OAuth Service contains the properties that affect the Identity Broker OAuth service.
The properties supported by this managed object are as follows:
| Basic Properties | Advanced Properties |
|---|---|
| authorization-code-validity-duration | oauth-admin-client-id |
| access-token-validity-duration | oauth-admin-client-secret |
| refresh-token-validity-duration | |
| reuse-refresh-tokens | |
| user-approval-page-url | |
| error-page-url | |
| id-token-validity-duration | |
| id-token-issuer-name | |
| signing-algorithm | |
authorization-code-validity-duration

| Description | Specifies the default validity duration of an authorization code. Applications may also specify a different validity duration that is specific to authorization codes generated for that application and will override this property. |
|---|---|
| Default Value | 1 m |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
access-token-validity-duration

| Description | Specifies the default validity duration of an access token. Applications may also specify a different validity duration that is specific to access tokens granted for that application and will override this property. |
|---|---|
| Default Value | 12 h |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
refresh-token-validity-duration

| Description | Specifies the default validity duration of a refresh token. Applications may also specify a different validity duration that is specific to refresh tokens generated for that application and will override this property. A value of "0 s" disables the generation of refresh tokens. |
|---|---|
| Default Value | 30 d |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
reuse-refresh-tokens

| Description | Specifies whether to reuse the refresh token until it is no longer valid, or to generate a new refresh token each time a new access token is issued. |
|---|---|
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
user-approval-page-url

| Description | URL to which the OAuth Service will forward end-user approval requests. Before forwarding, the OAuth Service authorization endpoint processes the request by adding the request attribute 'authorizationRequest', which contains the request information, including the requested scopes and the application making the request. |
|---|---|
| Default Value | /view/oauth/approve |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action. |
error-page-url

| Description | URL to which the OAuth Service will forward an erroneous approval request. The OAuth Service authorization endpoint forwards a request to this URL when errors such as an invalid forwarding URL are present in the request. Before forwarding the request, the OAuth Service adds the request attribute 'error', containing the exception that describes the error. |
|---|---|
| Default Value | /view/oauth/error |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action. |
id-token-validity-duration

| Description | Specifies the default validity duration of an OpenID Connect ID Token. Applications may also specify a different validity duration that is specific to ID tokens granted for that application and will override this property. |
|---|---|
| Default Value | 15 m |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
id-token-issuer-name

| Description | Specifies a unique identifier for the Issuer (iss) claim of an ID Token. The value of this property is inserted into a URL of the form https://issuer_name when returned as the unique issuer identifier in an OpenID Connect ID Token. As an initial default, the create-initial-broker-config tool populates this property with the host name of the Identity Broker installation; however, it may be set to any value appropriate for the service provider. |
|---|---|
| Default Value | replace_this_value |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
signing-algorithm

| Description | The default signing algorithm to use when generating an OpenID Connect ID Token. Applications may also specify a different signing algorithm that is specific to responses generated for that application and will override this property. |
|---|---|
| Default Value | hs256 |
| Allowed Values | hs256 - HMAC using the SHA-256 hash algorithm. hs384 - HMAC using the SHA-384 hash algorithm. hs512 - HMAC using the SHA-512 hash algorithm. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
oauth-admin-client-id (Advanced Property)

| Description | Specifies the client_id to be used by REST clients that access the Identity Broker admin APIs using OAuth authentication. This property is a placeholder for the client ID, as the OAuth Service actually uses the value stored in the Application entry in the Broker Store. Having it here allows tools such as prepare-external-store to use a consistent value for the ID when run multiple times or against multiple external servers. |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
oauth-admin-client-secret (Advanced Property)

| Description | Specifies the client_secret to be used by REST clients that access the Identity Broker admin APIs using OAuth authentication. This property is a placeholder for the client secret, as the OAuth Service actually uses the value stored in the Application entry in the Broker Store. Having it here allows tools such as prepare-external-store to use a consistent value for the secret when run multiple times or against multiple external servers. |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
To view the OAuth Service configuration:

```
dsconfig get-oauth-service-prop [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the OAuth Service configuration:

```
dsconfig set-oauth-service-prop (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```
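As an added example (not part of the product or this reference), the script below audits the OAuth Service properties documented above against a defender's baseline: it parses the duration values in the page's `1 m` / `12 h` / `0 s` notation, treats `0 s` for refresh tokens as "refresh tokens disabled", and flags the documented defaults that are usually tightened before production (the 12 h access token lifetime, refresh-token reuse, and the `replace_this_value` issuer placeholder). The tab-delimited `name<TAB>value` input shape is an assumption meant to resemble `dsconfig get-oauth-service-prop --tab-delimited --script-friendly` output; the 3600 s access-token baseline is likewise an assumed policy, not a product requirement.

```python
import re

# Constructed sample (not captured from a real server) in an assumed
# name<TAB>value shape; the values are this page's documented defaults.
SAMPLE_PROPS = (
    "authorization-code-validity-duration\t1 m\n"
    "access-token-validity-duration\t12 h\n"
    "refresh-token-validity-duration\t30 d\n"
    "reuse-refresh-tokens\ttrue\n"
    "id-token-validity-duration\t15 m\n"
    "id-token-issuer-name\treplace_this_value\n"
    "signing-algorithm\ths256\n"
)

# Duration units that appear on this page; the product may accept others.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Convert a duration such as '12 h' or '0 s' into whole seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def parse_props(text: str) -> dict[str, str]:
    """Turn tab-delimited 'name<TAB>value' lines into a dict."""
    props = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition("\t")
            props[name.strip()] = value.strip()
    return props


def audit(props: dict[str, str], max_access_token_s: int = 3600) -> list[tuple[str, str]]:
    """Return (property, finding) pairs for settings weaker than the assumed baseline."""
    findings = []
    if parse_duration(props["access-token-validity-duration"]) > max_access_token_s:
        findings.append(("access-token-validity-duration",
                         f"longer than the assumed {max_access_token_s}s baseline"))
    # '0 s' disables refresh tokens entirely, so reuse only matters when they exist.
    if (parse_duration(props["refresh-token-validity-duration"]) > 0
            and props["reuse-refresh-tokens"].lower() == "true"):
        findings.append(("reuse-refresh-tokens",
                         "refresh tokens are reused rather than rotated on each use"))
    if props["id-token-issuer-name"] == "replace_this_value":
        findings.append(("id-token-issuer-name",
                         "still the placeholder default, so the iss claim is meaningless"))
    return findings


if __name__ == "__main__":
    for prop, finding in audit(parse_props(SAMPLE_PROPS)):
        print(f"{prop}: {finding}")
```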