OpenID Connect Client (openidConnectClient)

OpenID Connect client.

NameTypeDefaultDescription

accessTokenCacheEnabled

boolean

true

Specifies whether authenticated subjects that are created by using a propagated access tokens are cached.

accessTokenCacheTimeout

A period of time with millisecond precision

5m

Specifies how long an authenticated subject that is created by using a propagated access token is cached. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

accessTokenInLtpaCookie

boolean

false

Specifies whether the LTPA token includes the access token.

allowCustomCacheKey

boolean

true

Specifies whether a custom cache key is used to store users in an authentication cache. If this property is set to true and the cache key for a user is not found in the authentication cache, the user will be required to log in again. Set this property to false when you use the jwtSso feature to allow the security subject to be constructed directly from the jwtSso cookie. Set this property to false when you do not use the jwtSso feature to allow the security subject to be constructed directly from the user registry. If the security subject is reconstructed from the user registry, there will be no SSO components in the subject. If your LTPA cookie is used by more than one server, consider setting this property to false. If your application always requires the SSO components to be present in the subject, you must either set this property to true or use the jwtSso feature.

audiences

string

Specifies a comma-separated list of trusted audiences that is verified against the aud claim in the JSON Web Token.

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authenticationTimeLimit

A period of time with millisecond precision

420s

Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnSessionDisabled

boolean

true

An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request.

authorizationEndpointUrl

string

Specifies an Authorization endpoint URL.

clientId

string

Identity of the client.

clientSecret

Reversably encoded password (string)

Secret key of the client.

clockSkew

A period of time with millisecond precision

300s

Specifies the allowed clock skew in seconds when you validate the JSON Web Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

createSession

boolean

true

Specifies whether to create an HttpSession if the current HttpSession does not exist.

disableIssChecking

boolean

false

Require the issuer claim to be absent when the OpenID Connect client validates a JWT access token for inbound propagation or when it performs token introspection for inbound propagation.

disableLtpaCookie

boolean

false

Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead.

discoveryEndpointUrl

string

Specifies a discovery endpoint URL for an OpenID Connect provider.

discoveryPollingRate

A period of time with millisecond precision

300s

Duration rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The checking is done only if there is an authentication failure. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

forwardLoginParameter

string

Specifies a comma-separated list of parameter names to forward to the OpenID Connect provider. If a protected resource request includes one or more of the specified parameters, the OpenID Connect client will include those parameters and their values in the authorization endpoint request to the OpenID Connect provider.

grantType

  • authorization_code

  • implicit

authorization_code

Specifies the grant type to use for this client. Use of the responseType attribute is preferred instead.
authorization_code
Authorization code grant type
implicit
Implicit grant type

groupIdentifier

string

groupIds

Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of.

headerName

string

The name of the header which carries the inbound token in the request.

hostNameVerificationEnabled

boolean

false

Specifies whether to enable host name verification.

httpsRequired

boolean

true

Require SSL communication between the OpenID relying party and provider service.

id

string

A unique configuration ID.

inboundPropagation

  • none

  • required

  • supported

none

Controls the operation of the token inbound propagation of the OpenID relying party.
none
Do not support inbound token propagation
required
Require inbound token propagation
supported
Support inbound token propagation

includeIdTokenInSubject

boolean

true

Specifies whether to include ID token in the client subject.

initialStateCacheCapacity

int
Min: 0

3000

Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself.

isClientSideRedirectSupported

boolean

true

Set this property to false if you do not want to use JavaScript to redirect to the OpenID Connect Provider for the initial authentication request. If JavaScript is not used, any URI fragments that are present in the original inbound request are lost.

issuerIdentifier

string

A case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. Specify multiple values as a comma separated list.

jwkClientId

string

Specifies the client identifier to include in the basic authentication scheme of the JWK request.

jwkClientSecret

Reversably encoded password (string)

Specifies the client password to include in the basic authentication scheme of the JWK request.

jwkEndpointUrl

string

Specifies a JWK endpoint URL.

jwtAccessTokenRemoteValidation

  • allow

  • none

  • require

none

Specifies whether a JWT access token that is received for inbound propagation is validated locally by the OpenID Connect client or by using the validation method that is configured by the OpenID Connect client.
allow
A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is validated by using the validation method that is configured by the OpenID Connect client.
none
A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is not validated by using the validation method that is configured by the OpenID Connect client.
require
A JWT access token that is received for inbound propagation is validated by using the validation method that is configured by the OpenID Connect client. The access token is not parsed or validated locally by the OpenID Connect client.

keyAliasName

string

The alias for the private key that is used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore that is specified by the trustStoreRef attribute, the truststore that is specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore that is specified by the SSL configuration that is referenced by the sslRef attribute.

keyManagementKeyAlias

string

Private key alias of the key management key that is used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token.

mapIdentityToRegistryUser

boolean

false

Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject.

nonceEnabled

boolean

false

Enable the nonce parameter in the authorization code flow.

pkceCodeChallengeMethod

  • S256

  • disabled

  • plain

disabled

Specifies the challenge method to use for Proof Key for Code Exchange (PKCE).

reAuthnCushion

A period of time with millisecond precision

0s

The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAccessTokenExpire

boolean

true

Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true.

realmIdentifier

string

realmName

Specifies a JSON attribute in the ID token that is used as the realm name.

realmName

string

Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false.

redirectJunctionPath

string

Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string.

redirectToRPHostAndPort

string

After authorization, the relying party will be redirected to this destination, instead of the default. The default is the origin of the relying party request.

resource

string

Resource parameter is included in the request.

responseType

  • code

  • id_token

  • id_token token

  • token

Specifies the response requested from the provider, either an authorization code or implicit flow tokens.
code
Authorization code
id_token
ID token
id_token token
ID token and access token
token
Access token

scope

string (with whitespace trimmed off)

openid profile

OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider.

signatureAlgorithm

  • ES256

  • ES384

  • ES512

  • HS256

  • HS384

  • HS512

  • RS256

  • RS384

  • RS512

  • none

HS256

Specifies the signature algorithm that will be used to verify the signature of the ID token.
ES256
Use the ES256 signature algorithm to sign and verify tokens
ES384
Use the ES384 signature algorithm to sign and verify tokens
ES512
Use the ES512 signature algorithm to sign and verify tokens
HS256
Use the HS256 signature algorithm to sign and verify tokens
HS384
Use the HS384 signature algorithm to sign and verify tokens
HS512
Use the HS512 signature algorithm to sign and verify tokens
RS256
Use the RS256 signature algorithm to sign and verify tokens
RS384
Use the RS384 signature algorithm to sign and verify tokens
RS512
Use the RS512 signature algorithm to sign and verify tokens
none
Tokens are not required to be signed

sslRef

A reference to top level ssl element (string).

Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider.

tokenEndpointAuthMethod

  • basic

  • post

  • private_key_jwt

post

The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client.
private_key_jwt
Private key JWT client authentication.

tokenEndpointAuthSigningAlgorithm

  • ES256

  • ES384

  • ES512

  • RS256

  • RS384

  • RS512

RS256

The signature algorithm to use to sign tokens that are used for client authentication.
ES256
Use the ES256 signature algorithm to sign tokens that are used for client authentication
ES384
Use the ES384 signature algorithm to sign tokens that are used for client authentication
ES512
Use the ES512 signature algorithm to sign tokens that are used for client authentication
RS256
Use the RS256 signature algorithm to sign tokens that are used for client authentication
RS384
Use the RS384 signature algorithm to sign tokens that are used for client authentication
RS512
Use the RS512 signature algorithm to sign tokens that are used for client authentication

tokenEndpointUrl

string

Specifies a token endpoint URL.

tokenOrderToFetchCallerClaims

  • AccessToken IDToken UserInfo

  • IDToken

IDToken

Specifies token order to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client continues the search with other tokens in the list.
AccessToken IDToken UserInfo
Uses the AccessToken, IDToken, and Userinfo tokens in that order to determine the caller claims
IDToken
Uses only the IDToken to determine the caller claims

tokenRequestOriginHeader

string

Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.

tokenReuse

boolean

false

Specifies whether JSON Web Tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.

trustAliasName

string

Key alias name to locate public key for signature validation with asymmetric algorithm.

trustStoreRef

A reference to top level keyStore element (string).

A keystore containing the public key necessary for verifying the signature of the ID token.

uniqueUserIdentifier

string

uniqueSecurityName

Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject.

useSystemPropertiesForHttpClientConnections

boolean

false

Specifies whether to use Java system properties when the OpenID Connect client creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties.

userIdentifier

string

Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used.

userIdentityToCreateSubject

string

sub

Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. The value for this property is overridden by the value for userIdentifier, if specified.

userInfoEndpointEnabled

boolean

false

Specifies whether the User info endpoint is contacted.

userInfoEndpointUrl

string

Specifies a User Info endpoint URL

validationEndpointUrl

string

The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod.

validationMethod

  • introspect

  • userinfo

introspect

The method of validation on the token inbound propagation.
introspect
Validate inbound tokens using token introspection
userinfo
Validate inbound tokens using the userinfo endpoint

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

ip

string

Specifies the remote host TCP/IP address.

matchType

  • contains

  • equals

  • greaterThan

  • lessThan

  • notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

NameTypeDefaultDescription

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authzParameter

Specifies custom parameters to send to authorization endpoint of the OpenID Connect provider.

NameTypeDefaultDescription

id

string

A unique configuration ID.

name

string

Specifies name of the additional parameter.

value

string

Specifies value of the additional parameter.

tokenParameter

Specifies custom parameters to send to token endpoint of the OpenID Connect provider.

NameTypeDefaultDescription

id

string

A unique configuration ID.

name

string

Specifies name of the additional parameter.

value

string

Specifies value of the additional parameter.