HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism
The HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism is used to define OAuth2 authorization using an introspection (RFC7662) compliant authorization server.
Parent
The HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism object inherits from HTTP OAuth2 Authorization Mechanism.
Dependencies
HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanisms depend on the following objects:
HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism Properties
You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.
access-token-cache-enabled
Synopsis |
Indicates whether the HTTP OAuth2 Authorization Mechanism is enabled for use. |
Default Value |
false |
Allowed Values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
access-token-cache-expiration
Synopsis |
Token cache expiration |
Default Value |
None |
Allowed Values |
|
Multi-valued |
No |
Required |
No |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
authzid-json-pointer
Synopsis |
Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. |
Default Value |
None |
Allowed Values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
client-id
Synopsis |
Client’s ID to use during the HTTP basic authentication against the authorization server. |
Default Value |
None |
Allowed Values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
client-secret
Synopsis |
Client’s secret to use during the HTTP basic authentication against the authorization server. |
Default Value |
None |
Allowed Values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
enabled
Synopsis |
Indicates whether the HTTP Authorization Mechanism is enabled. |
Default Value |
None |
Allowed Values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
identity-mapper
Synopsis |
Specifies the name of the identity mapper(s) to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token. |
Default Value |
None |
Allowed Values |
The name of an existing identity-mapper. The referenced identity mapper(s) must be enabled when the HTTP OAuth2 Authorization Mechanism is enabled. |
Multi-valued |
Yes |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
key-manager-provider
Synopsis |
Specifies the name of the key manager that should be used with this HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism . |
Default Value |
None |
Allowed Values |
The name of an existing key-manager-provider. The referenced key manager provider must be enabled. |
Multi-valued |
No |
Required |
No |
Admin Action Required |
None Changes to this property take effect immediately, but only for subsequent requests to the authorization server. |
Advanced |
No |
Read-Only |
No |
required-scope
Synopsis |
Scopes required to grant access to the service. |
Default Value |
None |
Allowed Values |
A string. |
Multi-valued |
Yes |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
ssl-cert-nickname
Synopsis |
Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism should use when performing SSL communication. |
Description |
The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism is configured to use SSL. |
Default Value |
Let the server decide. |
Allowed Values |
A string. |
Multi-valued |
Yes |
Required |
No |
Admin Action Required |
The object must be disabled and re-enabled for changes to take effect. |
Advanced |
No |
Read-Only |
No |
ssl-cipher-suite
Synopsis |
Specifies the names of the SSL cipher suites that are allowed for use in SSL or TLS communication. |
Default Value |
Uses the default set of SSL cipher suites provided by the server’s JVM. |
Allowed Values |
A string. |
Multi-valued |
Yes |
Required |
No |
Admin Action Required |
None Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change. |
Advanced |
No |
Read-Only |
No |
ssl-protocol
Synopsis |
Specifies the names of the SSL protocols that are allowed for use in SSL or TLS communication. |
Default Value |
Uses the default set of SSL protocols provided by the server’s JVM. |
Allowed Values |
A string. |
Multi-valued |
Yes |
Required |
No |
Admin Action Required |
None Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change. |
Advanced |
No |
Read-Only |
No |
token-introspection-url
Synopsis |
Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect) |
Default Value |
None |
Allowed Values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
No |
Read-Only |
No |
trust-manager-provider
Synopsis |
Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server. |
Default Value |
By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted. |
Allowed Values |
The name of an existing trust-manager-provider. The referenced trust manager provider must be enabled when SSL is enabled. |
Multi-valued |
No |
Required |
No |
Admin Action Required |
None Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations. |
Advanced |
No |
Read-Only |
No |
Advanced Properties
Use the --advanced
option to access advanced properties.
java-class
Synopsis |
Specifies the fully-qualified name of the Java class that provides the HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism implementation. |
Default Value |
org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism |
Allowed Values |
A Java class that extends or implements:
|
Multi-valued |
No |
Required |
Yes |
Admin Action Required |
None |
Advanced |
Yes |
Read-Only |
No |