---
title: OpenIdConnectModule
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-openidconnectmodule
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-openidconnectmodule.html
section_ids:
  sec-amster-entity-openidconnectmodule-realm-ops: Realm Operations
  sec-amster-entity-openidconnectmodule-realm-ops-create: create
  sec-amster-entity-openidconnectmodule-realm-ops-delete: delete
  sec-amster-entity-openidconnectmodule-realm-ops-getalltypes: getAllTypes
  sec-amster-entity-openidconnectmodule-realm-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-openidconnectmodule-realm-ops-nextdescendents: nextdescendents
  sec-amster-entity-openidconnectmodule-realm-ops-query: query
  sec-amster-entity-openidconnectmodule-realm-ops-read: read
  sec-amster-entity-openidconnectmodule-realm-ops-update: update
  sec-amster-entity-openidconnectmodule-global-ops: Global Operations
  sec-amster-entity-openidconnectmodule-global-ops-getalltypes: getAllTypes
  sec-amster-entity-openidconnectmodule-global-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-openidconnectmodule-global-ops-nextdescendents: nextdescendents
  sec-amster-entity-openidconnectmodule-global-ops-read: read
  sec-amster-entity-openidconnectmodule-global-ops-update: update
---

# OpenIdConnectModule

## Realm Operations

Resource path:

```
/realm-config/authentication/modules/openidconnect
```

Resource version: `0.0`

### create

**Usage**

```
am> create OpenIdConnectModule --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "cryptoContextValue" : {
        "title" : "OpenID Connect validation configuration value",
        "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "audienceName" : {
        "title" : "Audience name",
        "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "acceptedAuthorizedParties" : {
        "title" : "List of accepted authorized parties",
        "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
        "propertyOrder" : 800,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "accountProviderClass" : {
        "title" : "Account provider class",
        "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "cryptoContextType" : {
        "title" : "OpenID Connect validation configuration type",
        "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "jwtToLdapAttributeMappings" : {
        "title" : "Mapping of jwt attributes to local LDAP attributes",
        "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
        "propertyOrder" : 600,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "useSubClaimIfNoMatch" : {
        "title" : "Use \"sub\" claim if no match",
        "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
        "propertyOrder" : 1000,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "principalMapperClass" : {
        "title" : "Principal mapper class",
        "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "clientSecret" : {
        "title" : "Client Secret",
        "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
        "propertyOrder" : 301,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "idTokenHeaderName" : {
        "title" : "Name of header referencing the ID Token",
        "description" : "",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "idTokenIssuer" : {
        "title" : "Name of OpenID Connect ID Token Issuer",
        "description" : "Value must match the iss field in issued ID Token",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```
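The following Python script is an added example, not Amster or AM code. It builds a body that satisfies the schema above and runs the checks worth doing before submitting it with `create`: every required property present and of the schema's type, a non-empty array wherever `minItems` is 1, an `https` discovery or JWK URL for `cryptoContextValue`, well-formed `jwt_attribute=local_ldap_attribute` mappings, and a warning when `useSubClaimIfNoMatch` is true. The `cryptoContextType` values `config_url`, `jwk_url` and `client_secret`, the two class names and the `oidc_id_token` header name in `example_body()` are assumptions that the schema does not state; confirm them against your deployment, for example by reading an existing module with `read OpenIdConnectModule`.

```python
"""Pre-flight checks for the --body passed to
`am> create OpenIdConnectModule --realm / --id oidc --body '<json>'`.
Added example, not Amster or AM code. The property names and their
string/array/boolean shapes are taken from the schema on this page;
the cryptoContextType values, the two class names and the header name
in example_body() are assumptions to verify against your deployment."""
from __future__ import annotations
import json
from urllib.parse import urlsplit

# property -> JSON type, from the schema on this page (every property is required)
SCHEMA = {
    "accountProviderClass": "string", "principalMapperClass": "string",
    "cryptoContextType": "string", "cryptoContextValue": "string", "clientSecret": "string",
    "idTokenHeaderName": "string", "idTokenIssuer": "string", "audienceName": "string",
    "jwtToLdapAttributeMappings": "array", "acceptedAuthorizedParties": "array",
    "useSubClaimIfNoMatch": "boolean",
}
# ASSUMPTION: the three validation types the schema text lists, as the module spells them
CRYPTO_CONTEXT_TYPES = {"config_url", "jwk_url", "client_secret"}


def example_body() -> dict:
    """A body that satisfies the schema; the class and header names are assumed defaults."""
    return {
        "accountProviderClass": "org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider",
        "principalMapperClass": "org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper",
        "cryptoContextType": "config_url",
        "cryptoContextValue": "https://accounts.google.com/.well-known/openid-configuration",
        "clientSecret": "",                      # ignored unless cryptoContextType is client_secret
        "idTokenHeaderName": "oidc_id_token",
        "idTokenIssuer": "https://accounts.google.com",
        "jwtToLdapAttributeMappings": ["sub=uid", "email=mail"],
        "audienceName": "my-client-id",          # the client_id the OP puts in aud
        "acceptedAuthorizedParties": ["my-client-id"],
        "useSubClaimIfNoMatch": False,           # an unmatched sub fails instead of becoming a principal
    }


def check_body(body: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors would be rejected or leave the module unsafe."""
    errors, warnings = [], []
    types = {"string": str, "array": list, "boolean": bool}
    for key, kind in SCHEMA.items():
        if key not in body:
            errors.append(f"{key}: missing (required)")
        elif not isinstance(body[key], types[kind]):
            errors.append(f"{key}: expected {kind}")
        elif kind == "array" and not body[key]:
            errors.append(f"{key}: minItems is 1")
    errors += [f"{key}: not in schema" for key in body if key not in SCHEMA]
    if errors:
        return errors, warnings

    ctype = body["cryptoContextType"]
    if ctype not in CRYPTO_CONTEXT_TYPES:
        errors.append(f"cryptoContextType: unknown value {ctype!r}")
    elif ctype == "client_secret":
        if not body["clientSecret"]:
            errors.append("clientSecret: empty, but cryptoContextType is client_secret")
        warnings.append("client_secret: anyone holding the secret can mint ID tokens this module accepts")
    else:
        url = urlsplit(body["cryptoContextValue"])
        if url.scheme != "https" or not url.netloc:
            # keys fetched over plain http can be swapped on the wire, which forges every login
            errors.append("cryptoContextValue: discovery/JWK URL must be https")
    for mapping in body["jwtToLdapAttributeMappings"]:
        left, sep, right = mapping.partition("=")
        if not sep or not left.strip() or not right.strip():
            errors.append(f"jwtToLdapAttributeMappings: {mapping!r} is not jwt_attribute=local_ldap_attribute")
    if body["audienceName"] not in body["acceptedAuthorizedParties"]:
        warnings.append("acceptedAuthorizedParties: does not include audienceName (usually the same client_id)")
    if body["useSubClaimIfNoMatch"]:
        warnings.append("useSubClaimIfNoMatch: an unknown sub becomes a principal name; confirm this is intended")
    return errors, warnings


def render_body(body: dict) -> str:
    """Compact JSON for the --body argument; raises if check_body found errors."""
    errors, _ = check_body(body)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    print(check_body(example_body()))
    print(render_body(example_body()))
```

`clientSecret` has `"format": "password"` in the schema, so it is stored as a secret; still, keep the rendered body out of shell history and scripts checked into version control when `cryptoContextType` is `client_secret`.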

### delete

**Usage**

```
am> delete OpenIdConnectModule --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action OpenIdConnectModule --realm Realm --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action OpenIdConnectModule --realm Realm --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action OpenIdConnectModule --realm Realm --actionName nextdescendents
```

### query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

**Usage**

```
am> query OpenIdConnectModule --realm Realm --filter filter
```

**Parameters**

* *\--filter*

  A CREST-formatted query filter; only `true`, which returns all instances, is supported for this resource.

### read

**Usage**

```
am> read OpenIdConnectModule --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### update

**Usage**

```
am> update OpenIdConnectModule --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "cryptoContextValue" : {
        "title" : "OpenID Connect validation configuration value",
        "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "audienceName" : {
        "title" : "Audience name",
        "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "acceptedAuthorizedParties" : {
        "title" : "List of accepted authorized parties",
        "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
        "propertyOrder" : 800,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "accountProviderClass" : {
        "title" : "Account provider class",
        "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "cryptoContextType" : {
        "title" : "OpenID Connect validation configuration type",
        "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "jwtToLdapAttributeMappings" : {
        "title" : "Mapping of jwt attributes to local LDAP attributes",
        "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
        "propertyOrder" : 600,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "useSubClaimIfNoMatch" : {
        "title" : "Use \"sub\" claim if no match",
        "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
        "propertyOrder" : 1000,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "principalMapperClass" : {
        "title" : "Principal mapper class",
        "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "clientSecret" : {
        "title" : "Client Secret",
        "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
        "propertyOrder" : 301,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "idTokenHeaderName" : {
        "title" : "Name of header referencing the ID Token",
        "description" : "",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "idTokenIssuer" : {
        "title" : "Name of OpenID Connect ID Token Issuer",
        "description" : "Value must match the iss field in issued ID Token",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```
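To show what the `idTokenIssuer`, `audienceName`, `acceptedAuthorizedParties`, `jwtToLdapAttributeMappings` and `useSubClaimIfNoMatch` properties in the `create` and `update` schemas actually decide, the following Python model applies those checks to an ID token as the descriptions state them, for the `client_secret` validation type (OpenID Connect Core 1.0 section 10.1: an ID token validated with the client secret is HMAC-signed with it). It is an added example and not the module's code; the module's check order, the way mapped attributes are matched against the identity store, and its error messages may differ. `CONFIG`, `DIRECTORY`, `SECRET`, the issuer URL and the sample claims are constructed for the example.

```python
"""Model of the ID-token checks the OpenIdConnectModule settings drive, for
the client_secret validation type. Added example, not AM code: it follows the
field descriptions on this page plus OIDC Core 1.0 sections 3.1.3.7 and 10.1.
The real module's check order and error text may differ. CONFIG, DIRECTORY,
SECRET and the sample claims are constructed for this example."""
from __future__ import annotations
import base64, hashlib, hmac, json

ISSUER, CLIENT_ID, SECRET = "https://op.example.com", "my-client-id", "constructed-client-secret"
FIXED_NOW = 1_700_000_000  # fixed clock so the example is deterministic

CONFIG = {  # the realm-level module body this page describes
    "cryptoContextType": "client_secret", "cryptoContextValue": "", "clientSecret": SECRET,
    "idTokenHeaderName": "oidc_id_token", "idTokenIssuer": ISSUER,
    "audienceName": CLIENT_ID, "acceptedAuthorizedParties": [CLIENT_ID],
    "jwtToLdapAttributeMappings": ["email=mail"], "useSubClaimIfNoMatch": False,
}
DIRECTORY = [{"uid": "bjensen", "mail": "bjensen@example.com"}]  # stand-in identity store


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a token as an OP using client_secret would; the alg override is for the negative test."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("alg must be HS256")  # pin the algorithm; never trust the token's alg
    want = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def resolve_principal(config: dict, headers: dict, directory: list[dict], now: float) -> str:
    """Apply the checks the settings describe; raise ValueError with the rejection reason."""
    token = headers.get(config["idTokenHeaderName"])                # idTokenHeaderName
    if not token:
        raise ValueError(f"no {config['idTokenHeaderName']} header")
    claims = verify_hs256(token, config["clientSecret"])             # cryptoContextType=client_secret
    if claims.get("iss") != config["idTokenIssuer"]:                 # idTokenIssuer
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if config["audienceName"] not in aud:                            # audienceName
        raise ValueError("aud does not include audienceName")
    azp = claims.get("azp")
    if azp is None and len(aud) > 1:                                 # OIDC Core 3.1.3.7, rule 4
        raise ValueError("multiple audiences but no azp")
    if azp is not None and azp not in config["acceptedAuthorizedParties"]:  # acceptedAuthorizedParties
        raise ValueError("azp not accepted")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    lookup = {}                                                      # jwtToLdapAttributeMappings
    for mapping in config["jwtToLdapAttributeMappings"]:
        jwt_attr, ldap_attr = mapping.split("=", 1)
        if jwt_attr in claims:
            lookup[ldap_attr] = claims[jwt_attr]
    for entry in directory:
        if lookup and all(entry.get(k) == v for k, v in lookup.items()):
            return entry["uid"]
    if config["useSubClaimIfNoMatch"]:                               # useSubClaimIfNoMatch
        return claims["sub"]
    raise ValueError("no matching account")


def authenticate(config: dict, headers: dict, directory: list[dict], now: float = FIXED_NOW) -> tuple[str, str]:
    try:
        return "ok", resolve_principal(config, headers, directory, now)
    except ValueError as err:
        return "rejected", str(err)


def sample_token(**overrides) -> str:
    """Constructed claims for a known directory user; overrides build the negative cases."""
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "azp": CLIENT_ID,
              "exp": FIXED_NOW + 300, "email": "bjensen@example.com"}
    claims.update(overrides)
    alg = claims.pop("alg", "HS256")
    return sign_hs256(claims, SECRET, alg)


if __name__ == "__main__":
    print(authenticate(CONFIG, {"oidc_id_token": sample_token()}, DIRECTORY))
    print(authenticate(CONFIG, {"oidc_id_token": sample_token(azp="other-client")}, DIRECTORY))
```

Running the script prints the accepted login for `bjensen` and the rejection for a token whose `azp` is not in `acceptedAuthorizedParties`. The same model shows the effect of `useSubClaimIfNoMatch`: with it set to true, a correctly signed token whose mapped attributes match no account still yields a principal named after its `sub` claim, so only enable it where that is the intended provisioning behaviour.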

## Global Operations

Resource path:

```
/global-config/authentication/modules/openidconnect
```

Resource version: `1.0`

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action OpenIdConnectModule --global --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action OpenIdConnectModule --global --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action OpenIdConnectModule --global --actionName nextdescendents
```

### read

**Usage**

```
am> read OpenIdConnectModule --global
```

### update

**Usage**

```
am> update OpenIdConnectModule --global --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "defaults" : {
        "properties" : {
          "audienceName" : {
            "title" : "Audience name",
            "description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
            "propertyOrder" : 700,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "idTokenHeaderName" : {
            "title" : "Name of header referencing the ID Token",
            "description" : "",
            "propertyOrder" : 400,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "cryptoContextType" : {
            "title" : "OpenID Connect validation configuration type",
            "description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
            "propertyOrder" : 200,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "cryptoContextValue" : {
            "title" : "OpenID Connect validation configuration value",
            "description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
            "propertyOrder" : 300,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "clientSecret" : {
            "title" : "Client Secret",
            "description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
            "propertyOrder" : 301,
            "required" : true,
            "type" : "string",
            "format" : "password",
            "exampleValue" : ""
          },
          "acceptedAuthorizedParties" : {
            "title" : "List of accepted authorized parties",
            "description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
            "propertyOrder" : 800,
            "required" : true,
            "items" : {
              "type" : "string"
            },
            "minItems" : 1,
            "type" : "array",
            "exampleValue" : ""
          },
          "accountProviderClass" : {
            "title" : "Account provider class",
            "description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
            "propertyOrder" : 100,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "principalMapperClass" : {
            "title" : "Principal mapper class",
            "description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
            "propertyOrder" : 900,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "idTokenIssuer" : {
            "title" : "Name of OpenID Connect ID Token Issuer",
            "description" : "Value must match the iss field in issued ID Token",
            "propertyOrder" : 500,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "useSubClaimIfNoMatch" : {
            "title" : "Use \"sub\" claim if no match",
            "description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
            "propertyOrder" : 1000,
            "required" : true,
            "type" : "boolean",
            "exampleValue" : ""
          },
          "jwtToLdapAttributeMappings" : {
            "title" : "Mapping of jwt attributes to local LDAP attributes",
            "description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
            "propertyOrder" : 600,
            "required" : true,
            "items" : {
              "type" : "string"
            },
            "minItems" : 1,
            "type" : "array",
            "exampleValue" : ""
          }
        },
        "type" : "object",
        "title" : "Realm Defaults"
      }
    }
  }
  ```
