Definition
1. Definition
Use the information in the following table to configure the definition: the settings that govern how resources are accessed through the provider's endpoints. The definition is similar to the IBM Verify Identity Access Definition, but IBM Verify Identity Access OIDC Provider introduces additional configuration settings. The nested settings objects (token_settings, features, backchannel_settings, request_object, device_flow_settings, the authorization details settings and pre_auth_settings) are described in the subsections that follow, and a complete example definition is given at the end of the page.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
id | Definition ID | string | No (Required for DCR flows) | |
name | Definition Name | string | No (Required for DCR flows) | |
grant_types | Supported grant types. | string[] | Yes | |
access_policy_id | Access Policy Rule ID. | string | No | |
preauth_access_policy_id | Pre Authentication Access Policy Rule ID. | string | No | |
pre_mappingrule_id | Pre-Token mapping rule ID. | string | No | |
post_mappingrule_id | Post-Token mapping rule ID. | string | No | |
ropc_mappingrule_id | ROPC-mapping rule ID. | string | No | |
base_url | Base url of the endpoints. | valid url string, example: https://www.idp.com/isvaop | Yes | |
mtls_base_url | Base url of the MTLS endpoints. | valid url string, example: https://www.idp-mtls.com/isvaop | No | |
mtls_certificate_header_name | HTTP header name that contains the MTLS client certificate. The header must be set only by the TLS-terminating reverse proxy that validated the client certificate, and any copy of this header sent by the client must be stripped there; otherwise a client can present a forged certificate in the header. | string, example: X-Client-Certificate | No | |
token_settings | Token settings. See 1.1. | object | Yes | |
authorization_details_types_supported | Supported authorization details types. See 1.6. | array of objects | | |
ignore_unknown_authorization_details_type | Whether an unknown authorization details type is ignored (true) or causes the request to fail with an error (false). | Boolean | No | false |
authorization_details_types_schema | Authorization details types schema. See 1.7. | array of objects | | |
pre_auth_settings | Pre-authorized code settings. See 1.8. | object | No | |
features | Feature flags. See 1.2. | object | | |
backchannel_settings | Backchannel (CIBA) settings. See 1.3. | object | | |
request_object | JWT-Secured Authorization Request (JAR) settings. See 1.4. | object | | |
device_flow_settings | Device Authorization Grant settings. See 1.5. | object | | |
attribute_map | Attribute mapping to resolve claims. | map of string -> string | | |
metadata | Name-value pairs that override the published (.well-known) metadata. | map of string -> any | | |
dpop_max_lifetime | Maximum age of a DPoP proof JWT, in seconds. | integer | No | |
dpop_validation_time_skew | Time skew in seconds allowed during DPoP proof validation. | integer | No | |
jwt_bearer_validation_time_skew | Time skew in seconds allowed during JWT validation for the JWT Bearer grant flow. | integer | No | |
client_assertion_validation_time_skew | Time skew in seconds allowed during client assertion validation. | integer | No | |
request_object_validation_time_skew | Time skew in seconds allowed during request object validation. | integer | No | |
jwt_token_validation_time_skew | Time skew in seconds allowed during JWT token validation. | integer | No | |
1.1. Token Settings
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
issuer | OP's issuer URI. | valid url string | Yes | |
signing_alg | Signing algorithm for ID token generated. | string | Yes | |
signing_keystore | Signing keystore name. | string | Yes | |
signing_keylabel | Signing key label. | string | Yes | |
encryption_alg | Key encryption algorithm for ID token generated. | string | No | |
encryption_enc | Content encryption algorithm for ID token generated. | string | No | |
authorization_code_lifetime | Lifetime of the authorization code, in seconds. | integer | No | 300 |
access_token_lifetime | Lifetime of the access token, in seconds. | integer | No | 7200 |
id_token_lifetime | Lifetime of the id_token, in seconds. | integer | No | 3600 |
refresh_token_lifetime | Lifetime of the refresh token, in seconds. | integer | No | 64800 |
1.2. Feature Flags
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
enable_fault_tolerance | Enable multiple refresh tokens for fault tolerance. | Boolean | No | false |
consent_prompt | Prompt for consent vs auto-consent. | ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER | No | ALWAYS_PROMPT |
fapi_compliant | Whether to enforce all the FAPI checks. | Boolean | No | false |
enforce_par | Accept only authorization requests that were pushed through the Pushed Authorization Request (PAR) endpoint. | Boolean | No | false |
prefer_claims_at_userinfo | Addresses OpenID Connect Core section 5.4 (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When set to true and an OAuth/OIDC flow issues an access token, the requested claims are returned only from the /userinfo endpoint instead of in the id_token, unless the claims are essential to be returned in the id_token. | Boolean | No | false |
1.3. Backchannel Settings
These settings are related to Client-Initiated Backchannel Authentication (CIBA).
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
default_expiry | The default CIBA session lifetime, in seconds. | integer | No | 900 |
maximum_expiry | Maximum CIBA session lifetime, in seconds. | integer | No | 1800 |
polling_interval | Polling interval, in seconds, that is communicated to the relying party. | integer | No | 5 |
notifyuser_mappingrule_id | Mapping rule ID that is run when the user is notified. | string | No | notifyuser |
checkstatus_mappingrule_id | Mapping rule ID that is run when the authentication status is checked. | string | No | checkstatus |
user_code_support | Whether this CIBA implementation supports user_code. This information is published in the .well-known endpoint. | Boolean | No | false |
1.4. JWT-Secured Authorization Request Settings
These settings are related to JWT-Secured Authorization Request (JAR) and are configured under request_object.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
lifetime | The maximum lifetime of the incoming request-JWT in seconds. | integer | No | |
require_expiry | Boolean flag to require that the request-JWT contains an exp claim. | Boolean | No | false |
only_request_object_params | Boolean flag to require that all request parameters are carried inside the request-JWT. | Boolean | No | false |
enforce_single_usage | Boolean flag to enforce single use of a request-JWT. | Boolean | No | false |
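The lifetime and time-skew settings in the definition table (dpop_max_lifetime, dpop_validation_time_skew, request_object_validation_time_skew) and the request_object settings above all answer the same question: how far a presented JWT's timestamps may drift from the server clock, and whether the JWT may be presented twice. The following Python is an added example, not code from IBM Verify Identity Access OIDC Provider, showing how those settings bound the acceptance window for a DPoP proof (RFC 9449) and for a JAR request object (RFC 9101). It assumes the signature has already been verified (the unsigned token builder is there only to construct test input), and the exact order in which the product applies these checks internally is not something this page states.

```python
# Added example, not ISVAOP code: freshness and replay checks driven by the
# definition's lifetime / skew settings. Signature verification is assumed
# to have happened before these checks and is left out; make_unsigned_jwt
# produces constructed, unsigned test input only.
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Compact JWS with an empty signature part (constructed test input)."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_jwt(token: str) -> tuple:
    """Split header and claims; does NOT verify the signature."""
    header, claims, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(claims))


def check_dpop_proof(proof: str, htm: str, htu: str, now: int,
                     dpop_max_lifetime: int, dpop_validation_time_skew: int,
                     seen_jti: set) -> str:
    """Return 'ok' or the reason the proof is rejected. `seen_jti` is the
    replay cache; entries only need to live for max_lifetime + skew."""
    header, claims = decode_jwt(proof)
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return "typ is not dpop+jwt or jwk missing"
    if claims.get("htm") != htm or claims.get("htu") != htu:
        return "htm/htu mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return "iat missing"
    # Acceptance window: [now - max_lifetime - skew, now + skew]
    if iat > now + dpop_validation_time_skew:
        return "iat is in the future"
    if iat + dpop_max_lifetime + dpop_validation_time_skew < now:
        return "proof older than dpop_max_lifetime"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return "jti missing or replayed"
    seen_jti.add(jti)
    return "ok"


# Parameters that may legitimately travel outside the request JWT even when
# only_request_object_params is on (OIDC Core 6.1 minimum; an assumption).
_ALLOWED_OUTSIDE = {"client_id", "request", "request_uri", "response_type", "scope"}


def check_request_object(jar: str, query_params: dict, now: int, lifetime: int,
                         require_expiry: bool, only_request_object_params: bool,
                         enforce_single_usage: bool,
                         request_object_validation_time_skew: int,
                         seen_jti: set) -> str:
    """Apply the request_object settings to a request JWT passed as the
    `request` query parameter. Returns 'ok' or a rejection reason."""
    _header, claims = decode_jwt(jar)
    if "client_id" in claims and claims["client_id"] != query_params.get("client_id"):
        return "client_id in request object does not match the query"
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None and require_expiry:
        return "exp claim required"
    if exp is not None and exp + request_object_validation_time_skew < now:
        return "request object expired"
    if iat is not None and iat + lifetime + request_object_validation_time_skew < now:
        return "request object older than lifetime"
    if only_request_object_params:
        extra = set(query_params) - _ALLOWED_OUTSIDE
        if extra:
            return "parameters outside the request object: " + ",".join(sorted(extra))
    if enforce_single_usage:
        jti = claims.get("jti")
        if not jti or jti in seen_jti:
            return "jti missing or request object already used"
        seen_jti.add(jti)
    return "ok"
```

Note that the skew is applied on both sides of the window: a proof whose iat is slightly in the future is still accepted, and one slightly older than dpop_max_lifetime is too. Tightening dpop_max_lifetime shortens how long the jti replay cache must retain entries, which is the main operational cost of DPoP on the token endpoint.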
1.5. Device flow settings
These settings apply to the Device Authorization Grant (urn:ietf:params:oauth:grant-type:device_code) and are configured under device_flow_settings.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
device_flow_polling_interval_in_secs | Polling interval in seconds. | integer | No | 5 |
device_flow_codelifetime_in_secs | Validity of the device code in seconds. | integer | No | 300 |
device_flow_usercode_length | Length of the user code. Must be set to a value of at least 6. | integer | No | 6 |
device_flow_usercode_charset | Character set for the user code. The characters must be unique, and the set must contain more characters than the code length. A small character set lowers the entropy of the user code, so keep it large enough that a code cannot be guessed within its lifetime. | string | No | ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 |
enforce_clientauth_device_authorize | Enforce client authentication at the device authorization endpoint. | boolean | No | true |
1.6. Authorization Details Types
These settings list the supported authorization details types (authorization_details_types_supported). The value is an array with one entry per supported type.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
type | Supported authorization details type. | string | Yes | |
strategy | Strategy used to calculate the identifier of an authorization details entry of this type. | default, sha512, custom | No | default |
script | Required when strategy is custom: inline JavaScript that computes the identifier. The last statement of the script must evaluate to the ID. | string | No | |
1.7. Authorization Details Types Schema
These settings map each supported authorization details type to the JSON schema used to validate it (authorization_details_types_schema). The value is an array with one entry per type.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
type | Supported authorization details type. | string | Yes | |
content | Path to the JSON schema file used to validate incoming authorization_details entries of this type. | string | Yes | |
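Sections 1.6 and 1.7, together with ignore_unknown_authorization_details_type, describe a two-step filter on the incoming authorization_details parameter (RFC 9396): first decide whether each entry's type is supported, then validate the entry against the schema registered for that type. The following Python is an added example, not code from IBM Verify Identity Access OIDC Provider. The SCHEMAS dictionary is a constructed stand-in for the @schema/*.json files of the example definition (their real contents are not on this page), and validate() implements only the handful of JSON Schema keywords those constructed schemas use.

```python
# Added example, not ISVAOP code: applying authorization_details_types_supported,
# ignore_unknown_authorization_details_type and authorization_details_types_schema
# to an incoming authorization_details parameter.
import json

# Constructed stand-ins for @schema/payment_initiation.json and
# @schema/account_information.json from the example definition.
SCHEMAS = {
    "payment_initiation": {
        "type": "object",
        "required": ["type", "actions", "instructedAmount"],
        "properties": {
            "type": {"enum": ["payment_initiation"]},
            "actions": {"type": "array",
                        "items": {"enum": ["initiate", "status", "cancel"]}},
            "instructedAmount": {
                "type": "object",
                "required": ["currency", "amount"],
                "properties": {"currency": {"type": "string"},
                               "amount": {"type": "string"}},
            },
        },
    },
    "account_information": {
        "type": "object",
        "required": ["type", "actions"],
        "properties": {"type": {"enum": ["account_information"]},
                       "actions": {"type": "array", "items": {"type": "string"}}},
    },
}

# Constructed request input: one valid payment_initiation entry and one entry
# of a type the definition does not list.
SAMPLE_AUTHORIZATION_DETAILS = (
    '[{"type": "payment_initiation", "actions": ["initiate"],'
    ' "instructedAmount": {"currency": "EUR", "amount": "10.00"}},'
    ' {"type": "crypto_wallet", "actions": ["sign"]}]'
)

_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
          "number": (int, float), "boolean": bool}


def validate(schema: dict, inst, path: str = "$") -> list:
    """JSON Schema subset: type, enum, required, properties, items.
    Returns a list of error strings; an empty list means the instance is valid."""
    t = schema.get("type")
    if t and (not isinstance(inst, _TYPES[t])
              or (t in ("integer", "number") and isinstance(inst, bool))):
        return [f"{path}: expected {t}"]
    errs = []
    if "enum" in schema and inst not in schema["enum"]:
        errs.append(f"{path}: not one of {schema['enum']}")
    for key in schema.get("required", []):
        if not isinstance(inst, dict) or key not in inst:
            errs.append(f"{path}.{key}: required")
    for key, sub in schema.get("properties", {}).items():
        if isinstance(inst, dict) and key in inst:
            errs += validate(sub, inst[key], f"{path}.{key}")
    if "items" in schema and isinstance(inst, list):
        for i, item in enumerate(inst):
            errs += validate(schema["items"], item, f"{path}[{i}]")
    return errs


def process_authorization_details(raw: str, types_supported: list,
                                  schemas: dict, ignore_unknown: bool):
    """Return (accepted_entries, errors). An entry whose type is not in
    types_supported is dropped silently when ignore_unknown is true and
    reported as an error otherwise; entries of known types must pass their schema."""
    try:
        details = json.loads(raw)
    except json.JSONDecodeError:
        return [], ["authorization_details is not valid JSON"]
    if not isinstance(details, list):
        return [], ["authorization_details must be a JSON array"]
    accepted, errors = [], []
    for i, entry in enumerate(details):
        t = entry.get("type") if isinstance(entry, dict) else None
        if t not in types_supported:
            if not ignore_unknown:
                errors.append(f"[{i}]: unsupported type {t!r}")
            continue
        schema = schemas.get(t)
        if schema is None:
            errors.append(f"[{i}]: no schema configured for type {t!r}")
            continue
        errs = validate(schema, entry, f"[{i}]")
        if errs:
            errors.extend(errs)
        else:
            accepted.append(entry)
    return accepted, errors
```

The security-relevant choice is the ignore_unknown flag: with it set to true, a client that sends an unsupported type gets a token whose authorization_details silently lacks that entry, which is safe only if downstream resource servers treat an absent entry as "not granted" rather than "unrestricted". Leaving it at the default false makes the mismatch visible as an error.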
1.8. Pre-Authorized Code Settings
These settings apply to the Pre-Authorized Code grant (urn:ietf:params:oauth:grant-type:pre-authorized_code) and are configured under pre_auth_settings.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
pre_authorize_code_lifetime_in_secs | Lifetime of the pre-authorized code, in seconds. | integer | No | 1800 |
require_transaction_code | Flag to indicate whether a transaction code should be generated. | boolean | No | false |
transaction_code_charset | Character set for the transaction code. | string | No | [0-9] |
transaction_code_length | Length of the transaction code. With the default charset and length there are only 10,000 possible codes, so either raise the length or charset, or make sure the token endpoint rate-limits failed attempts during the code's lifetime. | integer | No | 4 |
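Both the device-flow user code (section 1.5) and the transaction code above are short secrets whose strength is fixed entirely by charset size, length and lifetime. The following Python is an added example, not code from IBM Verify Identity Access OIDC Provider: it checks a charset/length pair against the constraints the device-flow table states, computes the entropy of the resulting codes, and estimates how likely an online guess is within the code's lifetime. The guesses-per-second figure is an assumed input; how the product itself rate-limits the verification and token endpoints is not described on this page.

```python
# Added example, not ISVAOP code: sanity-checking user-code and transaction-code
# settings. The guessing rate an attacker can sustain is an assumed input.
import math
import secrets

DEFAULT_USERCODE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def check_code_config(charset: str, length: int, min_length: int = 6) -> list:
    """Return the list of violated constraints (empty list == acceptable).
    The constraints are those the device-flow table gives for
    device_flow_usercode_charset / device_flow_usercode_length."""
    problems = []
    if len(set(charset)) != len(charset):
        problems.append("charset contains duplicate characters")
    if len(charset) <= length:
        problems.append("charset must contain more characters than the code length")
    if length < min_length:
        problems.append(f"length must be at least {min_length}")
    return problems


def keyspace(charset: str, length: int) -> int:
    """Number of distinct codes when every position is drawn independently."""
    return len(set(charset)) ** length


def entropy_bits(charset: str, length: int) -> float:
    return math.log2(keyspace(charset, length))


def guess_success_probability(charset: str, length: int,
                              lifetime_secs: int, guesses_per_sec: float) -> float:
    """Chance that an online attacker hits one specific live code before it
    expires, given how many guesses per second the endpoint lets through."""
    attempts = lifetime_secs * guesses_per_sec
    return min(1.0, attempts / keyspace(charset, length))


def generate_code(charset: str, length: int) -> str:
    """CSPRNG-based code, one independent draw per position."""
    return "".join(secrets.choice(charset) for _ in range(length))


def report(label: str, charset: str, length: int,
           lifetime_secs: int, guesses_per_sec: float) -> None:
    p = guess_success_probability(charset, length, lifetime_secs, guesses_per_sec)
    print(f"{label}: {entropy_bits(charset, length):.1f} bits, "
          f"P(guess within {lifetime_secs}s at {guesses_per_sec}/s) = {p:.2e}, "
          f"problems={check_code_config(charset, length) or 'none'}, "
          f"sample {generate_code(charset, length)}")


if __name__ == "__main__":
    # Device-flow defaults from the table: 36 characters, length 6, 300 s.
    report("device user code (defaults)", DEFAULT_USERCODE_CHARSET, 6, 300, 10)
    # The example definition on this page: 10 characters, length 7, 200 s.
    report("device user code (example)", "ABCDEF1234", 7, 200, 10)
    # Transaction-code defaults: [0-9], length 4, pre-authorized code lifetime 1800 s.
    report("transaction code (defaults)", "0123456789", 4, 1800, 10)
```

Run stand-alone, the report shows the gap: the default user code has about 31 bits of entropy, the page's example charset 'ABCDEF1234' with length 7 only about 23 bits, and a 4-digit transaction code about 13 bits, which at ten guesses per second is exhausted well inside the default 1800-second lifetime unless the endpoint locks the code after a few failures.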
Example definition:

```yaml
definition:
  id: 1                                         # Definition ID
  name: OIDC Definition                         # Definition Name
  grant_types:                                  # Supported grant types.
    - authorization_code
    - implicit            # Deprecated by the OAuth 2.0 Security BCP; keep only for legacy clients.
    - password            # ROPC; likewise deprecated by the BCP.
    - client_credentials
    - refresh_token
    - urn:openid:params:grant-type:ciba
    - urn:ietf:params:oauth:grant-type:token-exchange
    - urn:ietf:params:oauth:grant-type:jwt-bearer
    - urn:ietf:params:oauth:grant-type:device_code
    - urn:ietf:params:oauth:grant-type:pre-authorized_code
  access_policy_id: 1                           # Access Policy Rule ID.
  pre_mappingrule_id: isvaop_pretoken           # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken         # Post-Token mapping rule ID.
  ropc_mappingrule_id: ropc                     # ROPC mapping rule ID.
  base_url: https://isvaop.ibm.com:445          # Base url of the endpoints.
  mtls_base_url: https://isvaop.ibm.com:445     # Base url of the MTLS endpoints.
  mtls_certificate_header_name: x-client-certificate  # Header carrying the MTLS certificate; must be set by the TLS-terminating proxy only.
  authorization_details_types_supported:
    - type: payment_initiation
      strategy: default
      script: null
    - type: account_information
      strategy: sha512
      script: null
    - type: openid_credential
      strategy: sha512
      script: null
  ignore_unknown_authorization_details_type: false
  authorization_details_types_schema:
    - type: payment_initiation
      content: '@schema/payment_initiation.json'
    - type: account_information
      content: '@schema/account_information.json'
    - type: openid_credential
      content: '@schema/openid_credential.json'
  features:                                     # Feature flags
    enable_fault_tolerance: false               # Enable multiple refresh tokens for fault tolerance.
    consent_prompt: ALWAYS_PROMPT               # ALWAYS_PROMPT, NEVER_PROMPT or PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false                       # Whether to enforce all the FAPI checks.
    enforce_par: false                          # Accept only authorization requests pushed through PAR.
    prefer_claims_at_userinfo: true             # Return requested claims only from /userinfo rather than in the id_token (OIDC Core 5.4), unless they are essential in the id_token.
  token_settings:                               # Token settings
    issuer: https://isvaop.ibm.com              # OP's issuer URI.
    signing_alg: PS512                          # Signing algorithm for the ID token.
    signing_keystore: rt_profile_keys           # Signing keystore name.
    signing_keylabel: rsa256                    # Signing key label.
    encryption_alg: none                        # Key encryption algorithm for the ID token (none = not encrypted).
    encryption_enc: none                        # Content encryption algorithm for the ID token.
    authorization_code_lifetime: 300            # Seconds.
    access_token_lifetime: 7200                 # Seconds.
    id_token_lifetime: 3600                     # Seconds.
    refresh_token_lifetime: 64800               # Seconds.
  backchannel_settings:                         # CIBA settings
    default_expiry: 900                         # Default CIBA session lifetime in seconds.
    maximum_expiry: 1800                        # Maximum CIBA session lifetime in seconds.
    polling_interval: 5                         # Polling interval communicated to the relying party, in seconds.
    notifyuser_mappingrule_id: notifyuser       # Mapping rule run when the user is notified.
    checkstatus_mappingrule_id: checkstatus     # Mapping rule run when the authentication status is checked.
    user_code_support: false                    # Published in the .well-known metadata.
  attribute_map:                                # Attribute mapping to resolve claims; see also attributesources.yml
    name: display_name
    age: age
    website: website
  metadata:                                     # Name-value pairs that override the published metadata
    claims_supported:
      - iss
      - name
      - displayName
  dpop_max_lifetime: 3600                       # Maximum age of a DPoP proof JWT, in seconds.
  request_object:                               # JAR settings
    lifetime: 3600                              # Maximum lifetime of the incoming request JWT, in seconds.
    require_expiry: true                        # Reject request JWTs without an exp claim.
    only_request_object_params: false           # Require all request parameters to be inside the request JWT.
    enforce_single_usage: false                 # Reject a request JWT that has already been used.
  device_flow_settings:
    device_flow_polling_interval_in_secs: 8     # Polling interval in seconds
    device_flow_codelifetime_in_secs: 200       # Lifetime of the device_code in seconds
    device_flow_usercode_length: 7              # User code length
    device_flow_usercode_charset: 'ABCDEF1234'  # User code character set (10 unique characters: roughly 23 bits of entropy for a 7-character code)
    enforce_clientauth_device_authorize: true   # Enforce client authentication at the device authorization endpoint
```