The Bind Access Token Validator may be used to validate access tokens that were generated in response to LDAP bind operations that included the generate access log tokens request control, or in response to Directory REST API authenticate requests. This configuration can also be used to manage the server's ability to generate those tokens.
The Bind Access Token Validator component inherits from the Access Token Validator
The following components have a direct aggregation relation from Bind Access Token Validators:
The properties supported by this managed object are as follows:
| General Configuration Basic Properties: | Advanced Properties: |
|---|---|
| identity-mapper | subject-claim-name |
| description | |
| enabled | |
| evaluation-order-index | |
| persist-access-tokens | |
| maximum-token-lifetime | |
| allowed-authentication-type | |
| allowed-sasl-mechanism | |
| generate-token-result-criteria | |
| included-scope |
| Property Group | General Configuration |
| Description | Specifies the name of the Identity Mapper that should be used for associating user entries with Bearer token subject names. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property. |
| Default Value | Requests must specify a fully qualified DN. No attempt will be made to map a user name to a DN. |
| Allowed Values | The DN of any Identity Mapper. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | A description for this Access Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Indicates whether this Bind Access Token Validator is enabled for use in Directory Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | If you enable the bind access token validator, you should also ensure that the server is configured with an OAUTHBEARER SASL mechanism handler to allow the server to authenticate clients using the generated tokens. |
| Property Group | General Configuration |
| Description | When multiple Access Token Validators are defined for a single Directory Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Directory Server. Values of this property must be unique among all Access Token Validators defined within Directory Server but not necessarily contiguous. Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Indicates whether access tokens should be persisted in user entries. If access tokens should be persisted, then they will only be accepted if the token is found in the user's entry, and a token may be revoked by removing it from the user's entry. If access tokens should not be persisted, then the token will be accepted as long as it appears valid and is not expired. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the maximum length of time that a generated token should be considered valid. If this is not specified, then generated access tokens will not expire. |
| Default Value | None |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the authentication types for bind operations that may be used to generate access tokens, and for which generated access tokens will be accepted. |
| Default Value | simple sasl |
| Allowed Values | simple - Indicates that access tokens may be generated in response to simple bind operations, and that those access tokens may be considered valid when presented for authentication. sasl - Indicates that access tokens may be generated in response to SASL bind operations, and that those access tokens may be considered valid when presented for authentication. The allowed-sasl-mechanism property may optionally be used to restrict the set of SASL mechanisms for which tokens may be generated. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the names of the SASL mechanisms for which access tokens may be generated, and for which generated access tokens will be accepted. This property will only be used if the allowed-authentication-type property includes a value of sasl. If this property has one or more values, then only the specified SASL mechanisms will be allowed. If no values are specified, then any SASL mechanism will be allowed. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
generate-token-result-criteria
| Property Group | General Configuration |
| Description | A reference to a request criteria object that may be used to identify the types of bind operations for which access tokens may be generated. If no criteria is specified, then access tokens may be generated for any bind operations that satisfy the other requirements configured in this validator. |
| Default Value | None |
| Allowed Values | The DN of any Result Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the names of any scopes that should be granted to a client that authenticates with a bind access token. By default, no scopes will be granted. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Property Group | General Configuration |
| Description | The name of the token claim that contains the subject, i.e. the logged-in user in an access token. This property goes hand-in-hand with the identity-mapper property and tells the Identity Mapper which field to use to look up the user entry on the server. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Access Token Validators:
dsconfig list-access-token-validators
[--property {propertyName}] ...
To view the configuration for an existing Access Token Validator:
dsconfig get-access-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Access Token Validator:
dsconfig set-access-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...