This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

OpenID Connect Client (openidConnectClient)

OpenID Connect client.

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| authFilterRef | A reference to a top-level authFilter element (string) | | Specifies the authentication filter reference. |
| authnSessionDisabled | boolean | true | When true, no authentication session cookie is created for inbound propagation; the client is expected to send a valid OAuth token with every request. |
| authorizationEndpointUrl | string | | Specifies the authorization endpoint URL of the OpenID Connect provider. |
| clientId | string | | Identity (client_id) of the client as registered with the provider. |
| clientSecret | Reversibly encoded password (string) | | Secret key of the client. Reversible encoding only obscures the value in server.xml; it is not a hash, so restrict read access to the configuration file. |
| createSession | boolean | true | Specifies whether to create an HttpSession if one does not already exist. |
| disableIssChecking | boolean | false | When true, the issuer (iss) claim is not checked while validating the JSON response for inbound token propagation. Leave this false: skipping the issuer check lets a token from any issuer pass validation. |
| disableLtpaCookie | boolean | false | When true, no LTPA token is created while processing the OAuth token; a cookie specific to this service provider is created instead. |
| grantType | implicit, authorization_code | authorization_code | Specifies the grant type to use for this client: implicit (Implicit grant type) or authorization_code (Authorization code grant type). |
| groupIdentifier | string | groupIds | Specifies the JSON attribute in the ID token that names the groups the authenticated principal is a member of. |
| headerName | string | | The name of the request header that carries the inbound token. |
| hostNameVerificationEnabled | boolean | false | Specifies whether to verify that the provider's TLS certificate matches the host name of the endpoint URL. With the default false, a certificate issued for a different host is accepted on the provider connection; set it to true in production. |
| httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and the provider service. |
| id | string | | A unique configuration ID. |
| inboundPropagation | supported, none, required | none | Controls inbound token propagation for the OpenID relying party: supported (support inbound token propagation), none (do not support inbound token propagation) or required (require inbound token propagation). |
| includeIdTokenInSubject | boolean | true | Specifies whether to include the ID token in the client subject. |
| initialStateCacheCapacity | int (minimum 0) | 3000 | Specifies the initial capacity of the state cache; the cache grows as needed. |
| isClientSideRedirectSupported | boolean | true | Specifies whether the client supports client-side redirect. |
| issuerIdentifier | string | | The Issuer Identifier is a case-sensitive URL using the HTTPS scheme that contains the scheme, host and optionally port number and path components. It is compared with the iss claim of the ID token. |
| jwkEndpointUrl | string | | Specifies the JWK endpoint URL from which the provider's public signing keys are fetched. |
| mapIdentityToRegistryUser | boolean | false | Specifies whether to map the identity to a registry user. If false, the user registry is not used to create the user subject. |
| nonceEnabled | boolean | false | Enables the nonce parameter in the authorization code flow. The nonce binds the ID token to the authentication request that asked for it; enable it to prevent ID token replay. |
| reAuthnCushion | A period of time with millisecond precision | 0s | How long before its tokens expire a user is authenticated again. The expiration time of an ID token is given by its exp claim. Specify a positive integer followed by a unit of time: hours (h), minutes (m), seconds (s) or milliseconds (ms); for example, 500ms is 500 milliseconds. Multiple values can be combined in a single entry; for example, 1s500ms is 1.5 seconds. |
| reAuthnOnAccessTokenExpire | boolean | true | Authenticate the user again when the authenticating access token expires and disableLtpaCookie is set to true. |
| realmIdentifier | string | realmName | Specifies the JSON attribute in the ID token that is used as the realm name. |
| realmName | string | | Specifies the realm name used to create the user subject when mapIdentityToRegistryUser is false. |
| redirectToRPHostAndPort | string | | Specifies the host and port number of the OpenID relying party to redirect to. |
| scope | tokenType (space-separated scope string) | openid profile | OpenID Connect scopes (as defined in the OpenID Connect specification) that are allowed for the provider. |
| signatureAlgorithm | HS256, none, RS256 | HS256 | Specifies the signature algorithm used to verify the signature of the ID token: HS256 (HMAC with a secret shared with the provider, the client secret; anyone holding that secret can mint valid tokens), none (tokens are not required to be signed, so unsigned tokens are accepted; do not use this in production) or RS256 (RSA signature verified with the provider's public key from trustStoreRef/trustAliasName or jwkEndpointUrl; preferred). |
| sslRef | A reference to a top-level ssl element (string) | | Specifies the ID of the SSL configuration used to connect to the OpenID Connect provider. |
| tokenEndpointAuthMethod | post, basic | post | The method used to send the client credentials to the provider's token endpoint: post (credentials in the request body, client_secret_post) or basic (HTTP Basic Authorization header, client_secret_basic). |
| tokenEndpointUrl | string | | Specifies the token endpoint URL. |
| trustAliasName | string | | Key alias used to locate the public key in the trust store for signature validation with an asymmetric algorithm (RS256). |
| trustStoreRef | A reference to a top-level keyStore element (string) | | A keystore containing the public key needed to verify the signature of the ID token. |
| uniqueUserIdentifier | string | uniqueSecurityName | Specifies the JSON attribute in the ID token that is used as the unique user name in the WSCredential of the subject. |
| userIdentifier | string | | Specifies the JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the sub claim is used. |
| userIdentityToCreateSubject | string | sub | Specifies the claim in the ID token whose value is the user identity used to create the user subject. |
| validationEndpointUrl | string | | The endpoint URL used to validate a propagated inbound token. The type of endpoint is determined by validationMethod. |
| validationMethod | introspect, userinfo | introspect | The method used to validate a propagated inbound token: introspect (token introspection endpoint) or userinfo (userinfo endpoint). |
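The attributes above are easiest to read as a complete relying-party configuration. The server.xml below is an added example written for this page, not IBM's own sample: it configures the authorization code flow with RS256 verification against a certificate in a trust store and overrides the defaults that weaken the setup (signatureAlgorithm, hostNameVerificationEnabled, nonceEnabled). The host name op.example.com, the endpoint paths, the element IDs, the alias opSigningKey, the keystore location and the passwords are placeholders; the audiences value assumes the provider puts the client_id in the ID token's aud claim, as OpenID Connect Core requires.

```xml
<server description="OpenID Connect relying party (added example, placeholder values)">

    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>servlet-3.1</feature>
    </featureManager>

    <!-- Server keystore for TLS and a separate trust store that holds the
         provider's ID-token signing certificate under alias "opSigningKey".
         Location, passwords and alias are placeholders; encode passwords
         with bin/securityUtility encode rather than storing them in clear. -->
    <keyStore id="defaultKeyStore" password="keystore-password" />
    <keyStore id="opTrustStore"
              location="${server.config.dir}/resources/security/op-trust.jks"
              password="truststore-password" />
    <ssl id="opSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore" />

    <openidConnectClient id="rp"
        clientId="rp-client-id"
        clientSecret="rp-client-secret"
        grantType="authorization_code"
        scope="openid profile"
        authorizationEndpointUrl="https://op.example.com/oidc/endpoint/OP/authorize"
        tokenEndpointUrl="https://op.example.com/oidc/endpoint/OP/token"
        tokenEndpointAuthMethod="basic"
        issuerIdentifier="https://op.example.com/oidc/endpoint/OP"
        signatureAlgorithm="RS256"
        trustStoreRef="opTrustStore"
        trustAliasName="opSigningKey"
        sslRef="opSSLConfig"
        httpsRequired="true"
        hostNameVerificationEnabled="true"
        nonceEnabled="true"
        reAuthnCushion="30s"
        mapIdentityToRegistryUser="false"
        realmName="op.example.com"
        authFilterRef="rpFilter">
        <!-- Reject ID tokens not issued for this client. -->
        <audiences>rp-client-id</audiences>
    </openidConnectClient>

    <!-- Only requests whose URL contains /secure are handed to this client. -->
    <authFilter id="rpFilter">
        <requestUrl id="protectedPaths" urlPattern="/secure" matchType="contains" />
    </authFilter>

</server>
```

Three of the attributes are set away from their documented defaults on purpose: signatureAlgorithm moves from HS256 (a secret shared with the provider) to RS256 (the provider's public key), hostNameVerificationEnabled moves from false to true so the TLS certificate must match op.example.com, and nonceEnabled moves from false to true so a replayed ID token fails validation. issuerIdentifier and audiences pin the iss and aud claims so a token from another issuer or for another client is not accepted even if it carries a valid signature.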
audiences
Description: The trusted audience list that is verified against the aud claim in the JSON Web Token. Specify one audiences element per trusted value; a token whose aud claim matches none of them fails validation.
Required: false
Data type: string

authFilter
Description: Specifies the authentication filter as a nested element (a top-level authFilter element can be referenced with authFilterRef instead).
Required: false
Data type:

authFilter > host
Description: Matches requests by the host name in the request.
Required: false
Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| matchType | equals, contains, notContain | contains | Specifies the match type: equals, contains or notContain (does not contain). |
| name | string | | Specifies the host name to match. |

authFilter > remoteAddress
Description: Matches requests by the client's remote IP address.
Required: false
Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| ip | string | | Specifies the IP address to match. |
| matchType | lessThan, equals, greaterThan, contains, notContain | contains | Specifies the match type: lessThan, equals, greaterThan, contains or notContain (does not contain). |

authFilter > requestUrl
Description: Matches requests by the request URL.
Required: false
Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| matchType | equals, contains, notContain | contains | Specifies the match type: equals, contains or notContain (does not contain). |
| urlPattern | string | | Specifies the URL pattern to match. |

authFilter > userAgent
Description: Matches requests by the User-Agent request header.
Required: false
Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| agent | string | | Specifies the user agent string to match. |
| id | string | | A unique configuration ID. |
| matchType | equals, contains, notContain | contains | Specifies the match type: equals, contains or notContain (does not contain). |

authFilter > webApp
Description: Matches requests by the name of the web application that receives them.
Required: false
Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| matchType | equals, contains, notContain | contains | Specifies the match type: equals, contains or notContain (does not contain). |
| name | string | | Specifies the web application name to match. |
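The inboundPropagation, validationMethod, audiences and authFilter settings come together when the same element protects an API that receives bearer tokens instead of browser logins. The server.xml below is an added example written for this page, not IBM's own sample: it requires a propagated token on every request, validates each one at the provider's introspection endpoint, disables the session and LTPA cookies so the resource server stays stateless, and scopes the client to API paths with an authFilter. The host name op.example.com, the endpoint paths, the element IDs, the audience values, the keystore location and the passwords are placeholders; the header name Authorization is set explicitly because the page gives no default for headerName.

```xml
<server description="OpenID Connect resource server with inbound token propagation (added example, placeholder values)">

    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>jaxrs-2.0</feature>
    </featureManager>

    <!-- Placeholder keystores; the trust store must contain the CA of the
         provider's TLS certificate so the introspection call can be made. -->
    <keyStore id="defaultKeyStore" password="keystore-password" />
    <keyStore id="opTrustStore"
              location="${server.config.dir}/resources/security/op-trust.jks"
              password="truststore-password" />
    <ssl id="opSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore" />

    <openidConnectClient id="ordersApi"
        clientId="api-client-id"
        clientSecret="api-client-secret"
        inboundPropagation="required"
        headerName="Authorization"
        validationMethod="introspect"
        validationEndpointUrl="https://op.example.com/oidc/endpoint/OP/introspect"
        issuerIdentifier="https://op.example.com/oidc/endpoint/OP"
        disableIssChecking="false"
        authnSessionDisabled="true"
        disableLtpaCookie="true"
        createSession="false"
        mapIdentityToRegistryUser="false"
        realmName="op.example.com"
        sslRef="opSSLConfig"
        httpsRequired="true"
        hostNameVerificationEnabled="true"
        authFilterRef="apiFilter">
        <!-- One audiences element per value the aud claim may carry. -->
        <audiences>https://api.example.com/orders</audiences>
        <audiences>api-client-id</audiences>
    </openidConnectClient>

    <!-- Requests whose URL contains /api/ must carry a valid token; other
         requests are not handled by this client. host, remoteAddress,
         userAgent and webApp child elements are available in the same way. -->
    <authFilter id="apiFilter">
        <requestUrl id="apiPaths" urlPattern="/api/" matchType="contains" />
    </authFilter>

</server>
```

With inboundPropagation set to required, a request that reaches a filtered path without a token in the Authorization header is rejected rather than redirected to the provider, which is the behaviour an API client expects. Keeping disableIssChecking at its default of false and listing the trusted audiences means an introspection response for a token minted by a different issuer, or for a different resource, does not produce a subject.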

Reference topic

Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=rwlp_config_openidConnectClient
File name: rwlp_config_openidConnectClient.html