Client Credentials Bearer Token HTTP Authorization Method
Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Client Credentials Bearer Token HTTP Authorization Method may be used to authorize HTTP requests with an OAuth 2.0 bearer token obtained from an authorization server using the client credentials grant type.
Parent Component
The Client Credentials Bearer Token HTTP Authorization Method component inherits from the HTTP Authorization Method.
Relations from This Component
The following components have a direct aggregation relation from Client Credentials Bearer Token HTTP Authorization Methods:
Properties
The properties supported by this managed object are as follows:
Basic Properties
description
| Description | A description for this HTTP Authorization Method |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enabled
| Description | Indicates whether this HTTP Authorization Method is enabled for use in the server. |
| Default Value | None |
| Allowed Values | true |
| | false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
oauth-server-token-endpoint-url
| Description | The URL of the OAuth 2.0 authorization server's token endpoint. |
| Default Value | None |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
http-proxy-external-server
| Description | A reference to an HTTP proxy server that should be used for requests sent to the OAuth authorization server. |
| Default Value | No HTTP proxy server will be used. |
| Allowed Values | The DN of any HTTP Proxy External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
key-manager-provider
| Description | The key manager provider to use if it is necessary to present a client certificate to the OAuth 2.0 authorization server. |
| Default Value | No client certificate will be presented to the authorization server. |
| Allowed Values | The DN of any Key Manager Provider. The key manager provider must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
trust-manager-provider
| Description | The trust manager provider to use to determine whether to trust the certificate presented by the OAuth 2.0 authorization server during TLS negotiation. |
| Default Value | A default set of trust managers will be used. |
| Allowed Values | The DN of any Trust Manager Provider. The trust manager provider must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
ssl-cert-nickname
| Description | The nickname (alias) of the entry in the associated key store that holds the client certificate chain to present to the authorization server during TLS negotiation. This may be left undefined if either no key manager provider is specified or if the JVM should automatically select an appropriate certificate from the associated key store. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
hostname-verification-method
| Description | The method that should be used to validate the hostname in the server certificate presented during TLS negotiation. |
| Default Value | strict |
| Allowed Values | strict - Indicates that strict hostname validation should be used, which will require the server certificate to contain a subject alternative name extension with a value that matches the address used to connect to the authorization server. If the server certificate does not include a subject alternative name extension, then the CN value in the certificate subject DN will be used as a fallback. |
| | allow-all - Indicates that no certificate hostname validation should be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
oauth-client-id
| Description | The client ID to use to authenticate to the authorization server when requesting an OAuth bearer token. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
oauth-client-secret-passphrase-provider
| Description | A passphrase provider to use to obtain the client secret to use to authenticate to the authorization server when requesting the OAuth bearer token. |
| Default Value | None |
| Allowed Values | The DN of any Passphrase Provider. The OAuth client secret passphrase provider must be enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
requested-scope
| Description | An optional set of scopes to request for the resulting OAuth bearer token. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
request-method
| Description | The HTTP method that should be used when requesting the OAuth bearer token from the authorization server |
| Default Value | post |
| Allowed Values | get - Use the HTTP GET method when requesting the bearer token. |
| | post - Use the HTTP POST method when requesting the bearer token. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
credentials-submission-method
| Description | Indicates how the client ID and secret should be provided to the OAuth authorization server when requesting the bearer token. |
| Default Value | basic-authorization |
| Allowed Values | basic-authorization - Submit the client ID and secret to the authorization server using basic authorization, with the client ID as the username and client secret as the password. |
| | request-parameters - Submit the client ID and secret to the authorization server using request parameters. The client ID will be submitted using the parameter specified by the client-id-parameter-name property, and the client secret will be submitted using the parameter specified by the client-secret-parameter-name property. This method is only recommended when using the POST request method, as the credentials would be exposed in the URL when using a GET request. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-id-parameter-name
| Description | The name of the request parameter used to submit the OAuth client ID if the credentials-submission-method is set to 'request-parameters'. |
| Default Value | client_id |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-secret-parameter-name
| Description | The name of the request parameter used to submit the OAuth client secret if the credentials-submission-method is set to 'request-parameters'. |
| Default Value | client_secret |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-token-lifetime
| Description | The maximum length of time that the OAuth bearer token obtained from the authorization server should be considered valid. If a maximum token lifetime is specified and the authorization server returns an expires_in value along with the bearer token, then the shorter of the configured maximum lifetime and the expires_in value will be used. If no maximum token lifetime is specified, then the expires_in value from the authorization server response will be used if one was provided. If no expires_in value is returned and no maximum token lifetime is specified, then it will be assumed that the retrieved token may be used indefinitely. |
| Default Value | If the authorization server returns an expires_in value, that will be used as the maximum lifetime. Otherwise, no maximum lifetime will be assumed. |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
response-timeout
| Description | The maximum length of time to wait for a response from the OAuth authorization server when requesting a bearer token. |
| Default Value | 10 s |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
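The following Python sketch is an added example, not part of the product documentation or the server's code. It models the token-lifetime rule described under maximum-token-lifetime and flags the risky property combinations this page calls out. Assumptions: durations are given as plain seconds, a configured maximum applies on its own when the server omits expires_in, and the sample configurations and host names are constructed.

```python
from urllib.parse import urlparse

def effective_lifetime(max_lifetime_s, expires_in_s):
    """Seconds a token is treated as valid; None means 'used indefinitely'.
    Shorter of the two when both are known, otherwise whichever is known."""
    known = [v for v in (max_lifetime_s, expires_in_s) if v is not None]
    return min(known) if known else None

def audit(props):
    """Return (property, finding) pairs for settings that weaken the method.
    Unset properties fall back to the defaults listed on this page."""
    findings = []
    url = urlparse(props["oauth-server-token-endpoint-url"])
    if url.scheme == "http":
        findings.append(("oauth-server-token-endpoint-url",
                         "cleartext http: client secret and token are sent unencrypted"))
    if props.get("hostname-verification-method", "strict") == "allow-all":
        findings.append(("hostname-verification-method",
                         "allow-all performs no hostname validation of the server certificate"))
    method = props.get("request-method", "post")
    submission = props.get("credentials-submission-method", "basic-authorization")
    if method == "get" and submission == "request-parameters":
        findings.append(("credentials-submission-method",
                         "request-parameters with get exposes the credentials in the URL"))
    if props.get("maximum-token-lifetime") is None:
        findings.append(("maximum-token-lifetime",
                         "unset: a token returned without expires_in is used indefinitely"))
    return findings

# Constructed sample configurations (placeholder host names, seconds for durations).
WEAK = {
    "oauth-server-token-endpoint-url": "http://as.example.com/as/token",
    "hostname-verification-method": "allow-all",
    "request-method": "get",
    "credentials-submission-method": "request-parameters",
}
HARDENED = {
    "oauth-server-token-endpoint-url": "https://as.example.com/as/token",
    "maximum-token-lifetime": 900,
}

if __name__ == "__main__":
    for prop, finding in audit(WEAK):
        print(f"{prop}: {finding}")
    print("effective lifetime:", effective_lifetime(900, 3600))
```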
dsconfig Usage
To list the configured HTTP Authorization Methods:
dsconfig list-http-authorization-methods
    [--property {propertyName}] ...
To view the configuration for an existing HTTP Authorization Method:
dsconfig get-http-authorization-method-prop
    --method-name {name}
    [--tab-delimited]
    [--script-friendly]
    [--property {propertyName}] ...
To update the configuration for an existing HTTP Authorization Method:
dsconfig set-http-authorization-method-prop
    --method-name {name}
    (--set|--add|--remove) {propertyName}:{propertyValue}
    [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Client Credentials Bearer Token HTTP Authorization Method:
dsconfig create-http-authorization-method
    --method-name {name}
    --type client-credentials-bearer-token
    --set enabled:{propertyValue}
    --set oauth-server-token-endpoint-url:{propertyValue}
    --set oauth-client-id:{propertyValue}
    --set oauth-client-secret-passphrase-provider:{propertyValue}
    [--set {propertyName}:{propertyValue}] ...
To delete an existing HTTP Authorization Method:
dsconfig delete-http-authorization-method
    --method-name {name}