
LDAP Token Store

An LDAP Token Store uses an LDAP Directory Server to store the authorization codes and tokens issued by the OAuth 2 services.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The LDAP Token Store component inherits from the Token Store.

Relations from This Component

The following components have a direct aggregation relation from LDAP Token Stores:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
    description
    username-mapper
    load-balancing-algorithm
    active-encryption-key
    alternate-decryption-key
    app-tokens-entry-dn

Advanced Properties:
    None

Basic Properties

description

Description
A description for this Token Store
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

username-mapper

Description
Specifies the username mapper(s) used with this LDAP token store to match the owner ID included in the OAuth 2 request to the corresponding user entry in the directory. When multiple mappers are specified, they are evaluated in the order given until one successfully maps the user.
Default Value
None
Allowed Values
The DN of any Username Mapper. The referenced username mapper must be enabled when the LDAP Token Store is enabled.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

load-balancing-algorithm

Description
Specifies the load-balancing algorithm that will be used to communicate with the set of servers available to access the token store.
Default Value
None
Allowed Values
The DN of any Load Balancing Algorithm. The associated load balancing algorithm must be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

active-encryption-key

Description
Specifies the active encryption key used to encrypt the authorization code, access token, and refresh token values granted to client applications. The actual encryption key is cryptographically derived from this value, so there are no minimum complexity requirements on the value itself. The same key is also used to decrypt incoming authorization code and token values. If the encryption key is compromised, add the current value as an alternate-decryption-key before setting a new active-encryption-key. This ensures that authorization code and token values still held by client applications, which were encrypted with the previous key, can still be decrypted.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

alternate-decryption-key

Description
Specifies an alternate decryption key used to decrypt incoming authorization code, access token, and refresh token values from client applications. Previously used active-encryption-key values should be listed here so that authorization code and token values encrypted with a previous key can still be decrypted. This is also useful in deployments where each Identity Broker instance uses a different encryption key: in that case, the active-encryption-key values of the other Identity Broker instances should be specified here.
Default Value
The active-encryption-key will be the only key used for decryption
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
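The rotation rule stated under active-encryption-key and alternate-decryption-key (add the old value as an alternate before replacing the active key, and try alternates only for decryption, in configured order) is modelled below as an added example. It is not the Identity Broker's own code: the product's cipher and key-derivation scheme are not documented on this page, so PBKDF2-HMAC-SHA256 derivation and an HMAC-SHA256 counter-mode cipher with an HMAC tag are assumptions standing in for them, and the `TokenStore` class, the `rotation_outcomes` function and the `k1`/`k2` key values are constructed for the illustration.

```python
"""Model of active-encryption-key / alternate-decryption-key rotation.

Assumed (not the product's real scheme): PBKDF2 derivation of the key from the
configured string, and a toy HMAC-SHA256 counter-mode cipher with an HMAC tag.
The tag is what lets the decryptor tell which configured key a token belongs to.
"""
import hashlib
import hmac
import os
from typing import Optional, Sequence


def derive_key(configured_value: str, salt: bytes = b"ldap-token-store") -> bytes:
    # The page says the key is *derived* from the configured value; PBKDF2 is an
    # assumed stand-in for that derivation (iteration count chosen for the demo).
    return hashlib.pbkdf2_hmac("sha256", configured_value.encode(), salt, 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: assumed toy stream cipher, illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_token(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce (16) || ciphertext || tag (32).
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_token(key: bytes, blob: bytes) -> Optional[bytes]:
    # Returns the plaintext only if the tag verifies under this key, else None.
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TokenStore:
    """One active key for encryption; alternates are tried for decryption only,
    in the configured order (alternate-decryption-key is multi-valued)."""

    def __init__(self, active_encryption_key: str,
                 alternate_decryption_keys: Sequence[str] = ()):
        self.active = derive_key(active_encryption_key)
        self.alternates = [derive_key(v) for v in alternate_decryption_keys]

    def issue(self, token_value: bytes) -> bytes:
        # New grants are always encrypted with the active key.
        return encrypt_token(self.active, token_value)

    def open(self, blob: bytes) -> Optional[bytes]:
        # Active key first, then each alternate; None means no configured key fits.
        for key in [self.active, *self.alternates]:
            pt = decrypt_token(key, blob)
            if pt is not None:
                return pt
        return None


def rotation_outcomes() -> dict:
    """Constructed scenario: a code issued under 'k1', then rotation to 'k2'."""
    before = TokenStore("k1")
    old_blob = before.issue(b"authz-code-constructed-0001")
    correct = TokenStore("k2", ["k1"])   # old value kept as an alternate
    careless = TokenStore("k2")          # active key replaced outright
    return {
        "correct_rotation_opens_old_token": correct.open(old_blob) == b"authz-code-constructed-0001",
        "careless_rotation_opens_old_token": careless.open(old_blob) is not None,
        "new_tokens_use_new_key": decrypt_token(correct.active, correct.issue(b"x")) == b"x",
    }


if __name__ == "__main__":
    for name, ok in rotation_outcomes().items():
        print(f"{name}: {ok}")
```

In this model the "careless" store rejects every token issued before the rotation, which is the outage the property description warns about; in dsconfig terms the prescribed order is a `--add alternate-decryption-key:{old value}` via `dsconfig set-token-store-prop` before the `--set active-encryption-key:{new value}`. The same list-of-alternates logic covers the multi-instance deployment the page mentions, where each instance lists the other instances' active keys.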

app-tokens-entry-dn

Description
Specifies the DN of the entry used to store application-only tokens, that is, tokens granted using the client_credentials grant type.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Token Stores:

dsconfig list-token-stores
     [--property {propertyName}] ...

To view the configuration for an existing Token Store:

dsconfig get-token-store-prop
     --store-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Token Store:

dsconfig set-token-store-prop
     --store-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new LDAP Token Store:

dsconfig create-token-store
     --store-name {name}
     --type ldap
     --set username-mapper:{propertyValue}
     --set load-balancing-algorithm:{propertyValue}
     --set active-encryption-key:{propertyValue}
     --set app-tokens-entry-dn:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Token Store:

dsconfig delete-token-store
     --store-name {name}