---
title: HTTP OAuth2 OpenAM Authorization Mechanism (LEGACY)
description: "LEGACY since 8.0.0: Deprecated because PingAM deprecated the endpoint /oauth2/tokeninfo. Alternative: Use HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism."
component: pingds
version: 8
page_id: pingds:configref:objects-http-oauth2-openam-authorization-mechanism
canonical_url: https://docs.pingidentity.com/pingds/8/configref/objects-http-oauth2-openam-authorization-mechanism.html
section_ids:
  parent: Parent
  dependencies: Dependencies
  http_oauth2_openam_authorization_mechanism_properties: HTTP OAuth2 OpenAM Authorization Mechanism properties
  basic_properties: Basic properties
  access-token-cache-enabled: access-token-cache-enabled
  access-token-cache-expiration: access-token-cache-expiration
  authzid-json-pointer: authzid-json-pointer
  enabled: enabled
  identity-mapper: identity-mapper
  key-manager-provider: key-manager-provider
  required-scope: required-scope
  ssl-cert-nickname: ssl-cert-nickname
  ssl-cipher-suite: ssl-cipher-suite
  ssl-protocol: ssl-protocol
  token-info-url: token-info-url
  trust-manager-provider: trust-manager-provider
  advanced_properties: Advanced properties
  java-class: java-class
---

# HTTP OAuth2 OpenAM Authorization Mechanism (LEGACY)

|   |                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | LEGACY since 8.0.0: Deprecated because PingAM deprecated the endpoint /oauth2/tokeninfo. Alternative: Use HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism. |

The HTTP OAuth2 OpenAM Authorization Mechanism defines OAuth2 authorization using an OpenAM server as the authorization server.

## Parent

The HTTP OAuth2 OpenAM Authorization Mechanism object inherits from [HTTP OAuth2 Authorization Mechanism](objects-http-oauth2-authorization-mechanism.html).

## Dependencies

HTTP OAuth2 OpenAM Authorization Mechanisms depend on the following objects:

* [Key Manager Provider](objects-key-manager-provider.html)

* [Trust Manager Provider](objects-trust-manager-provider.html)

## HTTP OAuth2 OpenAM Authorization Mechanism properties

You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html).

| Basic Properties                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Advanced Properties       |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| [access-token-cache-enabled](#access-token-cache-enabled) [access-token-cache-expiration](#access-token-cache-expiration) [authzid-json-pointer](#authzid-json-pointer) [enabled](#enabled) [identity-mapper](#identity-mapper) [key-manager-provider](#key-manager-provider) [required-scope](#required-scope) [ssl-cert-nickname](#ssl-cert-nickname) [ssl-cipher-suite](#ssl-cipher-suite) [ssl-protocol](#ssl-protocol) [token-info-url](#token-info-url) [trust-manager-provider](#trust-manager-provider) | [java-class](#java-class) |

### Basic properties

Use the `--advanced` option to access advanced properties.

### access-token-cache-enabled

|                         |                                                                               |
| ----------------------- | ----------------------------------------------------------------------------- |
| *Synopsis*              | Indicates whether the HTTP OAuth2 Authorization Mechanism is enabled for use. |
| *Default value*         | false                                                                         |
| *Allowed values*        | true, false                                                                   |
| *Multi-valued*          | No                                                                            |
| *Required*              | Yes                                                                           |
| *Admin action required* | None                                                                          |
| *Advanced*              | No                                                                            |
| *Read-only*             | No                                                                            |

### access-token-cache-expiration

|                         |                                                                                                      |
| ----------------------- | ---------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Token cache expiration                                                                               |
| *Default value*         | None                                                                                                 |
| *Allowed values*        | Uses [duration syntax](duration-syntax.html). Lower limit: 0 seconds. Upper limit: 2147483647 seconds. |
| *Multi-valued*          | No                                                                                                   |
| *Required*              | No                                                                                                   |
| *Admin action required* | None                                                                                                 |
| *Advanced*              | No                                                                                                   |
| *Read-only*             | No                                                                                                   |

### authzid-json-pointer

|                         |                                                                                                                                             |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. |
| *Default value*         | None                                                                                                                                        |
| *Allowed values*        | A string.                                                                                                                                   |
| *Multi-valued*          | No                                                                                                                                          |
| *Required*              | Yes                                                                                                                                         |
| *Admin action required* | None                                                                                                                                        |
| *Advanced*              | No                                                                                                                                          |
| *Read-only*             | No                                                                                                                                          |

### enabled

|                         |                                                                |
| ----------------------- | -------------------------------------------------------------- |
| *Synopsis*              | Indicates whether the HTTP Authorization Mechanism is enabled. |
| *Default value*         | None                                                           |
| *Allowed values*        | true, false                                                    |
| *Multi-valued*          | No                                                             |
| *Required*              | Yes                                                            |
| *Admin action required* | None                                                           |
| *Advanced*              | No                                                             |
| *Read-only*             | No                                                             |

### identity-mapper

|                         |                                                                                                                                                                                    |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the name of the identity mapper(s) to use in conjunction with the authzid-json-pointer to get the user corresponding to the access-token.                                |
| *Default value*         | None                                                                                                                                                                               |
| *Allowed values*        | The name of an existing [identity-mapper](objects-identity-mapper.html). The referenced identity mapper(s) must be enabled when the HTTP OAuth2 Authorization Mechanism is enabled. |
| *Multi-valued*          | Yes                                                                                                                                                                                |
| *Required*              | Yes                                                                                                                                                                                |
| *Admin action required* | None                                                                                                                                                                               |
| *Advanced*              | No                                                                                                                                                                                 |
| *Read-only*             | No                                                                                                                                                                                 |

### key-manager-provider

|                         |                                                                                                                                        |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the name of the key manager that should be used with this HTTP OAuth2 OpenAM Authorization Mechanism.                        |
| *Default value*         | By default the system key manager(s) will be used.                                                                                     |
| *Allowed values*        | The name of an existing [key-manager-provider](objects-key-manager-provider.html). The referenced key manager provider must be enabled. |
| *Multi-valued*          | No                                                                                                                                     |
| *Required*              | No                                                                                                                                     |
| *Admin action required* | None. Changes to this property take effect immediately, but only for subsequent requests to the authorization server.                  |
| *Advanced*              | No                                                                                                                                     |
| *Read-only*             | No                                                                                                                                     |

### required-scope

|                         |                                                 |
| ----------------------- | ----------------------------------------------- |
| *Synopsis*              | Scopes required to grant access to the service. |
| *Default value*         | None                                            |
| *Allowed values*        | A string.                                       |
| *Multi-valued*          | Yes                                             |
| *Required*              | Yes                                             |
| *Admin action required* | None                                            |
| *Advanced*              | No                                              |
| *Read-only*             | No                                              |
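
The following sketch shows how `authzid-json-pointer` and `required-scope` interact when a token is evaluated. It is an added example, not PingDS code: it resolves an RFC 6901 JSON pointer against a constructed token info document and enforces the required scopes. Assumptions: the sample response fields, that every listed scope must be granted, and the helper names (`authorize`, `resolve_json_pointer`, `granted_scopes`, `TokenRejected`) are hypothetical; the identity-mapper lookup that follows is not modeled.

```python
"""Added illustration (not PingDS code): evaluating authzid-json-pointer and
required-scope against a resolved access token JSON document."""
import json
import re

_ARRAY_INDEX = re.compile(r"0|[1-9][0-9]*")  # RFC 6901 index: no leading zeros


class TokenRejected(Exception):
    """The token document does not satisfy the configured requirements."""


def resolve_json_pointer(document, pointer):
    """Resolve an RFC 6901 JSON pointer such as "/uid" or "/user/emails/0"."""
    if pointer == "":
        return document
    if not pointer.startswith("/"):
        raise ValueError("a JSON pointer is empty or starts with '/'")
    node = document
    for raw in pointer[1:].split("/"):
        # Unescape "~1" to "/" first, then "~0" to "~", as RFC 6901 requires.
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif (isinstance(node, list) and _ARRAY_INDEX.fullmatch(token)
              and int(token) < len(node)):
            node = node[int(token)]
        else:
            raise KeyError(pointer)
    return node


def granted_scopes(token_doc):
    """Accept a JSON array or a space-delimited string (assumed formats)."""
    scope = token_doc.get("scope", [])
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def authorize(token_doc, authzid_json_pointer, required_scopes):
    """Return the authorization ID, or raise TokenRejected (fail closed)."""
    # Assumption: every configured required-scope value must be granted.
    missing = set(required_scopes) - granted_scopes(token_doc)
    if missing:
        raise TokenRejected("missing scope(s): " + ", ".join(sorted(missing)))
    try:
        authzid = resolve_json_pointer(token_doc, authzid_json_pointer)
    except KeyError:
        raise TokenRejected(
            "pointer %r matches nothing" % authzid_json_pointer) from None
    # A pointer that lands on an object, array, number or empty string must
    # not be turned into an identity: reject rather than coerce.
    if not isinstance(authzid, str) or not authzid:
        raise TokenRejected("authorization ID is not a non-empty string")
    return authzid


# Constructed sample of a resolved access token document (field names are
# assumptions for illustration, not captured from a real server).
SAMPLE_TOKEN_INFO = json.loads("""
{
  "scope": ["uid", "mail"],
  "token_type": "Bearer",
  "expires_in": 3540,
  "uid": "bjensen",
  "mail": "bjensen@example.com"
}
""")

if __name__ == "__main__":
    print(authorize(SAMPLE_TOKEN_INFO, "/uid", ["uid"]))
    try:
        authorize(SAMPLE_TOKEN_INFO, "/uid", ["uid", "admin"])
    except TokenRejected as exc:
        print("rejected:", exc)
```

A pointer that does not match the token document, or that matches a non-string value, is the misconfiguration to check for first when every request is rejected after changing `authzid-json-pointer`.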

### ssl-cert-nickname

|                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *Synopsis*              | Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP OAuth2 OpenAM Authorization Mechanism should use when performing SSL communication.                                                                                                                                                                                                                                                                                                                                                                                             |
| *Description*           | The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP OAuth2 OpenAM Authorization Mechanism is configured to use SSL. |
| *Default value*         | Let the server decide.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| *Allowed values*        | A string.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| *Multi-valued*          | Yes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| *Required*              | No                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| *Admin action required* | The object must be disabled and re-enabled for changes to take effect.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| *Advanced*              | No                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| *Read-only*             | No                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

### ssl-cipher-suite

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the names of the SSL cipher suites that are allowed for use in SSL or TLS communication.                        |
| *Default value*         | Uses the default set of SSL cipher suites provided by the server's JVM.                                                   |
| *Allowed values*        | A string.                                                                                                                 |
| *Multi-valued*          | Yes                                                                                                                       |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change. |
| *Advanced*              | No                                                                                                                        |
| *Read-only*             | No                                                                                                                        |

### ssl-protocol

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the names of the SSL protocols that are allowed for use in SSL or TLS communication.                            |
| *Default value*         | Uses the default set of SSL protocols provided by the server's JVM.                                                       |
| *Allowed values*        | A string.                                                                                                                 |
| *Multi-valued*          | Yes                                                                                                                       |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change. |
| *Advanced*              | No                                                                                                                        |
| *Read-only*             | No                                                                                                                        |

### token-info-url

|                         |                                                                                           |
| ----------------------- | ----------------------------------------------------------------------------------------- |
| *Synopsis*              | Defines the OpenAM endpoint URL where the access-token resolution request should be sent. |
| *Default value*         | None                                                                                      |
| *Allowed values*        | A string.                                                                                 |
| *Multi-valued*          | No                                                                                        |
| *Required*              | Yes                                                                                       |
| *Admin action required* | None                                                                                      |
| *Advanced*              | No                                                                                        |
| *Read-only*             | No                                                                                        |

### trust-manager-provider

|                         |                                                                                                                                                                  |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.                               |
| *Default value*         | By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.                 |
| *Allowed values*        | The name of an existing [trust-manager-provider](objects-trust-manager-provider.html). The referenced trust manager provider must be enabled when SSL is enabled. |
| *Multi-valued*          | No                                                                                                                                                               |
| *Required*              | No                                                                                                                                                               |
| *Admin action required* | None. Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.                                                  |
| *Advanced*              | No                                                                                                                                                               |
| *Read-only*             | No                                                                                                                                                               |

## Advanced properties

Use the `--advanced` option to access advanced properties.

### java-class

|                         |                                                                                                                                   |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the fully-qualified name of the Java class that provides the HTTP OAuth2 OpenAM Authorization Mechanism implementation. |
| *Default value*         | org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism                                                     |
| *Allowed values*        | A Java class that extends or implements: org.opends.server.protocols.http.authz.HttpAuthorizationMechanism                        |
| *Multi-valued*          | No                                                                                                                                |
| *Required*              | Yes                                                                                                                               |
| *Admin action required* | None                                                                                                                              |
| *Advanced*              | Yes                                                                                                                               |
| *Read-only*             | No                                                                                                                                |
