" : "JavaScript Origins", "description" : "", "propertyOrder" : 23650, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseTypes" : { "title" : "Response Types", "description" : "Response types this client will support and use.", "propertyOrder" : 23800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "contacts" : { "title" : "Contacts", "description" : "Email addresses of users who can administrate this client.", "propertyOrder" : 23900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sectorIdentifierUri" : { "title" : "Sector Identifier URI", "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.", "propertyOrder" : 24300, "required" : false, "type" : "string", "exampleValue" : "" }, "requestUris" : { "title" : "Request uris", "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.", "propertyOrder" : 23700, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "isConsentImplied" : { "title" : "Implied consent", "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.", "propertyOrder" : 26200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "policyUri" : { "title" : "Privacy Policy URI", "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.", "propertyOrder" : 25375, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "name" : { "title" : "Display name", "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".", "propertyOrder" : 23500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "mixUpMitigation" : { "title" : "OAuth 2.0 Mix-Up Mitigation enabled", "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.", "propertyOrder" : 26300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpointAuthMethod" : { "title" : "Token Endpoint Authentication Method", "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.", "propertyOrder" : 24000, "required" : true, "type" : "string", "exampleValue" : "" }, "descriptions" : { "title" : "Display description", "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".", "propertyOrder" : 23600, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientUri" : { "title" : "Client URI", "description" : "The URI for finding further information about the client from user-facing UIs.", "propertyOrder" : 25325, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "logoUri" : { "title" : "Logo URI", "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.", "propertyOrder" : 25350, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "updateAccessToken" : { "title" : "Access Token", "description" : "The access token used to update the client.", "propertyOrder" : 25100, "required" : false, "type" : "string", "exampleValue" : "" }, "subjectType" : { "title" : "Subject Type", "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2Provider service setting.", "propertyOrder" : 24400, "required" : true, "type" : "string", "exampleValue" : "" } } }, "signEncOAuth2ClientConfig" : { "type" : "object", "title" : "Signing and Encryption", "propertyOrder" : 3, "properties" : { "idTokenEncryptionAlgorithm" : { "title" : "ID Token Encryption Algorithm", "description" : "Algorithm the ID Token for this client must be encrypted with.", "propertyOrder" : 24700, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoSignedResponseAlg" : { "title" : "User info signed response algorithm", "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.", "propertyOrder" : 27200, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionResponseFormat" : { "title" : "Token introspection response format", "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03", "propertyOrder" : 27800, "required" : true, "type" : "string", "exampleValue" : "" }, "clientJwtPublicKey" : { "title" : "Client JWT Bearer Public Key", "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.", "propertyOrder" : 25400, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionSignedResponseAlg" : { "title" : "Token introspection response signing algorithm", "description" : "Algorithm used for signing the introspection JWT response.", "propertyOrder" : 27810, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoResponseFormat" : { "title" : "User info response format.", "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse", "propertyOrder" : 27100, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterEncryptedEncryptionAlgorithm" : { "title" : "Request parameter encryption method", "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 27700, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : { "title" : "Token introspection encrypted response encryption algorithm", "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.", "propertyOrder" : 27830, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUri" : { "title" : "Json Web Key URI", "description" : "The uri that contains the client's public keys in Json Web Key format.", "propertyOrder" : 24100, "required" : false, "type" : "string", "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri" }, "tokenIntrospectionEncryptedResponseAlg" : { "title" : "Token introspection response encryption algorithm", "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.", "propertyOrder" : 27820, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterSignedAlg" : { "title" : "Request parameter signing algorithm", "description" : "JWS algorithm for signing the request parameter.", "propertyOrder" : 27500, "required" : false, "type" : "string", "exampleValue" : "" }, "mTLSSubjectDN" : { "title" : "mTLS Subject DN", "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=<client_id>. Only applicable when using CA-signed certificates.", "propertyOrder" : 25406, "required" : false, "type" : "string", "exampleValue" : "" }, "jwkStoreCacheMissCacheTime" : { "title" : "JWKs URI content cache miss cache time", "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.", "propertyOrder" : 24120, "required" : true, "type" : "integer", "exampleValue" : "" }, "idTokenSignedResponseAlg" : { "title" : "ID Token Signing Algorithm", "description" : "Algorithm the ID Token for this client must be signed with.", "propertyOrder" : 24500, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoEncryptedResponseEncryptionAlgorithm" : { "title" : "User info encrypted response encryption algorithm", "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 27400, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEndpointAuthSigningAlgorithm" : { "title" : "Token Endpoint Authentication Signing Algorithm", "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.", "propertyOrder" : 24130, "required" : true, "type" : "string", "exampleValue" : "" }, "publicKeyLocation" : { "title" : "Public key selector", "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.", "propertyOrder" : 25700, "required" : true, "type" : "string", "exampleValue" : "" }, "idTokenEncryptionEnabled" : { "title" : "Enable ID Token Encryption", "description" : "Select to enable ID token encryption.", "propertyOrder" : 24600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwksCacheTimeout" : { "title" : "JWKs URI content cache timeout in ms", "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.", "propertyOrder" : 24110, "required" : true, "type" : "integer", "exampleValue" : "" }, "userinfoEncryptedResponseAlg" : { "title" : "User info encrypted response algorithm", "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.", "propertyOrder" : 27300, "required" : false, "type" : "string", "exampleValue" : "" }, "mTLSCertificateBoundAccessTokens" : { "title" : "Use Certificate-Bound Access Tokens", "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.", "propertyOrder" : 25507, "required" : true, "type" : "boolean", "exampleValue" : "" }, "mTLSTrustedCert" : { "title" : "mTLS Self-Signed Certificate", "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.", "propertyOrder" : 25405, "required" : false, "type" : "string", "exampleValue" : "" }, "jwkSet" : { "title" : "Json Web Key", "description" : "Raw JSON Web Key value containing the client's public keys.", "propertyOrder" : 24200, "required" : false, "type" : "string", "exampleValue" : "" }, "idTokenEncryptionMethod" : { "title" : "ID Token Encryption Method", "description" : "Encryption method the ID Token for this client must be encrypted with.", "propertyOrder" : 24800, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterEncryptedAlg" : { "title" : "Request parameter encryption algorithm", "description" : "JWE algorithm for encrypting the request parameter.", "propertyOrder" : 27600, "required" : false, "type" : "string", "exampleValue" : "" }, "idTokenPublicEncryptionKey" : { "title" : "Client ID Token Public Encryption Key", "description" : "A Base64 encoded public key for encrypting ID Tokens.", "propertyOrder" : 24900, "required" : false, "type" : "string", "exampleValue" : "" } } }, "coreOAuth2ClientConfig" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "loopbackInterfaceRedirection" : { "title" : "Allow wildcard ports in redirect URIs", "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>", "propertyOrder" : 23150, "required" : false, "type" : "boolean", "exampleValue" : "" }, "clientName" : { "title" : "Client Name", "description" : "This value is a readable name for this client.", "propertyOrder" : 25300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "status" : { "title" : "Status", "description" : "Status of the agent configuration.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizationCodeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 25800, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 26000, "required" : true, "type" : "integer", "exampleValue" : "" }, "clientType" : { "title" : "Client type", "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.", "propertyOrder" : 23100, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectionUris" : { "title" : "Redirection URIs", "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).", "propertyOrder" : 23200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.", "propertyOrder" : 25900, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Scope(s)", "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.", "propertyOrder" : 23700, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopes" : { "title" : "Scope(s)", "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.", "propertyOrder" : 23300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOpenIDClientConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 2, "properties" : { "defaultMaxAge" : { "title" : "Default Max Age", "description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.", "propertyOrder" : 25500, "required" : true, "type" : "integer", "exampleValue" : "" }, "clientSessionUri" : { "title" : "Client Session URI", "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message", "propertyOrder" : 25200, "required" : false, "type" : "string", "exampleValue" : "" }, "defaultMaxAgeEnabled" : { "title" : "Default Max Age Enabled", "description" : "Whether or not the default max age is enforced.", "propertyOrder" : 25600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claims" : { "title" : "Claim(s)", "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>", "propertyOrder" : 23400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultAcrValues" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 25650, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 26100, "required" : true, "type" : "integer", "exampleValue" : "" }, "postLogoutRedirectUri" : { "title" : "Post Logout Redirect URIs", "description" : "URIs that can be redirected to after the client logout process.", "propertyOrder" : 25000, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreUmaClientConfig" : { "type" : "object", "title" : "UMA", "propertyOrder" : 4, "properties" : { "claimsRedirectionUris" : { "title" : "Claims Redirection URIs", "description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).", "propertyOrder" : 23200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
delete
Usage:
am> delete OAuth2ClientAgentGroups --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage:
am> action OAuth2ClientAgentGroups --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage:
am> action OAuth2ClientAgentGroups --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage:
am> action OAuth2ClientAgentGroups --realm Realm --actionName nextdescendents
query
Querying the agent groups of a specific type
Usage:
am> query OAuth2ClientAgentGroups --realm Realm --filter filter
Parameters:
--filter
A CREST formatted query filter, where "true" will query all.
read
Usage:
am> read OAuth2ClientAgentGroups --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
update
Usage:
am> update OAuth2ClientAgentGroups --realm Realm --id id --body body
Parameters:
--id
The unique identifier for the resource.
--body
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "advancedOAuth2ClientConfig" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.", "propertyOrder" : 23800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "javascriptOrigins" : { "title" : "JavaScript Origins", "description" : "", "propertyOrder" : 23650, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseTypes" : { "title" : "Response Types", "description" : "Response types this client will support and use.", "propertyOrder" : 23800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "contacts" : { "title" : "Contacts", "description" : "Email addresses of users who can administrate this client.", "propertyOrder" : 23900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sectorIdentifierUri" : { "title" : "Sector Identifier URI", "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.", "propertyOrder" : 24300, "required" : false, "type" : "string", "exampleValue" : "" }, "requestUris" : { "title" : "Request uris", "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.", "propertyOrder" : 23700, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "isConsentImplied" : { "title" : "Implied consent", "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.", "propertyOrder" : 26200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "policyUri" : { "title" : "Privacy Policy URI", "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.", "propertyOrder" : 25375, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "name" : { "title" : "Display name", "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".", "propertyOrder" : 23500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "mixUpMitigation" : { "title" : "OAuth 2.0 Mix-Up Mitigation enabled", "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.", "propertyOrder" : 26300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEndpointAuthMethod" : { "title" : "Token Endpoint Authentication Method", "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.", "propertyOrder" : 24000, "required" : true, "type" : "string", "exampleValue" : "" }, "descriptions" : { "title" : "Display description", "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".", "propertyOrder" : 23600, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientUri" : { "title" : "Client URI", "description" : "The URI for finding further information about the client from user-facing UIs.", "propertyOrder" : 25325, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "logoUri" : { "title" : "Logo URI", "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.", "propertyOrder" : 25350, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "updateAccessToken" : { "title" : "Access Token", "description" : "The access token used to update the client.", "propertyOrder" : 25100, "required" : false, "type" : "string", "exampleValue" : "" }, "subjectType" : { "title" : "Subject Type", "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2Provider service setting.", "propertyOrder" : 24400, "required" : true, "type" : "string", "exampleValue" : "" } } }, "signEncOAuth2ClientConfig" : { "type" : "object", "title" : "Signing and Encryption", "propertyOrder" : 3, "properties" : { "idTokenEncryptionAlgorithm" : { "title" : "ID Token Encryption Algorithm", "description" : "Algorithm the ID Token for this client must be encrypted with.", "propertyOrder" : 24700, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoSignedResponseAlg" : { "title" : "User info signed response algorithm", "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.", "propertyOrder" : 27200, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionResponseFormat" : { "title" : "Token introspection response format", "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03", "propertyOrder" : 27800, "required" : true, "type" : "string", "exampleValue" : "" }, "clientJwtPublicKey" : { "title" : "Client JWT Bearer Public Key", "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.", "propertyOrder" : 25400, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionSignedResponseAlg" : { "title" : "Token introspection response signing algorithm", "description" : "Algorithm used for signing the introspection JWT response.", "propertyOrder" : 27810, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoResponseFormat" : { "title" : "User info response format.", "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse", "propertyOrder" : 27100, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterEncryptedEncryptionAlgorithm" : { "title" : "Request parameter encryption method", "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 27700, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : { "title" : "Token introspection encrypted response encryption algorithm", "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.", "propertyOrder" : 27830, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUri" : { "title" : "Json Web Key URI", "description" : "The uri that contains the client's public keys in Json Web Key format.", "propertyOrder" : 24100, "required" : false, "type" : "string", "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri" }, "tokenIntrospectionEncryptedResponseAlg" : { "title" : "Token introspection response encryption algorithm", "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.", "propertyOrder" : 27820, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterSignedAlg" : { "title" : "Request parameter signing algorithm", "description" : "JWS algorithm for signing the request parameter.", "propertyOrder" : 27500, "required" : false, "type" : "string", "exampleValue" : "" }, "mTLSSubjectDN" : { "title" : "mTLS Subject DN", "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=<client_id>. Only applicable when using CA-signed certificates.", "propertyOrder" : 25406, "required" : false, "type" : "string", "exampleValue" : "" }, "jwkStoreCacheMissCacheTime" : { "title" : "JWKs URI content cache miss cache time", "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.", "propertyOrder" : 24120, "required" : true, "type" : "integer", "exampleValue" : "" }, "idTokenSignedResponseAlg" : { "title" : "ID Token Signing Algorithm", "description" : "Algorithm the ID Token for this client must be signed with.", "propertyOrder" : 24500, "required" : true, "type" : "string", "exampleValue" : "" }, "userinfoEncryptedResponseEncryptionAlgorithm" : { "title" : "User info encrypted response encryption algorithm", "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 27400, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEndpointAuthSigningAlgorithm" : { "title" : "Token Endpoint Authentication Signing Algorithm", "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.", "propertyOrder" : 24130, "required" : true, "type" : "string", "exampleValue" : "" }, "publicKeyLocation" : { "title" : "Public key selector", "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.", "propertyOrder" : 25700, "required" : true, "type" : "string", "exampleValue" : "" }, "idTokenEncryptionEnabled" : { "title" : "Enable ID Token Encryption", "description" : "Select to enable ID token encryption.", "propertyOrder" : 24600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwksCacheTimeout" : { "title" : "JWKs URI content cache timeout in ms", "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.", "propertyOrder" : 24110, "required" : true, "type" : "integer", "exampleValue" : "" }, "userinfoEncryptedResponseAlg" : { "title" : "User info encrypted response algorithm", "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.", "propertyOrder" : 27300, "required" : false, "type" : "string", "exampleValue" : "" }, "mTLSCertificateBoundAccessTokens" : { "title" : "Use Certificate-Bound Access Tokens", "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.", "propertyOrder" : 25507, "required" : true, "type" : "boolean", "exampleValue" : "" }, "mTLSTrustedCert" : { "title" : "mTLS Self-Signed Certificate", "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.", "propertyOrder" : 25405, "required" : false, "type" : "string", "exampleValue" : "" }, "jwkSet" : { "title" : "Json Web Key", "description" : "Raw JSON Web Key value containing the client's public keys.", "propertyOrder" : 24200, "required" : false, "type" : "string", "exampleValue" : "" }, "idTokenEncryptionMethod" : { "title" : "ID Token Encryption Method", "description" : "Encryption method the ID Token for this client must be encrypted with.", "propertyOrder" : 24800, "required" : true, "type" : "string", "exampleValue" : "" }, "requestParameterEncryptedAlg" : { "title" : "Request parameter encryption algorithm", "description" : "JWE algorithm for encrypting the request parameter.", "propertyOrder" : 27600, "required" : false, "type" : "string", "exampleValue" : "" }, "idTokenPublicEncryptionKey" : { "title" : "Client ID Token Public Encryption Key", "description" : "A Base64 encoded public key for encrypting ID Tokens.", "propertyOrder" : 24900, "required" : false, "type" : "string", "exampleValue" : "" } } }, "coreOAuth2ClientConfig" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "loopbackInterfaceRedirection" : { "title" : "Allow wildcard ports in redirect URIs", "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>", "propertyOrder" : 23150, "required" : false, "type" : "boolean", "exampleValue" : "" }, "clientName" : { "title" : "Client Name", "description" : "This value is a readable name for this client.", "propertyOrder" : 25300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "status" : { "title" : "Status", "description" : "Status of the agent configuration.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizationCodeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 25800, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 26000, "required" : true, "type" : "integer", "exampleValue" : "" }, "clientType" : { "title" : "Client type", "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.", "propertyOrder" : 23100, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectionUris" : { "title" : "Redirection URIs", "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).", "propertyOrder" : 23200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.", "propertyOrder" : 25900, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Scope(s)", "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.", "propertyOrder" : 23700, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopes" : { "title" : "Scope(s)", "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.", "propertyOrder" : 23300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOpenIDClientConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 2, "properties" : { "defaultMaxAge" : { "title" : "Default Max Age", "description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.", "propertyOrder" : 25500, "required" : true, "type" : "integer", "exampleValue" : "" }, "clientSessionUri" : { "title" : "Client Session URI", "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message", "propertyOrder" : 25200, "required" : false, "type" : "string", "exampleValue" : "" }, "defaultMaxAgeEnabled" : { "title" : "Default Max Age Enabled", "description" : "Whether or not the default max age is enforced.", "propertyOrder" : 25600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claims" : { "title" : "Claim(s)", "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>", "propertyOrder" : 23400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultAcrValues" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 25650, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.", "propertyOrder" : 26100, "required" : true, "type" : "integer", "exampleValue" : "" }, "postLogoutRedirectUri" : { "title" : "Post Logout Redirect URIs", "description" : "URIs that can be redirected to after the client logout process.", "propertyOrder" : 25000, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreUmaClientConfig" : { "type" : "object", "title" : "UMA", "propertyOrder" : 4, "properties" : { "claimsRedirectionUris" : { "title" : "Claims Redirection URIs", "description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).", "propertyOrder" : 23200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }