Name | Type | Default | Description |
|---|
idp.authn.oidc.rp.provider.proxyIssuer | String | | Statically-defined Issuer ID of upstream OP to use for authentication. |
idp.authn.oidc.rp.client.clientId | String | | OAuth 2.0 Client Identifier valid at the Authorization Server. |
idp.authn.oidc.rp.client.redirecturl.allowedOrigins | String list | | A list of allowed origins the RP can use when dynamically creating a redirect URI to use. Can be overriden to a fixed redirect URI using the property idp.authn.oidc.rp.client.redirectURL |
idp.authn.oidc.rp.client.redirectURI | String | | The redirect URI to supply to the Authorization Server during an Authentication Request. Is where the Authentication Response is sent. Will override the dynamically computed redirect computed using the idp.authn.oidc.rp.client.redirecturl.allowedOrigins |
idp.authn.oidc.rp.client.clientSecret | String | | OAuth 2.0 secret know only to the IdP and the Authorization Server. Used to authenticate the RP to the Authorization Server and to potentially secure JSON Web Tokens. |
idp.authn.oidc.rp.provider.keyfetch.interval | Duration | 30 minutes | The time duration for which an OpenID Provider’s key set document is cached. |
idp.authn.oidc.rp.client.enc.key | Resource path | | Resource containing a JWK private key for decryption, typically a file in the credentials directory. For example, for decryption id_tokens or UserInfo tokens. |
idp.authn.oidc.rp.client.sig.key | Resource path | | Resource containing private key for signing, typically a file in the credentials directory. For example, to sign the Request Object (if used) sent to the Authorization Server. |
idp.authn.oidc.rp.provider.discoveryRequired | Boolean | false | Whether to invoke OP-discovery prior to running flow. Defualt is false as there is currently no OP discovery mechanism to use. |
idp.authn.oidc.rp.client.requestobject.supported | Boolean | false | Should the authentication request to the Authorization Server be passed inside a Request Object (by value). |
idp.authn.oidc.rp.client.requestobject.encrypted | Boolean | false | If supported, should the Request Object be encrypted. |
idp.authn.oidc.rp.client.requestobject.signed | Boolean | true | If supported, should the Request Object be signed. Defaults to true otherwise the advantage of using a Request Object is limited to certain caching functions. |
idp.authn.oidc.rp.client.userinfo.enabled | Boolean | true | Should the RP request claims from the UserInfo Endpoint. |
idp.authn.oidc.rp.client.userinfo.requireJWTResponse | Boolean | false | If true, the UserInfo response must use the application/jwt format i.e. be returned as a JWT. |
idp.authn.oidc.rp.client.responseMode | String | query | The mechanism the OP uses to response to an Authentication Request from the Authorization Endpoint. Only supports one-of; ‘query’ or ‘form_post’. |
idp.authn.oidc.rp.client.scopes | String list | openid | Define which scopes to request authorization for. By default ‘openid’ is required and always supplied. A comma separated list of additional scopes can be request e.g. ` profile,email` |
dp.authn.oidc.rp.supportedPrincipals | String list | | Comma-delimited list of protocol-specific Principal strings associated with flow. The flow must support principals requested by the SP. By default, the usual password-centric are used. These can be overridden by this property. Remeber that by default these are not added to the authentication result (see idp.authn.oidc.rp.addDefaultPrincipal), instead taking any AMRs or ACRs mapped from the upstream OP. |
idp.authn.oidc.rp.addDefaultPrincipal | Boolean | false | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow. |
idp.authn.oidc.rp.client.authenticationMethod | String | client_secret_basic | The mechanism by which the client authenticates to the Authorization Server when using the Token endpoint. Supports client_secret_basic and client_secret_post. |
idp.authn.oidc.rp.client.idtoken.tlsServerValidationOnly | Boolean | false | If true and the ID Token was retrieved using TLS with server validation, JWS signature checking will be skipped |
idp.authn.oidc.rp.client.idtoken.jwt.verifier.authnLifetime | Duration | PT60S | The maximum authentication age of the auth_time claim if it is requested by the RP in the id_token. If the max_age parameter was requested, the value of MaxAuthenticationAge in the relying party config is used to verify the authentication time and this property becomes redundent. |