This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
OpenID Connect Client (openidConnectClient)
OpenID Connect client.
Attribute name | Data type | Default value | Description |
---|---|---|---|
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
authnSessionDisabled | boolean | true | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request. |
authorizationEndpointUrl | string | Specifies an Authorization end point URL. | |
clientId | string | Identity of the client. | |
clientSecret | Reversably encoded password (string) | Secret key of the client. | |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
disableIssChecking | boolean | false | Do not check for the issuer while validating the json response for inbound token propagation. |
disableLtpaCookie | boolean | false | Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead. |
grantType |
|
authorization_code | Specifies the grant type to use for this client.
|
groupIdentifier | string | groupIds | Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of. |
headerName | string | The name of the header which carries the inbound token in the request. | |
hostNameVerificationEnabled | boolean | false | Specifies whether to enable host name verification. |
httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
id | string | A unique configuration ID. | |
inboundPropagation |
|
none | Controls the operation of the token inbound propagation of the OpenID relying party.
|
includeIdTokenInSubject | boolean | true | Specifies whether to include ID token in the client subject. |
initialStateCacheCapacity | int
Minimum: 0 |
3000 | Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself. |
isClientSideRedirectSupported | boolean | true | Specifies whether the client supports redirect at client side. |
issuerIdentifier | string | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. | |
jwkEndpointUrl | string | Specifies a JWK end point URL. | |
mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. |
nonceEnabled | boolean | false | Enable the nonce parameter in the authorization code flow. |
reAuthnCushion | A period of time with millisecond precision | 0s | The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
reAuthnOnAccessTokenExpire | boolean | true | Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true. |
realmIdentifier | string | realmName | Specifies a JSON attribute in the ID token that is used as the realm name. |
realmName | string | Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false. | |
redirectToRPHostAndPort | string | Specifies a redirect OpenID relying party host and port number. | |
scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
signatureAlgorithm |
|
HS256 | Specifies the signature algorithm that will be used to verify the signature of the ID token.
|
sslRef | A reference to top level ssl element (string). | Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider. | |
tokenEndpointAuthMethod |
|
post | The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client.
|
tokenEndpointUrl | string | Specifies a token end point URL. | |
trustAliasName | string | Key alias name to locate public key for signature validation with asymmetric algorithm. | |
trustStoreRef | A reference to top level keyStore element (string). | A keystore containing the public key necessary for verifying the signature of the ID token. | |
uniqueUserIdentifier | string | uniqueSecurityName | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. |
userIdentifier | string | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. | |
userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
validationEndpointUrl | string | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod. | |
validationMethod |
|
introspect | The method of validation on the token inbound propagation.
|
- audiences
Description: The trusted audience list that is verified against the aud claim in the JSON web token.Required: falseData type: string
- authFilter
Description: Specifies the authentication filter reference.Required: falseData type: - authFilter > host
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
name string Specifies the name.
- authFilter > remoteAddress
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. ip string Specifies the IP address. matchType - lessThan
- equals
- greaterThan
- contains
- notContain
contains Specifies the match type. - lessThan
- Less than
- equals
- Equals
- greaterThan
- Greater than
- contains
- Contains
- notContain
- Not contain
- authFilter > requestUrl
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
urlPattern string Specifies the URL pattern.
- authFilter > userAgent
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description agent string Specifies the user agent id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
- authFilter > webApp
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
name string Specifies the name.