OAuth2Provider
Realm Operations
Resource path:
/realm-config/services/oauth-oidc
Resource version: 0.0
create
Usage
am> create OAuth2Provider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "acceptAudienceParametersInTokenExchangeRequests" : { "title" : "Accept Audience Parameters in Token Exchange Requests", "description" : "When enabled, AM validates audience parameter values in token exchange requests against the values defined in Allowed Resource Server Audience Values on the client. If validation fails, the token exchange request is rejected.", "propertyOrder" : 1590, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "enableApplicationContext" : { "title" : "Enable Application Context", "description" : "When enabled, this setting makes the application context available in all OAuth2 / OIDC flows as the <code>oauthApplication</code> binding in scripted decision node scripts.", "propertyOrder" : 1540, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" }, "realmAllowUnauthorisedAccessToUserCodeForm" : { "title" : "Allow unauthenticated user code entry", "description" : "If enabled, during an OAuth 2.0 device code authentication flow users can access and input a user code without first logging in.", "propertyOrder" : 409, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName nextdescendents
update
Usage
am> update OAuth2Provider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "acceptAudienceParametersInTokenExchangeRequests" : { "title" : "Accept Audience Parameters in Token Exchange Requests", "description" : "When enabled, AM validates audience parameter values in token exchange requests against the values defined in Allowed Resource Server Audience Values on the client. If validation fails, the token exchange request is rejected.", "propertyOrder" : 1590, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "enableApplicationContext" : { "title" : "Enable Application Context", "description" : "When enabled, this setting makes the application context available in all OAuth2 / OIDC flows as the <code>oauthApplication</code> binding in scripted decision node scripts.", "propertyOrder" : 1540, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" }, "realmAllowUnauthorisedAccessToUserCodeForm" : { "title" : "Allow unauthenticated user code entry", "description" : "If enabled, during an OAuth 2.0 device code authentication flow users can access and input a user code without first logging in.", "propertyOrder" : 409, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/services/oauth-oidc
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OAuth2Provider --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OAuth2Provider --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OAuth2Provider --global --actionName nextdescendents
update
Usage
am> update OAuth2Provider --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "jwtTokenUnreasonableLifetime" : { "title" : "JWT Unreasonable Lifetime (seconds)", "description" : "Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the \"iat\" claim value is present, the token must not be older than the specified duration.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "blacklistPurgeDelay" : { "title" : "Denylist Purge Delay (minutes)", "description" : "Length of time to denylist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the denylist.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "blacklistCacheSize" : { "title" : "Token Denylist Cache Size", "description" : "Number of denylisted tokens to cache in memory to speed up denylist checks and reduce load on the CTS.", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "storageScheme" : { "title" : "CTS Storage Scheme", "description" : "Storage scheme to be used when storing OAuth2 tokens to CTS.<br><br>In order to support rolling upgrades, this should be set to the latest storage scheme supported by all OpenAM instances within your cluster. Select the latest storage scheme once all OpenAM instances in the cluster have been upgraded.<br/><br/><b>One-to-One Storage Scheme</b><br/>Under this storage scheme, each OAuth2 token maps to an individual CTS entry.<br/><i>This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.</i><br/><br/><b>Grant-Set Storage Scheme</b><br/>Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtTokenRequiredClaims" : { "title" : "JWT Required Claims", "description" : "Specify a custom list of claims that will be treated as required during validation of OAuth2 authorization grant and/or client authentication jwt, in addition to the default mandatory claims (\"iss\", \"aud\", \"exp\"). AM will throw an error if any of these claims are not present. Note that this attribute does not apply to a request object jwt.", "propertyOrder" : 800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "statelessGrantTokenUpgradeCompatibilityMode" : { "title" : "Client-Side Grant Token Upgrade Compatibility Mode", "description" : "Enable OpenAM to consume and create client-side OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume client-side OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.", "propertyOrder" : 400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistPollInterval" : { "title" : "Denylist Poll Interval (seconds)", "description" : "How frequently to poll for token denylist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token denylist changes from other servers. This is used to maintain a highly compressed view of the overall current token denylist, improving performance. A lower number will reduce the delay for denylisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "allowUnauthorisedAccessToUserCodeForm" : { "title" : "OAuth 2.0 allow unauthenticated user code entry", "description" : "If enabled, during an OAuth 2.0 device code authentication flow users can access and input a user code without first logging in.<br><b>NOTE</b>: This setting is only used if the value for <code>Allow unauthenticated user code entry</code> can't be determined at the realm level.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtTokenLifetimeValidationEnabled" : { "title" : "Enforce JWT Unreasonable Lifetime", "description" : "Enable the enforcement of JWT token unreasonable lifetime during validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaults" : { "properties" : { "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "enableApplicationContext" : { "title" : "Enable Application Context", "description" : "When enabled, this setting makes the application context available in all OAuth2 / OIDC flows as the <code>oauthApplication</code> binding in scripted decision node scripts.", "propertyOrder" : 1540, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "acceptAudienceParametersInTokenExchangeRequests" : { "title" : "Accept Audience Parameters in Token Exchange Requests", "description" : "When enabled, AM validates audience parameter values in token exchange requests against the values defined in Allowed Resource Server Audience Values on the client. If validation fails, the token exchange request is rejected.", "propertyOrder" : 1590, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "realmAllowUnauthorisedAccessToUserCodeForm" : { "title" : "Allow unauthenticated user code entry", "description" : "If enabled, during an OAuth 2.0 device code authentication flow users can access and input a user code without first logging in.", "propertyOrder" : 409, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }