OAuth2Provider
Realm Operations
Resource path:
/realm-config/services/oauth-oidc
Resource version: 2.0
create
Usage
am> create OAuth2Provider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OAuth2Provider --realm Realm --actionName nextdescendents
update
Usage
am> update OAuth2Provider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/services/oauth-oidc
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action OAuth2Provider --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action OAuth2Provider --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action OAuth2Provider --global --actionName nextdescendents
update
Usage
am> update OAuth2Provider --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "jwtTokenRequiredClaims" : { "title" : "JWT Required Claims", "description" : "Specify a custom list of claims that will be treated as required during validation of OAuth2 authorization grant and/or client authentication jwt, in addition to the default mandatory claims (\"iss\", \"aud\", \"exp\"). AM will throw an error if any of these claims are not present. Note that this attribute does not apply to a request object jwt.", "propertyOrder" : 800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowUnauthorisedAccessToUserCodeForm" : { "title" : "OAuth 2.0 allow unauthenticated user code entry", "description" : "If enabled, during an OAuth 2.0 device code authentication flow users will be able to access and input a user code without first logging in. This is for backwards compatibility and should only be enabled on existing installations that require this legacy functionality.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistPollInterval" : { "title" : "Denylist Poll Interval (seconds)", "description" : "How frequently to poll for token denylist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token denylist changes from other servers. This is used to maintain a highly compressed view of the overall current token denylist, improving performance. A lower number will reduce the delay for denylisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "storageScheme" : { "title" : "CTS Storage Scheme", "description" : "Storage scheme to be used when storing OAuth2 tokens to CTS.<br><br>In order to support rolling upgrades, this should be set to the latest storage scheme supported by all OpenAM instances within your cluster. Select the latest storage scheme once all OpenAM instances in the cluster have been upgraded.<br/><br/><b>One-to-One Storage Scheme</b><br/>Under this storage scheme, each OAuth2 token maps to an individual CTS entry.<br/><i>This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.</i><br/><br/><b>Grant-Set Storage Scheme</b><br/>Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtTokenLifetimeValidationEnabled" : { "title" : "Enforce JWT Unreasonable Lifetime", "description" : "Enable the enforcement of JWT token unreasonable lifetime during validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistPurgeDelay" : { "title" : "Denylist Purge Delay (minutes)", "description" : "Length of time to denylist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the denylist.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessGrantTokenUpgradeCompatibilityMode" : { "title" : "Client-Side Grant Token Upgrade Compatibility Mode", "description" : "Enable OpenAM to consume and create client-side OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume client-side OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.", "propertyOrder" : 400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistCacheSize" : { "title" : "Token Denylist Cache Size", "description" : "Number of denylisted tokens to cache in memory to speed up denylist checks and reduce load on the CTS.", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "jwtTokenUnreasonableLifetime" : { "title" : "JWT Unreasonable Lifetime (seconds)", "description" : "Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.<br><br>The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://tools.ietf.org/html/rfc7523#section-3) states that an authorization server may reject JWTs with an \"exp\" claim value that is unreasonably far in the future and an \"iat\" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the \"iat\" claim value is present, the token must not be older than the specified duration.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaults" : { "properties" : { "advancedOIDCConfig" : { "type" : "object", "title" : "Advanced OpenID Connect", "propertyOrder" : 4, "properties" : { "supportedUserInfoSigningAlgorithms" : { "title" : "UserInfo Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of the UserInfo endpoint. OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 456, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionEnc" : { "title" : "UserInfo Encryption Methods Supported", "description" : "Encryption methods supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 458, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "includeAllKtyAlgCombinationsInJwksUri" : { "title" : "Include all kty and alg combinations in jwks_uri", "description" : "By default only distinct kid entries are returned in the jwks_uri and the alg property is not included.Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. <a href=\"https://tools.ietf.org/html/rfc7517#section-4.5\">RFC7517 distinct key KIDs</a>", "propertyOrder" : 630, "required" : true, "type" : "boolean", "exampleValue" : "" }, "useForceAuthnForMaxAge" : { "title" : "Use Force Authentication for max_age", "description" : "When this setting is <code>false</code> (default)<ul><li>Attempted authorization when the max_age has passed will log the existing session out and start a re-authentication</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will create a new session</li></ul> When this setting is <code>true</code> <ul><li>Attempted authorization when the max_age has passed will not destroy the existing session</li></ul> <ul><li>Re-authentication triggered by the max_age parameter will return the same session. The advanced server property org.forgerock.openam.authentication.forceAuth.enabled must be set to <code>true</code></li></ul> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for max_age</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jkwsURI" : { "title" : "Remote JSON Web Key URL", "description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.", "propertyOrder" : 140, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedTokenEndpointAuthenticationSigningAlgorithms" : { "title" : "Supported Token Endpoint JWS Signing Algorithms.", "description" : "Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.", "propertyOrder" : 444, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionEnc" : { "title" : "Token Introspection Response Encryption Methods Supported", "description" : "Encryption methods supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 461, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedAuthorizationResponseSigningAlgorithms" : { "title" : "Authorization Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Authorize endpoint as a JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 462, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseSigningAlgorithms" : { "title" : "Token Introspection Response Signing Algorithms Supported", "description" : "Algorithms that are supported for signing the Token Introspection endpoint JWT response.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>EdDSA</code> - EdDSA with SHA-512.</li></ul>", "propertyOrder" : 459, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedUserInfoEncryptionAlgorithms" : { "title" : "UserInfo Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the UserInfo endpoint.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 457, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "alwaysAddClaimsToToken" : { "title" : "Always Return Claims in ID Tokens", "description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.", "propertyOrder" : 360, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claimsParameterSupported" : { "title" : "Enable \"claims_parameter_supported\"", "description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.", "propertyOrder" : 250, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaultACR" : { "title" : "Default ACR values", "description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.", "propertyOrder" : 320, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "idTokenInfoClientAuthenticationEnabled" : { "title" : "Idtokeninfo Endpoint Requires Client Authentication", "description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.", "propertyOrder" : 225, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionAlgorithms" : { "title" : "Authorization Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 463, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionAlgorithms" : { "title" : "Request Parameter Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 442, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "storeOpsTokens" : { "title" : "Enable Session Management", "description" : "If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled OpenAM will store <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session. ", "propertyOrder" : 410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedAuthorizationResponseEncryptionEnc" : { "title" : "Authorization Response Encryption Methods Supported", "description" : "Encryption methods supported by the Authorize endpoint as a JWT response.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 464, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedTokenIntrospectionResponseEncryptionAlgorithms" : { "title" : "Token Introspection Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported by the Token Introspection endpoint JWT response.<br><br>OpenAM supports the following UserInfo endpoint encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 460, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterEncryptionEnc" : { "title" : "Request Parameter Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 443, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "useForceAuthnForPromptLogin" : { "title" : "Use Force Authentication for prompt=login", "description" : "This setting only applies when using modules or chains for authentication. When the setting is false, using prompt=login will enforce that a new session is created. When this setting is true, force authentication will be used which will result in the return of the same session. <p>If you set <code>Use Force Authentication for prompt=login</code> to <code>true</code>, you must also set the <code>org.forgerock.openam.authentication.forceAuth.enabled</code> advanced server property to <code>true</code>.</p> <p>For security reasons, it is strongly recommended that you leave <code>Use Force Authentication for prompt=login</code> set to the default value (<code>false</code>), so that a new session is created when the user re-authenticates.</p>", "propertyOrder" : 640, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtSigningKidHeaderMappings" : { "title" : "JWT Signing kid Header Mappings", "description" : "Custom <code>kid</code> header values for JWTs signed with the signing key mapped to the specified secret alias. <p><p>AM only applies custom <code>kid</code> mappings if you set a value for <b>Remote JSON Web Key URL</b>. Use these mappings to guarantee that the <code>kid</code> header of a signed JWT references the correct key in a remote JWKS. If you don't configure a custom <code>kid</code> for a JWT signing key, AM generates a default <code>kid</code> value.</p>", "propertyOrder" : 145, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "authorisedOpenIdConnectSSOClients" : { "title" : "Authorized OIDC SSO Clients", "description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.", "propertyOrder" : 446, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRequestParameterSigningAlgorithms" : { "title" : "Request Parameter Signing Algorithms Supported", "description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 441, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "amrMappings" : { "title" : "OpenID Connect id_token amr Values to Auth Module Mappings", "description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.", "propertyOrder" : 330, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" }, "loaMapping" : { "title" : "OpenID Connect acr_values to Auth Chain Mapping", "description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.", "propertyOrder" : 310, "required" : false, "patternProperties" : { ".*" : { } }, "type" : "object", "exampleValue" : "" } } }, "consent" : { "type" : "object", "title" : "Consent", "propertyOrder" : 6, "properties" : { "remoteConsentServiceId" : { "title" : "Remote Consent Service ID", "description" : "The ID of an existing remote consent service agent.", "propertyOrder" : 448, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsResponseEncryptionAlgorithms" : { "title" : "Remote Consent Service Response Encryption Algorithms Supported", "description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 453, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "clientsCanSkipConsent" : { "title" : "Allow Clients to Skip Consent", "description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.", "propertyOrder" : 420, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsRequestSigningAlgorithms" : { "title" : "Remote Consent Service Request Signing Algorithms Supported", "description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 449, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsRequestEncryptionAlgorithms" : { "title" : "Remote Consent Service Request Encryption Algorithms Supported", "description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>", "propertyOrder" : 450, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedRcsResponseSigningAlgorithms" : { "title" : "Remote Consent Service Response Signing Algorithms Supported", "description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 452, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "enableRemoteConsent" : { "title" : "Enable Remote Consent", "description" : "", "propertyOrder" : 447, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedRcsResponseEncryptionMethods" : { "title" : "Remote Consent Service Response Encryption Methods Supported", "description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 454, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "savedConsentAttribute" : { "title" : "Saved Consent Attribute Name", "description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.", "propertyOrder" : 110, "required" : false, "type" : "string", "exampleValue" : "" }, "supportedRcsRequestEncryptionMethods" : { "title" : "Remote Consent Service Request Encryption Methods Supported", "description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 451, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "coreOAuth2Config" : { "type" : "object", "title" : "Core", "propertyOrder" : 0, "properties" : { "refreshTokenLifetime" : { "title" : "Refresh Token Lifetime (seconds)", "description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the refresh token will never expire.", "propertyOrder" : 20, "required" : true, "type" : "integer", "exampleValue" : "" }, "oidcMayActScript" : { "title" : "OIDC ID Token May Act Script", "description" : "The script that is executed when issuing an OIDC ID Token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 79, "required" : true, "type" : "string", "exampleValue" : "" }, "macaroonTokensEnabled" : { "title" : "Use Macaroon Access and Refresh Tokens", "description" : "When enabled, AM will issue access and refresh tokens as Macaroons with caveats.", "propertyOrder" : 6, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenLifetime" : { "title" : "Access Token Lifetime (seconds)", "description" : "The time an access token is valid for, in seconds. Note that if you set the value to <code>0</code>, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.", "propertyOrder" : 30, "required" : true, "type" : "integer", "exampleValue" : "" }, "statelessTokensEnabled" : { "title" : "Use Client-Side Access & Refresh Tokens", "description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.", "propertyOrder" : 3, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopesPolicySet" : { "title" : "Scopes Policy Set", "description" : "The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth2 provider. If blank will default to the oauth2Scopes policy set.", "propertyOrder" : 58, "required" : true, "type" : "string", "exampleValue" : "" }, "issueRefreshTokenOnRefreshedToken" : { "title" : "Issue Refresh Tokens on Refreshing Access Tokens", "description" : "Whether to issue a refresh token when refreshing an access token.", "propertyOrder" : 50, "required" : true, "type" : "boolean", "exampleValue" : "" }, "codeLifetime" : { "title" : "Authorization Code Lifetime (seconds)", "description" : "The time an authorization code is valid for, in seconds.", "propertyOrder" : 10, "required" : true, "type" : "integer", "exampleValue" : "" }, "issueRefreshToken" : { "title" : "Issue Refresh Tokens", "description" : "Whether to issue a refresh token when returning an access token.", "propertyOrder" : 40, "required" : true, "type" : "boolean", "exampleValue" : "" }, "accessTokenMayActScript" : { "title" : "OAuth2 Access Token May Act Script", "description" : "The script that is executed when issuing an access token explicitly to modify the <code>may_act</code> claim placed on the token.", "propertyOrder" : 78, "required" : true, "type" : "string", "exampleValue" : "" }, "usePolicyEngineForScope" : { "title" : "Use Policy Engine for Scope decisions", "description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.", "propertyOrder" : 55, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "advancedOAuth2Config" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 1, "properties" : { "supportedScopes" : { "title" : "Client Registration Scope Allowlist", "description" : "The set of scopes allowed when registering clients dynamically, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>", "propertyOrder" : 130, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "macaroonTokenFormat" : { "title" : "Macaroon Token Format", "description" : "The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.", "propertyOrder" : 620, "required" : true, "type" : "string", "exampleValue" : "" }, "tlsCertificateBoundAccessTokensEnabled" : { "title" : "Support TLS Certificate-Bound Access Tokens", "description" : "Whether to bind access tokens to the client certificate when using TLS client certificate authentication.", "propertyOrder" : 610, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestObjectProcessing" : { "title" : "Request Object Processing Specification", "description" : "The specification used to validate request objects: <p><p><strong>OIDC</strong><ul><li>Request objects MAY be unsigned.</li><li>Authorization request parameters are assembled from the request object and form/query parameters. If the same parameter exists in the request object and in the authorization request, AM uses the parameter in the request object.</li><li>The <code>response_type</code> and the <code>scope</code> parameter (including <code>openid</code>) should be specified outside the request object.</li></ul><p><strong>JAR</strong><ul><li>Request objects MUST be signed or signed and encrypted.</li><li>Authorization request parameters are assembled only from the request object, even if the same parameter is provided as a query/form parameter.</li></ul><p><p>AM only uses this field if it can't determine the rules to apply based on the incoming request. If <strong>OIDC</strong> is selected and the OAuth 2.0 request supplies a request object but is not OIDC (no <code>openid</code> <code>scope</code> or <code>id_token</code> <code>response_type</code> in the request syntax), the request object is processed according to <strong>JAR</strong>. <p><strong>TIP</strong> To override the dynamic determination based on the incoming request, and enforce the provider's configuration for request object processing, set the system property <code>am.oauth2.provider.request.object.processing.enforced</code> to <code>true</code>. <p>JAR rules are always applied to PAR endpoint requests.", "propertyOrder" : 1050, "required" : true, "type" : "string", "exampleValue" : "" }, "includeClientIdClaimInStatelessTokens" : { "title" : "Include Client ID Claim In Stateless Access & Refresh Tokens", "description" : "With this setting enabled, the client_id claim is included in new stateless access & refresh tokens, and read if available from existing tokens.", "propertyOrder" : 1450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "modifiedTimestampAttribute" : { "title" : "Modified Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return modified timestamp values.<p>This attribute is paired together with the <em>Created Timestamp Attribute Name</em> attribute (<code>createdTimestampAttribute</code>). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.<p>For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the <code>userinfo</code> endpoint to obtain the <code>updated_at</code> claim value in the ID token. The <code>updated_at</code> claim obtains its value from the <code>modifiedTimestampAttribute</code> attribute in the user profile. If the profile has never been modified the <code>updated_at</code> claim uses the <code>createdTimestampAttribute</code> attribute. ", "propertyOrder" : 340, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenValidatorClasses" : { "title" : "Token Validator Plugins", "description" : "List of plugins that validate <code>subject_token</code> and <code>actor_token</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the validate <code>subject_token</code> and <code>actor_token</code> values to ensure they meet the required criteria to be exchanged.", "propertyOrder" : 96, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsClientCertificateHeaderFormat" : { "title" : "TLS Client Certificate Header Format", "description" : "Format of the HTTP header used to communicate a client certificate from a reverse proxy.<br><br>The following formats are supported:<ul><li><code>BASE64_ENCODED_CERT</code> - A PEM or DER formatted certificate that has been URL-encoded.</li> <li><code>X_FORWARDED_CLIENT_CERT</code> - The proxy provides the certificate in the <a target=\"_blank\" href=\"https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-client-cert\">X-Forwarded-Client-Cert</a> header. </li></ul>", "propertyOrder" : 605, "required" : true, "type" : "string", "exampleValue" : "" }, "requirePushedAuthorizationRequests" : { "title" : "Require Pushed Authorization Requests", "description" : "If enabled, clients must use the PAR endpoint to initiate authorization requests. This applies to all clients, including clients where require_pushed_authorization_requests is false.", "propertyOrder" : 1410, "required" : true, "type" : "boolean", "exampleValue" : "" }, "createdTimestampAttribute" : { "title" : "Created Timestamp Attribute Name", "description" : "The identity Data Store attribute used to return created timestamp values.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "customLoginUrlTemplate" : { "title" : "Custom Login URL Template", "description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.", "propertyOrder" : 60, "required" : false, "type" : "string", "exampleValue" : "" }, "passwordGrantAuthService" : { "title" : "Password Grant Authentication Service", "description" : "The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.", "propertyOrder" : 430, "required" : true, "type" : "string", "exampleValue" : "" }, "refreshTokenGracePeriod" : { "title" : "Refresh Token Grace Period (seconds)", "description" : "The period, in seconds, that a refresh token can be replayed. This allows a client to recover if the response from the original refresh request is not received due to a network problem or other transient issue. <br> Applies only to tokens in a one-to-one storage scheme. Keep this value as short as possible â it must not exceed 120 seconds. To deactivate the grace period set the value to 0.", "propertyOrder" : 1420, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationAttributes" : { "title" : "User Profile Attribute(s) the Resource Owner is Authenticated On", "description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultScopes" : { "title" : "Default Client Scopes", "description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maxAgeOfRequestObjectNbfClaim" : { "title" : "Max nbf age", "description" : "The maximum permitted age (in minutes) of Request Object nbf claim. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1040, "required" : true, "type" : "integer", "exampleValue" : "" }, "expClaimRequiredInRequestObject" : { "title" : "Require exp claim in Request Object", "description" : "Enforce presence of exp claim in Request Object.", "propertyOrder" : 1010, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tlsCertificateRevocationCheckingEnabled" : { "title" : "Check TLS Certificate Revocation Status", "description" : "Whether to check if TLS client certificates have been revoked.<br><br>If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements \"soft fail\" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.", "propertyOrder" : 615, "required" : true, "type" : "boolean", "exampleValue" : "" }, "displayNameAttribute" : { "title" : "User Display Name attribute", "description" : "The profile attribute that contains the name to be displayed for the user on the consent page.", "propertyOrder" : 120, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEncryptionEnabled" : { "title" : "Encrypt Client-Side Tokens", "description" : "Whether client-side access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.", "propertyOrder" : 242, "required" : true, "type" : "boolean", "exampleValue" : "" }, "grantTypes" : { "title" : "Grant Types", "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.", "propertyOrder" : 560, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowedAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying Client Authentication JWTs.<br><br>These audience values will be in addition to the AS base, issuer and endpoint URIs.", "propertyOrder" : 91, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tokenSigningAlgorithm" : { "title" : "OAuth2 Token Signing Algorithm", "description" : "Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>", "propertyOrder" : 220, "required" : true, "type" : "string", "exampleValue" : "" }, "hashSalt" : { "title" : "Subject Identifier Hash Salt", "description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.oauth2.provider.hash.salt.secret</code> to a secret in a secret store.", "propertyOrder" : 260, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenExchangeClasses" : { "title" : "Token Exchanger Plugins", "description" : "List of plugins that handle the valid <code>requested_token_type</code> values.<br><br>When using the Token Exchange grant type, these handlers will be used to convert the provided <code>subject_token</code> and <code>actor_token</code> into the appropriate impersonation or delegation tokens for use with downstream services.", "propertyOrder" : 95, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "codeVerifierEnforced" : { "title" : "Code Verifier Parameter Required", "description" : "If enabled, requests using the authorization code grant and device code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/rfc7636\">specification for this feature</a>.", "propertyOrder" : 270, "required" : true, "type" : "string", "exampleValue" : "" }, "supportedSubjectTypes" : { "title" : "Subject Types supported", "description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>", "propertyOrder" : 150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "persistentClaims" : { "title" : "Persistent Claims", "description" : "Set of custom claims which can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.", "propertyOrder" : 85, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "parRequestUriLifetime" : { "title" : "PAR Request URI Lifetime (seconds)", "description" : "The amount of time the PAR Request URI is valid for.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "responseTypeClasses" : { "title" : "Response Type Plugins", "description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.", "propertyOrder" : 90, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "tlsOcspResponderUri" : { "title" : "OCSP Responder URI", "description" : "URI of the OCSP responder service to use for checking certificate revocation status.<br><br>If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.", "propertyOrder" : 616, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsOcspResponderCert" : { "title" : "OCSP Responder Certificate", "description" : "Base64-encoded X.509 certificate, in PEM or DER format, used to verify OCSP responses.<br><br>If specified, AM uses this certificate to verify the signature on all OCSP responses. If this field is empty, the appropriate certificate is determined from the trusted CA certificates.", "propertyOrder" : 617, "required" : false, "type" : "string", "exampleValue" : "" }, "tlsClientCertificateTrustedHeader" : { "title" : "Trusted TLS Client Certificate Header", "description" : "HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.<br><br>Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.", "propertyOrder" : 600, "required" : false, "type" : "string", "exampleValue" : "" }, "includeSubnameInTokenClaims" : { "title" : "Include subname claim in tokens issued by the OAuth2 Provider", "description" : "When this setting is true, Access and ID Tokens issued will contain a claim \"subname\" with a value equal to the name of the token's subject.", "propertyOrder" : 1440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "nbfClaimRequiredInRequestObject" : { "title" : "Require nbf claim in Request Object", "description" : "Enforce presence of nbf claim in Request Object.", "propertyOrder" : 1020, "required" : true, "type" : "boolean", "exampleValue" : "" }, "maxDifferenceBetweenRequestObjectNbfAndExp" : { "title" : "Max nbf and exp difference", "description" : "The maximum permitted difference (in minutes) between Request Object nbf and exp claims. <p> A value of 0 indicates that there is no maximum time requirement.", "propertyOrder" : 1030, "required" : true, "type" : "integer", "exampleValue" : "" }, "moduleMessageEnabledInPasswordGrant" : { "title" : "Enable Auth Module Messages for Password Credentials Grant", "description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.", "propertyOrder" : 440, "required" : true, "type" : "boolean", "exampleValue" : "" }, "allowClientCredentialsInTokenRequestQueryParameters" : { "title" : "Allow Client Credentials in Token Endpoint Query Parameters", "description" : "When this setting is true, client credentials may be included in token endpoint requests as query parameters.The recommended and default value for this setting is to disallow this behaviour.", "propertyOrder" : 1430, "required" : true, "type" : "boolean", "exampleValue" : "" }, "tokenCompressionEnabled" : { "title" : "Client-Side Token Compression", "description" : "Whether client-side access and refresh tokens should be compressed.", "propertyOrder" : 223, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "coreOIDCConfig" : { "type" : "object", "title" : "OpenID Connect", "propertyOrder" : 3, "properties" : { "jwtTokenLifetime" : { "title" : "OpenID Connect JWT Token Lifetime (seconds)", "description" : "The amount of time the JWT will be valid for, in seconds.", "propertyOrder" : 210, "required" : true, "type" : "integer", "exampleValue" : "" }, "supportedClaims" : { "title" : "Supported Claims", "description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.", "propertyOrder" : 190, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "overrideableOIDCClaims" : { "title" : "Overrideable Id_Token Claims", "description" : "List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect Claims like aud or azp.", "propertyOrder" : 155, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionAlgorithms" : { "title" : "ID Token Encryption Algorithms supported", "description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>", "propertyOrder" : 170, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidcDiscoveryEndpointEnabled" : { "title" : "OIDC Provider Discovery", "description" : "Turns on and off OIDC Discovery endpoint.", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "supportedIDTokenSigningAlgorithms" : { "title" : "ID Token Signing Algorithms supported", "description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li><li><code>RS384</code> - RSASSA-PKCS-v1_5 using SHA-384.</li><li><code>RS512</code> - RSASSA-PKCS-v1_5 using SHA-512.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li><li><code>PS384</code> - RSASSA-PSS using SHA-384.</li><li><code>PS512</code> - RSASSA-PSS using SHA-512.</li></ul>", "propertyOrder" : 160, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "supportedIDTokenEncryptionMethods" : { "title" : "ID Token Encryption Methods supported", "description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>", "propertyOrder" : 180, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "cibaConfig" : { "type" : "object", "title" : "CIBA", "propertyOrder" : 7, "properties" : { "supportedCibaSigningAlgorithms" : { "title" : "Signing Algorithms Supported", "description" : "Algorithms supported to sign the CIBA request parameter.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"https://tools.ietf.org/html/rfc7518#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>PS256</code> - RSASSA-PSS using SHA-256.</li></ul>", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cibaMinimumPollingInterval" : { "title" : "Polling Wait Interval (seconds)", "description" : "The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "cibaAuthReqIdLifetime" : { "title" : "Back Channel Authentication ID Lifetime (seconds)", "description" : "The time back channel authentication request id is valid for, in seconds.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "pluginsConfig" : { "type" : "object", "title" : "Plugins", "propertyOrder" : 8, "properties" : { "validateScopePluginType" : { "title" : "Scope Validation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Validation Script will be executed and when plugin type is JAVA then the Scope Validation Plugin Implementation Class will be executed.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "userCodeGeneratorClass" : { "title" : "Device Code Flow User Code Generator Implementation Class", "description" : "The class that provides the custom implementation for the device code flow user code generator plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator</code>", "propertyOrder" : 1310, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenEnricherClass" : { "title" : "Access Token Enricher Plugin Implementation Class", "description" : "The class that provides the custom implementation for the access token enricher plugin interface: <code>org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher</code>", "propertyOrder" : 1303, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModifierClass" : { "title" : "Access Token Modifier Plugin Implementation Class", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields. <p>This plugin provides the custom implementation for the access token modifier plugin interface: <code>org.forgerock.oauth2.core.plugins.AccessTokenModifier</code>", "propertyOrder" : 77, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeScript" : { "title" : "Scope Evaluation Script", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned.", "propertyOrder" : 1101, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationPluginType" : { "title" : "Access Token Modification Plugin Type", "description" : "When the plugin type is SCRIPTED then the Access Token Modification Script will be executed and when plugin type is JAVA then the Access Token Modifier Plugin Implementation Class will be executed.", "propertyOrder" : 75, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsClass" : { "title" : "OIDC Claims Plugin Implementation Class", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session. <p>This plugin provides the custom implementation for the OIDC claims plugin interface: <code>org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin</code>", "propertyOrder" : 82, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsPluginType" : { "title" : "OIDC Claims Plugin Type", "description" : "When the plugin type is SCRIPTED then the OIDC Claims Script will be executed and when plugin type is JAVA then the OIDC Claims Plugin Implementation Class will be executed.", "propertyOrder" : 80, "required" : true, "type" : "string", "exampleValue" : "" }, "accessTokenModificationScript" : { "title" : "Access Token Modification Script", "description" : "The plugin that is executed when issuing an access token. <p>The plugin can change the access token's internal data structure to include or exclude particular fields.", "propertyOrder" : 76, "required" : true, "type" : "string", "exampleValue" : "" }, "oidcClaimsScript" : { "title" : "OIDC Claims Script", "description" : "The plugin that is executed when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p>The plugin gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.", "propertyOrder" : 81, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderScript" : { "title" : "Authorize Endpoint Data Provider Script", "description" : "The plugin that is executed to return additional data from the authorization request.", "propertyOrder" : 1301, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderPluginType" : { "title" : "Authorize Endpoint Data Provider Plugin Type", "description" : "When the plugin type is SCRIPTED then the Authorize Endpoint Data Provider Script will be executed and when plugin type is JAVA then the Authorize Endpoint Data Provider Plugin Implementation Class will be executed.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeScript" : { "title" : "Scope Validation Script", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.", "propertyOrder" : 1201, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizeEndpointDataProviderClass" : { "title" : "Authorize Endpoint Data Provider Plugin Implementation Class", "description" : "The plugin that is executed to return additional data from the authorization request. <p>This plugin provides the custom implementation for the authorize endpoint data provider plugin interface: <code>org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider</code>", "propertyOrder" : 1302, "required" : true, "type" : "string", "exampleValue" : "" }, "validateScopeClass" : { "title" : "Scope Validation Plugin Implementation Class", "description" : "The plugin that is executed when validating or customising the set of requested scopes for authorize, access token, refresh token and back channel authorize requests. <p>This plugin provides the custom implementation for the scope validation plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeValidator</code>", "propertyOrder" : 1202, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopeClass" : { "title" : "Scope Evaluation Plugin Implementation Class", "description" : "The plugin that is executed when retrieving access token's information. <p>The plugin can provide a mechanism to associate scopes with profile attribute values, such as if one of the scopes is mail, the resource owner's email address is provided in the information returned. <p>This plugin provides the custom implementation for the evaluate scope plugin interface: <code>org.forgerock.oauth2.core.plugins.ScopeEvaluator</code>", "propertyOrder" : 1102, "required" : true, "type" : "string", "exampleValue" : "" }, "evaluateScopePluginType" : { "title" : "Scope Evaluation Plugin Type", "description" : "When the plugin type is SCRIPTED then the Scope Evaluation Script will be executed and when plugin type is JAVA then the Scope Evaluation Plugin Implementation Class will be executed.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" } } }, "clientDynamicRegistrationConfig" : { "type" : "object", "title" : "Client Dynamic Registration", "propertyOrder" : 2, "properties" : { "requiredSoftwareStatementAttestedAttributes" : { "title" : "Required Software Statement Attested Attributes", "description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.", "propertyOrder" : 272, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "allowDynamicRegistration" : { "title" : "Allow Open Dynamic Client Registration", "description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.", "propertyOrder" : 280, "required" : true, "type" : "boolean", "exampleValue" : "" }, "dynamicClientRegistrationScope" : { "title" : "Scope to give access to dynamic client registration", "description" : "Mandatory scope required when registering a new OAuth2 client.", "propertyOrder" : 455, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationScript" : { "title" : "Dynamic Client Registration Script", "description" : "The script that is executed after registering, updating, or deleting a client via Dynamic Client Registration.", "propertyOrder" : 465, "required" : true, "type" : "string", "exampleValue" : "" }, "dynamicClientRegistrationSoftwareStatementRequired" : { "title" : "Require Software Statement for Dynamic Client Registration", "description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.", "propertyOrder" : 271, "required" : true, "type" : "boolean", "exampleValue" : "" }, "generateRegistrationAccessTokens" : { "title" : "Generate Registration Access Tokens", "description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.", "propertyOrder" : 290, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "deviceCodeConfig" : { "type" : "object", "title" : "Device Flow", "propertyOrder" : 5, "properties" : { "devicePollInterval" : { "title" : "Device Polling Interval", "description" : "The polling frequency for devices waiting for tokens when using the device code flow.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCodeLifetime" : { "title" : "Device Code Lifetime (seconds)", "description" : "The lifetime of the device code, in seconds.", "propertyOrder" : 390, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceUserCodeCharacterSet" : { "title" : "User Code Character Set", "description" : "The set of characters that will be used to generate the user code. The common sets are:<ul> <li>A subset of base58 with potentially ambiguous characters 0, 1, U, u, 8, 9 l, O, I, V, v, B, g and I removed: <pre>234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz</pre></li> <li>A-Z characters, with no digits and removing vowels: <pre>BCDFGHJKLMNPQRSTVWXZ</pre></li> <li>Numerical characters: <pre>0123456789</pre></li> </ul>", "propertyOrder" : 407, "required" : true, "minLength" : 10, "type" : "string", "exampleValue" : "" }, "completionUrl" : { "title" : "Device Completion URL", "description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 380, "required" : false, "type" : "string", "exampleValue" : "" }, "deviceUserCodeLength" : { "title" : "User Code Character Length", "description" : "The character length of the generated User Code.", "propertyOrder" : 405, "required" : true, "type" : "integer", "exampleValue" : "" }, "verificationUrl" : { "title" : "Verification URL", "description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.", "propertyOrder" : 370, "required" : false, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }