Definition

1. Definition

Use the information in the following table to configure settings that dictate the behavior of how resources are accessed. This method is similar to the IBM Security Verify Access Definition, but with more configuration settings that are introduced in IBM Security Verify Access OIDC Provider.

Name	Description	Valid Value	Mandatory
`id`	Definition ID	string	No (Required for DCR flows)
`name`	Definition Name	string	No (Required for DCR flows)
`grant_types`	Supported grant types.	string[]	Yes
`access_policy_id`	Access Policy Rule ID.	string	No
`preauth_access_policy_id`	Pre Authentication Access Policy Rule ID.	string	No
`pre_mappingrule_id`	Pre-Token mapping rule ID.	string	No
`post_mappingrule_id`	Post-Token mapping rule ID.	string	No
`ropc_mappingrule_id`	ROPC-mapping rule ID.	string	No
`base_url`	Base url of the endpoints.	valid url string, example: `https://www.idp.com/isvaop`	Yes
`mtls_base_url`	Base url of the MTLS endpoints.	valid url string, example: `https://www.idp-mtls.com/isvaop`	No
`mtls_certificate_header_name`	HTTP header name that contains MTLS certificate.	string, example: `X-Client-Certificate`	No
`token_settings`	Token Settings
`features`	Feature Flags
`backchannel_settings`	Backchannel Settings
`attribute_map`	Attribute mapping to resolve claims.	map of `string -> string`
`metadata`	name-value pair to override metadata information	map of `string -> any`
`request_object`	JWT-Secured Authorization Request Settings
`dpop_max_lifetime`	Lifetime of DPoP proof JWT in seconds.	integer	No
`dpop_validation_time_skew`	Time skew in seconds used during DPoP proof validation.	integer	No
`jwt_bearer_validation_time_skew`	Time skew in seconds used during JWT validation for JWT Bearer grant flow.	integer	No
`client_assertion_validation_time_skew`	Time skew in seconds used during client assertion validation.	integer	No
`request_object_validation_time_skew`	Time skew in seconds used during request object validation.	integer	No
`jwt_token_validation_time_skew`	Time skew in seconds used during JWT token validation.	integer	No

1.1. Token Settings

Name	Description	Valid Value	Mandatory	Default
issuer	OP's issuer URI.	valid url string	Yes
signing_alg	Signing algorithm for ID token generated.	string	Yes
signing_keystore	Signing keystore name.	string	Yes
signing_keylabel	Signing key label.	string	Yes
encryption_alg	Key encryption algorithm for ID token generated.	string	No
encryption_enc	Content encryption algorithm for ID token generated.	string	No
authorization_code_lifetime	Lifetime of authorization code.	integer	No	300s
access_token_lifetime	Lifetime of access token.	integer	No	7200s
id_token_lifetime	Lifetime of id_token.	integer	No	3600s
refresh_token_lifetime	Lifetime of refresh token.	integer	No	64800s

1.2. Features Flags

Name	Description	Valid Value	Mandatory	Default
enable_fault_tolerance	Enable multiple refresh tokens for fault tolerance.	Boolean	No	No
consent_prompt	Prompt for consent vs auto-consent.	ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER	No	ALWAYS_PROMPT
fapi_compliant	Whether to enforce all the FAPI checks.	Boolean	No	No
enforce_par	Accept only authorized request using push authorize.	Boolean	No	No
prefer_claims_at_userinfo	This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.	Boolean	No	No

1.3. Backchannel Settings

These settings are related to Client-Initiated Backchannel Authentication (CIBA).

Name	Description	Valid Value	Mandatory	Default
default_expiry	The default CIBA session lifetime in seconds.	integer	No	900s
maximum_expiry	Maximum CIBA session lifetime in seconds.	integer	No	1800s
polling_interval	Polling interval value that is communicated to the relying party.	integer	No	5s
notifyuser_mappingrule_id	Mapping rule ID that is run when the user is notified.	string	No	`notifyuser`
checkstatus_mappingrule_id	Mapping rule ID that is run when the authentication status is checked.	string	No	`checkstatus`
user_code_support	Whether this CIBA implementation supports `user_code`. This information is published in `.well-known` endpoint.	Boolean	No	false

1.4. JWT Secured Authorization Request Settings

These settings are related to JWT-Secured Authorization Request(JAR).

Name	Description	Valid Value	Mandatory	Default
lifetime	The maximum lifetime of the incoming request-JWT in seconds.	integer	No
require_expiry	Boolean flag to check if the request-JWT contains a exp claim	Boolean	No	false
only_request_object_params	Boolean flag to enforce the request-JWT to contain all the request parameters.	Boolean	No	false
enforce_single_usage	Boolean flag to enforce single use of a request-JWT.	Boolean	No	false

1.5. Device flow settings

These settings are Device Authorization Grant.

Name	Description	Valid Value	Mandatory	Default
device_flow_polling_interval_in_secs	Polling interval in seconds	integer	No	5
device_flow_codelifetime_in_secs	Validity of the device code in seconds	integer	No	300
device_flow_usercode_length	Length of the user code. Has to be set of a value greater than 6	integer	No	6
device_flow_usercode_charset	Character set for user code, should be characters that are unique and greater that the code length	string	No	ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
enforce_clientauth_device_authorize	To enforce client authentication at the device authorization endpoint	boolean	No	true

definition:
  id: 1                                                     # Definition ID
  name: OIDC Definition                                     # Definition Name
  grant_types:                                              # Supported grant types.
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - urn:openid:params:grant-type:ciba
    - urn:ietf:params:oauth:grant-type:token-exchange
    - urn:ietf:params:oauth:grant-type:jwt-bearer
    - urn:ietf:params:oauth:grant-type:device_code
  access_policy_id: 1                                       # Access Policy Rule ID.
  pre_mappingrule_id: isvaop_pretoken                       # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken                     # Post-Token mapping rule ID.
  ropc_mappingrule_id: ropc                                 # ROPC mapping rule ID.
  base_url: https://isvaop.ibm.com:445                      # Base url of the endpoints.
  mtls_base_url: https://isvaop.ibm.com:445                 # Base url of the MTLS endpoints.
  mtls_certificate_header_name: x-client-certificate        # HTTP header name that contains MTLS certificate.
  features:                                                 # Features Flags
    enable_fault_tolerance: false                           # Enable multiple refresh token for fault tolerance.
    consent_prompt: ALWAYS_PROMPT                           # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false                                   # Whether to enforce all the FAPI checks.
    enforce_par: false                                      # Only accept authorize request using push authorize.
    prefer_claims_at_userinfo: true                         # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
  token_settings:                                           # Token Settings
    issuer: https://isvaop.ibm.com                          # OP's issuer URI.
    signing_alg: PS512                                      # Signing algorithm for ID token generated.
    signing_keystore: rt_profile_keys                       # Signing keystore name.
    signing_keylabel: rsa256                                # Signing key label.
    encryption_alg: none                                    # Key encryption algorithm for ID token generated.
    encryption_enc: none                                    # Content encryption algorithm for ID token generated.
    authorization_code_lifetime: 300                        # Lifetime of authorization code.
    access_token_lifetime: 7200                             # Lifetime of access token.
    id_token_lifetime: 3600                                 # Lifetime of id_token.
    refresh_token_lifetime: 64800                           # Lifetime of refresh token.
  backchannel_settings:                                     # Backchannel Settings
    default_expiry: 900                                     # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds.
    maximum_expiry: 1800                                    # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds.
    polling_interval: 5                                     # Polling interval value that will be communicated to the relying party. Default is 5 seconds.
    notifyuser_mappingrule_id: notifyuser                   # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`.
    checkstatus_mappingrule_id: checkstatus                 # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`.
    user_code_support: false                                # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint.
  attribute_map:                                            # Attribute mapping to resolve claims. also refer to attributesources.yml
    name: display_name
    age: age
    website: website
  metadata:                                                 # name-value pair to override metadata information
    claims_supported:
      - iss
      - name
      - displayName
  dpop_max_lifetime: 3600                                   # Lifetime of DPoP proof JWT. 
  request_object:
    lifetime: 3600                                          # Lifetime of the incoming JWT-Secured Authorization Request.
    require_expiry: true                                    # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim.
    only_request_object_params: false                       # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters.
    enforce_single_usage: false                             # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
  device_flow_settings:
    device_flow_polling_interval_in_secs: 8                 # Polling interval in seconds
    device_flow_codelifetime_in_sec: 200                    # Lifetime seconds for device_code
    device_flow_usercode_length: 7                          # User code length
    device_flow_usercode_charset: 'ABCDEF1234'              # User code character set
    enforce_clientauth_device_authorize: true               # Boolean flag to enforce client authentication at device authorization