YAML Configuration Guide
Schema Docs
Description: Yaml Configuration Guide.
To get started with authoring ISVAOP configuration YAML, refer to the Configuration.
Example:
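# Full YAML based configuration example
#
# NOTE(review): sample data. The inline credential values in this file
# (client_secret, bind_password, the redis keystore password) are sample
# values; in a deployment reference them with the `secret:` annotation, as
# the db2 connection and the other keystore entries below already do.
---
version: "24.06"  # schema type is string; unquoted 24.06 would load as a float
server:
  ssl:
    key: 'secret:keystore/httpserverkey.pem'
    certificate: 'secret:keystore/httpservercert.pem'
    require_mtls: true
    client_auth_trust_store: ks:truststore  # keystore entry "truststore" defined below
  pages:
    type: zip
    content: "configmap:provider/pages.zip"
logging:
  level: debug
secrets:
  obf_key: 'secret:keystore/obf_key'
template_macros:
  user_macros:
    - name
    - family_name
    - given_name
    - display_name
  request_macros:
    - authorization_details
    - claims
    - user_code
    - state
ssl:
  certificate:
    - ks:rt_profile_keys
  # Default for outbound SSL connections; true turns hostname verification off,
  # which is only appropriate for a test environment.
  disable_hostname_verification: true
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - 'urn:openid:params:grant-type:ciba'
  access_policy_id: 1
  # Must name entries under rules > mapping (the original example pointed at
  # 100 and 101, which no mapping rule in this file defines).
  pre_mappingrule_id: isvaop_pretoken
  post_mappingrule_id: isvaop_posttoken
  base_url: 'https://localhost:445'
  mtls_base_url: 'https://localhost:445'
  mtls_certificate_header_name: X-Client-Certificate
  features:
    enable_fault_tolerance: false
    enable_dynamic_registration: true
    consent_prompt: NEVER_PROMPT
    fapi_compliant: false
    enforce_par: false
  token_settings:
    issuer: 'https://www.ibm.com'
    signing_alg: RS256
    signing_keystore: rt_profile  # keystore name without the ks: annotation
    signing_keylabel: rsa256
    authorization_code_lifetime: 300
    access_token_lifetime: 7200
    id_token_lifetime: 3600
    refresh_token_lifetime: 64800
  request_object:
    lifetime: 3600
    require_expiry: true
    only_request_object_params: false
    enforce_single_usage: false
  backchannel_settings:
    default_expiry: 900
    maximum_expiry: 1800
    polling_interval: 5
    notifyuser_mappingrule_id: notifyuser
    checkstatus_mappingrule_id: checkstatus
  attribute_map:
    name: display_name  # resolved by attribute_sources id 1
    age: age  # resolved by attribute_sources id 2
  metadata:
    claims_supported:
      - iss
      - name
      - displayName
janitor:
  batch_size: 1000
  max_duration: 0
  check_frequency: 10
jwks:
  signing_keystore: rt_profile
  encryption_keystore: rt_profile
authentication:
  endpoint: >-
    https://auth-machine/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password
  callback_param_name: Target
javascript:
  timeout: 0
  max_load: 16
  max_idle_time: 600
  max_ctx_in_isolate: 0
  cleanup_frequency: 0
  use_pool: false
dynamic_registration:
  recipe: Default
  mappingrule_id: dcr
  software_statement_validation:
    jwks_uri: >-
      https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    signing_algs:
      - PS256
      - ES256
  registration_endpoint_authentication:
    # All three requirements are off here, so the registration endpoint
    # accepts unauthenticated registrations in this sample.
    require_mtls: false
    require_bearer_token: false
    require_software_statement: false
    allow_custom_client_creds: true
  management_endpoint_authentication:
    require_mtls: false
    require_bearer_token: true
    require_software_statement: false
  registration_access_token:
    generate: true
    lifetime: 86400
    scopes:
      - 'cdr:registration'
runtime_db: mydb2
session_cache:
  type: redis
  cfg: myredis
server_connections:
  - name: mydb2
    type: db2
    database_name: secret:storage/mydb2_dbname
    hosts:
      - hostname: secret:storage/mydb2_hostname1
        hostport: secret:storage/mydb2_hostport1
    credential:
      username: secret:storage/mydb2_username
      password: secret:storage/mydb2_password
    conn_settings:
      max_pool_size: 50
      max_idle_size: 5
      max_idle_time: 10
      aged_timeout: 30
      connect_timeout: 5
    ssl:
      certificate:
        - ks:rt_profile
        - 'b64:LS0tLS1CRUdJTiBDR...LQo='
      disable_hostname_verification: true
  - "configmap:storage/myredis.yml"
  - name: ldap_test
    type: ldap
    hosts:
      - hostname: pentest-isva-openldap
        hostport: 636
    credential:
      bind_dn: 'cn=root,secAuthority=default'
      bind_password: passw0rd  # sample value; use a secret: reference in a deployment
    ssl:
      certificate:
        - ks:rt_profile
      disable_hostname_verification: true
    conn_settings:
      max_pool_size: 50
      connect_timeout: 3
attribute_sources:
  - id: 1
    name: display_name
    type: value
    value: anonymous
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: 3
    name: website
    type: ldap
    value: website
    scope: subtree
    filter: (objectclass=*)
    selector: nickname,gender,sn
    srv_conn: ldap_test  # the only ldap entry in server_connections above
    baseDN: dc=iswga
  - "configmap:attrsrc/attr_src_3_dup1.yml"
ldapcfg:
  - name: ldap_test_cfg_01
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_test
    attribute: uid
    baseDN: dc=ibm,dc=com
rules:
  access_policy:
    - name: default_policy
      type: javascript
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
  mapping:
    - name: isvaop_pretoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: isvaop_posttoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: attrUtil
      content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
    - name: checkstatus
      content: "configmap:rules/mapping_checkstatus.js"
    - name: dcr
      content: "B64:aW1wb...pCn0K"
    - name: extCache
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: httpClient
      content: "configmap:rules/mapping_httpClient.js"
    - name: jwt
      content: "B64:aW1wb...T047"
    - name: ldapClient
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: library
      content: "configmap:rules/mapping_library.js"
    - name: notifyuser
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: oauthUtil
      content: "B64:aW1w...Cgo="
    - name: ropc
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
clients:
  - client_id: client01
    client_id_issued_at: 1642399207
    client_secret: secret  # sample value
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
    response_types:
      - code id_token
      - code token id_token
      - code
      - code token
      - none
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post  # tls_client_auth # client_secret_post
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=oidc-dev-test.ite1.idng.ibmcloudsecurity.com,OU=,O=,L=,ST=,C=
    tls_client_certificate_bound_access_tokens: false
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: ES256
    require_pushed_authorization_requests: false
    require_pkce: false
    backchannel_token_delivery_mode: poll
    backchannel_client_notification_endpoint: https://notifyme.com
    backchannel_user_code_parameter: false
    extension:
      contact_type: "ADMINISTRATIVE"
      encryptDB: "rt_profile_keys"
      phone: "12345678"
      contact_person: "TESTUSER"
      company_name: "IBM"
      company_url: "https://ibm.com"
      encryptKey: "server"
      email: "[email protected]"
  - client_id: client01dpop
    client_id_issued_at: 1642399207
    client_secret: secret  # sample value
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
    response_types:
      - code id_token
      - code token id_token
      - code
      - code token
      - none
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post  # tls_client_auth # client_secret_post
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    dpop_bound_access_tokens: true
    dpop_signing_alg: PS256
    dpop_single_use_jti: false
  - "configmap:clients/client01jarm.yml"
  - "configmap:clients/client01mtls.yml"
  - "configmap:clients/client01ping.yml"
  - "configmap:clients/client01pingmisconfig.yml"
  - "configmap:clients/client01pingmtls.yml"
  - "configmap:clients/client01pingmtlsmisconfig.yml"
  - "configmap:clients/client01pwt.yml"
  - client_id: client02
    client_id_issued_at: 1642399207
    client_secret: secret  # sample value
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
      - https://www.mysp.ibm.com/isam/sps/oidc/rp/oidcrp/redirect/partner2
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
    response_types:
      - code id_token
      - code id_token token
      - code
      - code token
    scopes:
      - openid
      - profile
    token_endpoint_auth_method: tls_client_auth
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=clientID01,OU=security,O=IBM,L=singapore,ST=singapore,C=SG
    tls_client_certificate_bound_access_tokens: true
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: PS256
    require_pushed_authorization_requests: false
    require_pkce: false
    extension:
      # quoted: an unquoted value starting with "[" is parsed as a flow sequence
      email: "[email protected]"
      contactType: ADMINISTRATOR
      companyName: IBM
      encryptDB: rt_encrypt
      encryptKey: rsa
keystore:
  - name: db2client
    type: p12
    content: "secret:keystore/db2client.p12"
    password: "secret:keystore/db2client.obf"
  - name: test
    type: p12
    content: "secret:keystore/test.p12"
    password: "secret:keystore/test.obf"
  - name: postgres
    type: p12
    content: "secret:keystore/postgres.p12"
    password: "secret:keystore/postgres.obf"
  - name: redis
    type: p12
    content: "B64:MIIWX...AA=="
    password: "p@ssw0rd"  # sample value; use a secret: reference in a deployment
  - name: rt_profile
    type: zip
    content: "secret:keystore/rt_profile.zip"
  - name: rt_profile_dup01
    type: zip
    content: "B64:UEsDBBQAA.....A"
  - name: rt_profile_keys
    type: pem
    certificate:
      - label: httpservercert
        content: "B64:LS0tL...g=="
      - label: ldap
        content: "secret:keystore/rt_profile_keys_signer_ldap.pem"
      - label: ldap_gh
        content: |
          -----BEGIN CERTIFICATE-----
          MIIDBzCCAo2gAwIBAgIUbfkAdyPC1l5aUiTt6OUbS9Q+MbkwCgYIKoZIzj0EAwMw
          g...
          p8HLCUpB/3KPtmg=
          -----END CERTIFICATE-----
      - label: localLDAP
        content: "secret:keystore/rt_profile_keys_signer_localLDAP.pem"
      - label: rel-verify-ibmcloudsecurity-com-chain
        content: "B64:LS0tLS1CR...Q0K"
    key:
      - label: httpserverkey
        content: |
          -----BEGIN PRIVATE KEY-----
          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDcfy4ptpTSA2DE
          ...
          tf5q/y+aDIXOsF03swP+J60GPQ==
          -----END PRIVATE KEY-----
  - name: truststore
    type: pem
    certificate:
      - label: mtlsclientcert
        content: |
          -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----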
1. [Optional] Property root > version
Type: string. Default: 22.12. Defined in: yaml_provider.yml#/definitions/version. Description: The IBM Security Verify Access OIDC Provider (ISVAOP) configuration version. If `version` is not specified, the default value `22.12` is used.
2. [Required] Property root > definition
Description: Definition
Read more about Definition.
Example:
definition:
  id: 1 # Definition ID
  name: OIDC Definition # Definition Name
  grant_types: # Supported grant types.
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - urn:openid:params:grant-type:ciba
    - urn:ietf:params:oauth:grant-type:token-exchange
  access_policy_id: 1 # Access Policy Rule ID.
  pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken # Post-Token mapping rule ID.
  ropc_mappingrule_id: ropc # ROPC mapping rule ID.
  base_url: https://isvaop.ibm.com:445 # Base url of the endpoints.
  mtls_base_url: https://isvaop.ibm.com:445 # Base url of the MTLS endpoints.
  mtls_certificate_header_name: x-client-certificate # HTTP header name that contains MTLS certificate.
  features: # Features Flags
    enable_fault_tolerance: false # Enable multiple refresh token for fault tolerance.
    consent_prompt: ALWAYS_PROMPT # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false # Whether to enforce all the FAPI checks.
    enforce_par: false # Only accept authorize request using push authorize.
    prefer_claims_at_userinfo: true # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
  token_settings: # Token Settings
    issuer: https://isvaop.ibm.com # OP's issuer URI.
    signing_alg: PS512 # Signing algorithm for ID token generated.
    signing_keystore: rt_profile_keys # Signing keystore name.
    signing_keylabel: rsa256 # Signing key label.
    encryption_alg: none # Key encryption algorithm for ID token generated.
    encryption_enc: none # Content encryption algorithm for ID token generated.
    authorization_code_lifetime: 300 # Lifetime of authorization code.
    access_token_lifetime: 7200 # Lifetime of access token.
    id_token_lifetime: 3600 # Lifetime of id_token.
    refresh_token_lifetime: 64800 # Lifetime of refresh token.
  backchannel_settings: # Backchannel Settings
    default_expiry: 900 # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds.
    maximum_expiry: 1800 # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds.
    polling_interval: 5 # Polling interval value that will be communicated to the relying party. Default is 5 seconds.
    notifyuser_mappingrule_id: notifyuser # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`.
    checkstatus_mappingrule_id: checkstatus # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`.
    user_code_support: false # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint.
  attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
    name: display_name
    age: age
  metadata: # name-value pair to override metadata information
    claims_supported:
      - iss
      - name
      - displayName
  dpop_max_lifetime: 3600 # Lifetime of DPoP proof JWT.
  request_object:
    lifetime: 3600 # Lifetime of the incoming JWT-Secured Authorization Request.
    require_expiry: true # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim.
    only_request_object_params: false # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters.
    enforce_single_usage: false # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
2.1. [Optional] Property root > definition > id
Type: string. Description: Definition ID. Required for DCR flows.
2.2. [Optional] Property root > definition > name
Type stringDescription: Definition Name. Required for DCR flows.
2.3. [Required] Property root > definition > grant_types
Type array of stringDescription: Supported grant types.
Each item of this array must be: grant_types items — Type: string.
2.4. [Optional] Property root > definition > access_policy_id
Type stringDescription: Access Policy Rule ID.
2.5. [Optional] Property root > definition > pre_mappingrule_id
Type stringDescription: Pre-Token mapping rule ID.
2.6. [Optional] Property root > definition > post_mappingrule_id
Type stringDescription: Post-Token mapping rule ID.
2.7. [Optional] Property root > definition > ropc_mappingrule_id
Type stringDescription: ROPC-mapping rule ID.
2.8. [Required] Property root > definition > base_url
Type stringDescription: Base url of the endpoints. Example:
https://www.idp.com/isvaop
2.9. [Optional] Property root > definition > mtls_base_url
Type stringDescription: Base url of the MTLS endpoints. Example:
https://www.idp-mtls.com/isvaop
2.10. [Optional] Property root > definition > mtls_certificate_header_name
Type: string. Default: "X-Client-Certificate". Description: JWT header name that contains the MTLS certificate. Example:
X-Client-Certificate
2.11. [Required] Property root > definition > token_settings
Description: Token Settings
Read more about Token Settings.
2.11.1. [Required] Property root > definition > token_settings > issuer
Type stringDescription: OP's issuer URI.
2.11.2. [Required] Property root > definition > token_settings > signing_alg
Type stringDescription: Signing algorithm for ID token generated.
2.11.3. [Required] Property root > definition > token_settings > signing_keystore
Type stringDescription: Signing keystore name.
NOTE: `signing_keystore` is the keystore name WITHOUT the `ks:` annotation.
2.11.4. [Required] Property root > definition > token_settings > signing_keylabel
Type stringDescription: Signing key label.
NOTE: `signing_keylabel` is the key label name WITHOUT the `ks:` annotation.
2.11.5. [Required] Property root > definition > token_settings > encryption_alg
Type stringDescription: Key encryption algorithm for ID token generated.
2.11.6. [Required] Property root > definition > token_settings > encryption_enc
Type stringDescription: Content encryption algorithm for ID token generated.
2.11.7. [Optional] Property root > definition > token_settings > authorization_code_lifetime
Type numberDefault 300Description: Lifetime of authorization code in seconds.
2.11.8. [Optional] Property root > definition > token_settings > access_token_lifetime
Type numberDefault 7200Description: Lifetime of access token in seconds.
2.12. [Optional] Property root > definition > features
Description: Feature Flags
Read more about Features Flags.
2.12.1. [Optional] Property root > definition > features > consent_prompt
Type enum (of string)Default "ALWAYS_PROMPT"Description: Prompt for consent vs auto-consent.
Must be one of:
- "ALWAYS_PROMPT"
- "NEVER_PROMPT"
- "PROMPT_ONCE_AND_REMEMBER"
2.12.2. [Optional] Property root > definition > features > enforce_par
Type: boolean. Default: false. Description: Accept only authorization requests made using pushed authorization requests (PAR).
2.12.3. [Optional] Property root > definition > features > prefer_claims_at_userinfo
Type booleanDefault falseDescription: This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
2.13. [Optional] Property root > definition > backchannel_settings
Description: These settings are related to Client-Initiated Backchannel Authentication (CIBA).
Read more about Backchannel Settings.
2.13.1. [Optional] Property root > definition > backchannel_settings > default_expiry
Type numberDefault 900Description: The default CIBA session lifetime in seconds.
2.13.2. [Optional] Property root > definition > backchannel_settings > maximum_expiry
Type numberDefault 1800Description: Maximum CIBA session lifetime in seconds.
2.13.3. [Optional] Property root > definition > backchannel_settings > polling_interval
Type numberDefault 5Description: Polling interval value that is communicated to the relying party in seconds.
2.13.4. [Optional] Property root > definition > backchannel_settings > notifyuser_mappingrule_id
Type stringDefault "notifyuser"Description: Mapping rule ID that is run when the user is notified.
2.14. [Optional] Property root > definition > attribute_map
Type map of string -> stringDescription: Attribute mapping to resolve claims.
2.15. [Optional] Property root > definition > metadata
Type map of string -> anyDescription: name-value pair to override metadata information
2.16. [Optional] Property root > definition > request_object
Description: These settings are related to JWT-Secured Authorization Request(JAR).
Read more about JWT Secured Authorization Request Settings.
2.16.1. [Optional] Property root > definition > request_object > lifetime
Type numberDescription: The maximum lifetime of the incoming request-JWT in seconds.
2.16.2. [Optional] Property root > definition > request_object > require_expiry
Type: boolean. Default: false. Description: Boolean flag to check that the request-JWT contains an exp claim.
3. [Required] Property root > jwks
Description: JSON Web Key Set (JWKS) Settings
Read more about JSON Web Key Set (JWKS) Settings.
Example:
jwks: # JSON Web Key Set (JWKS) Settings
  signing_keystore: signing_keystore # Keystore name containing keys related to JWT signing/signature validation.
  encryption_keystore: encryption_keystore # Keystore name containing keys related to JWT encryption/decryption.
4. [Optional] Property root > authentication
Description: Authentication Settings
Read more about Authentication Settings.
Example:
authentication: # Authentication Settings
  endpoint: https://isvaop.ibm.com:445/isvaop/oauth2/auth # Endpoint to redirect when authentication is required. This is mandatory when `grant_types` contains `authorization_code` or `implicit`
  callback_param_name: Target # Parameter name to specify the callback target URI. If it is not specified, the default callback param name is `Target`.
  subject_attribute_name: uid # Name of the user or credential attribute that will be used to populate the `sub`. If it is not specified, the default attribute is `uid`.
4.1. [Optional] Property root > authentication > endpoint
Type: string. Default: "https://isvaop.ibm.com:445/isvaop/oauth2/auth". Description: Endpoint to redirect to when authentication is needed. This setting is mandatory when `grant_types` contains `authorization_code` or `implicit` (refer to Definition).
5. [Optional] Property root > template_macros
Description: Template Macros
Read more about template_macros.
Example:
template_macros:
  user_macros:
    - name
    - family_name
    - given_name
    - display_name
  request_macros:
    - authorization_details
    - claims
    - user_code
    - state
5.1. [Optional] Property root > template_macros > user_macros
Type array of stringDescription: List of authenticated user claims to be made available.
Each item of this array must be: user_macros items — Type: string.
5.2. [Optional] Property root > template_macros > request_macros
Type array of stringDescription: List of request parameters to be made available.
Each item of this array must be: request_macros items — Type: string.
6. [Optional] Property root > ssl
Description: SSL Setting
Read more about SSL Settings.
Example:
ssl:
  certificate:
    - ks:https_keys # The default SSL keystore to be used for SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.
  disable_hostname_verification: true # The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.
6.1. [Optional] Property root > ssl > certificate
Type array of stringDescription: The list of default SSL keystore to be used for all SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.
Each item of this array must be: certificate items — Type: string.
7. [Required] Property root > server
Description: Server Settings
Read more about Server Settings.
Example:
server:
  ssl:
    key: ks:https_keys/httpserverkey # Name of the keystore/key for the ISVAOP HTTPS server.
    certificate: ks:https_keys/httpservercert # Name of the keystore/certificate for the ISVAOP HTTPS server.
    ca:
      - ks:https_keys/httpserverca # Name of the keystore/CA for the ISVAOP HTTPS server.
  pages:
    type: zip # path is also supported, which indicates it is unpacked
    content: "B64:<encoded_binary>"
7.1. [Required] Property root > server > ssl
Description: HTTPS server SSL settings
Read more about key management here.
7.1.1. [Required] Property root > server > ssl > key
Type stringDescription: Name of the keystore/key for the ISVAOP HTTPS server.
7.1.2. [Required] Property root > server > ssl > certificate
Type stringDescription: Name of the keystore/certificate for the ISVAOP HTTPS server.
7.1.3. [Optional] Property root > server > ssl > ca
Type array of stringDescription: Array of CA certificates
Each item of this array must be: ca items — Type: string.
7.2. [Optional] Property root > server > pages
Description: Customized template pages settings
7.2.1. [Required] Property root > server > pages > type
Type enum (of string)Description: When customized template pages is provided, it is the type of content that is being supplied. Either a zip file or a directory name.
Must be one of:
- "path"
- "zip"
7.2.2. [Required] Property root > server > pages > content
Type stringDescription: The content that is used for the customized template pages.
- When the `type` is `path`, specify the path of the customized template pages directory, which is relative to the `/var/isvaop/config` directory of the container.
- When the `type` is `zip`:
  - use the `@` annotation to specify the customized template pages zip file path, which is relative to the `/var/isvaop/config` directory of the container;
  - or use the `B64:` annotation to specify the base64 encoded customized template pages zip file.
8. [Optional] Property root > javascript
Description: JavaScript Settings
Read more about JavaScript Settings.
Example:
javascript:                 # Javascript Settings
  timeout: 0                # Maximum execution time for a script in ms. Set to 0 for unlimited execution time.
  max_load: 16              # Maximum number of v8 engine spawned.
  max_ctx_in_isolate: 50    # Maximum reuse of v8 engine before recreated. Set to 0 to disable.
  use_pool: false           # If true, run in `pool` mode, otherwise run in `worker` mode.
Note: `timeout: 0` disables the execution limit entirely, so a mapping rule that loops or blocks is never terminated by the runtime. Use a finite value in production so that a runaway script cannot run indefinitely.
8.1. [Optional] Property root > javascript > use_pool
Type boolean. Default false. Description: If true, run in `pool` mode, otherwise run in `worker` mode.
8.2. [Optional] Property root > javascript > max_load
Type numberDefault 16Description: Maximum number of v8 engine created.
9. [Optional] Property root > janitor
Description: In ISVAOP, we use a binary janitor to perform cleanup of data. Read more about Database cleanup
Example:
janitor:                 # Janitor Settings
  batch_size: 1000       # It is the maximum records being cleaned up with each iteration.
  max_duration: 0        # When the max_duration is set to 0, the janitor program runs until all records are cleaned up.
  check_frequency: 10    # It indicates the number of iterations to be run before the janitor checks whether the maximum duration is exceeded.
9.1. [Optional] Property root > janitor > batch_size
Type numberDefault 1000Description: It is the maximum records being cleaned up with each iteration.
9.2. [Optional] Property root > janitor > max_duration
Type numberDefault 0Description: When the max_duration is set to 0, the janitor program runs until all records are cleaned up. Depending on how often you run the janitor, the number of records can be large. The maximum duration needs to be specified in milliseconds.
10. [Optional] Property root > logging
Description: Logging Settings
Read more about Logging Settings.
Example:
logging:           # Logging Settings
  level: finest    # Logging level setting. If the level is not set or invalid, `info` will be used. `panic`, `fatal`, `error`, `warn`, `warning` (alias of `warn`), `info`, `debug`, `fine` (alias of `debug`), `trace`, `finest` (alias of `trace`)
10.1. [Optional] Property root > logging > level
Type enum (of string). Default "info". Description: Logging level setting. If the level is not set or invalid, `info` is used.
`warning` is an alias of `warn`; `fine` is an alias of `debug`; `finest` is an alias of `trace`.
Must be one of:
- "panic"
- "fatal"
- "error"
- "warn"
- "warning"
- "info"
- "debug"
- "fine"
- "trace"
- "finest"
11. [Optional] Property root > dynamic_registration
Description: Dynamic Client Profile
Read more about Dynamic Client Profile.
Example:
dynamic_registration:
  recipe: FAPI_UK-OB                            # Security profile to use, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
  mappingrule_id: dcr                           # Dynamic registration mapping rule ID.
  software_statement_validation:                # Software statement validation settings.
    jwks_uri: http://172.16.123.1:3000/jwks/obdirectory   # Jwks URI containing the public key required to validate the software statement signature.
    signing_algs:                               # Accepted signing algorithms.
      - ES256
  registration_endpoint_authentication:         # Authentication settings for POST operation.
    require_mtls: true                          # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                  # Specifies whether the endpoint requires bearer token.
    require_software_statement: false           # Specifies whether the endpoint requires software statement.
    allow_custom_client_creds: true             # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.
  management_endpoint_authentication:           # Authentication settings for PUT/GET/DELETE operations.
    require_mtls: false                         # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                  # Specifies whether the endpoint requires bearer token.
    require_software_statement: false           # Specifies whether the endpoint requires software statement. This is only applicable for PUT operation.
  registration_access_token:                    # Registration access token settings.
    generate: true                              # Specifies whether to produce registration access token as part of POST/PUT/GET operations.
    lifetime: 86400                             # Specifies the lifetime of the registration access token.
    scopes:                                     # Specify the scopes required by the access token. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
      - cdr:registration
Note: the `jwks_uri` in this example is a plain `http://` address on a private network and is suitable only for an isolated test setup. The keys fetched from this URI are what software statement signatures are verified against, so in production use an `https://` URI whose certificate chains to a CA you trust; otherwise anyone who can answer that request on the path can supply their own key and have forged software statements accepted. Also note that `allow_custom_client_creds: true` lets the registering party choose its own `client_id`/`client_secret`; enable it only when the registration endpoint is restricted to trusted callers, as this example does with `require_mtls` and `require_bearer_token`.
11.1. [Optional] Property root > dynamic_registration > recipe
Type enum (of string)Default "Default"Description: Security profile to be used, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
Must be one of:
- "Default"
- "FAPI_DEFAULT"
- "FAPI_UK-OB"
- "FAPI_AU-CDR"
11.2. [Optional] Property root > dynamic_registration > mappingrule_id
Type stringDescription: Dynamic registration-mapping rule ID.
11.3. [Optional] Property root > dynamic_registration > software_statement_validation
Description: Software Statement Validation
Read more about Software Statement Validation.
11.3.1. [Optional] Property root > dynamic_registration > software_statement_validation > jwks_uri
Type stringDescription: JWKS URI containing the public key that is needed to validate the software statement signature.
11.3.2. [Optional] Property root > dynamic_registration > software_statement_validation > signing_algs
Type array of stringDescription: Accepted signing algorithms
Each item of this array must be Description signing_algs items -
11.3.2.1. root > dynamic_registration > software_statement_validation > signing_algs > signing_algs items
Type string11.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication
Description: Registration Endpoint Authentication
Read more about Registration Endpoint Authentication.
11.4.1. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_mtls
Type booleanDefault falseDescription: Specifies whether the endpoint requires MTLS.
11.4.2. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_bearer_token
Type boolean. Default false. Description: Specifies whether the endpoint requires a bearer token. Both `require_mtls` (11.4.1) and this setting default to `false`; with both left at their defaults and no software statement required, the registration endpoint accepts registration requests from any caller that can reach it, so enable at least one of them for anything other than an isolated test deployment.
11.5. [Optional] Property root > dynamic_registration > management_endpoint_authentication
Description: Management Endpoint Authentication
Read more about Management Endpoint Authentication.
11.5.1. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_mtls
Type booleanDefault falseDescription: Specifies whether the endpoint requires MTLS.
11.6. [Optional] Property root > dynamic_registration > registration_access_token
Description: Registration Access Token
Read more about Registration Access Token.
11.6.1. [Optional] Property root > dynamic_registration > registration_access_token > generate
Type booleanDescription: Specifies whether to produce registration access token as part of POST/PUT/GET operations.
11.6.2. [Optional] Property root > dynamic_registration > registration_access_token > lifetime
Type number. Description: Specifies the lifetime of the registration access token, presumably in seconds like the other lifetime settings in this guide (the example value 86400 would then be one day) — confirm against the product documentation. A registration access token grants access to the client's registration via the management endpoint, so keep the lifetime as short as the client onboarding flow allows.
11.6.3. [Optional] Property root > dynamic_registration > registration_access_token > scopes
Type array of stringDescription: Specify the access token scopes. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
Each item of this array must be Description scopes items -
Type string
12. [Optional] Property root > secrets
Description: Secrets
Read more about Secrets.
Example:
secrets:
  obf_key: "<obfuscation key>"   # Key used for the OBF: obfuscated values in this configuration (presumably — confirm).
  enc_key: "@private.pem"        # Private key file, read relative to the container configuration directory via the @ annotation.
Note: obfuscation is not encryption. Anyone who can read this configuration together with `obf_key` can recover every `OBF:` value in it (such as the database, Redis and LDAP passwords in the examples below), so restrict access to the configuration file and to the key material it references, and prefer supplying these secrets through the mechanisms described in Special Types Available in Kubernetes rather than inline in the file.
13. [Required] Property root > runtime_db
Type stringDefined in yaml_storage.yml#/definitions/runtime_db Description: Runtime Database Configuration
Read more about Runtime Database Configuration.
14. [Required] Property root > session_cache
Description: Session Cache Configuration
Read more about Session Cache Configuration.
14.1. [Required] Property root > session_cache > type
Type enum (of string). Description: Specifies the type of session cache, `in-memory`, `redis`, or `db`.
Must be one of:
- "in-memory"
- "redis"
- "db"
14.2. [Optional] Property root > session_cache > life_time
Type number. Default 600. Description: For the `in-memory` session cache type, specifies the session entry duration in seconds.
15. [Required] Property root > server_connections
Type array of objectDefined in yaml_storage.yml#/definitions/server_connections Description: Specifies a list of server connection configurations.
Read more about Storage Configuration.
Each item of this array must be Description server_connections items Specifies the server connection configuration details. ...
Description: Specifies the server connection configuration details.
Server connections are categorized as `database`, `redis` or `ldap`. Refer to each server connection category for details.
15.1.1. [Optional] Property root > server_connections > server_connections items > server_connection (database)
Description: Runtime Database Server Connection
Read more about Runtime Database Server Connection.
Examples:
# PostgreSQL Runtime Database configuration sample runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600` # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000` server_connections: # Server connections - name: mypq # Connection name type: postgresql # Connection type, `redis`, `ldap`, `postgresql`, `oracle` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: postgresql # Server's hostname hostport: 5432 # Server's host port credential: # Credential information to connect to the server username: postgres # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:postgres_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname. 
conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds min_pool_size: 5 # Minimum connection pool size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds aged_timeout: 30 # Aged timeout, in seconds# Oracle Runtime Database configuration sample runtime_db: myoracle # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. server_connections: # Server connections - name: myoracle # Connection name type: oracle # Connection type, `redis`, `ldap`, `postgresql`, `oracle` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: myoracle # Server's hostname hostport: 2484 # Server's host port credential: # Credential information to connect to the server username: SYSTEM # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: wallet: # For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS. type: path # The type of content that is being supplied, either a zip file or a directory name. content: oracle/wallet # The content that is used for the wallet. When the type is path, specify the path of the wallet. # type: zip # The content is used for the wallet. When the type is zip, the content can be specified by using either @ or B64: annotation. # content: "@oracle/wallet.zip" # when type is zip, use @ annotation to specify the wallet zip file path. # content: "B64:UEsDBBQACAAIAAJg......+ScAAAAA" # when type is zip, use B64: annotation to specify the base64 encoded wallet zip file. 
disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds aged_timeout: 30 # Aged timeout, in seconds max_idle_size: 5 # Maximum connection idle size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds# Db2 Runtime Database configuration sample runtime_db: mydb2 # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. server_connections: # Server connections - name: mydb2 # Connection name type: db2 # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: mydb2 # Server's hostname hostport: 50001 # Server's host port credential: # Credential information to connect to the server username: db2inst1 # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate for Db2. The Db2 SSL connection certificate must use 'ks', '@' annotation to specify the keystore in P12 format, PEM file or 'B64'annotation to specify the base64 encoded PEM file. If multiple certificates are configured, the first certificate that is specified with '@' or 'B64:' annotation is used. - '@keystore/rt_profile_keys/signer/ca.pem' # '@' annotation to specify the certificate PEM file. # - 'b64:LS0tLS1CRUdJTiBD......tLQo=' # 'B64'annotation to specify the base64 encoded certificate PEM. # - 'ks:db2client' # 'ks'annotation to specify keystore in P12 format. disable_hostname_verification: false # The SSL connection validates the hostname. 
conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds aged_timeout: 30 # Aged timeout, in seconds max_idle_size: 5 # Maximum connection idle size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds15.1.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > name
Type stringDescription: Connection name.
15.1.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > type
Type enum (of string)Description: Connection type.
The IBM Security Verify Access OIDC Provider (ISVAOP) supports `postgresql`, `oracle` and `db2` databases.
Must be one of:
- "postgresql"
- "oracle"
- "db2"
15.1.1.3. [Required] Property root > server_connections > server_connections items > server_connection (database) > database_name
Type stringDescription: Specifies the database or service name. For database types only.
15.1.1.4. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts
Type arrayDescription: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.1.4.1. root > server_connections > server_connections items > server_connection (database) > hosts > hosts items15.1.1.5. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential
Description: Credential information to connect to the Runtime Database server
15.1.1.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl
Description: SSL settings. If this section is omitted the connection is made without TLS, so the database credential and all runtime data exchanged with the database travel in the clear; omit it only on a network segment you fully control.
15.1.1.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > certificate
Type array of stringDescription: The array of SSL certificates to be used for SSL connection to the database.
Each item of this array must be Description certificate items -
15.1.1.6.1.1. root > server_connections > server_connections items > server_connection (database) > ssl > certificate > certificate items
Type string15.1.1.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth
15.1.1.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > key
Type stringDescription: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.1.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > certificate
Type string. Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
15.1.1.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca
Type array of stringDescription: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.1.6.2.3.1. root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca > ca items
Type string15.1.1.6.2.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet
Description: For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.
Oracle Wallet Overview
Oracle Wallet is a set of configuration files that store authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
ISVAOP requires an Oracle client wallet for SSL connection and mutual TLS. The `cwallet.sso` file must be present. Because the wallet holds the client's credentials, protect the wallet directory or zip with the same care as the other key material referenced by this configuration.
See the Oracle Documentation to create or manage an Oracle wallet.
- Go to the Oracle Database Documentation page in Oracle Help Center.
- Select your version of Oracle Database.
- In the Topics section, select Security.
- In the Centralized User Management section, select Oracle Database Enterprise User Security Administrator's Guide.
- See the chapter "Using Oracle Wallet Manager", or use one of the following direct links.
- Oracle Database 12c Release 1: Using Oracle Wallet Manager
- Oracle Database 12c Release 2: Using Oracle Wallet Manager
- Oracle Database 19c: Using Oracle Wallet Manager
15.1.1.6.2.4.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > type
Type enum (of string)Description: When wallet is needed, it is the type of content that is being supplied. Either a zip file or a directory name.
Must be one of:
- "path"
- "zip"
15.1.1.6.2.4.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > content
Type stringDescription: The wallet content or path using corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
15.1.1.7. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings
Description: Connection pool settings.
15.1.1.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > min_pool_size
Type numberDefault 5Description: Minimum connection pool size
15.1.1.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_size
Type numberDefault 10Description: Maximum connection idle size
15.1.1.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_pool_size
Type numberDefault 50Description: Maximum connection pool size
15.1.1.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_time
Type numberDefault 10Description: Maximum idle time in seconds
15.1.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis)
Description: Session Cache Server Connection
Read more about Session Cache Server Connection.
Example:
runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: redis # Specifies the type of session cache, in-memory, redis, or db. cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection server_connections: # Server connections - name: mypq # Connection name ... - name: ldap_staging # Connection name ... - name: redis-standalone # Connection name type: redis # Connection type deployment: # Redis deployment information. for `redis` type only model: standalone # Deployment model. standalone or sentinel # master: master # Master node information. For `sentinel` model only hosts: # List of host information (IP and port) - hostname: redis # Server's hostname hostport: 6390 # Server's host port credential: # Credential information to connect to the host. username: isva # Specifies the username to access the server password: 'OBF:oUqHV/2VlAeWb1D7uAdfQysti3vh44p5/rpCDR35gn4=' # # Specifies the password for the redis server connection. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:redis_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: # The mutual_auth connection certificate array. - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname.15.1.2.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > name
Type stringDescription: Connection name.
15.1.2.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > type
Type constDescription: Connection type
Specific value:
"redis"15.1.2.3. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment
Description: Redis deployment information
15.1.2.4. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts
Type arrayDescription: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.2.4.1. root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items15.1.2.5. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential
Description: Credential information to connect to the Redis Server.
15.1.2.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl
Description: SSL settings.
15.1.2.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > certificate
Type array of string. Description: The array of SSL certificates to be used for the SSL connection to the Redis server.
Each item of this array must be Description certificate items -
15.1.2.6.1.1. root > server_connections > server_connections items > server_connection (redis) > ssl > certificate > certificate items
Type string15.1.2.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth
15.1.2.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > key
Type stringDescription: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.2.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > certificate
Type string. Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
15.1.2.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca
Type array of stringDescription: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.2.6.2.3.1. root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca > ca items
Type string15.1.2.7. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings
Description: Connection pool settings.
15.1.2.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > max_pool_size
Type numberDefault 50Description: Maximum connection pool size.
15.1.2.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > min_idle_size
Type numberDefault 3Description: Minimum connection idle size.
15.1.2.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > aged_timeout
Type number. Default 10. Description: Aged timeout, in seconds.
15.1.2.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > connect_timeout
Type numberDefault 5Description: Connect timeout, in seconds.
15.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap)
Description: LDAP Server Connection
Read more about LDAP Server Connection.
Example:
runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600` # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000` server_connections: # Server connections - name: mypq # Connection name ... - name: ldap_staging # Connection name type: ldap # Connection type hosts: # List of host information (IP and port) - hostname: openldap # Server's hostname hostport: 636 # Server's host port credential: # Credential information to connect to the host. bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection. bind_password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: # The mutual_auth connection certificate array. - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection pool settings for the LDAP server. 
It can be specified at the top level if the settings are common across hosts. max_pool_size: 50 # Maximum connection pool size. connect_timeout: 3 # Connect timeout, in seconds. aged_timeout: 5 # Aged timeout, in seconds.15.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > name
Type stringDescription: Connection name.
15.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > type
Type constDescription: Connection type
Specific value:
"ldap"15.1.3.3. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts
Type arrayDescription: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.3.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items15.1.3.3.1.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostname
Type stringDescription: LDAP Server's hostname
15.1.3.3.1.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostport
Type numberDescription: LDAP Server's host port
15.1.3.3.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential
Description: Credential information to connect to the LDAP server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.4. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl
Description: SSL settings for the server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.4.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate
Type array of string. Description: The array of SSL certificates to be used for the SSL connection to this LDAP server.
Each item of this array must be Description certificate items -
15.1.3.3.1.4.1.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate > certificate items
Type string15.1.3.3.1.4.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth
15.1.3.3.1.4.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > key
Type stringDescription: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.3.3.1.4.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > certificate
Type stringDescription: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.3.3.1.4.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca
Type array of stringDescription: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.3.3.1.4.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca > ca items
Type string
15.1.3.3.1.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings
Description: Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > max_pool_size
Type: number. Default: 50. Description: Maximum connection pool size.
15.1.3.4. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential
Description: Credential information to connect to the LDAP server
15.1.3.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl
Description: SSL settings.
15.1.3.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate
Type: array of string. Description: The array of SSL certificates to be used for the SSL connection to the LDAP server.
Each item of this array must be Description certificate items -
15.1.3.5.1.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate > certificate items
Type string
15.1.3.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth
15.1.3.5.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > key
Type stringDescription: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.3.5.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > certificate
Type stringDescription: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.3.5.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca
Type array of stringDescription: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.3.5.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca > ca items
Type string
15.1.3.6. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings
Description: Connection pool settings.
15.1.3.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > max_pool_size
Type: number. Default: 50. Description: Maximum connection pool size.
16. [Optional] Property root > attribute_sources
Type array of objectDefined in yaml_attributesource.yml#/definitions/attribute_sources Description: Attribute Sources
Read more about Attribute Sources.
Each item of this array must be Description attribute_sources items Attribute source can be categorized into 'value', 'credential', and 'ldap'. Refer to each attribute source category for details.
Description: Attribute source can be categorized into 'value', 'credential', and 'ldap'. Refer to each attribute source category for details.
16.1.1. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (value)
16.1.1.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > id
Type stringDefined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.1.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > name
Type stringDefined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.2. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (credential)
16.1.2.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > id
Type stringDefined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.2.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > name
Type stringDefined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.3. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (ldap)
16.1.3.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > id
Type stringDefined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.3.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > name
Type stringDefined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.3.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > type
Type constDescription: Attribute source type.
Specific value: "ldap"
16.1.3.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > value
Type string. Description: Attribute source value. For the `ldap` type, it refers to an LDAP attribute to be retrieved.
16.1.3.5. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > scope
Type enum (of string). Description: Only applicable for attribute source of type `ldap`. LDAP search scope. Must be one of:
- "base"
- "one level"
- "subtree"
16.1.3.6. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > filter
Type string. Description: Only applicable for attribute source type `ldap`. LDAP search filter. It might contain macros as shown in the previous example.
16.1.3.7. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > selector
Type string. Description: Only applicable for attribute source type `ldap`. LDAP selector that contains attributes that are retrieved together.
Example:
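# Attribute sources example. Each entry is one of the categories 'value',
# 'credential' or 'ldap'. Attribute source IDs are typed as strings in the
# schema, so they are quoted here; a bare `1` would be parsed as an integer.
attribute_sources:
  - id: "1"
    name: display_name
    type: value
    value: anonymous
  - id: "2"
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: "3"
    name: surname
    type: ldap
    value: sn  # for the ldap type, the LDAP attribute to retrieve
    scope: subtree  # one of "base", "one level", "subtree"
    # The filter may contain macros; they are substituted before the search runs.
    # NOTE(review): confirm that substituted macro values are escaped as LDAP
    # filter values before use, so the filter structure cannot be altered.
    filter: (cn={AZN_CRED_PRINCIPAL_NAME})
    selector: nickname,gender,sn  # attributes retrieved together with the main one
    srv_conn: ldap  # presumably the name of the LDAP server connection (as for ldapcfg.srv_conn) — verify
    baseDN: dc=ibm,dc=com  # not among the documented ldap properties above; presumably the search base DN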
17. [Optional] Property root > ldapcfg
Type: array of object. Defined in yaml_ldapcfg.yml#/definitions/ldapcfg. Description: LDAP configuration used by the `UserLookupHelper` and `LdapAttributeUtil` JavaScript utilities.
Each item of this array must be Description ldapcfg items LDAP Configuration ...
Description: LDAP Configuration
Read more about LDAP configuration.
17.1.1. [Required] Property root > ldapcfg > ldapcfg items > name
Type string. Description: The unique name of this LDAP configuration. This name is used to initialize `UserLookupHelper` and `LdapAttributeUtil`.
17.1.2. [Required] Property root > ldapcfg > ldapcfg items > filter
Type string. Description: Search filter for `UserLookupHelper`.
17.1.3. [Required] Property root > ldapcfg > ldapcfg items > user_object_classes
Type stringDescription: Comma-separated user object classes
17.1.4. [Required] Property root > ldapcfg > ldapcfg items > attribute
Type stringDescription: Main Attribute to be retrieved
17.1.5. [Required] Property root > ldapcfg > ldapcfg items > selector
Type stringDescription: Comma-separated attributes that are retrieved
17.1.6. [Required] Property root > ldapcfg > ldapcfg items > srv_conn
Type string. Description: `srv_conn` is the name of the LDAP server connection this LDAP configuration applies to. The LDAP server connection is defined in the `server_connections` section of the storage configuration.
Example:
# LDAP configuration example for the UserLookupHelper / LdapAttributeUtil
# JavaScript utilities. One entry per named configuration.
ldapcfg:
  - name: ldap_staging_config_01  # unique name; used to initialise the helpers
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson  # comma-separated
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))  # UserLookupHelper search filter
    # Comma-separated attributes that are retrieved.
    # NOTE(review): userPassword is included in the selector; keep it only if the helper needs it.
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_staging  # name of the LDAP server connection in server_connections
    attribute: uid  # main attribute to be retrieved
    baseDN: dc=ibm,dc=com  # not among the documented ldapcfg properties; presumably the search base DN
18. [Optional] Property root > clients
Type array of objectDefined in yaml_clients.yml#/definitions/clients Description: Clients
Read more about Clients.
Each item of this array must be Description clients items Client Configuration ...
Description: Client Configuration
Read more about Client Configuration.
18.1.1. [Required] Property root > clients > clients items > client_id
Type stringDescription: Client identifier.
18.1.2. [Required] Property root > clients > clients items > client_secret
Type stringDescription: Client secret that is used for client authentication, and JWT signing and encryption. It is recommended to be an obfuscated string. The obfuscation key is read from the provider configuration secrets stanza.
18.1.3. [Required] Property root > clients > clients items > client_name
Type stringDescription: Name of the client.
18.1.4. [Optional] Property root > clients > clients items > client_id_issued_at
Type timestampDescription: Timestamp (in seconds) from when the client is created.
18.1.5. [Required] Property root > clients > clients items > enabled
Type booleanDescription: Set to true to enable this client
18.1.6. [Required] Property root > clients > clients items > grant_types
Type string arrayDescription: Grant type that the client is allowed to use at the token endpoint.
18.1.7. [Required] Property root > clients > clients items > response_types
Type string arrayDescription: Response type that the client is allowed to use at the authorization endpoint.
18.1.8. [Required] Property root > clients > clients items > redirect_uris
Type string arrayDescription: Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
18.1.9. [Required] Property root > clients > clients items > request_uris
Type string arrayDescription: Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
18.1.10. [Optional] Property root > clients > clients items > scopes
Type string arrayDescription: A list of scope values that the client can use when it requests access tokens.
18.1.11. [Optional] Property root > clients > clients items > jwks_uri
Type stringDescription: URL string that references the client's JSON Web Key (JWK) set document that contains the client's public keys.
18.1.12. [Optional] Property root > clients > clients items > id_token_signed_response_alg
Type string. Description: JWS `alg` algorithm for signing the ID Token that is issued to the Client. Optional. If present, it must always be the same as the token_settings.signing_alg value set in the provider configuration.
18.1.13. [Optional] Property root > clients > clients items > id_token_encrypted_response_alg
Type string. Description: JWE `alg` algorithm for encrypting the ID Token that is issued to the Client.
18.1.14. [Optional] Property root > clients > clients items > id_token_encrypted_response_enc
Type string. Description: JWE `enc` algorithm for encrypting the ID Token that is issued to the Client.
18.1.15. [Optional] Property root > clients > clients items > userinfo_signed_response_alg
Type string. Description: JWS `alg` algorithm for signing UserInfo Responses.
18.1.16. [Optional] Property root > clients > clients items > userinfo_encrypted_response_alg
Type string. Description: JWE `alg` algorithm for encrypting UserInfo Responses.
18.1.17. [Optional] Property root > clients > clients items > userinfo_encrypted_response_enc
Type string. Description: JWE `enc` algorithm for encrypting UserInfo Responses.
18.1.18. [Optional] Property root > clients > clients items > request_object_signing_alg
Type string. Description: JWS `alg` algorithm that must be used for signing Request Objects sent to the OIDC Provider.
18.1.19. [Optional] Property root > clients > clients items > request_object_encryption_alg
Type string. Description: JWE `alg` algorithm the Relying Party is declaring that it may use for encrypting Request Objects sent to the OIDC Provider.
18.1.20. [Optional] Property root > clients > clients items > request_object_encryption_enc
Type string. Description: JWE `enc` algorithm the Relying Party is declaring that it might use for encrypting Request Objects sent to the OIDC Provider.
18.1.21. [Required] Property root > clients > clients items > token_endpoint_auth_method
Type stringDescription: Requested authentication method for the backend endpoints (token, introspect, revoke).
18.1.22. [Optional] Property root > clients > clients items > token_endpoint_auth_signing_alg
Type string. Description: JWS `alg` algorithm that must be used for signing the JWT that is used to authenticate the Client at the Token Endpoint for the `private_key_jwt` authentication method.
18.1.23. [Optional] Property root > clients > clients items > token_endpoint_auth_single_use_jti
Type boolean. Description: When set to `true` and a client assertion is used as the method to perform client authentication, the client assertion cannot be reused.
18.1.24. [Optional] Property root > clients > clients items > tls_client_auth_subject_dn
Type stringDescription: Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.25. [Optional] Property root > clients > clients items > tls_client_auth_san_dns
Type stringDescription: Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.26. [Optional] Property root > clients > clients items > tls_client_auth_san_email
Type stringDescription: Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.27. [Optional] Property root > clients > clients items > tls_client_auth_san_ip
Type stringDescription: Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.28. [Optional] Property root > clients > clients items > tls_client_auth_san_uri
Type stringDescription: Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.29. [Optional] Property root > clients > clients items > tls_client_certificate_bound_access_tokens
Type boolean. Default: false. Description: Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. The default value is `false`.
18.1.30. [Optional] Property root > clients > clients items > require_pushed_authorization_requests
Type booleanDescription: Indicates the client's intention to enforce usage of push authorization request (PAR) to trigger authorize flow.
18.1.31. [Optional] Property root > clients > clients items > require_pkce
Type booleanDescription: Indicates the client's intention to enforce usage of proof-key for code exchange.
18.1.32. [Optional] Property root > clients > clients items > backchannel_token_delivery_mode
Type enum (of string). Description: Backchannel token delivery mode. One of the following values: `poll` or `ping`. Must be one of:
- "poll"
- "ping"
18.1.33. [Optional] Property root > clients > clients items > backchannel_user_code_parameter
Type boolean. Default: false. Description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is `false`. This parameter only applies when definition.backchannel_settings.user_code_support in the provider configuration is set to `true`.
18.1.34. [Optional] Property root > clients > clients items > backchannel_client_notification_endpoint
Type stringDescription: REQUIRED if the token delivery mode is set to ping. This is the endpoint to which the ISVAOP will post a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.
18.1.35. [Optional] Property root > clients > clients items > dpop_bound_access_tokens
Type boolean. Description: Boolean value specifying whether to add the `jkt` claim to the `cnf` claim in the access token.
18.1.36. [Optional] Property root > clients > clients items > dpop_signing_alg
Type string. Description: Expected JWS `alg` algorithm for signing the DPoP proof JWT. Optional.
18.1.37. [Optional] Property root > clients > clients items > dpop_single_use_jti
Type boolean. Description: When set to `true`, the DPoP proof JWT must contain a unique identifier in the `jti` claim, which cannot be reused.
18.1.38. [Optional] Property root > clients > clients items > response_modes
Type string arrayDescription: This parameter informs the authorization server of the allowed list of modes that the client expects for the authorization response.
18.1.39. [Optional] Property root > clients > clients items > token_exchange_settings
Description: Token exchange configuration.
18.1.39.1. [Optional] Property root > clients > clients items > token_exchange_settings > client_groups
Type string array. Description: The list of OpenID Connect client groups. Client groups are a way of tagging clients. Tokens generated by a client can be used as the subject token for token exchange with another client that carries the same tag. If this list is empty, any client can use the tokens generated by this client as the subject token for token exchange.
18.1.39.2. [Optional] Property root > clients > clients items > token_exchange_settings > supported_subject_token_types
Type string arrayDescription: This parameter indicates the list of subject token types supported for token exchange. A subject token represents the identity of the party on behalf of whom the token is being requested.
18.1.39.3. [Optional] Property root > clients > clients items > token_exchange_settings > supported_requested_token_types
Type string arrayDescription: This parameter indicates the list of requested token types supported for token exchange.
18.1.39.4. [Optional] Property root > clients > clients items > token_exchange_settings > supported_actor_token_types
Type string arrayDescription: This parameter indicates the list of actor token types supported for token exchange. An actor token represents the identity of the party to whom the access rights of the issued token are being delegated.
18.1.40. [Optional] Property root > clients > clients items > extension
Description: Other information about the client that does not fit the metadata above. The following non-exhaustive list of information goes into the extension.
18.1.40.1. [Optional] Property root > clients > clients items > extension > company_name
Type stringDescription: Company name that is associated with this Client.
18.1.40.2. [Optional] Property root > clients > clients items > extension > company_url
Type stringDescription: Company URL that is associated with this Client.
18.1.40.3. [Optional] Property root > clients > clients items > extension > email
Type string. Description: Email address that is associated with this Client.
18.1.40.4. [Optional] Property root > clients > clients items > extension > phone
Type stringDescription: Phone number that is associated with this Client.
18.1.40.5. [Optional] Property root > clients > clients items > extension > contact_person
Type stringDescription: Contact person that is associated with this Client.
18.1.40.6. [Optional] Property root > clients > clients items > extension > contact_type
Type stringDescription: Contact type that is associated with this Client.
18.1.40.7. [Optional] Property root > clients > clients items > extension > otherInfo
Type stringDescription: Other information associated with this Client.
18.1.40.8. [Optional] Property root > clients > clients items > extension > encryptKey
Type stringDescription: Key label of the signer key that is used to encrypt ID token.
18.1.40.9. [Optional] Property root > clients > clients items > extension > encryptDB
Type stringDescription: Keystore of the signer key that is used to encrypt ID token.
18.1.40.10. [Optional] Property root > clients > clients items > extension > contacts
Type string arrayDescription: Email addresses of people responsible for the Client.
18.1.40.11. [Optional] Property root > clients > clients items > extension > logo_uri
Type stringDescription: URL that references a logo for the Client application.
18.1.40.12. [Optional] Property root > clients > clients items > extension > client_uri
Type stringDescription: URL of the home page of the Client.
Example:
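# Client configuration example (a commented template). Changes from the
# collapsed original: the commented-out notification endpoint now uses
# https:// — the property description states it MUST be an HTTPS URL — and
# the redacted e-mail addresses are replaced by placeholders, because a plain
# value starting with `[` is parsed by YAML as a flow sequence, not a string.
clients:
  - client_id: clientTemplate
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA="  # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: Client Template with Comments  # Name of the client.
    client_id_issued_at: 1642399207  # Timestamp (in seconds) from when the client is created.
    enabled: true  # Set to `true` to enable this client
    grant_types:  # Grant type that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange
      - urn:ietf:params:oauth:grant-type:jwt-bearer
    response_types:  # Response type that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris:  # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris:  # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes:  # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks  # URL string referencing the client's JSON Web Key (JWK) set document, that contains the client's public keys.
    id_token_signed_response_alg: PS512  # JWS alg algorithm for signing the ID Token that is issued to the Client. Optional. If present it shall be always the same as the token_settings.signing_alg value set in provider.yml
    id_token_encrypted_response_alg: none  # JWE alg algorithm for encrypting the ID Token that is issued to the Client. Optional, default is `none`.
    id_token_encrypted_response_enc: none  # JWE enc algorithm for encrypting the ID Token that is issued to the Client. Optional, default is `none`.
    userinfo_signed_response_alg: none  # JWS alg algorithm for signing UserInfo Responses.
    userinfo_encrypted_response_alg: none  # JWE alg algorithm for encrypting UserInfo Responses. Optional, default is `none`.
    userinfo_encrypted_response_enc: none  # JWE enc algorithm for encrypting UserInfo Responses. Optional, default is `none`.
    request_object_signing_alg: PS256  # JWS alg algorithm that MUST be used for signing Request Objects sent to the OIDC Provider.
    request_object_encryption_alg: none  # JWE alg algorithm the Relying Party is declaring that it may use for encrypting Request Objects sent to the OIDC Provider.
    request_object_encryption_enc: none  # JWE enc algorithm the Relying Party is declaring that it might use for encrypting Request Objects sent to the OIDC Provider.
    token_endpoint_auth_method: tls_client_auth  # Requested authentication method for the backend endpoints (token, introspect, revoke).
    # token_endpoint_auth_signing_alg: RS384  # JWS alg algorithm that **must** be used for signing the JWT that is used to authenticate the Client at the Token Endpoint for the `private_key_jwt` authentication methods.
    token_endpoint_auth_single_use_jti: false  # When set to `true` and client assertion is used as the method to perform client authentication, the client assertion cannot be reused.
    # With tls_client_auth the certificate is matched against the subject DN below; the SAN variants are the alternatives.
    tls_client_auth_subject_dn: CN=clientTemplateWithComments,OU=security,O=IBM,L=singapore,ST=singapore,C=SG  # Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_dns: www.rp.com  # Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_email: admin@example.com  # Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication. (placeholder address; the original is redacted on the page)
    # tls_client_auth_san_ip: 1.2.3.4  # Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_uri: https://www.rp.com  # Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    tls_client_certificate_bound_access_tokens: false  # Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. The default value is `false`.
    require_pushed_authorization_requests: false  # Indicates the client's intention to enforce usage of push authorization request (PAR) to trigger authorize flow.
    require_pkce: true  # Indicates the client's intention to enforce usage of proof-key for code exchange.
    backchannel_token_delivery_mode: poll  # Backchannel token delivery mode. One of the following values: `poll` or `ping`
    backchannel_user_code_parameter: false  # Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is `false`. This parameter only applies when definition.backchannel_settings.user_code_support in provider.yml is set to `true`
    # Only required when the delivery mode is `ping`; left commented because this template uses `poll`.
    # backchannel_client_notification_endpoint: https://www.rp.com/auth/notification  # REQUIRED if the token delivery mode is set to `ping`. This is the endpoint to which the ISVAOP will post a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.
    dpop_bound_access_tokens: true  # Boolean value specifying whether to add the `jkt` claim to the `cnf` claim in the access token.
    dpop_signing_alg: PS256  # Expected JWS `alg` algorithm for signing the DPoP proof JWT.
    dpop_single_use_jti: false  # When set to `true` the DPoP proof JWT should contain a unique identifier in the `jti` claim which cannot be re-used.
    response_modes:  # This parameter informs the authorization server of the allowed list of response_modes that the client expects for the authorization response.
      - query
      - fragment
      - form_post
      - query.jwt
      - fragment.jwt
      - form_post.jwt
      - jwt
    token_exchange_settings:
      client_groups:  # Tags; tokens from this client may be used as subject tokens only by clients sharing a tag (any client if the list is empty).
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
        - urn:x-oath:params:oauth:token-type:device-secret
      supported_requested_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
    extension:  # Other information of the client that does not fit the above metadata.
      email: admin@example.com  # placeholder address; the original value is redacted on the page
      contact_type: ADMINISTRATOR
      company_name: IBM
      encryptDB: rt_encrypt  # keystore of the signer key used to encrypt the ID token
      encryptKey: rsa  # key label of the signer key used to encrypt the ID token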
19. [Required] Property root > keystore
Type array of objectDefined in yaml_keystore.yml#/definitions/keystore Description: Specifies the keystores that IBM Security Verify Access OIDC Provider (ISVAOP) is using.
Also refer to key management.
Each item of this array must be Description keystore items Specify each keystore in one of the following types. ...
Description: Specify each keystore in one the following types.
Type | Description
p12 | Specifies a pfx (.p12 file) keystore
pem | Specifies the keystore's certificates and keys in PEM format
zip | Specifies the keystore using a zip file
path | Specifies the path to the keystore contents

19.1.1. [Optional] Property root > keystore > keystore items > keystore (p12)
19.1.1.1. [Required] Property root > keystore > keystore items > keystore (p12) > name
Type: string. Description: The keystore name.
19.1.1.2. [Required] Property root > keystore > keystore items > keystore (p12) > type
Type: const. Description: The keystore type.
Specific value:
"p12"
19.1.1.3. [Required] Property root > keystore > keystore items > keystore (p12) > content
Type: string. Description: The p12 keystore content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
19.1.2. [Optional] Property root > keystore > keystore items > keystore (pem)
19.1.2.1. [Required] Property root > keystore > keystore items > keystore (pem) > name
Type: string. Description: The keystore name.
19.1.2.2. [Required] Property root > keystore > keystore items > keystore (pem) > type
Type: const. Description: The keystore type.
Specific value:
"pem"
19.1.2.3. [Optional] Property root > keystore > keystore items > keystore (pem) > certificate
Type: array of object. Description: Signer certificates of the keystore in PEM format.
Each item of this array must be a certificate item: a signer certificate in PEM format.
Description: Signer certificate in PEM format
19.1.2.3.1.1. [Required] Property root > keystore > keystore items > keystore (pem) > certificate > certificate items > label
Type: string. Description: Signer certificate label.
19.1.2.3.1.2. [Required] Property root > keystore > keystore items > keystore (pem) > certificate > certificate items > content
Type: string. Description: Signer certificate content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
19.1.2.4. [Optional] Property root > keystore > keystore items > keystore (pem) > key
Type: array of object. Description: Personal certificates of the keystore in PEM format.
Each item of this array must be a key item: a personal certificate in PEM format.
Description: Personal certificate in PEM format
19.1.2.4.1.1. [Required] Property root > keystore > keystore items > keystore (pem) > key > key items > label
Type: string. Description: Personal certificate label.
19.1.2.4.1.2. [Required] Property root > keystore > keystore items > keystore (pem) > key > key items > content
Type: string. Description: Personal certificate content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
19.1.3. [Optional] Property root > keystore > keystore items > keystore (zip)
19.1.3.1. [Required] Property root > keystore > keystore items > keystore (zip) > name
Type: string. Description: The keystore name.
19.1.3.2. [Required] Property root > keystore > keystore items > keystore (zip) > type
Type: const. Description: The keystore type.
Specific value:
"zip"
19.1.3.3. [Required] Property root > keystore > keystore items > keystore (zip) > content
Type: string. Description: The keystore zip file content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
19.1.4. [Optional] Property root > keystore > keystore items > keystore (path)
19.1.4.1. [Required] Property root > keystore > keystore items > keystore (path) > name
Type: string. Description: The keystore name.
Example:
# One example entry per keystore type listed in this section: p12, pem, zip, path.
# `content` is supplied through an annotation (`B64:` for inline encoded data,
# `@<file>` for a file) or as a literal block for inline PEM — see Special Types.
keystore:
  # p12: a pfx (.p12 file) keystore.
  - name: ks1
    type: p12
    content: "B64:<encoded_p12>"
    # NOTE(review): `password` is not among the properties listed for
    # keystore (p12) in 19.1.1 — confirm against the schema before relying on it.
    password: "OBF:<obfuscated_p12_password>"
  # pem: certificates and keys given in PEM format.
  - name: ks2
    type: pem
    # Signer certificates.
    certificate:
      - label: cert01
        content: "B64:<encoded PEM>"
      - label: cert02
        content: "@<file>"
      - label: cert03
        content: |
          <inline PEM>
    # Personal certificates, i.e. private key material. Where the deployment
    # supports it, the `secret:` annotation (Special Types Available in
    # Kubernetes) keeps the key out of plain configuration files.
    key:
      - label: key01
        content: "B64:<encoded PEM>"
      - label: key02
        content: "@<file>"
      - label: key03
        content: |
          <inline PEM>
  # zip: the whole keystore packaged as a zip file.
  - name: ks3
    type: zip
    content: "B64:<encoded zip>"
  # path: path to the keystore contents.
  - name: ks4
    type: path
    content: "keystore/ks4_contents"
20. [Optional] Property root > rules
Description: Specifies the access policies and mapping rules that IBM Security Verify Access OIDC Provider (ISVAOP) runtime flows use.
Example:
# Rules example: access policies and JavaScript mapping rules. Each `content`
# is either an inline literal block, a `B64:` annotation, or a `configmap:`
# path — see Special Types. Inline and `configmap:` forms are readable in
# review; `B64:` content is opaque and has to be decoded to be reviewed.
rules:
  access_policy:
    # NOTE(review): `type` is not among the properties listed for
    # access_policy items in 20.2.1 — confirm against the schema.
    - name: default_policy
      type: javascript
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
  mapping:
    - name: isvaop_pretoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: isvaop_posttoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: attrUtil
      content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
    - name: checkstatus
      content: "configmap:rules/mapping_checkstatus.js"
    - name: dcr
      content: "B64:aW1wb...pCn0K"
    - name: extCache
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: httpClient
      content: "configmap:rules/mapping_httpClient.js"
    - name: jwt
      content: "B64:aW1wb...T047"
    - name: ldapClient
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: library
      content: "configmap:rules/mapping_library.js"
    - name: notifyuser
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: oauthUtil
      content: "B64:aW1w...Cgo="
    - name: ropc
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...

20.1. [Optional] Property root > rules > mapping
Type: array of object. Description: JavaScript mapping rules.
Each item of this array must be a mapping item: a JavaScript mapping rule.
Description: JavaScript Mapping rule
Read more about JavaScript Mapping rule.
20.1.1.1. [Required] Property root > rules > mapping > mapping items > name
Type: string. Description: The mapping rule name.
20.1.1.2. [Required] Property root > rules > mapping > mapping items > content
Type: string. Description: The mapping rule content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
20.2. [Optional] Property root > rules > access_policy
Type: array of object. Description: Access policies.
Each item of this array must be an access_policy item: an access policy.
Description: Access Policy
Read more about Access Policy.
20.2.1.1. [Required] Property root > rules > access_policy > access_policy items > name
Type: string. Description: The access policy name.
20.2.1.2. [Required] Property root > rules > access_policy > access_policy items > content
Type: string. Description: The access policy content, or its path, using the corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
