Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
An OAuth2 Client describes an OAuth 2 client application that may request access to resources, subject to policy and any other privacy restrictions.
↓Relations from This Component
↓Properties
↓dsconfig Usage
The following components have a direct aggregation relation from OAuth2 Client:
The properties supported by this managed object are as follows:
| General Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ trusted-cors-origin |
| ↓ email-address | |
| ↓ url | |
| ↓ icon-uri | |
| ↓ tag | |
| OAuth2 Basic Properties: | Advanced Properties: |
| ↓ client-id | ↓ authorization-code-validity-duration |
| ↓ client-secret | ↓ access-token-validity-duration |
| ↓ grant-type | ↓ refresh-token-validity-duration |
| ↓ scope | ↓ id-token-validity-duration |
| ↓ redirect-url | ↓ signing-algorithm |
| External Identity Provider Basic Properties: | Advanced Properties: |
| None | ↓ external-identity-provider |
| | ↓ restrict-external-identity-providers |
description
| Property Group | General |
| Description | A description for this OAuth2 Client |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
email-address
| Property Group | General |
| Description | The contact email address for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
url
| Property Group | General |
| Description | The URL for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
icon-uri
| Property Group | General |
| Description | The icon URI for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
tag
| Property Group | General |
| Description | Tags associated with this OAuth2 Client. Tags are arbitrary additional properties that may be examined by XACML policies. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-id
| Property Group | OAuth2 |
| Description | The OAuth 2 client ID of this OAuth2 Client. |
| Default Value | A unique client ID will be generated if this application has at least one OAuth 2 grant type specified. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-secret
| Property Group | OAuth2 |
| Description | The OAuth 2 client secret for this OAuth2 Client. |
| Default Value | A new random value will be generated if this application has at least one OAuth 2 grant type specified. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
grant-type
| Property Group | OAuth2 |
| Description | The set of OAuth 2 grant types this OAuth2 Client is authorized to use. |
| Default Value | The OAuth2 Client is not enabled for OAuth 2. |
| Allowed Values | authorization-code - The authorization code grant, which is used to request an access token from an authorization code. client-credentials - The client credentials grant, which can be used by a client application to request an access token using only its client credentials. implicit - The implicit grant, where an access token can be requested without obtaining intermediate credentials (such as an authorization code). password - The password grant, where an access token can be requested directly from the resource owner's credentials. Using this grant type requires exposing the resource owner's clear-text password, along with any account usability notices, warnings, and errors, to the OAuth2 Client. Only highly trusted OAuth2 Clients should be authorized to use this grant type, to prevent malicious use of any exposed information. refresh-token - The refresh token grant, where a new access token can be requested from a refresh token. unboundid-id-token - The ID Token grant, where an access token can be requested using an ID Token assertion as authentication. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
scope
| Property Group | OAuth2 |
| Description | Specifies the scopes associated with this OAuth2 Client. |
| Default Value | None |
| Allowed Values | The DN of any OAuth2 Scope. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
redirect-url
| Property Group | OAuth2 |
| Description | Specifies the redirect URLs for use with OAuth 2's authorization code and implicit flow for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
trusted-cors-origin (Advanced Property)
| Property Group | General |
| Description | The set of trusted CORS origins for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
authorization-code-validity-duration (Advanced Property)
| Property Group | OAuth2 |
| Description | The validity duration of an authorization code. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
access-token-validity-duration (Advanced Property)
| Property Group | OAuth2 |
| Description | The validity duration of an access token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
refresh-token-validity-duration (Advanced Property)
| Property Group | OAuth2 |
| Description | The validity duration of a refresh token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
id-token-validity-duration (Advanced Property)
| Property Group | OAuth2 |
| Description | The validity duration of an OpenID Connect ID Token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. Lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
signing-algorithm (Advanced Property)
| Property Group | OAuth2 |
| Description | The signing algorithm to use when generating an OpenID Connect ID Token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | hs256 - HMAC using SHA-256 hash algorithm. hs384 - HMAC using SHA-384 hash algorithm. hs512 - HMAC using SHA-512 hash algorithm. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
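All three signing-algorithm values are HMAC algorithms, so an ID Token issued for this OAuth2 Client is verified with a shared secret rather than a public key. The script below is an added example, not code from the product or this documentation: it mints and verifies a compact JWS with HS256/HS384/HS512 using only openssl, and refuses any other `alg` value in the header (including `none`). It assumes the HMAC key is the client's client-secret, which is what OpenID Connect Core section 10.1 prescribes for HS* algorithms; confirm that against the server before relying on it. The issuer URL, subject, audience and secret in the demo are constructed values.

```shell
#!/bin/sh
# Added example (not from the product documentation): mint and verify an
# OpenID Connect ID Token with the HMAC algorithms the signing-algorithm
# property offers (HS256/HS384/HS512), using only openssl.
# Assumption: the HMAC key is the client's client-secret, as OpenID Connect
# Core 10.1 prescribes for HS* algorithms; confirm against the server.

b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }   # stdin bytes -> base64url, no padding

b64url_dec() {  # $1 base64url -> raw bytes on stdout
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

hmac_sign() {  # $1 alg, $2 signing input, $3 secret -> base64url MAC; returns 1 unless alg is HS256/384/512
  local md
  case "$1" in HS256) md=sha256 ;; HS384) md=sha384 ;; HS512) md=sha512 ;; *) return 1 ;; esac
  printf '%s' "$2" | openssl dgst "-$md" -hmac "$3" -binary | b64url_enc
}

make_id_token() {  # $1 alg, $2 payload JSON, $3 client-secret -> compact JWS on stdout
  local h p
  h=$(printf '{"alg":"%s","typ":"JWT"}' "$1" | b64url_enc)
  p=$(printf '%s' "$2" | b64url_enc)
  printf '%s.%s\n' "$h.$p" "$(hmac_sign "$1" "$h.$p" "$3")"
}

verify_id_token() {  # $1 token, $2 client-secret -> 0 and the payload on stdout, otherwise 1
  local h p s alg expect
  h=${1%%.*}; s=${1##*.}; p=${1#*.}; p=${p%.*}
  # Read alg from the header but accept only the HMAC family: this refuses
  # "none" and any RS*/ES* value a forger might substitute.
  alg=$(b64url_dec "$h" | sed -n 's/.*"alg" *: *"\([A-Za-z0-9]*\)".*/\1/p')
  expect=$(hmac_sign "$alg" "$h.$p" "$2") || { echo "unsupported alg '$alg'" >&2; return 1; }
  # Plain string comparison is not constant-time; acceptable for a demo, not for a production verifier.
  [ -n "$expect" ] && [ "$expect" = "$s" ] || { echo "signature mismatch" >&2; return 1; }
  b64url_dec "$p"
}

# Demo with constructed values: the issuer signs with the client-secret, the
# client verifies with the same secret, and any other secret is rejected.
secret='s3cret-shared-with-payments-web'
token=$(make_id_token HS256 '{"iss":"https://idp.example.com","sub":"alice","aud":"payments-web"}' "$secret")
verify_id_token "$token" "$secret"
verify_id_token "$token" 'some-other-secret' || echo "rejected with wrong secret" >&2
```

The practical consequence for this property: every party that must verify the ID Token needs the client-secret, so an HS*-signed token cannot be safely validated by a public client or by any third party without also handing them the ability to mint tokens for this client.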
external-identity-provider (Advanced Property)
| Property Group | External Identity Provider |
| Description | Specifies the external identity providers accessible to this OAuth2 Client. |
| Default Value | None |
| Allowed Values | The DN of any External Identity Provider. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
restrict-external-identity-providers (Advanced Property)
| Property Group | External Identity Provider |
| Description | Specifies whether to restrict this OAuth2 Client to only use the specified external identity providers. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured OAuth2 Clients:
dsconfig list-oauth2-clients
[--property {propertyName}] ...
To view the configuration for an existing OAuth2 Client:
dsconfig get-oauth2-client-prop
--client-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing OAuth2 Client:
dsconfig set-oauth2-client-prop
--client-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new OAuth2 Client:
dsconfig create-oauth2-client
--client-name {name}
[--set {propertyName}:{propertyValue}] ...
To delete an existing OAuth2 Client:
dsconfig delete-oauth2-client
--client-name {name}
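Creating a client is the point where the grant-type and redirect-url choices above become security decisions. The script below is an added example, not part of the product or this documentation: it assembles a `dsconfig create-oauth2-client` line from the properties this page defines and refuses the combinations a reviewer would reject (the password and implicit grants unless explicitly overridden, redirect URLs that are not TLS or that carry fragments or wildcards, and a code/implicit client with no redirect URL at all). The client name `payments-web`, the scope DN, the `ALLOW_RISKY_GRANTS` override and the loopback-http allowance are all hypothetical, and the duration spelling `15 m` is an assumption about the server's duration syntax.

```shell
#!/bin/sh
# Added example, not part of the product documentation: build a
# "dsconfig create-oauth2-client" invocation from the page's properties and
# refuse settings a reviewer would reject. Hypothetical: the client name,
# the scope DN, the ALLOW_RISKY_GRANTS override; "15 m" assumes the server's
# duration syntax.

# The grant-type values listed on this page.
VALID_GRANTS="authorization-code client-credentials implicit password refresh-token unboundid-id-token"
# Refused by default: implicit returns the token in the URL fragment; password
# hands the resource owner's clear-text password to the client.
RISKY_GRANTS="implicit password"

in_list() {  # in_list WORD "a b c" -> 0 if WORD is in the list
  local w
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

check_grant() {  # 0 = accepted, 1 = not a grant-type value, 2 = risky and not overridden
  in_list "$1" "$VALID_GRANTS" || return 1
  if in_list "$1" "$RISKY_GRANTS" && [ "${ALLOW_RISKY_GRANTS:-0}" != 1 ]; then return 2; fi
  return 0
}

check_redirect_url() {  # 0 = accepted, 1 = rejected
  case "$1" in
    *"#"*|*"*"*) return 1 ;;       # fragments and wildcards never belong in a registered redirect
    https://*) return 0 ;;         # TLS for anything that is not loopback
    http://localhost|http://localhost[/:]*|http://127.0.0.1|http://127.0.0.1[/:]*) return 0 ;;
    *) return 1 ;;                 # http to a real host, other schemes; relative URLs are server-legal but rejected here
  esac
}

# build_create_command NAME [--grant G] [--redirect URL] [--scope DN] [--access-ttl D] [--refresh-ttl D]
# Prints the dsconfig command line on success; returns 1 with a reason on stderr otherwise.
build_create_command() {
  local name="$1" cmd needs_redirect=0 have_redirect=0 rc
  shift
  cmd="dsconfig create-oauth2-client --client-name '$name'"
  while [ $# -gt 0 ]; do
    [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
    case "$1" in
      --grant)
        rc=0; check_grant "$2" || rc=$?
        case $rc in
          1) echo "not a grant-type value: $2" >&2; return 1 ;;
          2) echo "refusing risky grant-type $2 (ALLOW_RISKY_GRANTS=1 overrides)" >&2; return 1 ;;
        esac
        case "$2" in authorization-code|implicit) needs_redirect=1 ;; esac
        cmd="$cmd --set 'grant-type:$2'" ;;
      --redirect)
        check_redirect_url "$2" || { echo "rejected redirect-url: $2" >&2; return 1; }
        have_redirect=1
        cmd="$cmd --set 'redirect-url:$2'" ;;
      --scope)       cmd="$cmd --set 'scope:$2'" ;;
      --access-ttl)  cmd="$cmd --set 'access-token-validity-duration:$2'" ;;
      --refresh-ttl) cmd="$cmd --set 'refresh-token-validity-duration:$2'" ;;
      *) echo "unknown option: $1" >&2; return 1 ;;
    esac
    shift 2
  done
  if [ "$needs_redirect" = 1 ] && [ "$have_redirect" = 0 ]; then
    echo "authorization-code/implicit grants need at least one redirect-url" >&2; return 1
  fi
  printf '%s\n' "$cmd"
}

# Accepted: confidential web client, code + refresh only, TLS redirect, short-lived access tokens.
build_create_command payments-web \
  --grant authorization-code --grant refresh-token \
  --redirect https://payments.example.com/oauth/callback \
  --scope 'cn=openid,cn=OAuth2 Scopes,cn=config' \
  --access-ttl '15 m' --refresh-ttl '8 h'

# Rejected: password grant plus a plain-http redirect to a real host.
build_create_command legacy-portal --grant password \
  --redirect http://portal.example.com/cb || echo "legacy-portal rejected" >&2
```

Run the printed line through `eval` or paste it into dsconfig once it passes; the same checks can be pointed at `set-oauth2-client-prop --add` arguments when an existing client grows a new redirect-url or grant-type.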