
OAuth Service

OAuth Service contains the properties that affect the Identity Broker OAuth service.


Relations from This Component

The following components have a direct aggregation relation from the OAuth Service:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
  active-encryption-key
  alternate-decryption-key
  authorization-code-validity-duration
  access-token-validity-duration
  refresh-token-validity-duration
  reuse-refresh-tokens
  user-approval-page-url
  error-page-url
  id-token-validity-duration
  id-token-issuer-name
  signing-algorithm

Advanced Properties:
  redirect-resolver
  oauth-admin-client-id
  oauth-admin-client-secret

Basic Properties

active-encryption-key

Description
Specifies the active encryption key used to encrypt the authorization code, access token, and refresh token values granted to client applications. The key actually used is cryptographically derived from this value, so the product imposes no minimum complexity requirement; derivation does not add entropy, however, so the value should still come from a cryptographically secure random source rather than a memorable phrase. This key is also used to decrypt incoming authorization code and token values. When rotating the key (for example because the current key has been compromised), specify the current value as an alternate-decryption-key before setting a new active-encryption-key, so that authorization codes and tokens encrypted with the previous key can still be decrypted. Note that a compromised key kept as an alternate-decryption-key also keeps the server accepting tokens minted with it: remove it from alternate-decryption-key as soon as the tokens issued under it have expired, or immediately if forcing clients to re-authorize is acceptable.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

alternate-decryption-key

Description
Specifies one or more alternate decryption keys used to decrypt incoming authorization code, access token, and refresh token values presented by client applications. Previously used active-encryption-key values should be listed here so that authorization codes and tokens encrypted with an earlier key can still be decrypted; remove each retired key once the tokens issued under it have expired (see the validity duration properties below) so that the set of accepted keys does not grow without bound. This property is also useful in deployments where each Identity Broker instance uses a different encryption key; in that case, list the active-encryption-key values of the other Identity Broker instances here.
Default Value
The active-encryption-key will be the only key used for decryption
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
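The rotation procedure described under active-encryption-key and alternate-decryption-key, as an added example that drives dsconfig from Python. This is illustrative code written for this page, not part of the Identity Broker product. It assumes that `dsconfig` is on PATH and that whatever connection and non-interactive options the deployment needs (not shown on this page) are passed through `opts`; the key values in the dry run are constructed placeholders.

```python
"""Rotate the OAuth Service token encryption key through dsconfig.

Added example for this page; it is not part of the Identity Broker product.
Assumptions: `dsconfig` is on PATH, and the connection and non-interactive
options the deployment needs are supplied in `opts` (their exact flags are
not shown on the page this example accompanies).
"""
import secrets
import subprocess
from typing import Callable, List, Sequence

Runner = Callable[[List[str]], None]


def run_dsconfig(argv: List[str]) -> None:
    """Default runner: execute dsconfig and fail loudly on a non-zero exit."""
    subprocess.run(argv, check=True)


def new_encryption_key(nbytes: int = 32) -> str:
    """A fresh key value from the OS CSPRNG. The broker derives the real key
    from this string and imposes no complexity rule, but derivation does not
    add entropy, so never substitute a memorable phrase here."""
    return secrets.token_urlsafe(nbytes)


def set_prop_command(op: str, prop: str, value: str,
                     opts: Sequence[str] = ()) -> List[str]:
    """Build `dsconfig set-oauth-service-prop OP PROP:VALUE [opts]` as argv.
    Passing argv as a list keeps key material away from shell parsing."""
    if op not in ("--set", "--add", "--remove"):
        raise ValueError("op must be --set, --add or --remove")
    if ":" in prop:
        raise ValueError("property name cannot contain ':'")
    return ["dsconfig", "set-oauth-service-prop", op, f"{prop}:{value}", *opts]


def rotate_encryption_key(old_key: str, new_key: str,
                          opts: Sequence[str] = (),
                          run: Runner = run_dsconfig) -> List[List[str]]:
    """Step 1 keeps the old key as an alternate so tokens already issued still
    decrypt; step 2 switches the active key. Doing step 2 first would open a
    window in which every outstanding token is undecryptable."""
    if not old_key or not new_key:
        raise ValueError("both keys are required")
    if old_key == new_key:
        raise ValueError("new key must differ from the old one")
    commands = [
        set_prop_command("--add", "alternate-decryption-key", old_key, opts),
        set_prop_command("--set", "active-encryption-key", new_key, opts),
    ]
    for argv in commands:
        run(argv)
    return commands


def retire_decryption_key(old_key: str, opts: Sequence[str] = (),
                          run: Runner = run_dsconfig) -> List[str]:
    """Step 3, once the longest configured token lifetime has elapsed (the
    refresh-token-validity-duration, 30 d by default), or immediately if the
    old key was compromised: stop accepting anything encrypted under it."""
    argv = set_prop_command("--remove", "alternate-decryption-key", old_key, opts)
    run(argv)
    return argv


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    def dry_run(argv: List[str]) -> None:
        print(" ".join(argv))

    current = "constructed-old-key-value"  # placeholder, not a real key
    fresh = new_encryption_key()
    rotate_encryption_key(current, fresh, opts=["--no-prompt"], run=dry_run)
    retire_decryption_key(current, opts=["--no-prompt"], run=dry_run)
```

The runner is injectable so the command sequence can be checked without a live server; in production, call the functions with the default runner and the deployment's real connection options. The `--no-prompt` flag in the dry run is assumed from common dsconfig usage and is not documented on this page.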

authorization-code-validity-duration

Description
Specifies the default validity duration of an authorization code. Applications may also specify a different validity duration that is specific to authorization codes generated for that application and will override this property.
Default Value
1 m
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-validity-duration

Description
Specifies the default validity duration of an access token. Applications may also specify a different validity duration that is specific to access tokens granted for that application and will override this property.
Default Value
12 h
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

refresh-token-validity-duration

Description
Specifies the default validity duration of a refresh token. Applications may also specify a different validity duration that is specific to refresh tokens generated for that application and will override this property. A value of "0 s" will disable the generation of refresh tokens.
Default Value
30 d
Allowed Values
A duration. Lower limit is 0 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

reuse-refresh-tokens

Description
Specifies whether to reuse the same refresh token until it expires (true) or to issue a new refresh token each time a new access token is obtained with it (false). Reusing a single refresh token for its full validity duration (30 days by default) means a leaked token value stays usable for that entire period; issuing a new token on each refresh limits how long any one token value remains useful to an attacker.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

user-approval-page-url

Description
URL to which the OAuth Service will forward end-user approval requests. Before forwarding, the OAuth Service authorization endpoint adds the request attribute 'authorizationRequest', which carries the request information, including the requested scopes and the application making the request.
Default Value
/view/oauth/approve
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

error-page-url

Description
URL to which the OAuth Service will forward an authorization request that cannot be processed. The OAuth Service authorization endpoint forwards a request to this URL when it contains errors such as an invalid redirect URL. Before forwarding, the OAuth Service adds the request attribute 'error' containing the exception that describes the error.
Default Value
/view/oauth/error
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

id-token-validity-duration

Description
Specifies the default validity duration of an OpenID Connect ID Token. Applications may also specify a different validity duration that is specific to id tokens granted for that application and will override this property.
Default Value
15 m
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

id-token-issuer-name

Description
Specifies a unique identifier for the Issuer (iss) claim of an ID Token. The value of this property is inserted into a URL of the form https://issuer_name when it is returned as the issuer identifier in an OpenID Connect ID Token. As an initial default, the create-initial-broker-config tool populates this property with the host name of the Identity Broker installation, but it may be set to any value appropriate for the service provider. Relying parties compare the iss claim against the issuer they were configured with, so changing this value after clients have been configured causes correctly implemented clients to reject ID Tokens until they are updated as well.
Default Value
replace_this_value
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

signing-algorithm

Description
The default signing algorithm to use when generating an OpenID Connect ID Token. Applications may also specify a different signing algorithm that is specific to responses generated for that application and will override this property. All supported algorithms are HMAC-based and therefore symmetric: the party that verifies an ID Token holds the same key that can produce a valid signature. That key must stay confined to the Identity Broker and confidential clients; a public client (browser or mobile code) that could verify such a token could equally forge one.
Default Value
hs256
Allowed Values
hs256 - HMAC using SHA-256 hash algorithm.

hs384 - HMAC using SHA-384 hash algorithm.

hs512 - HMAC using SHA-512 hash algorithm.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
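What id-token-validity-duration, id-token-issuer-name and signing-algorithm mean to the relying party that consumes the ID Token, as an added example of client-side validation. This is code written for this page, not the Identity Broker's or any client library's implementation. The shared secret, issuer host name, client identifier and claims are constructed for the example; `mint_id_token` exists only to produce test input in the JWT layout the HMAC algorithms above imply, and the dsconfig value hs256 corresponds to the JOSE header value "HS256".

```python
"""Relying-party validation of an HMAC-signed OpenID Connect ID Token.

Added example for this page; not product code. The secret, issuer, client
identifier and claims below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# dsconfig signing-algorithm values hs256/hs384/hs512 map to these JOSE names.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed example inputs (not real credentials or a real deployment).
SAMPLE_SECRET = b"constructed-shared-secret-for-this-example"
SAMPLE_ISSUER_NAME = "idp.example.com"          # the id-token-issuer-name value
SAMPLE_CLIENT_ID = "app-123"
SAMPLE_CLAIMS = {
    "iss": "https://" + SAMPLE_ISSUER_NAME,      # iss is https://<id-token-issuer-name>
    "sub": "jdoe",
    "aud": SAMPLE_CLIENT_ID,
    "iat": 1700000000,
    "exp": 1700000000 + 15 * 60,                 # id-token-validity-duration default of 15 m
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWT signed with one of the HMAC algorithms (test input only)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, issuer_name: str, client_id: str,
                    now: Optional[float] = None, max_skew: int = 60) -> dict:
    """Return the claims if the token is authentic, issued by the expected
    issuer for this client, and within its validity window; raise otherwise."""
    expected_iss = "https://" + issuer_name
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Pin the algorithm family before touching the signature: this rejects
    # "none" and any attempt to substitute a different algorithm.
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {expected_iss!r}")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not aud or client_id not in aud:
        raise ValueError("token was not issued for this client")
    exp = claims.get("exp")
    if exp is None:
        raise ValueError("exp claim missing")
    now = time.time() if now is None else now
    if now >= float(exp) + max_skew:
        raise ValueError("token expired")
    if float(claims.get("iat", 0)) > now + max_skew:
        raise ValueError("token issued in the future")
    return claims


if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    ok = verify_id_token(token, SAMPLE_SECRET, SAMPLE_ISSUER_NAME, SAMPLE_CLIENT_ID,
                         now=SAMPLE_CLAIMS["iat"] + 100)
    print("verified subject:", ok["sub"])
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    try:
        verify_id_token(unsigned, SAMPLE_SECRET, SAMPLE_ISSUER_NAME, SAMPLE_CLIENT_ID)
    except ValueError as err:
        print("rejected:", err)
```

The checks run in the order a verifier should use: algorithm pinned, signature verified, then issuer, audience and lifetime. Because the algorithms are symmetric, `SAMPLE_SECRET` is exactly the forging key; this code belongs in a confidential client or the broker, never in browser or mobile code.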


Advanced Properties

redirect-resolver (Advanced Property)

Description
Specifies the redirect resolver that will be used to resolve redirect URIs for OAuth client authorization requests. The default, exact-match resolver accepts a redirect URI only when it is identical to one registered for the client, which is the posture that keeps authorization codes from being delivered to an attacker-controlled URL; a resolver with looser matching than exact comparison widens that exposure and should be used only where exact registration is impossible.
Default Value
Exact Match Redirect Resolver
Allowed Values
The DN of any Redirect Resolver.
Multi-Valued
No
Required
Yes
Admin Action Required
The Identity Broker must be manually restarted for changes to this setting to take effect.

oauth-admin-client-id (Advanced Property)

Description
Specifies the client_id to be used by REST clients which access the Identity Broker admin APIs using OAuth authentication. This property is a placeholder for the client ID, as the OAuth Service actually uses the value stored in the Application entry in the Broker Store. Having it here allows tools such as prepare-external-store to use a consistent value for the ID when run multiple times or against multiple external servers.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

oauth-admin-client-secret (Advanced Property)

Description
Specifies the client_secret to be used by REST clients which access the Identity Broker admin APIs using OAuth authentication. This property is a placeholder for the client secret, as the OAuth Service actually uses the value stored in the Application entry in the Broker Store. Having it here allows tools such as prepare-external-store to use a consistent value for the secret when run multiple times or against multiple external servers.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To view the OAuth Service configuration:

dsconfig get-oauth-service-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the OAuth Service configuration:

dsconfig set-oauth-service-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...