Use the information in the following table to configure settings that dictate the behavior of how resources are accessed. This method is similar to the IBM Security Verify Access Definition, but with more configuration settings that are introduced in IBM Security Verify Access OIDC Provider.
Accept only authorized request using push authorize.
Boolean
No
No
prefer_claims_at_userinfo
This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
Boolean
No
No
1.3. Backchannel Settings
These settings are related to Client-Initiated Backchannel Authentication (CIBA).
Name
Description
Valid Value
Mandatory
Default
default_expiry
The default CIBA session lifetime in seconds.
integer
No
900s
maximum_expiry
Maximum CIBA session lifetime in seconds.
integer
No
1800s
polling_interval
Polling interval value that is communicated to the relying party.
integer
No
5s
notifyuser_mappingrule_id
Mapping rule ID that is run when the user is notified.
string
No
notifyuser
checkstatus_mappingrule_id
Mapping rule ID that is run when the authentication status is checked.
string
No
checkstatus
user_code_support
Whether this CIBA implementation supports user_code. This information is published in .well-known endpoint.
Boolean
No
false
1.4. JWT Secured Authorization Request Settings
These settings are related to JWT-Secured Authorization Request(JAR).
Name
Description
Valid Value
Mandatory
Default
lifetime
The maximum lifetime of the incoming request-JWT in seconds.
integer
No
require_expiry
Boolean flag to check if the request-JWT contains a exp claim
Boolean
No
false
only_request_object_params
Boolean flag to enforce the request-JWT to contain all the request parameters.
Boolean
No
false
enforce_single_usage
Boolean flag to enforce single use of a request-JWT.
Boolean
No
false
definition:
id: 1 # Definition ID
name: OIDC Definition # Definition Name
grant_types: # Supported grant types.
- authorization_code
- implicit
- password
- client_credentials
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
- urn:ietf:params:oauth:grant-type:jwt-bearer
access_policy_id: 1 # Access Policy Rule ID.
pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
post_mappingrule_id: isvaop_posttoken # Post-Token mapping rule ID.
ropc_mappingrule_id: ropc # ROPC mapping rule ID.
base_url: https://isvaop.ibm.com:445 # Base url of the endpoints.
mtls_base_url: https://isvaop.ibm.com:445 # Base url of the MTLS endpoints.
mtls_certificate_header_name: x-client-certificate # HTTP header name that contains MTLS certificate.
features: # Features Flags
enable_fault_tolerance: false # Enable multiple refresh token for fault tolerance.
consent_prompt: ALWAYS_PROMPT # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
fapi_compliant: false # Whether to enforce all the FAPI checks.
enforce_par: false # Only accept authorize request using push authorize.
prefer_claims_at_userinfo: true # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
token_settings: # Token Settings
issuer: https://isvaop.ibm.com # OP's issuer URI.
signing_alg: PS512 # Signing algorithm for ID token generated.
signing_keystore: rt_profile_keys # Signing keystore name.
signing_keylabel: rsa256 # Signing key label.
encryption_alg: none # Key encryption algorithm for ID token generated.
encryption_enc: none # Content encryption algorithm for ID token generated.
authorization_code_lifetime: 300 # Lifetime of authorization code.
access_token_lifetime: 7200 # Lifetime of access token.
id_token_lifetime: 3600 # Lifetime of id_token.
refresh_token_lifetime: 64800 # Lifetime of refresh token.
backchannel_settings: # Backchannel Settings
default_expiry: 900 # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds.
maximum_expiry: 1800 # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds.
polling_interval: 5 # Polling interval value that will be communicated to the relying party. Default is 5 seconds.
notifyuser_mappingrule_id: notifyuser # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`.
checkstatus_mappingrule_id: checkstatus # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`.
user_code_support: false # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint.
attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
name: display_name
age: age
website: website
metadata: # name-value pair to override metadata information
claims_supported:
- iss
- name
- displayName
dpop_max_lifetime: 3600 # Lifetime of DPoP proof JWT.
request_object:
lifetime: 3600 # Lifetime of the incoming JWT-Secured Authorization Request.
require_expiry: true # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim.
only_request_object_params: false # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters.
enforce_single_usage: false # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
