Amster

SocialAuthTwitterModule

Realm Operations

Resource path:

/realm-config/authentication/modules/authSocialTwitter

Resource version: 2.0

create

Usage

am> create SocialAuthTwitterModule --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "ssoProxyUrl" : {
          "title" : "Proxy URL",
          "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET-to-POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientSecret" : {
          "title" : "Client Secret",
          "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "userInfoEndpoint" : {
          "title" : "User Profile Service URL",
          "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizeEndpoint" : {
          "title" : "Authentication Endpoint URL",
          "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestTokenEndpoint" : {
          "title" : "Request Token Endpoint URL",
          "description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "subjectProperty" : {
          "title" : "Subject Property",
          "description" : "Property used to identify which attribute an auth server identifies a user by.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usesBasicAuth" : {
          "title" : "Use Basic Auth",
          "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tokenEndpoint" : {
          "title" : "Access Token Endpoint URL",
          "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientId" : {
          "title" : "Client Id",
          "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "provider" : {
          "title" : "Social Provider",
          "description" : "Social Provider for which this module is being setup.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "accountProvisioning" : {
      "type" : "object",
      "title" : "Account Provisioning",
      "propertyOrder" : 1,
      "properties" : {
        "saveAttributesInSession" : {
          "title" : "Save attributes in the session",
          "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
          "propertyOrder" : 2400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accountMapperClass" : {
          "title" : "Account Mapper",
          "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accountMapperConfiguration" : {
          "title" : "Account Mapper Configuration",
          "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "anonymousUserName" : {
          "title" : "Anonymous User",
          "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "attributeMappingClasses" : {
          "title" : "Attribute Mapper",
          "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRegistrationService" : {
          "title" : "Use IDM as Registration Service",
          "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
          "propertyOrder" : 1350,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mapToAnonymousUser" : {
          "title" : "Map to anonymous user",
          "description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMapperConfiguration" : {
          "title" : "Attribute Mapper Configuration",
          "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "createAccount" : {
          "title" : "Create account if it does not exist",
          "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
          "propertyOrder" : 1360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accountProviderClass" : {
          "title" : "Account Provider",
          "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete SocialAuthTwitterModule --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action SocialAuthTwitterModule --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action SocialAuthTwitterModule --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action SocialAuthTwitterModule --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.

Usage

am> query SocialAuthTwitterModule --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read SocialAuthTwitterModule --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update SocialAuthTwitterModule --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "ssoProxyUrl" : {
          "title" : "Proxy URL",
          "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET-to-POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientSecret" : {
          "title" : "Client Secret",
          "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "userInfoEndpoint" : {
          "title" : "User Profile Service URL",
          "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authorizeEndpoint" : {
          "title" : "Authentication Endpoint URL",
          "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "requestTokenEndpoint" : {
          "title" : "Request Token Endpoint URL",
          "description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "subjectProperty" : {
          "title" : "Subject Property",
          "description" : "Property used to identify which attribute an auth server identifies a user by.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usesBasicAuth" : {
          "title" : "Use Basic Auth",
          "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "tokenEndpoint" : {
          "title" : "Access Token Endpoint URL",
          "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientId" : {
          "title" : "Client Id",
          "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "provider" : {
          "title" : "Social Provider",
          "description" : "Social Provider for which this module is being setup.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "accountProvisioning" : {
      "type" : "object",
      "title" : "Account Provisioning",
      "propertyOrder" : 1,
      "properties" : {
        "saveAttributesInSession" : {
          "title" : "Save attributes in the session",
          "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
          "propertyOrder" : 2400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accountMapperClass" : {
          "title" : "Account Mapper",
          "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "accountMapperConfiguration" : {
          "title" : "Account Mapper Configuration",
          "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "anonymousUserName" : {
          "title" : "Anonymous User",
          "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "attributeMappingClasses" : {
          "title" : "Attribute Mapper",
          "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enableRegistrationService" : {
          "title" : "Use IDM as Registration Service",
          "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
          "propertyOrder" : 1350,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "mapToAnonymousUser" : {
          "title" : "Map to anonymous user",
          "description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "attributeMapperConfiguration" : {
          "title" : "Attribute Mapper Configuration",
          "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "createAccount" : {
          "title" : "Create account if it does not exist",
          "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
          "propertyOrder" : 1360,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "accountProviderClass" : {
          "title" : "Account Provider",
          "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

Global Operations

Resource path:

/global-config/authentication/modules/authSocialTwitter

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action SocialAuthTwitterModule --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action SocialAuthTwitterModule --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action SocialAuthTwitterModule --global --actionName nextdescendents

read

Usage

am> read SocialAuthTwitterModule --global

update

Usage

am> update SocialAuthTwitterModule --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "core" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : 0,
          "properties" : {
            "userInfoEndpoint" : {
              "title" : "User Profile Service URL",
              "description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "usesBasicAuth" : {
              "title" : "Use Basic Auth",
              "description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "subjectProperty" : {
              "title" : "Subject Property",
              "description" : "Property used to identify which attribute an auth server identifies a user by.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "requestTokenEndpoint" : {
              "title" : "Request Token Endpoint URL",
              "description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "provider" : {
              "title" : "Social Provider",
              "description" : "Social Provider for which this module is being setup.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "clientId" : {
              "title" : "Client Id",
              "description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "ssoProxyUrl" : {
              "title" : "Proxy URL",
              "description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET-to-POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "tokenEndpoint" : {
              "title" : "Access Token Endpoint URL",
              "description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "authorizeEndpoint" : {
              "title" : "Authentication Endpoint URL",
              "description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "clientSecret" : {
              "title" : "Client Secret",
              "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
              "propertyOrder" : 500,
              "required" : true,
              "type" : "string",
              "format" : "password",
              "exampleValue" : ""
            },
            "authenticationLevel" : {
              "title" : "Authentication Level",
              "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        },
        "accountProvisioning" : {
          "type" : "object",
          "title" : "Account Provisioning",
          "propertyOrder" : 1,
          "properties" : {
            "mapToAnonymousUser" : {
              "title" : "Map to anonymous user",
              "description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
              "propertyOrder" : 2000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "accountProviderClass" : {
              "title" : "Account Provider",
              "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "anonymousUserName" : {
              "title" : "Anonymous User",
              "description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "attributeMapperConfiguration" : {
              "title" : "Attribute Mapper Configuration",
              "description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
              "propertyOrder" : 1800,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "saveAttributesInSession" : {
              "title" : "Save attributes in the session",
              "description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
              "propertyOrder" : 2400,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "accountMapperConfiguration" : {
              "title" : "Account Mapper Configuration",
              "description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
              "propertyOrder" : 1600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "attributeMappingClasses" : {
              "title" : "Attribute Mapper",
              "description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1700,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "accountMapperClass" : {
              "title" : "Account Mapper",
              "description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "createAccount" : {
              "title" : "Create account if it does not exist",
              "description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper creates the account dynamically when no existing account is mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, three alternatives exist:<br/><br/><ol><li>The account must already have a user profile in the OpenAM User Data Store.</li><li>The user has no user profile and \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see the parameters \"Map to anonymous user\" and \"Anonymous User\").</li></ol>",
              "propertyOrder" : 1360,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "enableRegistrationService" : {
              "title" : "Use IDM as Registration Service",
              "description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
              "propertyOrder" : 1350,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}