Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
Specifies the OAuth2 client applications that may request access to resources, subject to policy and other privacy restrictions.
The following components have a direct composition relation from OAuth2 Clients:
The following components have a direct aggregation relation from OAuth2 Clients:
The properties supported by this managed object are as follows:
| General Basic Properties | Advanced Properties |
|---|---|
| description | trusted-cors-origin |
| email-address | |
| url | |
| icon-uri | |
| tag | |

| OAuth2 Basic Properties | Advanced Properties |
|---|---|
| client-id | authorization-code-validity-duration |
| client-secret | access-token-validity-duration |
| grant-type | refresh-token-validity-duration |
| redirect-url | id-token-validity-duration |
| id-token-encryption-algorithm | id-token-signing-algorithm |
| id-token-encryption-encoding | id-token-signing-key-pair |
| id-token-encryption-public-key-certificate | |
| permitted-acr | |

| External Identity Provider Basic Properties | Advanced Properties |
|---|---|
| None | external-identity-provider |
| | restrict-external-identity-providers |
description

| Property Group | General |
|---|---|
| Description | A description for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

email-address

| Property Group | General |
|---|---|
| Description | The contact email address for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

url

| Property Group | General |
|---|---|
| Description | The URL for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

icon-uri

| Property Group | General |
|---|---|
| Description | The icon URI for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

tag

| Property Group | General |
|---|---|
| Description | Tags associated with this OAuth2 Client. Tags are arbitrary additional properties that may be examined by XACML policies. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
client-id

| Property Group | OAuth2 |
|---|---|
| Description | The OAuth 2 client ID of this OAuth2 Client. |
| Default Value | A unique client ID will be generated if this application has at least one OAuth 2 grant type specified. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

client-secret

| Property Group | OAuth2 |
|---|---|
| Description | The OAuth 2 client secret for this OAuth2 Client. |
| Default Value | A new random value will be generated if this application has at least one OAuth 2 grant type specified. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

grant-type

| Property Group | OAuth2 |
|---|---|
| Description | The set of OAuth 2 grant types this OAuth2 Client is authorized to use. |
| Default Value | The OAuth2 Client is not enabled for OAuth 2. |
| Allowed Values | One or more of the values listed below |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

Allowed values for grant-type:

- authorization-code - The authorization code grant, which is used to request an access token from an authorization code.
- client-credentials - The client credentials grant, which can be used by a client application to request an access token using only its client credentials.
- implicit - The implicit grant, where an access token can be requested without obtaining intermediate credentials (such as an authorization code).
- password - The password grant, where an access token can be requested directly from the resource owner credentials. Using this grant type requires exposing the resource owner's clear-text password, along with potential account usability notices, warnings, and errors, to the OAuth2 Client. Only highly trusted OAuth2 Clients should be authorized to use this grant type, to prevent malicious use of any exposed information.
- refresh-token - The refresh token grant, where a new access token can be requested from a refresh token.

redirect-url

| Property Group | OAuth2 |
|---|---|
| Description | Specifies the redirect URLs for use with OAuth 2's authorization code and implicit flows for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

id-token-encryption-algorithm

| Property Group | OAuth2 |
|---|---|
| Description | Specifies the algorithm to use for JWE encryption of JWT tokens. |
| Default Value | RSA-OAEP-256 |
| Allowed Values | One of the values listed below |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

Allowed values for id-token-encryption-algorithm:

- RSA1_5 - RSA version 1.5.
- RSA-OAEP - RSA using Optimal Asymmetric Encryption Padding (OAEP).
- RSA-OAEP-256 - RSA using Optimal Asymmetric Encryption Padding (OAEP) with SHA-256 hash.

id-token-encryption-encoding

| Property Group | OAuth2 |
|---|---|
| Description | The encryption method used for JWE encryption of JWT tokens. |
| Default Value | A128CBC-HS256 |
| Allowed Values | One of the values listed below |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

Allowed values for id-token-encryption-encoding:

- A128CBC-HS256 - AES-CBC encryption using a 128-bit key combined with HMAC SHA-256.
- A192CBC-HS384 - AES-CBC encryption using a 192-bit key combined with HMAC SHA-384. This method requires the JCE Unlimited Strength Jurisdiction Policy files.
- A256CBC-HS512 - AES-CBC encryption using a 256-bit key combined with HMAC SHA-512. This method requires the JCE Unlimited Strength Jurisdiction Policy files.
id-token-encryption-public-key-certificate

| Property Group | OAuth2 |
|---|---|
| Description | The RSA public key used to encrypt ID tokens. The value of this property should be the PEM-encoded representation of the certificate used to encrypt ID tokens, including the "-----BEGIN CERTIFICATE-----" header and the "-----END CERTIFICATE-----" footer. Blank lines, and lines that start with the octothorpe character (#), will be ignored. |
| Default Value | If no public key is provided, then ID tokens will not be encrypted. |
| Allowed Values | application/x-x509-server-cert |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
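The property description above states the exact shape the server expects for the PEM value: BEGIN and END CERTIFICATE markers, with blank lines and lines starting with `#` ignored. The following Python script is an added example (not from the product documentation and not the server's own parser) that normalises a candidate value by those rules and base64-decodes the body, so an administrator can sanity-check a certificate file before passing it to dsconfig. The minimal DER SEQUENCE used as the sample body is constructed for the demonstration and is not a real certificate; the only structural check performed on the decoded bytes is that they begin with a DER SEQUENCE tag, which is an assumption about X.509 encoding rather than something this page documents.

```python
"""Added example, not part of the product documentation: normalise a value for
id-token-encryption-public-key-certificate as the property text describes and
return the DER bytes.  The sample body is constructed, not a real certificate."""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certificate_der(pem_value):
    """Drop ignorable lines, check the markers, base64-decode the body.
    Raises ValueError for anything that is not a single well-formed PEM block."""
    kept = []
    for line in pem_value.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # ignored, per the property description
            continue
        kept.append(line)
    if not kept or kept[0] != BEGIN or kept[-1] != END:
        raise ValueError("value must start with the BEGIN CERTIFICATE header "
                         "and end with the END CERTIFICATE footer")
    if kept.count(BEGIN) != 1 or kept.count(END) != 1:
        raise ValueError("exactly one certificate is expected")
    try:
        der = base64.b64decode("".join(kept[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        # Assumption: an X.509 certificate is a DER SEQUENCE (tag 0x30).
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


# Constructed sample: a minimal DER SEQUENCE standing in for a certificate body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = "\n".join([
    "# comment line, ignored by the server and by this script",
    "",
    BEGIN,
    base64.b64encode(SAMPLE_DER).decode(),
    "",
    END,
])

if __name__ == "__main__":
    print(certificate_der(SAMPLE_PEM).hex())
```

Run it against a real certificate file by passing the file's contents to `certificate_der`; a ValueError tells you the value would not have met the documented format, before any change is mirrored across the cluster.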
permitted-acr

| Property Group | OAuth2 |
|---|---|
| Description | Specifies the set of ACRs that may be used when authenticating users of this OAuth2 Client. It is also used as the default ACR set if the client application does not specify the OpenID Connect "acr_values" parameter in an OAuth2 request. |
| Default Value | If not specified, there is no restriction on the ACRs that may be specified by the client application. The OpenID Connect Service configuration supplies the default ACR set if the client does not specify the OpenID Connect "acr_values" parameter in an OAuth2 authorization request. |
| Allowed Values | The DN of any Authentication Context Class. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
trusted-cors-origin (Advanced Property)

| Property Group | General |
|---|---|
| Description | The set of trusted CORS origins for this OAuth2 Client. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
authorization-code-validity-duration (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The validity duration of an authorization code. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. The lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

access-token-validity-duration (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The validity duration of an access token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. The lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

refresh-token-validity-duration (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The validity duration of a refresh token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. The lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

id-token-validity-duration (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The validity duration of an OpenID Connect ID Token. |
| Default Value | The Identity Provider Service configuration specifies the default value. |
| Allowed Values | A duration. The lower limit is 1 second. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
id-token-signing-algorithm (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The signing algorithm to use when generating an OpenID Connect ID Token. |
| Default Value | hs256 |
| Allowed Values | One of the values listed below |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

Allowed values for id-token-signing-algorithm:

- hs256 - HMAC using the SHA-256 hash algorithm.
- hs384 - HMAC using the SHA-384 hash algorithm.
- hs512 - HMAC using the SHA-512 hash algorithm.
- rs256 - RSA PKCS#1 signature with SHA-256.
- rs384 - RSA PKCS#1 signature with SHA-384.
- rs512 - RSA PKCS#1 signature with SHA-512.

id-token-signing-key-pair (Advanced Property)

| Property Group | OAuth2 |
|---|---|
| Description | The key pair to use to sign OpenID Connect ID tokens. The private key will be used for the signature. |
| Default Value | None |
| Allowed Values | The DN of any Key Pair. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
external-identity-provider (Advanced Property)

| Property Group | External Identity Provider |
|---|---|
| Description | Specifies the external identity providers accessible to this OAuth2 Client. |
| Default Value | None |
| Allowed Values | The DN of any External Identity Provider. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |

restrict-external-identity-providers (Advanced Property)

| Property Group | External Identity Provider |
|---|---|
| Description | Specifies whether to restrict this OAuth2 Client to only use the specified external identity providers. |
| Default Value | false |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action. |
To list the configured OAuth2 Clients:
dsconfig list-oauth2-clients [--property {propertyName}] ...
To view the configuration for an existing OAuth2 Client:
dsconfig get-oauth2-client-prop --client-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing OAuth2 Client:
dsconfig set-oauth2-client-prop --client-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new OAuth2 Client:
dsconfig create-oauth2-client --client-name {name} [--set {propertyName}:{propertyValue}] ...
To delete an existing OAuth2 Client:
dsconfig delete-oauth2-client --client-name {name}
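The synopses above give the dsconfig verbs and the `{propertyName}:{propertyValue}` argument form, but not a way to check a client definition against the property constraints documented on this page before the change is mirrored cluster-wide. The following Python script is an added example (not from the product documentation and not part of the dsconfig tool): it validates a proposed OAuth2 Client against the allowed values listed above, raises the review points a defender would want to see (the password grant caution from the grant-type description, an authorization-code or implicit client with no redirect-url, an RSA signing algorithm with no key pair), and renders the corresponding `dsconfig create-oauth2-client` command line with one `--set` per value. The rendering of durations as `<n> s`, the placeholder key-pair DN in the sample, and the assumption that values are passed verbatim after `name:` are this example's own, not something the page states; the script never contacts a server.

```python
"""Added example, not part of the product documentation: check an OAuth2 Client
definition against the allowed values on this page and render the dsconfig
create command.  Assumed: durations render as "<n> s"; values are passed
verbatim after "<name>:".  Nothing here contacts a server."""
import shlex
from urllib.parse import urlparse

# Allowed values, as documented for each property on this page.
GRANT_TYPES = {"authorization-code", "client-credentials", "implicit",
               "password", "refresh-token"}
ENCRYPTION_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"}
ENCRYPTION_ENCODINGS = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}
SIGNING_ALGS = {"hs256", "hs384", "hs512", "rs256", "rs384", "rs512"}
DURATION_PROPS = ("authorization-code-validity-duration",
                  "access-token-validity-duration",
                  "refresh-token-validity-duration",
                  "id-token-validity-duration")
MULTI_VALUED = {"tag", "grant-type", "redirect-url", "permitted-acr",
                "trusted-cors-origin", "external-identity-provider"}
URL_PROPS = ("url", "icon-uri")      # absolute http/https, or relative


def _values(props, key):
    """Normalise a property to a list of values, multi-valued or not."""
    v = props.get(key)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def validate_client(props):
    """Return (severity, message) findings.  'error' breaks a documented
    allowed-values rule; 'warn' is a review point before the client exists."""
    findings = []
    for key, raw in props.items():
        if isinstance(raw, (list, tuple, set)) and len(raw) > 1 and key not in MULTI_VALUED:
            findings.append(("error", f"{key} is single-valued"))
    grants = set(_values(props, "grant-type"))
    for g in sorted(grants - GRANT_TYPES):
        findings.append(("error", f"unknown grant-type {g!r}"))
    if "password" in grants:
        # The page: only highly trusted clients should be authorized for this grant.
        findings.append(("warn", "password grant exposes the resource owner's "
                                 "clear-text password to the client"))
    if grants & {"authorization-code", "implicit"} and not _values(props, "redirect-url"):
        # Added check: redirect-url is documented as serving exactly these two flows.
        findings.append(("warn", "authorization-code/implicit enabled without a redirect-url"))
    for key in DURATION_PROPS:
        if key in props and (not isinstance(props[key], int) or props[key] < 1):
            findings.append(("error", f"{key} must be a whole number of seconds >= 1"))
    for key in URL_PROPS:
        if key in props:
            scheme = urlparse(props[key]).scheme
            if scheme and scheme not in ("http", "https"):
                findings.append(("error", f"{key} scheme must be http or https"))
    for key, allowed in (("id-token-encryption-algorithm", ENCRYPTION_ALGS),
                         ("id-token-encryption-encoding", ENCRYPTION_ENCODINGS),
                         ("id-token-signing-algorithm", SIGNING_ALGS)):
        if key in props and props[key] not in allowed:
            findings.append(("error", f"{key}: {props[key]!r} not in {sorted(allowed)}"))
    if str(props.get("id-token-signing-algorithm", "")).startswith("rs") \
            and "id-token-signing-key-pair" not in props:
        # Added check: RSA signing uses the private key of a configured Key Pair.
        findings.append(("warn", "rs* signing selected but no id-token-signing-key-pair"))
    return findings


def build_create_command(name, props):
    """Render `dsconfig create-oauth2-client` as an argv list; multi-valued
    properties repeat --set once per value."""
    argv = ["dsconfig", "create-oauth2-client", "--client-name", name]
    for key in sorted(props):
        for value in _values(props, key):
            if key in DURATION_PROPS:
                value = f"{value} s"        # assumed duration syntax
            argv += ["--set", f"{key}:{value}"]
    return argv


def build_create_script(name, props):
    """Shell-quoted command line; refuses to render a definition with errors."""
    errors = [m for sev, m in validate_client(props) if sev == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    return shlex.join(build_create_command(name, props))


if __name__ == "__main__":
    # Constructed sample: a confidential web client using the code flow.
    sample = {
        "description": "Example web app",
        "grant-type": ["authorization-code", "refresh-token"],
        "redirect-url": ["https://app.example.test/callback"],
        "access-token-validity-duration": 3600,
        "id-token-signing-algorithm": "rs256",
        "id-token-signing-key-pair": "cn=PLACEHOLDER-KEY-PAIR-DN",  # placeholder DN
    }
    for sev, msg in validate_client(sample):
        print(f"{sev}: {msg}")
    print(build_create_script("example-web-app", sample))
```

The same `validate_client` findings apply when reviewing an existing client: feed it the properties shown by `dsconfig get-oauth2-client-prop` and treat any `warn` line as a question for the application owner before a `set-oauth2-client-prop` change is mirrored across the cluster.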