OAuth2Provider
Realm Operations
Resource path: /realm-config/services/oauth-oidc
Resource version: 1.0
create
Usage:
am> create OAuth2Provider --realm Realm --body bodyParameters:
--bodyThe resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Based Tokens", "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Whitelist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopeImplementationClass" : { "title" : "Scope Implementation Class", "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.", "propertyOrder" : 70, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Based Token Compression", "description" : "Whether client-based access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" } } }, "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Based Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "OAuth2 Access Token Modification Script", "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Store Ops Tokens", "description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
delete
Usage:
am> delete OAuth2Provider --realm RealmgetAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage:
am> action OAuth2Provider --realm Realm --actionName getAllTypesgetCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage:
am> action OAuth2Provider --realm Realm --actionName getCreatableTypesnextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage:
am> action OAuth2Provider --realm Realm --actionName nextdescendentsread
Usage:
am> read OAuth2Provider --realm Realmupdate
Usage:
am> update OAuth2Provider --realm Realm --body bodyParameters:
--bodyThe resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Based Tokens", "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Whitelist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopeImplementationClass" : { "title" : "Scope Implementation Class", "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.", "propertyOrder" : 70, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Based Token Compression", "description" : "Whether client-based access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" } } }, "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Based Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "OAuth2 Access Token Modification Script", "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Store Ops Tokens", "description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
Global Operations
Resource path: /global-config/services/oauth-oidc
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage:
am> action OAuth2Provider --global --actionName getAllTypesgetCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage:
am> action OAuth2Provider --global --actionName getCreatableTypesnextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage:
am> action OAuth2Provider --global --actionName nextdescendentsread
Usage:
am> read OAuth2Provider --globalupdate
Usage:
am> update OAuth2Provider --global --body bodyParameters:
--bodyThe resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "storageScheme" : { "title" : "CTS Storage Scheme", "description" : "Storage scheme to be used when storing OAuth2 tokens to CTS.<br><br>In order to support rolling upgrades, this should be set to the latest storage scheme supported by all OpenAM instances within your cluster. Select the latest storage scheme once all OpenAM instances in the cluster have been upgraded.<br/><br/><b>One-to-One Storage Scheme</b><br/>Under this storage scheme, each OAuth2 token maps to an individual CTS entry.<br/><i>This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.</i><br/><br/><b>Grant-Set Storage Scheme</b><br/>Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.", "propertyOrder" : 6, "required" : true, "type" : "string", "exampleValue" : "" }, "blacklistCacheSize" : { "title" : "Token Blacklist Cache Size", "description" : "Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.", "propertyOrder" : 0, "required" : true, "type" : "integer", "exampleValue" : "" }, "blacklistPollInterval" : { "title" : "Blacklist Poll Interval (seconds)", "description" : "How frequently to poll for token blacklist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.", "propertyOrder" : 1, "required" : true, "type" : "integer", "exampleValue" : "" }, "jwtTokenUnreasonableLifetime" : { "title" : "JWT Unreasonable Lifetime (seconds)", "description" : "Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the \"iat\" claim value is present, the token must not be older than the specified duration.", "propertyOrder" : 8, "required" : true, "type" : "integer", "exampleValue" : "" }, "blacklistPurgeDelay" : { "title" : "Blacklist Purge Delay (minutes)", "description" : "Length of time to blacklist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.", "propertyOrder" : 2, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessGrantTokenUpgradeCompatibilityMode" : { "title" : "Client-Based Grant Token Upgrade Compatibility Mode", "description" : "Enable OpenAM to consume and create client-based OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume client-based OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.", "propertyOrder" : 5, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtTokenLifetimeValidationEnabled" : { "title" : "Enforce JWT Unreasonable Lifetime", "description" : "Enable the enforcement of JWT token unreasonable lifetime during validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.", "propertyOrder" : 7, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaults" : { "properties" : { "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Store Ops Tokens", "description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>URLENCODED_PEM</code> - a URL-encoded PEM format certificate. This is the format used by Nginx.</li><li><code>X_FORWARDED_CLIENT_CERT</code> - the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a>format used by Envoy and Istio.</li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "scopeImplementationClass" : { "title" : "Scope Implementation Class", "description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.", "propertyOrder" : 70, "required" : true, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Whitelist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Based Token Compression", "description" : "Whether client-based access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Based Tokens", "description" : "Whether client-based access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "PEM-encoded certificate to use to verify OCSP responses.<br><br>If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "OAuth2 Access Token Modification Script", "description" : "The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Based Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }