Amster

OIDCIDTokenValidator

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/OidcNode

Resource version: 1.0

create

Usage

am> create OIDCIDTokenValidator --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "audienceName" : {
      "title" : "Audience name",
      "description" : "The audience name for this OpenID Connect node. It is checked against the audience (aud) claim of the received ID token to confirm that the token is intended for this node.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "script" : {
      "title" : "Transformation Script",
      "description" : "A script that can transform the ID token's claims into object data.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationValue" : {
      "title" : "OpenID Connect Validation Value",
      "description" : "Specifies the full URL of the discovery document or JWK set location, corresponding to the configuration type selected in the OpenID Connect Validation Type property. If client_secret is the selected validation type, this entry is ignored and the value of the Client Secret is used.<p> Example: https://accounts.google.com/.well-known/openid-configuration",
      "propertyOrder" : 200,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration"
    },
    "inputs" : {
      "title" : "Script Inputs",
      "description" : "A list of state inputs that can be used by the script.",
      "propertyOrder" : 900,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "oidcValidationType" : {
      "title" : "OpenID Connect Validation Type",
      "description" : "In order to validate the ID token from the OpenID Connect provider, the node needs either a URL from which to get the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url, which means the node retrieves the keys based on information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the authentication node to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON web key set.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "unreasonableLifetimeLimit" : {
      "title" : "Unreasonable Lifetime Limit",
      "description" : "During token validation, AM enforces that the token must expire within the specified duration and, if the \"iat\" claim is present, that the token is not older than the specified duration. This value is in minutes.",
      "propertyOrder" : 1000,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authorisedParties" : {
      "title" : "Authorized parties",
      "description" : "A list of case-sensitive accepted authorized parties, which can be either string or URI values. This list is checked against the authorized party (azp) claim of the ID token.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Token Issuer",
      "description" : "Name of the OpenID Connect ID token issuer. The value must match the iss claim of the issued ID token, e.g. <code>accounts.google.com</code>",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com"
    },
    "secretId" : {
      "title" : "Client Secret Id",
      "description" : "Specifies the id of the client secret. One of the secret stores configured in AM should contain a secret with the given id. <p>For more information on the OAuth client_id parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : "clientsecret"
    },
    "headerName" : {
      "title" : "ID Token Header Name",
      "description" : "Name of the header that carries the ID token.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    }
  },
  "required" : [ "oidcValidationType", "oidcValidationValue", "audienceName", "inputs", "unreasonableLifetimeLimit", "authorisedParties", "headerName", "idTokenIssuer", "script" ]
}

delete

Usage

am> delete OIDCIDTokenValidator --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action OIDCIDTokenValidator --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.

Usage

am> query OIDCIDTokenValidator --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read OIDCIDTokenValidator --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update OIDCIDTokenValidator --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "audienceName" : {
      "title" : "Audience name",
      "description" : "The audience name for this OpenID Connect node. It is checked against the audience (aud) claim of the received ID token to confirm that the token is intended for this node.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "script" : {
      "title" : "Transformation Script",
      "description" : "A script that can transform the ID token's claims into object data.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationValue" : {
      "title" : "OpenID Connect Validation Value",
      "description" : "Specifies the full URL of the discovery document or JWK set location, corresponding to the configuration type selected in the OpenID Connect Validation Type property. If client_secret is the selected validation type, this entry is ignored and the value of the Client Secret is used.<p> Example: https://accounts.google.com/.well-known/openid-configuration",
      "propertyOrder" : 200,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration"
    },
    "inputs" : {
      "title" : "Script Inputs",
      "description" : "A list of state inputs that can be used by the script.",
      "propertyOrder" : 900,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "oidcValidationType" : {
      "title" : "OpenID Connect Validation Type",
      "description" : "In order to validate the ID token from the OpenID Connect provider, the node needs either a URL from which to get the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the configuration type is .well-known/openid-configuration_url, which means the node retrieves the keys based on information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the authentication node to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON web key set.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "unreasonableLifetimeLimit" : {
      "title" : "Unreasonable Lifetime Limit",
      "description" : "During token validation, AM enforces that the token must expire within the specified duration and, if the \"iat\" claim is present, that the token is not older than the specified duration. This value is in minutes.",
      "propertyOrder" : 1000,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authorisedParties" : {
      "title" : "Authorized parties",
      "description" : "A list of case-sensitive accepted authorized parties, which can be either string or URI values. This list is checked against the authorized party (azp) claim of the ID token.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Token Issuer",
      "description" : "Name of the OpenID Connect ID token issuer. The value must match the iss claim of the issued ID token, e.g. <code>accounts.google.com</code>",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com"
    },
    "secretId" : {
      "title" : "Client Secret Id",
      "description" : "Specifies the id of the client secret. One of the secret stores configured in AM should contain a secret with the given id. <p>For more information on the OAuth client_id parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : "clientsecret"
    },
    "headerName" : {
      "title" : "ID Token Header Name",
      "description" : "Name of the header that carries the ID token.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    }
  },
  "required" : [ "oidcValidationType", "oidcValidationValue", "audienceName", "inputs", "unreasonableLifetimeLimit", "authorisedParties", "headerName", "idTokenIssuer", "script" ]
}