Amster

OAuth2ClientAgentGroups

Realm Operations

Agent Groups handler that is responsible for managing agent groups

Resource path:

/realm-config/agents/groups/OAuth2Client

Resource version: 1.0

create

Usage

am> create OAuth2ClientAgentGroups --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "advancedOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "sectorIdentifierUri" : {
          "title" : "Sector Identifier URI",
          "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
          "propertyOrder" : 24300,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "contacts" : {
          "title" : "Contacts",
          "description" : "Email addresses of users who can administrate this client.",
          "propertyOrder" : 23900,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientUri" : {
          "title" : "Client URI",
          "description" : "The URI for finding further information about the client from user-facing UIs.",
          "propertyOrder" : 25325,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.",
          "propertyOrder" : 23800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenEndpointAuthMethod" : {
          "title" : "Token Endpoint Authentication Method",
          "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
          "propertyOrder" : 24000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "name" : {
          "title" : "Display name",
          "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
          "propertyOrder" : 23500,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "javascriptOrigins" : {
          "title" : "JavaScript Origins",
          "description" : "",
          "propertyOrder" : 23650,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "requestUris" : {
          "title" : "Request uris",
          "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.",
          "propertyOrder" : 23700,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "subjectType" : {
          "title" : "Subject Type",
          "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2 Provider service setting.",
          "propertyOrder" : 24400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "refreshTokenGracePeriod" : {
          "title" : "Refresh Token Grace Period (seconds)",
          "description" : "The time in seconds that a refresh token may be replayed to allow a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue.<br>Only applies to stateful tokens in a one-to-one storage scheme. This value should be kept as short as possible, and must not exceed 120 seconds. To deactivate the grace period set the value to -1. If this value is set to 0, the Refresh Token Grace Period of the OAuth2 Provider will be used instead.",
          "propertyOrder" : 26150,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "tosURI" : {
          "title" : "Terms of Service URI",
          "description" : "The URI for the client's terms of service.",
          "propertyOrder" : 25390,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "customProperties" : {
          "title" : "Custom Properties",
          "description" : "Additional properties that allow users to augment the set of properties supported by the OAuth2 Client. <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
          "propertyOrder" : 35100,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "descriptions" : {
          "title" : "Display description",
          "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
          "propertyOrder" : 23600,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "policyUri" : {
          "title" : "Privacy Policy URI",
          "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.",
          "propertyOrder" : 25375,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "softwareIdentity" : {
          "title" : "Software Identity",
          "description" : "A unique identifier assigned by the client developer or software publisher to identity the client software.",
          "propertyOrder" : 35400,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypes" : {
          "title" : "Response Types",
          "description" : "Response types this client will support and use.",
          "propertyOrder" : 23800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "softwareVersion" : {
          "title" : "Software Version",
          "description" : "A version identifier string for the identifier defined in the Software Identity.",
          "propertyOrder" : 35500,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenExchangeAuthLevel" : {
          "title" : "Token Exchange Auth Level",
          "description" : "Auth level granted to tokens generated as a result of a Token Exchange, where the input token had no original auth_level claim. (e.g. When exchanging ID Token for an Access Token)",
          "propertyOrder" : 10100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "isConsentImplied" : {
          "title" : "Implied consent",
          "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
          "propertyOrder" : 26200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
          "propertyOrder" : 26300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "logoUri" : {
          "title" : "Logo URI",
          "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.",
          "propertyOrder" : 25350,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "require_pushed_authorization_requests" : {
          "title" : "Require Pushed Authorization Requests",
          "description" : "If enabled, the client must use the PAR endpoint to initiate authorization requests. Note that, even if this value is set to false, the authorization server may be configured to enforce PAR for all clients.",
          "propertyOrder" : 35600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "updateAccessToken" : {
          "title" : "Access Token",
          "description" : "The access token used to update the client.",
          "propertyOrder" : 25100,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "signEncOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Signing and Encryption",
      "propertyOrder" : 3,
      "properties" : {
        "userinfoSignedResponseAlg" : {
          "title" : "User info signed response algorithm",
          "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
          "propertyOrder" : 27200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwkStoreCacheMissCacheTime" : {
          "title" : "JWKs URI content cache miss cache time",
          "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
          "propertyOrder" : 24120,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "tokenIntrospectionResponseFormat" : {
          "title" : "Token introspection response format",
          "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03",
          "propertyOrder" : 27800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseEncryptionAlgorithm" : {
          "title" : "Authorization Response JWT Encryption Algorithm",
          "description" : "Algorithm the Authorization Response JWT for this client must be encrypted with.",
          "propertyOrder" : 24803,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwksUri" : {
          "title" : "Json Web Key URI",
          "description" : "The uri that contains the client's public keys in Json Web Key format.",
          "propertyOrder" : 24100,
          "required" : false,
          "type" : "string",
          "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri"
        },
        "userinfoEncryptedResponseEncryptionAlgorithm" : {
          "title" : "User info encrypted response encryption algorithm",
          "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseSigningAlgorithm" : {
          "title" : "Authorization Response JWT Signing Algorithm",
          "description" : "Algorithm the Authorization Response JWT for this client must be signed with.",
          "propertyOrder" : 24801,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionSignedResponseAlg" : {
          "title" : "Token introspection response signing algorithm",
          "description" : "Algorithm used for signing the introspection JWT response.",
          "propertyOrder" : 27810,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenEncryptionAlgorithm" : {
          "title" : "ID Token Encryption Algorithm",
          "description" : "Algorithm the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : {
          "title" : "Token introspection encrypted response encryption algorithm",
          "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27830,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userinfoEncryptedResponseAlg" : {
          "title" : "User info encrypted response algorithm",
          "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
          "propertyOrder" : 27300,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSSubjectDN" : {
          "title" : "mTLS Subject DN",
          "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=&lt;client_id&gt;. Only applicable when using CA-signed certificates.",
          "propertyOrder" : 25406,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "publicKeyLocation" : {
          "title" : "Public key selector",
          "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
          "propertyOrder" : 25700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenSignedResponseAlg" : {
          "title" : "ID Token Signing Algorithm",
          "description" : "Algorithm the ID Token for this client must be signed with.",
          "propertyOrder" : 24500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEndpointAuthSigningAlgorithm" : {
          "title" : "Token Endpoint Authentication Signing Algorithm",
          "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
          "propertyOrder" : 24130,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenPublicEncryptionKey" : {
          "title" : "Client ID Token Public Encryption Key",
          "description" : "A Base64 encoded public key for encrypting ID Tokens.",
          "propertyOrder" : 24900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestParameterSignedAlg" : {
          "title" : "Request parameter signing algorithm",
          "description" : "JWS algorithm for signing the request parameter.",
          "propertyOrder" : 27500,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseEncryptionMethod" : {
          "title" : "Authorization Response JWT Encryption Method",
          "description" : "Encryption method the Authorization Response JWT for this client must be encrypted with.",
          "propertyOrder" : 24804,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientJwtPublicKey" : {
          "title" : "Client JWT Bearer Public Key",
          "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
          "propertyOrder" : 25400,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSCertificateBoundAccessTokens" : {
          "title" : "Use Certificate-Bound Access Tokens",
          "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.",
          "propertyOrder" : 25507,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "jwkSet" : {
          "title" : "Json Web Key",
          "description" : "Raw JSON Web Key value containing the client's public keys.",
          "propertyOrder" : 24200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionEncryptedResponseAlg" : {
          "title" : "Token introspection response encryption algorithm",
          "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27820,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenEncryptionEnabled" : {
          "title" : "Enable ID Token Encryption",
          "description" : "Select to enable ID token encryption.",
          "propertyOrder" : 24600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requestParameterEncryptedEncryptionAlgorithm" : {
          "title" : "Request parameter encryption method",
          "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userinfoResponseFormat" : {
          "title" : "User info response format.",
          "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
          "propertyOrder" : 27100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwksCacheTimeout" : {
          "title" : "JWKs URI content cache timeout in ms",
          "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
          "propertyOrder" : 24110,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "idTokenEncryptionMethod" : {
          "title" : "ID Token Encryption Method",
          "description" : "Encryption method the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestParameterEncryptedAlg" : {
          "title" : "Request parameter encryption algorithm",
          "description" : "JWE algorithm for encrypting the request parameter.",
          "propertyOrder" : 27600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSTrustedCert" : {
          "title" : "mTLS Self-Signed Certificate",
          "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.",
          "propertyOrder" : 25405,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "clientType" : {
          "title" : "Client type",
          "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
          "propertyOrder" : 23100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "status" : {
          "title" : "Status",
          "description" : "Status of the agent configuration.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationCodeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 25800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "scopes" : {
          "title" : "Scope(s)",
          "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23300,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Scope(s)",
          "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23700,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loopbackInterfaceRedirection" : {
          "title" : "Allow wildcard ports in redirect URIs",
          "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>",
          "propertyOrder" : 23150,
          "required" : false,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
          "propertyOrder" : 25900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "redirectionUris" : {
          "title" : "Redirection URIs",
          "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientName" : {
          "title" : "Client Name",
          "description" : "This value is a readable name for this client.",
          "propertyOrder" : 25300,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOpenIDClientConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 2,
      "properties" : {
        "backchannel_logout_uri" : {
          "title" : "Backchannel Logout URL",
          "description" : "RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. This URL SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs.",
          "propertyOrder" : 35200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "claims" : {
          "title" : "Claim(s)",
          "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
          "propertyOrder" : 23400,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "postLogoutRedirectUri" : {
          "title" : "Post Logout Redirect URIs",
          "description" : "URIs that can be redirected to after the client logout process.",
          "propertyOrder" : 25000,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultMaxAgeEnabled" : {
          "title" : "Default Max Age Enabled",
          "description" : "Whether or not the default max age is enforced.",
          "propertyOrder" : 25600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultAcrValues" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 25650,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "defaultMaxAge" : {
          "title" : "Default Max Age",
          "description" : "Minimum value 0. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
          "propertyOrder" : 25500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "backchannel_logout_session_required" : {
          "title" : "Backchannel Logout Session Required",
          "description" : "Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the Backchannel Logout URL is used.",
          "propertyOrder" : 35300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "clientSessionUri" : {
          "title" : "Client Session URI",
          "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
          "propertyOrder" : 25200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreUmaClientConfig" : {
      "type" : "object",
      "title" : "UMA",
      "propertyOrder" : 4,
      "properties" : {
        "claimsRedirectionUris" : {
          "title" : "Claims Redirection URIs",
          "description" : "Redirection URIs for returning to the client from UMA claims collection. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete OAuth2ClientAgentGroups --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OAuth2ClientAgentGroups --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OAuth2ClientAgentGroups --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OAuth2ClientAgentGroups --realm Realm --actionName nextdescendents

query

Querying the agent groups of a specific type

Usage

am> query OAuth2ClientAgentGroups --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read OAuth2ClientAgentGroups --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update OAuth2ClientAgentGroups --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "advancedOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "sectorIdentifierUri" : {
          "title" : "Sector Identifier URI",
          "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
          "propertyOrder" : 24300,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "contacts" : {
          "title" : "Contacts",
          "description" : "Email addresses of users who can administrate this client.",
          "propertyOrder" : 23900,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientUri" : {
          "title" : "Client URI",
          "description" : "The URI for finding further information about the client from user-facing UIs.",
          "propertyOrder" : 25325,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.",
          "propertyOrder" : 23800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "tokenEndpointAuthMethod" : {
          "title" : "Token Endpoint Authentication Method",
          "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
          "propertyOrder" : 24000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "name" : {
          "title" : "Display name",
          "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
          "propertyOrder" : 23500,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "javascriptOrigins" : {
          "title" : "JavaScript Origins",
          "description" : "",
          "propertyOrder" : 23650,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "requestUris" : {
          "title" : "Request uris",
          "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.",
          "propertyOrder" : 23700,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "subjectType" : {
          "title" : "Subject Type",
          "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2 Provider service setting.",
          "propertyOrder" : 24400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "refreshTokenGracePeriod" : {
          "title" : "Refresh Token Grace Period (seconds)",
          "description" : "The time in seconds that a refresh token may be replayed to allow a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue.<br>Only applies to stateful tokens in a one-to-one storage scheme. This value should be kept as short as possible, and must not exceed 120 seconds. To deactivate the grace period set the value to -1. If this value is set to 0, the Refresh Token Grace Period of the OAuth2 Provider will be used instead.",
          "propertyOrder" : 26150,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "tosURI" : {
          "title" : "Terms of Service URI",
          "description" : "The URI for the client's terms of service.",
          "propertyOrder" : 25390,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "customProperties" : {
          "title" : "Custom Properties",
          "description" : "Additional properties that allow users to augment the set of properties supported by the OAuth2 Client. <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
          "propertyOrder" : 35100,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "descriptions" : {
          "title" : "Display description",
          "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
          "propertyOrder" : 23600,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "policyUri" : {
          "title" : "Privacy Policy URI",
          "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.",
          "propertyOrder" : 25375,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "softwareIdentity" : {
          "title" : "Software Identity",
          "description" : "A unique identifier assigned by the client developer or software publisher to identity the client software.",
          "propertyOrder" : 35400,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "responseTypes" : {
          "title" : "Response Types",
          "description" : "Response types this client will support and use.",
          "propertyOrder" : 23800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "softwareVersion" : {
          "title" : "Software Version",
          "description" : "A version identifier string for the identifier defined in the Software Identity.",
          "propertyOrder" : 35500,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenExchangeAuthLevel" : {
          "title" : "Token Exchange Auth Level",
          "description" : "Auth level granted to tokens generated as a result of a Token Exchange, where the input token had no original auth_level claim. (e.g. When exchanging ID Token for an Access Token)",
          "propertyOrder" : 10100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "isConsentImplied" : {
          "title" : "Implied consent",
          "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
          "propertyOrder" : 26200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
          "propertyOrder" : 26300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "logoUri" : {
          "title" : "Logo URI",
          "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.",
          "propertyOrder" : 25350,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "require_pushed_authorization_requests" : {
          "title" : "Require Pushed Authorization Requests",
          "description" : "If enabled, the client must use the PAR endpoint to initiate authorization requests. Note that, even if this value is set to false, the authorization server may be configured to enforce PAR for all clients.",
          "propertyOrder" : 35600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "updateAccessToken" : {
          "title" : "Access Token",
          "description" : "The access token used to update the client.",
          "propertyOrder" : 25100,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "signEncOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Signing and Encryption",
      "propertyOrder" : 3,
      "properties" : {
        "userinfoSignedResponseAlg" : {
          "title" : "User info signed response algorithm",
          "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
          "propertyOrder" : 27200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwkStoreCacheMissCacheTime" : {
          "title" : "JWKs URI content cache miss cache time",
          "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
          "propertyOrder" : 24120,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "tokenIntrospectionResponseFormat" : {
          "title" : "Token introspection response format",
          "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03",
          "propertyOrder" : 27800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseEncryptionAlgorithm" : {
          "title" : "Authorization Response JWT Encryption Algorithm",
          "description" : "Algorithm the Authorization Response JWT for this client must be encrypted with.",
          "propertyOrder" : 24803,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwksUri" : {
          "title" : "Json Web Key URI",
          "description" : "The uri that contains the client's public keys in Json Web Key format.",
          "propertyOrder" : 24100,
          "required" : false,
          "type" : "string",
          "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri"
        },
        "userinfoEncryptedResponseEncryptionAlgorithm" : {
          "title" : "User info encrypted response encryption algorithm",
          "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseSigningAlgorithm" : {
          "title" : "Authorization Response JWT Signing Algorithm",
          "description" : "Algorithm the Authorization Response JWT for this client must be signed with.",
          "propertyOrder" : 24801,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionSignedResponseAlg" : {
          "title" : "Token introspection response signing algorithm",
          "description" : "Algorithm used for signing the introspection JWT response.",
          "propertyOrder" : 27810,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenEncryptionAlgorithm" : {
          "title" : "ID Token Encryption Algorithm",
          "description" : "Algorithm the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : {
          "title" : "Token introspection encrypted response encryption algorithm",
          "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27830,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userinfoEncryptedResponseAlg" : {
          "title" : "User info encrypted response algorithm",
          "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
          "propertyOrder" : 27300,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSSubjectDN" : {
          "title" : "mTLS Subject DN",
          "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=&lt;client_id&gt;. Only applicable when using CA-signed certificates.",
          "propertyOrder" : 25406,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "publicKeyLocation" : {
          "title" : "Public key selector",
          "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
          "propertyOrder" : 25700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenSignedResponseAlg" : {
          "title" : "ID Token Signing Algorithm",
          "description" : "Algorithm the ID Token for this client must be signed with.",
          "propertyOrder" : 24500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenEndpointAuthSigningAlgorithm" : {
          "title" : "Token Endpoint Authentication Signing Algorithm",
          "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
          "propertyOrder" : 24130,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenPublicEncryptionKey" : {
          "title" : "Client ID Token Public Encryption Key",
          "description" : "A Base64 encoded public key for encrypting ID Tokens.",
          "propertyOrder" : 24900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestParameterSignedAlg" : {
          "title" : "Request parameter signing algorithm",
          "description" : "JWS algorithm for signing the request parameter.",
          "propertyOrder" : 27500,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationResponseEncryptionMethod" : {
          "title" : "Authorization Response JWT Encryption Method",
          "description" : "Encryption method the Authorization Response JWT for this client must be encrypted with.",
          "propertyOrder" : 24804,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientJwtPublicKey" : {
          "title" : "Client JWT Bearer Public Key",
          "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
          "propertyOrder" : 25400,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSCertificateBoundAccessTokens" : {
          "title" : "Use Certificate-Bound Access Tokens",
          "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.",
          "propertyOrder" : 25507,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "jwkSet" : {
          "title" : "Json Web Key",
          "description" : "Raw JSON Web Key value containing the client's public keys.",
          "propertyOrder" : 24200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "tokenIntrospectionEncryptedResponseAlg" : {
          "title" : "Token introspection response encryption algorithm",
          "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27820,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "idTokenEncryptionEnabled" : {
          "title" : "Enable ID Token Encryption",
          "description" : "Select to enable ID token encryption.",
          "propertyOrder" : 24600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "requestParameterEncryptedEncryptionAlgorithm" : {
          "title" : "Request parameter encryption method",
          "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userinfoResponseFormat" : {
          "title" : "User info response format.",
          "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
          "propertyOrder" : 27100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "jwksCacheTimeout" : {
          "title" : "JWKs URI content cache timeout in ms",
          "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
          "propertyOrder" : 24110,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "idTokenEncryptionMethod" : {
          "title" : "ID Token Encryption Method",
          "description" : "Encryption method the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestParameterEncryptedAlg" : {
          "title" : "Request parameter encryption algorithm",
          "description" : "JWE algorithm for encrypting the request parameter.",
          "propertyOrder" : 27600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "mTLSTrustedCert" : {
          "title" : "mTLS Self-Signed Certificate",
          "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.",
          "propertyOrder" : 25405,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "clientType" : {
          "title" : "Client type",
          "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
          "propertyOrder" : 23100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "status" : {
          "title" : "Status",
          "description" : "Status of the agent configuration.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizationCodeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 25800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "scopes" : {
          "title" : "Scope(s)",
          "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23300,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultScopes" : {
          "title" : "Default Scope(s)",
          "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23700,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loopbackInterfaceRedirection" : {
          "title" : "Allow wildcard ports in redirect URIs",
          "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>",
          "propertyOrder" : 23150,
          "required" : false,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
          "propertyOrder" : 25900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "redirectionUris" : {
          "title" : "Redirection URIs",
          "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "clientName" : {
          "title" : "Client Name",
          "description" : "This value is a readable name for this client.",
          "propertyOrder" : 25300,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "coreOpenIDClientConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 2,
      "properties" : {
        "backchannel_logout_uri" : {
          "title" : "Backchannel Logout URL",
          "description" : "RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. This URL SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs.",
          "propertyOrder" : 35200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "claims" : {
          "title" : "Claim(s)",
          "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
          "propertyOrder" : 23400,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "postLogoutRedirectUri" : {
          "title" : "Post Logout Redirect URIs",
          "description" : "URIs that can be redirected to after the client logout process.",
          "propertyOrder" : 25000,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultMaxAgeEnabled" : {
          "title" : "Default Max Age Enabled",
          "description" : "Whether or not the default max age is enforced.",
          "propertyOrder" : 25600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultAcrValues" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 25650,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "defaultMaxAge" : {
          "title" : "Default Max Age",
          "description" : "Minimum value 0. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
          "propertyOrder" : 25500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "backchannel_logout_session_required" : {
          "title" : "Backchannel Logout Session Required",
          "description" : "Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the Backchannel Logout URL is used.",
          "propertyOrder" : 35300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "clientSessionUri" : {
          "title" : "Client Session URI",
          "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
          "propertyOrder" : 25200,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "coreUmaClientConfig" : {
      "type" : "object",
      "title" : "UMA",
      "propertyOrder" : 4,
      "properties" : {
        "claimsRedirectionUris" : {
          "title" : "Claims Redirection URIs",
          "description" : "Redirection URIs for returning to the client from UMA claims collection. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}