Use the information in the following table to configure settings that dictate the behavior of how resources are accessed. This method is similar to the IBM Verify Identity Access Definition, but with more configuration settings that are introduced in IBM Verify Identity Access OIDC Provider.
Accept only authorized request using push authorize.
Boolean
No
No
prefer_claims_at_userinfo
This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
Boolean
No
No
1.3. Backchannel Settings
These settings are related to Client-Initiated Backchannel Authentication (CIBA).
Name
Description
Valid Value
Mandatory
Default
default_expiry
The default CIBA session lifetime in seconds.
integer
No
900s
maximum_expiry
Maximum CIBA session lifetime in seconds.
integer
No
1800s
polling_interval
Polling interval value that is communicated to the relying party.
integer
No
5s
notifyuser_mappingrule_id
Mapping rule ID that is run when the user is notified.
string
No
notifyuser
checkstatus_mappingrule_id
Mapping rule ID that is run when the authentication status is checked.
string
No
checkstatus
user_code_support
Whether this CIBA implementation supports user_code. This information is published in .well-known endpoint.
Boolean
No
false
1.4. JWT Secured Authorization Request Settings
These settings are related to JWT-Secured Authorization Request(JAR).
Name
Description
Valid Value
Mandatory
Default
lifetime
The maximum lifetime of the incoming request-JWT in seconds.
integer
No
require_expiry
Boolean flag to check if the request-JWT contains a exp claim
Boolean
No
false
only_request_object_params
Boolean flag to enforce the request-JWT to contain all the request parameters.
Boolean
No
false
enforce_single_usage
Boolean flag to enforce single use of a request-JWT.
Boolean
No
false
1.5. Device flow settings
These settings are Device Authorization Grant.
Name
Description
Valid Value
Mandatory
Default
device_flow_polling_interval_in_secs
Polling interval in seconds
integer
No
5
device_flow_codelifetime_in_secs
Validity of the device code in seconds
integer
No
300
device_flow_usercode_length
Length of the user code. Has to be set of a value greater than 6
integer
No
6
device_flow_usercode_charset
Character set for user code, should be characters that are unique and greater that the code length
string
No
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
enforce_clientauth_device_authorize
To enforce client authentication at the device authorization endpoint
boolean
No
true
1.6. Authorization Details Types
These settings are Authorization Details Types Supported. It is an array of types supported.
Name
Description
Valid Value
Mandatory
Default
type
Supported authorization details type
string
Yes
strategy
The identifier of the authorization details type is calculated based on the strategy
string
No
default
script
If strategy is custom, an in line JavaScript is expected, the JS need to set an ID as a last statement in the script
string
No
1.7. Authorization Details Types Schema
These settings are Authorization Details Types schema.
Name
Description
Valid Value
Mandatory
Default
type
Supported authorization details type
string
Yes
content
The path to the JSON schema file used to validate the incoming authorization_details JSON schema.
string
Yes
1.8. Pre-Authorized Code Setting
These settings are Device Authorization Grant.
Name
Description
Valid Value
Mandatory
Default
pre_authorize_code_lifetime_in_secs
Lifetime of the pre authorized code
integer
No
1800
require_transaction_code
Flag to indicate is the transaction code should be generated
boolean
No
false
transaction_code_charset
The character set for the transaction code
string
No
[0-9]
transaction_code_length
The transaction code length
integer
No
4
definition:
id: 1 # Definition ID
name: OIDC Definition # Definition Name
grant_types: # Supported grant types.
- authorization_code
- implicit
- password
- client_credentials
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
- urn:ietf:params:oauth:grant-type:jwt-bearer
- urn:ietf:params:oauth:grant-type:device_code
- urn:ietf:params:oauth:grant-type:pre-authorized_code
access_policy_id: 1 # Access Policy Rule ID.
pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
post_mappingrule_id: isvaop_posttoken # Post-Token mapping rule ID.
ropc_mappingrule_id: ropc # ROPC mapping rule ID.
base_url: https://isvaop.ibm.com:445 # Base url of the endpoints.
mtls_base_url: https://isvaop.ibm.com:445 # Base url of the MTLS endpoints.
mtls_certificate_header_name: x-client-certificate # HTTP header name that contains MTLS certificate.
authorization_details_types_supported:
- type: payment_initiation
strategy: default
script: null
- type: account_information
strategy: sha512
script: null
- type: openid_credential
strategy: sha512
script: null
ignore_unknown_authorization_details_type: false
authorization_details_types_schema:
- type: payment_initiation
content: '@schema/payment_initiation.json'
- type: account_information
content: '@schema/account_information.json'
- type: openid_credential
content: '@schema/openid_credential.json'
features: # Features Flags
enable_fault_tolerance: false # Enable multiple refresh token for fault tolerance.
consent_prompt: ALWAYS_PROMPT # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
fapi_compliant: false # Whether to enforce all the FAPI checks.
enforce_par: false # Only accept authorize request using push authorize.
prefer_claims_at_userinfo: true # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
token_settings: # Token Settings
issuer: https://isvaop.ibm.com # OP's issuer URI.
signing_alg: PS512 # Signing algorithm for ID token generated.
signing_keystore: rt_profile_keys # Signing keystore name.
signing_keylabel: rsa256 # Signing key label.
encryption_alg: none # Key encryption algorithm for ID token generated.
encryption_enc: none # Content encryption algorithm for ID token generated.
authorization_code_lifetime: 300 # Lifetime of authorization code.
access_token_lifetime: 7200 # Lifetime of access token.
id_token_lifetime: 3600 # Lifetime of id_token.
refresh_token_lifetime: 64800 # Lifetime of refresh token.
backchannel_settings: # Backchannel Settings
default_expiry: 900 # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds.
maximum_expiry: 1800 # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds.
polling_interval: 5 # Polling interval value that will be communicated to the relying party. Default is 5 seconds.
notifyuser_mappingrule_id: notifyuser # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`.
checkstatus_mappingrule_id: checkstatus # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`.
user_code_support: false # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint.
attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
name: display_name
age: age
website: website
metadata: # name-value pair to override metadata information
claims_supported:
- iss
- name
- displayName
dpop_max_lifetime: 3600 # Lifetime of DPoP proof JWT.
request_object:
lifetime: 3600 # Lifetime of the incoming JWT-Secured Authorization Request.
require_expiry: true # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim.
only_request_object_params: false # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters.
enforce_single_usage: false # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
device_flow_settings:
device_flow_polling_interval_in_secs: 8 # Polling interval in seconds
device_flow_codelifetime_in_sec: 200 # Lifetime seconds for device_code
device_flow_usercode_length: 7 # User code length
device_flow_usercode_charset: 'ABCDEF1234' # User code character set
enforce_clientauth_device_authorize: true # Boolean flag to enforce client authentication at device authorization
