
Janssen Auth Server Configuration Properties#

Property Name Description
accessTokenLifetime The lifetime of the short lived Access Token Details
accessTokenSigningAlgValuesSupported A list of the JWS signing algorithms (alg values) supported by the OP for the access token to encode the Claims in a JWT Details
activeSessionAuthorizationScope Authorization Scope for active session Details
agamaConfiguration Engine Config which offers an alternative way to build authentication flows in Janssen server Details
allowAllValueForRevokeEndpoint Boolean value true allow all value for revoke endpoint Details
allowBlankValuesInDiscoveryResponse Boolean value specifying whether to allow blank values in discovery response Details
allowEndSessionWithUnmatchedSid Default value is false. If true, the sid check will be skipped Details
allowIdTokenWithoutImplicitGrantType Specifies if a token without implicit grant types is allowed Details
allowPostLogoutRedirectWithoutValidation Allows post-logout redirect without validation for the End Session endpoint (the AS still validates it against the clientWhiteList URL pattern property) Details
allowSpontaneousScopes Specifies whether to allow spontaneous scopes Details
authenticationFilters This list details filters for user authentication Details
authenticationFiltersEnabled Boolean value specifying whether to enable user authentication filters Details
authenticationProtectionConfiguration Authentication Brute Force Protection Configuration Details
authorizationCodeLifetime The lifetime of the Authorization Code Details
authorizationEncryptionAlgValuesSupported List of authorization encryption algorithms supported by this OP Details
authorizationEncryptionEncValuesSupported A list of the authorization encryption algorithms supported Details
authorizationEndpoint The authorization endpoint URL Details
authorizationRequestCustomAllowedParameters This list details the allowed custom parameters for authorization requests Details
authorizationSigningAlgValuesSupported List of authorization signing algorithms supported by this OP Details
backchannelAuthenticationEndpoint Backchannel Authentication Endpoint Details
backchannelAuthenticationRequestSigningAlgValuesSupported Backchannel Authentication Request Signing Alg Values Supported Details
backchannelAuthenticationResponseExpiresIn Backchannel Authentication Response Expires In Details
backchannelAuthenticationResponseInterval Backchannel Authentication Response Interval Details
backchannelBindingMessagePattern Backchannel Binding Message Pattern Details
backchannelClientId Backchannel Client Id Details
backchannelDeviceRegistrationEndpoint Backchannel Device Registration Endpoint Details
backchannelLoginHintClaims Backchannel Login Hint Claims Details
backchannelRedirectUri Backchannel Redirect Uri Details
backchannelRequestsProcessorJobChunkSize Each backchannel request processor iteration fetches a chunk of data to be processed Details
backchannelRequestsProcessorJobIntervalSec Specifies the allowable elapsed time in seconds backchannel request processor executes Details
backchannelTokenDeliveryModesSupported Backchannel Token Delivery Modes Supported Details
backchannelUserCodeParameterSupported Backchannel User Code Parameter Supported Details
baseEndpoint The base URL for endpoints Details
blockWebviewAuthorizationEnabled Enable/Disable block authorizations that originate from Webview (Mobile apps). Details
changeSessionIdOnAuthentication Boolean value specifying whether to change session_id on authentication. Default value is true Details
checkSessionIFrame URL for an OP IFrame that supports cross-origin communications for session state information with the RP Client using the HTML5 postMessage API Details
checkUserPresenceOnRefreshToken Check whether the user exists and is active before creating a RefreshToken. Set it to true if the check is needed (default value is false - don't check). Details
cibaEndUserNotificationConfig CIBA End User Notification Config Details
cibaGrantLifeExtraTimeSec Specifies the CIBA Grant life extra time in seconds Details
cibaMaxExpirationTimeAllowedSec Specifies the CIBA token expiration time in seconds Details
claimsLocalesSupported This list details the languages and scripts supported for values in the claims being returned Details
claimsParameterSupported Specifies whether the OP supports use of the claims parameter Details
claimTypesSupported A list of the Claim Types that the OpenID Provider supports Details
cleanServiceBatchChunkSize Clean service chunk size which is used during clean up Details
cleanServiceInterval Time interval for the Clean Service in seconds Details
clientAuthenticationFilters This list details filters for client authentication Details
clientAuthenticationFiltersEnabled Boolean value specifying whether to enable client authentication filters Details
clientBlackList This list specifies which client redirection URIs are black-listed Details
clientInfoEndpoint The Client Info endpoint URL Details
clientRegDefaultToCodeFlowWithRefresh Boolean value specifying whether to add Authorization Code Flow with Refresh grant during client registration Details
clientWhiteList This list specifies which client redirection URIs are white-listed Details
configurationUpdateInterval The interval for configuration update in seconds Details
consentGatheringScriptBackwardCompatibility Boolean value specifying whether to turn on Consent Gathering Script backward compatibility mode. If true AS will pick up script with higher level globally. If false (default) AS will pick up script based on client configuration Details
cookieDomain Sets cookie domain for all cookies created by OP Details
corsConfigurationFilters This list specifies the CORS configuration filters Details
cssLocation The location for CSS files Details
customHeadersWithAuthorizationResponse Choose whether to enable the custom response header parameter to return custom headers with the authorization response Details
dateFormatterPatterns List of key value date formatters, e.g. 'userinfo': 'yyyy-MM-dd', etc. Details
dcrAuthorizationWithClientCredentials Boolean value indicating whether DCR authorization is to be performed using client credentials Details
dcrAuthorizationWithMTLS Boolean value indicating whether DCR authorization is allowed with MTLS Details
dcrForbidExpirationTimeInRequest Boolean value specifying whether to allow setting the client's expiration time in seconds during dynamic registration. Details
dcrSignatureValidationEnabled Boolean value enables DCR signature validation. Default is false Details
dcrSignatureValidationJwks Specifies JWKS for all DCR's validations Details
dcrSignatureValidationJwksUri Specifies JWKS URI for all DCR's validations Details
dcrSignatureValidationSharedSecret Specifies shared secret for Dynamic Client Registration Details
dcrSignatureValidationSoftwareStatementJwksClaim Specifies claim name inside software statement. Value of claim should point to inlined JWKS Details
dcrSignatureValidationSoftwareStatementJwksURIClaim Specifies claim name inside software statement. Value of claim should point to JWKS URI Details
dcrSsaValidationConfigs DCR SSA Validation configurations used to perform validation of SSA or DCR Details
defaultSignatureAlgorithm The default signature algorithm to sign ID Tokens Details
defaultSubjectType The default subject type used for dynamic client registration Details
deviceAuthzAcr Device authz acr Details
deviceAuthzEndpoint URL for the Device Authorization Details
deviceAuthzRequestExpiresIn Expiration time given for device authorization requests Details
deviceAuthzResponseTypeToProcessAuthz Response type used to process device authz requests Details
deviceAuthzTokenPollInterval Default interval returned to the client to process device token requests Details
disableAuthnForMaxAgeZero Boolean value specifying whether to disable authentication when max_age=0 Details
disableJdkLogger Choose whether to disable JDK loggers Details
disablePromptConsent Boolean value specifying whether to disable prompt=consent Details
disablePromptLogin Boolean value specifying whether to disable prompt=login Details
disableU2fEndpoint Choose whether to disable U2F endpoints Details
discoveryAllowedKeys List of configuration response claims allowed to be displayed in discovery endpoint Details
discoveryCacheLifetimeInMinutes Lifetime of discovery cache Details
discoveryDenyKeys List of configuration response claims which must not be displayed in discovery endpoint response Details
displayValuesSupported A list of the display parameter values that the OpenID Provider supports Details
dnName DN of certificate issuer Details
dpopJtiCacheTime Demonstration of Proof-of-Possession (DPoP) cache time Details
dpopNonceCacheTime Demonstration of Proof-of-Possession (DPoP) nonce cache time Details
dpopSigningAlgValuesSupported Demonstration of Proof-of-Possession (DPoP) authorization signing algorithms supported Details
dpopTimeframe Demonstration of Proof-of-Possession (DPoP) timeout Details
dpopUseNonce Demonstration of Proof-of-Possession (DPoP) use nonce Details
dynamicGrantTypeDefault This list details which OAuth 2.0 grant types can be set up with the client registration API Details
dynamicRegistrationAllowedPasswordGrantScopes List of grant scopes for dynamic registration Details
dynamicRegistrationCustomAttributes This list details the custom attributes allowed for dynamic registration Details
dynamicRegistrationCustomObjectClass LDAP custom object class for dynamic registration Details
dynamicRegistrationDefaultCustomAttributes This map provides default custom attributes with values for dynamic registration Details
dynamicRegistrationExpirationTime Expiration time in seconds for clients created with dynamic registration, 0 or -1 means never expire Details
dynamicRegistrationPasswordGrantTypeEnabled Boolean value specifying whether to enable Password Grant Type during Dynamic Registration Details
dynamicRegistrationPersistClientAuthorizations Boolean value specifying whether to persist client authorizations Details
dynamicRegistrationScopesParamEnabled Boolean value specifying whether to enable scopes parameter in dynamic registration Details
enableClientGrantTypeUpdate Choose if client can update Grant Type values Details
enabledOAuthAuditLogging Enable OAuth Audit Logging Details
endSessionEndpoint URL at the OP to which an RP can perform a redirect to request that the end user be logged out at the OP Details
endSessionWithAccessToken Choose whether to accept access tokens to call end_session endpoint Details
errorHandlingMethod A list of possible error handling methods. Possible values: remote (send error back to RP), internal (show error page) Details
errorReasonEnabled Boolean value specifying whether to return detailed reason of the error from AS. Default value is false Details
expirationNotificatorEnabled Boolean value specifying whether expiration notificator is enabled (used to identify expiration for persistence that supports TTL, like Couchbase) Details
expirationNotificatorIntervalInSeconds The expiration notificator interval in seconds Details
expirationNotificatorMapSizeLimit The expiration notificator maximum size limit Details
externalLoggerConfiguration The path to the external log4j2 logging configuration Details
externalUriWhiteList This list specifies which external URIs can be called by AS (if empty any URI can be called) Details
fapiCompatibility Boolean value specifying whether to turn on FAPI compatibility mode. If true, the AS behaves in a stricter mode Details
featureFlags List of enabled feature flags Details
forceIdTokenHintPrecense Boolean value specifying whether to force id_token_hint parameter presence Details
forceOfflineAccessScopeToEnableRefreshToken Boolean value specifying whether to force offline_access scope to enable refresh_token grant type. Default value is true Details
forceSignedRequestObject Boolean value true indicates that signed request object is mandatory Details
frontChannelLogoutSessionSupported Choose whether to support front channel session logout Details
grantTypesAndResponseTypesAutofixEnabled Boolean value specifying whether Grant types and Response types can be auto fixed Details
grantTypesSupported This list details which OAuth 2.0 grant types are supported by this OP Details
httpLoggingEnabled Enable/disable request/response logging filter Details
httpLoggingExcludePaths This list details the base URIs for which the request/response logging filter will not record activity Details
httpLoggingResponseBodyContent Defines if Response body will be logged. Default value is false Details
idGenerationEndpoint ID Generation endpoint URL Details
idTokenEncryptionAlgValuesSupported A list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT Details
idTokenEncryptionEncValuesSupported A list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT Details
idTokenFilterClaimsBasedOnAccessToken Boolean value specifying whether idToken filters claims based on accessToken Details
idTokenLifetime The lifetime of the ID Token Details
idTokenSigningAlgValuesSupported A list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT Details
idTokenTokenBindingCnfValuesSupported Array containing a list of the JWT Confirmation Method member names supported by the OP for Token Binding of ID Tokens. The presence of this parameter indicates that the OpenID Provider supports Token Binding of ID Tokens. If omitted, the default is that the OpenID Provider does not support Token Binding of ID Tokens Details
imgLocation The location for image files Details
includeSidInResponse Boolean value specifying whether to include sessionId in response Details
introspectionAccessTokenMustHaveIntrospectionScope If True, rejects introspection requests if access_token does not have the 'introspection' scope in its authorization header. Compared to 'uma_protection', the 'introspection' scope is not allowed for dynamic registration Details
introspectionAccessTokenMustHaveUmaProtectionScope If True, rejects introspection requests if access_token does not have the uma_protection scope in its authorization header Details
introspectionEndpoint Introspection endpoint URL Details
introspectionResponseScopesBackwardCompatibility Boolean value specifying introspection response backward compatibility mode Details
introspectionScriptBackwardCompatibility Boolean value specifying whether to switch off the client's introspection scripts (true value) and run all scripts that exist on the server. Default value is false Details
introspectionSkipAuthorization Specifies whether authorization is to be skipped for introspection Details
invalidateSessionCookiesAfterAuthorizationFlow Boolean value to specify whether to invalidate session_id and consent_session_id cookies right after successful or unsuccessful authorization Details
issuer URL using the https scheme that OP asserts as Issuer identifier Details
jansId URL for the Inum generator Service Details
jansOpenIdConnectVersion OpenID Connect Version Details
jmsBrokerURISet JMS Broker URI Set Details
jmsPassword JMS Password Details
jmsUserName JMS UserName Details
jsLocation The location for JavaScript files Details
jwksAlgorithmsSupported A list of algorithms that will be used in JWKS endpoint Details
jwksUri URL of the OP's JSON Web Key Set (JWK) document. This contains the signing key(s) the RP uses to validate signatures from the OP Details
keepAuthenticatorAttributesOnAcrChange Boolean value specifying whether to keep authenticator attributes on ACR change Details
keyAlgsAllowedForGeneration List of algorithms allowed to be used for key generation Details
keyRegenerationEnabled Boolean value specifying whether to regenerate keys Details
keyRegenerationInterval The interval for key regeneration in hours Details
keySelectionStrategy Key Selection Strategy : OLDER, NEWER, FIRST Details
keySignWithSameKeyButDiffAlg Specifies whether signing is to be done with the same key but with different algorithms Details
keyStoreFile The Key Store File (JKS) Details
keyStoreSecret The Key Store password Details
legacyIdTokenClaims Choose whether to include claims in ID tokens Details
logClientIdOnClientAuthentication Choose if application should log the Client ID on client authentication Details
logClientNameOnClientAuthentication Choose if application should log the Client Name on client authentication Details
loggingLayout Logging layout used for Jans Authorization Server loggers Details
loggingLevel Specify the logging level of loggers Details
logNotFoundEntityAsError Boolean value specifying whether to log not_found entity exception as error or as trace. Default value is false (trace). Details
metricReporterInterval The interval for metric reporter in seconds Details
metricReporterKeepDataDays The days to keep metric reported data Details
mtlsAuthorizationEndpoint URL for Mutual TLS (mTLS) Client Authentication and Certificate-Bound Access Tokens (MTLS) Endpoint Details
mtlsCheckSessionIFrame URL for Mutual TLS (mTLS) IFrame that supports cross-origin communications for session state information with the RP Client using the HTML5 postMessage API Details
mtlsClientInfoEndpoint URL for Mutual TLS (mTLS) Client Info endpoint Details
mtlsDeviceAuthzEndpoint Mutual TLS (mTLS) device authorization endpoint URL Details
mtlsEndSessionEndpoint URL for Mutual TLS (mTLS) to which an RP can perform a redirect to request that the end user be logged out at the OP Details
mtlsIdGenerationEndpoint Mutual TLS (mTLS) ID generation endpoint URL Details
mtlsIntrospectionEndpoint Mutual TLS (mTLS) introspection endpoint URL Details
mtlsJwksUri URL for Mutual TLS (mTLS) of the OP's JSON Web Key Set (JWK) document Details
mtlsParEndpoint Mutual TLS (mTLS) Pushed Authorization Requests (PAR) endpoint URL Details
mtlsRegistrationEndpoint Mutual TLS (mTLS) registration endpoint URL Details
mtlsTokenEndpoint URL for Mutual TLS (mTLS) Authorization token Endpoint Details
mtlsTokenRevocationEndpoint URL for Mutual TLS (mTLS) Authorization token revocation endpoint Details
mtlsUserInfoEndpoint Mutual TLS (mTLS) user info endpoint URL Details
openIdConfigurationEndpoint URL for the Open ID Connect Configuration Endpoint Details
openIdDiscoveryEndpoint Discovery endpoint URL Details
openidScopeBackwardCompatibility Set to false to only allow token endpoint requests for the openid scope with grant type equal to authorization_code, restrict access to userinfo to scope openid and only return id_token if scope contains openid Details
openidSubAttribute Specifies which LDAP attribute is used for the subject identifier claim Details
opPolicyUri URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP Details
opTosUri URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service Details
pairwiseCalculationKey Key to calculate algorithmic pairwise IDs Details
pairwiseCalculationSalt Salt to calculate algorithmic pairwise IDs Details
pairwiseIdType The pairwise ID type Details
parEndpoint URL for Pushed Authorisation Request (PAR) Endpoint Details
persistIdToken Specifies whether to persist id_token (otherwise saves into cache) Details
persistRefreshToken Specifies whether to persist refresh_token (otherwise saves into cache) Details
personCustomObjectClassList This list details LDAP custom object classes for dynamic person enrollment Details
publicSubjectIdentifierPerClientEnabled Specifies whether public subject identifier is allowed per client Details
redirectUrisRegexEnabled Enable/Disable redirect uris validation using regular expression Details
refreshTokenExtendLifetimeOnRotation Boolean value specifying whether to extend refresh tokens on rotation Details
refreshTokenLifetime The lifetime of the Refresh Token Details
registrationEndpoint Registration endpoint URL Details
rejectEndSessionIfIdTokenExpired Default value is false. If true and id_token is not found in db, the request is rejected Details
rejectJwtWithNoneAlg Boolean value specifying whether to reject JWT requested or validated with algorithm None. Default value is true Details
removeRefreshTokensForClientOnLogout Boolean value specifying whether to remove Refresh Tokens on logout. Default value is true Details
requestObjectEncryptionAlgValuesSupported A list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects Details
requestObjectEncryptionEncValuesSupported A list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects Details
requestObjectSigningAlgValuesSupported A list of the JWS signing algorithms (alg values) supported by the OP for Request Objects Details
requestParameterSupported Boolean value specifying whether the OP supports use of the request parameter Details
requestUriBlockList Block list for requestUri that can come to Authorization Endpoint (e.g. localhost) Details
requestUriHashVerificationEnabled Boolean value specifying whether the OP supports use of the request_uri hash verification Details
requestUriParameterSupported Boolean value specifying whether the OP supports use of the request_uri parameter Details
requirePar Boolean value indicating whether Pushed Authorisation Request (PAR) is required Details
requirePkce Boolean value; if true, checks for Proof Key for Code Exchange (PKCE) Details
requireRequestObjectEncryption Boolean value; if true, encrypts the request object Details
requireRequestUriRegistration Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter Details
responseModesSupported This list details which OAuth 2.0 response modes are supported by this OP Details
responseTypesSupported This list details which OAuth 2.0 response_type values are supported by this OP. Details
returnClientSecretOnRead Boolean value specifying whether a client_secret is returned on client GET or PUT. Set to true by default which means to return secret Details
returnDeviceSecretFromAuthzEndpoint Details
rotateClientRegistrationAccessTokenOnUsage Boolean value specifying whether to rotate client registration access token after each usage Details
rotateDeviceSecret Details
sectorIdentifierCacheLifetimeInMinutes Sector Identifier cache lifetime in minutes Details
serverSessionIdLifetime Dedicated property to control the lifetime of the server-side OP session object in seconds. Overrides sessionIdLifetime. The default value is 0, so the object lifetime equals sessionIdLifetime (which sets both cookie and object expiration). It can be useful if the goal is to keep different values for the client cookie and the server object Details
serviceDocumentation URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider Details
sessionIdLifetime The lifetime of session id in seconds. If 0 or -1 then expiration is not set. session_id cookie expires when browser session ends Details
sessionIdPersistInCache Boolean value specifying whether to persist session_id in cache Details
sessionIdPersistOnPromptNone Boolean value specifying whether to persist session ID on prompt none Details
sessionIdRequestParameterEnabled Boolean value specifying whether to enable session_id HTTP request parameter Details
sessionIdUnauthenticatedUnusedLifetime The lifetime for unused unauthenticated session states Details
sessionIdUnusedLifetime The lifetime for unused session states Details
shareSubjectIdBetweenClientsWithSameSectorId When true, clients with the same Sector ID also share the same Subject ID Details
skipAuthenticationFilterOptionsMethod Force Authentication Filter to process OPTIONS request Details
skipAuthorizationForOpenIdScopeAndPairwiseId Choose whether to skip authorization if a client has an OpenId scope and a pairwise ID Details
skipRefreshTokenDuringRefreshing Boolean value specifying whether to skip refreshing tokens on refreshing Details
softwareStatementValidationClaimName Validation claim name for software statement Details
softwareStatementValidationType Validation type used for software statement Details
spontaneousScopeLifetime The lifetime of spontaneous scope in seconds Details
ssaConfiguration SSA Configuration Details
statAuthorizationScope Scope required for Statistical Authorization Details
staticDecryptionKid Specifies static decryption Kid Details
staticKid Specifies static Kid Details
statTimerIntervalInSeconds Statistical data capture time interval Details
subjectIdentifiersPerClientSupported A list of the subject identifiers supported per client Details
subjectTypesSupported This list details which Subject Identifier types the OP supports. Valid types include pairwise and public. Details
tokenEndpoint The token endpoint URL Details
tokenEndpointAuthMethodsSupported A list of Client Authentication methods supported by this Token Endpoint Details
tokenEndpointAuthSigningAlgValuesSupported A list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods Details
tokenRevocationEndpoint The URL for the access_token or refresh_token revocation endpoint Details
trustedClientEnabled Boolean value specifying whether a client is trusted and no authorization is required Details
trustedSsaIssuers List of trusted SSA issuers with configuration (e.g. automatically granted scopes). Details
uiLocalesSupported This list details the languages and scripts supported for the user interface Details
umaAddScopesAutomatically Add UMA scopes automatically if they are not registered yet Details
umaConfigurationEndpoint UMA Configuration endpoint URL Details
umaGrantAccessIfNoPolicies Specify whether to grant access to resources if there are no policies associated with scopes Details
umaPctLifetime UMA PCT lifetime Details
umaResourceLifetime UMA Resource lifetime Details
umaRestrictResourceToAssociatedClient Restrict access to resource by associated client Details
umaRptAsJwt Issue RPT as JWT or as random string Details
umaRptLifetime UMA RPT lifetime Details
umaTicketLifetime UMA ticket lifetime Details
umaValidateClaimToken Validate claim_token as id_token assuming it is issued by local id Details
updateClientAccessTime Choose if application should update oxLastAccessTime/oxLastLogonTime attributes upon client authentication Details
updateUserLastLogonTime Choose if application should update oxLastLogonTime attribute upon user authentication Details
useHighestLevelScriptIfAcrScriptNotFound Enable/Disable usage of highest level script in case ACR script does not exist Details
useLocalCache Cache in local memory cache attributes, scopes, clients and organization entry with expiration 60 seconds Details
useNestedJwtDuringEncryption Boolean value specifying whether to use nested Jwt during encryption Details
userInfoEncryptionAlgValuesSupported This JSON Array lists which JWS encryption algorithms (alg values) [JWA] can be used for the UserInfo endpoint to encode the claims in a JWT Details
userInfoEncryptionEncValuesSupported This JSON Array lists which JWS encryption algorithms (enc values) [JWA] can be used for the UserInfo endpoint to encode the claims in a JWT Details
userInfoEndpoint The User Info endpoint URL Details
userInfoSigningAlgValuesSupported This JSON Array lists which JWS signing algorithms (alg values) [JWA] can be used for the UserInfo endpoint to encode the claims in a JWT Details
webKeysStorage Web Key Storage Type Details

accessTokenLifetime#

  • Description: The lifetime of the short lived Access Token

  • Required: No

  • Default value: None

accessTokenSigningAlgValuesSupported#

  • Description: A list of the JWS signing algorithms (alg values) supported by the OP for the access token to encode the Claims in a JWT

  • Required: No

  • Default value: None

activeSessionAuthorizationScope#

  • Description: Authorization Scope for active session

  • Required: No

  • Default value: None

agamaConfiguration#

  • Description: Engine Config which offers an alternative way to build authentication flows in Janssen server

  • Required: No

  • Default value: None

allowAllValueForRevokeEndpoint#

  • Description: Boolean value true allow all value for revoke endpoint

  • Required: No

  • Default value: false

allowBlankValuesInDiscoveryResponse#

  • Description: Boolean value specifying whether to allow blank values in discovery response

  • Required: No

  • Default value: false

allowEndSessionWithUnmatchedSid#

  • Description: Default value is false. If true, the sid check will be skipped

  • Required: No

  • Default value: false

allowIdTokenWithoutImplicitGrantType#

  • Description: Specifies if a token without implicit grant types is allowed

  • Required: No

  • Default value: None

allowPostLogoutRedirectWithoutValidation#

  • Description: Allows post-logout redirect without validation for the End Session endpoint (the AS still validates it against the clientWhiteList URL pattern property)

  • Required: No

  • Default value: false

allowSpontaneousScopes#

  • Description: Specifies whether to allow spontaneous scopes

  • Required: No

  • Default value: None

authenticationFilters#

  • Description: This list details filters for user authentication

  • Required: No

  • Default value: None

authenticationFiltersEnabled#

  • Description: Boolean value specifying whether to enable user authentication filters

  • Required: No

  • Default value: None

authenticationProtectionConfiguration#

  • Description: Authentication Brute Force Protection Configuration

  • Required: No

  • Default value: None

authorizationCodeLifetime#

  • Description: The lifetime of the Authorization Code

  • Required: No

  • Default value: None

authorizationEncryptionAlgValuesSupported#

  • Description: List of authorization encryption algorithms supported by this OP

  • Required: No

  • Default value: None

authorizationEncryptionEncValuesSupported#

  • Description: A list of the authorization encryption algorithms supported

  • Required: No

  • Default value: None

authorizationEndpoint#

  • Description: The authorization endpoint URL

  • Required: No

  • Default value: None

authorizationRequestCustomAllowedParameters#

  • Description: This list details the allowed custom parameters for authorization requests

  • Required: No

  • Default value: None

authorizationSigningAlgValuesSupported#

  • Description: List of authorization signing algorithms supported by this OP

  • Required: No

  • Default value: None

backchannelAuthenticationEndpoint#

  • Description: Backchannel Authentication Endpoint

  • Required: No

  • Default value: None

backchannelAuthenticationRequestSigningAlgValuesSupported#

  • Description: Backchannel Authentication Request Signing Alg Values Supported

  • Required: No

  • Default value: None

backchannelAuthenticationResponseExpiresIn#

  • Description: Backchannel Authentication Response Expires In

  • Required: No

  • Default value: None

backchannelAuthenticationResponseInterval#

  • Description: Backchannel Authentication Response Interval

  • Required: No

  • Default value: None

backchannelBindingMessagePattern#

  • Description: Backchannel Binding Message Pattern

  • Required: No

  • Default value: None

backchannelClientId#

  • Description: Backchannel Client Id

  • Required: No

  • Default value: None

backchannelDeviceRegistrationEndpoint#

  • Description: Backchannel Device Registration Endpoint

  • Required: No

  • Default value: None

backchannelLoginHintClaims#

  • Description: Backchannel Login Hint Claims

  • Required: No

  • Default value: None

backchannelRedirectUri#

  • Description: Backchannel Redirect Uri

  • Required: No

  • Default value: None

backchannelRequestsProcessorJobChunkSize#

  • Description: Each backchannel request processor iteration fetches a chunk of data to be processed

  • Required: No

  • Default value: None

backchannelRequestsProcessorJobIntervalSec#

  • Description: Specifies the allowable elapsed time in seconds backchannel request processor executes

  • Required: No

  • Default value: None

backchannelTokenDeliveryModesSupported#

  • Description: Backchannel Token Delivery Modes Supported

  • Required: No

  • Default value: None

backchannelUserCodeParameterSupported#

  • Description: Backchannel User Code Parameter Supported

  • Required: No

  • Default value: None

baseEndpoint#

  • Description: The base URL for endpoints

  • Required: No

  • Default value: None

blockWebviewAuthorizationEnabled#

  • Description: Enable/disable blocking of authorizations that originate from Webview (mobile apps).

  • Required: No

  • Default value: false

changeSessionIdOnAuthentication#

  • Description: Boolean value specifying whether to change session_id on authentication. Default value is true

  • Required: No

  • Default value: true

checkSessionIFrame#

  • Description: URL for an OP IFrame that supports cross-origin communications for session state information with the RP Client using the HTML5 postMessage API

  • Required: No

  • Default value: None

checkUserPresenceOnRefreshToken#

  • Description: Check whether the user exists and is active before creating a RefreshToken. Set it to true if the check is needed (default value is false: don't check).

  • Required: No

  • Default value: false

cibaEndUserNotificationConfig#

  • Description: CIBA End User Notification Config

  • Required: No

  • Default value: None

cibaGrantLifeExtraTimeSec#

  • Description: Specifies the CIBA Grant life extra time in seconds

  • Required: No

  • Default value: None

cibaMaxExpirationTimeAllowedSec#

  • Description: Specifies the CIBA token expiration time in seconds

  • Required: No

  • Default value: None

claimsLocalesSupported#

  • Description: This list details the languages and scripts supported for values in the claims being returned

  • Required: No

  • Default value: None

claimsParameterSupported#

  • Description: Specifies whether the OP supports use of the claims parameter

  • Required: No

  • Default value: None

claimTypesSupported#

  • Description: A list of the Claim Types that the OpenID Provider supports

  • Required: No

  • Default value: None

cleanServiceBatchChunkSize#

  • Description: Clean service chunk size which is used during clean up

  • Required: No

  • Default value: 100

cleanServiceInterval#

  • Description: Time interval for the Clean Service in seconds

  • Required: No

  • Default value: None

clientAuthenticationFilters#

  • Description: This list details filters for client authentication

  • Required: No

  • Default value: None

clientAuthenticationFiltersEnabled#

  • Description: Boolean value specifying whether to enable client authentication filters

  • Required: No

  • Default value: None

clientBlackList#

  • Description: This list specifies which client redirection URIs are black-listed

  • Required: No

  • Default value: None

clientInfoEndpoint#

  • Description: The Client Info endpoint URL

  • Required: No

  • Default value: None

clientRegDefaultToCodeFlowWithRefresh#

  • Description: Boolean value specifying whether to add Authorization Code Flow with Refresh grant during client registration

  • Required: No

  • Default value: None

clientWhiteList#

  • Description: This list specifies which client redirection URIs are white-listed

  • Required: No

  • Default value: None

configurationUpdateInterval#

  • Description: The interval for configuration update in seconds

  • Required: No

  • Default value: None

consentGatheringScriptBackwardCompatibility#

  • Description: Boolean value specifying whether to turn on Consent Gathering Script backward compatibility mode. If true, AS will pick up the script with the higher level globally. If false (default), AS will pick up the script based on client configuration

  • Required: No

  • Default value: false

cookieDomain#

  • Description: Sets cookie domain for all cookies created by OP

  • Required: No

  • Default value: None

corsConfigurationFilters#

  • Description: This list specifies the CORS configuration filters

  • Required: No

  • Default value: None

cssLocation#

  • Description: The location for CSS files

  • Required: No

  • Default value: None

customHeadersWithAuthorizationResponse#

  • Description: Choose whether to enable the custom response header parameter to return custom headers with the authorization response

  • Required: No

  • Default value: None

dateFormatterPatterns#

  • Description: List of key-value date formatters, e.g. userinfo: 'yyyy-MM-dd', etc.

  • Required: No

  • Default value: None

dcrAuthorizationWithClientCredentials#

  • Description: Boolean value indicating if DCR authorization is to be performed using client credentials

  • Required: No

  • Default value: false

dcrAuthorizationWithMTLS#

  • Description: Boolean value indicating if DCR authorization is allowed with MTLS

  • Required: No

  • Default value: false

dcrForbidExpirationTimeInRequest#

  • Description: Boolean value specifying whether to allow setting the client's expiration time in seconds during dynamic registration.

  • Required: No

  • Default value: false

dcrSignatureValidationEnabled#

  • Description: Boolean value enables DCR signature validation. Default is false

  • Required: No

  • Default value: false

dcrSignatureValidationJwks#

  • Description: Specifies JWKS for all DCR's validations

  • Required: No

  • Default value: None

dcrSignatureValidationJwksUri#

  • Description: Specifies JWKS URI for all DCR's validations

  • Required: No

  • Default value: None

dcrSignatureValidationSharedSecret#

  • Description: Specifies shared secret for Dynamic Client Registration

  • Required: No

  • Default value: None

dcrSignatureValidationSoftwareStatementJwksClaim#

  • Description: Specifies claim name inside software statement. Value of claim should point to inlined JWKS

  • Required: No

  • Default value: None

dcrSignatureValidationSoftwareStatementJwksURIClaim#

  • Description: Specifies claim name inside software statement. Value of claim should point to JWKS URI

  • Required: No

  • Default value: None

dcrSsaValidationConfigs#

  • Description: DCR SSA Validation configurations used to perform validation of SSA or DCR

  • Required: No

  • Default value: None

defaultSignatureAlgorithm#

  • Description: The default signature algorithm to sign ID Tokens

  • Required: No

  • Default value: None

defaultSubjectType#

  • Description: The default subject type used for dynamic client registration

  • Required: No

  • Default value: None

deviceAuthzAcr#

  • Description: Device authz acr

  • Required: No

  • Default value: None

deviceAuthzEndpoint#

  • Description: URL for the Device Authorization

  • Required: No

  • Default value: None

deviceAuthzRequestExpiresIn#

  • Description: Expiration time given for device authorization requests

  • Required: No

  • Default value: None

deviceAuthzResponseTypeToProcessAuthz#

  • Description: Response type used to process device authz requests

  • Required: No

  • Default value: None

deviceAuthzTokenPollInterval#

  • Description: Default interval returned to the client to process device token requests

  • Required: No

  • Default value: None

disableAuthnForMaxAgeZero#

  • Description: Boolean value specifying whether to disable authentication when max_age=0

  • Required: No

  • Default value: false

disableJdkLogger#

  • Description: Choose whether to disable JDK loggers

  • Required: No

  • Default value: true

disablePromptConsent#

  • Description: Boolean value specifying whether to disable prompt=consent

  • Required: No

  • Default value: false

disablePromptLogin#

  • Description: Boolean value specifying whether to disable prompt=login

  • Required: No

  • Default value: false

disableU2fEndpoint#

  • Description: Choose whether to disable U2F endpoints

  • Required: No

  • Default value: false

discoveryAllowedKeys#

  • Description: List of configuration response claims allowed to be displayed in the discovery endpoint

  • Required: No

  • Default value: None

discoveryCacheLifetimeInMinutes#

  • Description: Lifetime of discovery cache

  • Required: No

  • Default value: 60

discoveryDenyKeys#

  • Description: List of configuration response claims which must not be displayed in discovery endpoint response

  • Required: No

  • Default value: None

displayValuesSupported#

  • Description: A list of the display parameter values that the OpenID Provider supports

  • Required: No

  • Default value: None

dnName#

  • Description: DN of certificate issuer

  • Required: No

  • Default value: None

dpopJtiCacheTime#

  • Description: Demonstration of Proof-of-Possession (DPoP) cache time

  • Required: No

  • Default value: 3600

dpopNonceCacheTime#

  • Description: Demonstration of Proof-of-Possession (DPoP) nonce cache time

  • Required: No

  • Default value: 3600

dpopSigningAlgValuesSupported#

  • Description: Demonstration of Proof-of-Possession (DPoP) authorization signing algorithms supported

  • Required: No

  • Default value: None

dpopTimeframe#

  • Description: Demonstration of Proof-of-Possession (DPoP) timeout

  • Required: No

  • Default value: 5

dpopUseNonce#

  • Description: Demonstration of Proof-of-Possession (DPoP) use nonce

  • Required: No

  • Default value: false

dynamicGrantTypeDefault#

  • Description: This list details which OAuth 2.0 grant types can be set up with the client registration API

  • Required: No

  • Default value: None

dynamicRegistrationAllowedPasswordGrantScopes#

  • Description: List of grant scopes for dynamic registration

  • Required: No

  • Default value: None

dynamicRegistrationCustomAttributes#

  • Description: This list details the custom attributes allowed for dynamic registration

  • Required: No

  • Default value: None

dynamicRegistrationCustomObjectClass#

  • Description: LDAP custom object class for dynamic registration

  • Required: No

  • Default value: None

dynamicRegistrationDefaultCustomAttributes#

  • Description: This map provides default custom attributes with values for dynamic registration

  • Required: No

  • Default value: None

dynamicRegistrationExpirationTime#

  • Description: Expiration time in seconds for clients created with dynamic registration, 0 or -1 means never expire

  • Required: No

  • Default value: -1

dynamicRegistrationPasswordGrantTypeEnabled#

  • Description: Boolean value specifying whether to enable Password Grant Type during Dynamic Registration

  • Required: No

  • Default value: false

dynamicRegistrationPersistClientAuthorizations#

  • Description: Boolean value specifying whether to persist client authorizations

  • Required: No

  • Default value: None

dynamicRegistrationScopesParamEnabled#

  • Description: Boolean value specifying whether to enable scopes parameter in dynamic registration

  • Required: No

  • Default value: None

enableClientGrantTypeUpdate#

  • Description: Choose if client can update Grant Type values

  • Required: No

  • Default value: None

enabledOAuthAuditLogging#

  • Description: Enable OAuth Audit Logging

  • Required: No

  • Default value: None

endSessionEndpoint#

  • Description: URL at the OP to which an RP can perform a redirect to request that the end user be logged out at the OP

  • Required: No

  • Default value: None

endSessionWithAccessToken#

  • Description: Choose whether to accept access tokens to call end_session endpoint

  • Required: No

  • Default value: None

errorHandlingMethod#

  • Description: A list of possible error handling methods. Possible values: remote (send error back to RP), internal (show error page)

  • Required: No

  • Default value: remote

errorReasonEnabled#

  • Description: Boolean value specifying whether to return detailed reason of the error from AS. Default value is false

  • Required: No

  • Default value: false

expirationNotificatorEnabled#

  • Description: Boolean value specifying whether expiration notificator is enabled (used to identify expiration for persistence that support TTL, like Couchbase)

  • Required: No

  • Default value: false

expirationNotificatorIntervalInSeconds#

  • Description: The expiration notificator interval in seconds

  • Required: No

  • Default value: None

expirationNotificatorMapSizeLimit#

  • Description: The expiration notificator maximum size limit

  • Required: No

  • Default value: None

externalLoggerConfiguration#

  • Description: The path to the external log4j2 logging configuration

  • Required: No

  • Default value: None

externalUriWhiteList#

  • Description: This list specifies which external URIs can be called by AS (if empty any URI can be called)

  • Required: No

  • Default value: None

fapiCompatibility#

  • Description: Boolean value specifying whether to turn on FAPI compatibility mode. If true AS behaves in more strict mode

  • Required: No

  • Default value: false

featureFlags#

  • Description: List of enabled feature flags

  • Required: No

  • Default value: None

forceIdTokenHintPrecense#

  • Description: Boolean value specifying whether to force id_token_hint parameter presence

  • Required: No

  • Default value: false

forceOfflineAccessScopeToEnableRefreshToken#

  • Description: Boolean value specifying whether to force offline_access scope to enable refresh_token grant type. Default value is true

  • Required: No

  • Default value: true

forceSignedRequestObject#

  • Description: Boolean value true indicates that signed request object is mandatory

  • Required: No

  • Default value: false

frontChannelLogoutSessionSupported#

  • Description: Choose whether to support front channel session logout

  • Required: No

  • Default value: None

grantTypesAndResponseTypesAutofixEnabled#

  • Description: Boolean value specifying whether Grant types and Response types can be auto fixed

  • Required: No

  • Default value: None

grantTypesSupported#

  • Description: This list details which OAuth 2.0 grant types are supported by this OP

  • Required: No

  • Default value: None

httpLoggingEnabled#

  • Description: Enable/disable request/response logging filter

  • Required: No

  • Default value: None

httpLoggingExcludePaths#

  • Description: This list details the base URIs for which the request/response logging filter will not record activity

  • Required: No

  • Default value: None

httpLoggingResponseBodyContent#

  • Description: Defines if Response body will be logged. Default value is false

  • Required: No

  • Default value: false

idGenerationEndpoint#

  • Description: ID Generation endpoint URL

  • Required: No

  • Default value: None

idTokenEncryptionAlgValuesSupported#

  • Description: A list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT

  • Required: No

  • Default value: None

idTokenEncryptionEncValuesSupported#

  • Description: A list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT

  • Required: No

  • Default value: None

idTokenFilterClaimsBasedOnAccessToken#

  • Description: Boolean value specifying whether idToken filters claims based on accessToken

  • Required: No

  • Default value: None

idTokenLifetime#

  • Description: The lifetime of the ID Token

  • Required: No

  • Default value: None

idTokenSigningAlgValuesSupported#

  • Description: A list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT

  • Required: No

  • Default value: None

idTokenTokenBindingCnfValuesSupported#

  • Description: Array containing a list of the JWT Confirmation Method member names supported by the OP for Token Binding of ID Tokens. The presence of this parameter indicates that the OpenID Provider supports Token Binding of ID Tokens. If omitted, the default is that the OpenID Provider does not support Token Binding of ID Tokens

  • Required: No

  • Default value: None

imgLocation#

  • Description: The location for image files

  • Required: No

  • Default value: None

includeSidInResponse#

  • Description: Boolean value specifying whether to include sessionId in response

  • Required: No

  • Default value: false

introspectionAccessTokenMustHaveIntrospectionScope#

  • Description: If True, rejects introspection requests if access_token does not have the 'introspection' scope in its authorization header. Compared to 'uma_protection', the 'introspection' scope is not allowed for dynamic registration

  • Required: No

  • Default value: false

introspectionAccessTokenMustHaveUmaProtectionScope#

  • Description: If True, rejects introspection requests if access_token does not have the uma_protection scope in its authorization header

  • Required: No

  • Default value: false

introspectionEndpoint#

  • Description: Introspection endpoint URL

  • Required: No

  • Default value: None

introspectionResponseScopesBackwardCompatibility#

  • Description: Boolean value specifying introspection response backward compatibility mode

  • Required: No

  • Default value: false

introspectionScriptBackwardCompatibility#

  • Description: Boolean value specifying whether to switch off client's introspection scripts (true value) and run all scripts that exist on the server. Default value is false

  • Required: No

  • Default value: false

introspectionSkipAuthorization#

  • Description: Specifies if authorization is to be skipped for introspection

  • Required: No

  • Default value: None

invalidateSessionCookiesAfterAuthorizationFlow#

  • Description: Boolean value to specify whether to invalidate session_id and consent_session_id cookies right after successful or unsuccessful authorization

  • Required: No

  • Default value: false

issuer#

  • Description: URL using the https scheme that OP asserts as Issuer identifier

  • Required: No

  • Default value: None

jansId#

  • Description: URL for the Inum generator Service

  • Required: No

  • Default value: None

jansOpenIdConnectVersion#

  • Description: OpenID Connect Version

  • Required: No

  • Default value: None

jmsBrokerURISet#

  • Description: JMS Broker URI Set

  • Required: No

  • Default value: None

jmsPassword#

  • Description: JMS Password

  • Required: No

  • Default value: None

jmsUserName#

  • Description: JMS UserName

  • Required: No

  • Default value: None

jsLocation#

  • Description: The location for JavaScript files

  • Required: No

  • Default value: None

jwksAlgorithmsSupported#

  • Description: A list of algorithms that will be used in JWKS endpoint

  • Required: No

  • Default value: None

jwksUri#

  • Description: URL of the OP's JSON Web Key Set (JWK) document. This contains the signing key(s) the RP uses to validate signatures from the OP

  • Required: No

  • Default value: None

keepAuthenticatorAttributesOnAcrChange#

  • Description: Boolean value specifying whether to keep authenticator attributes on ACR change

  • Required: No

  • Default value: false

keyAlgsAllowedForGeneration#

  • Description: List of algorithms allowed to be used for key generation

  • Required: No

  • Default value: None

keyRegenerationEnabled#

  • Description: Boolean value specifying whether to regenerate keys

  • Required: No

  • Default value: None

keyRegenerationInterval#

  • Description: The interval for key regeneration in hours

  • Required: No

  • Default value: None

keySelectionStrategy#

  • Description: Key Selection Strategy : OLDER, NEWER, FIRST

  • Required: No

  • Default value: OLDER

keySignWithSameKeyButDiffAlg#

  • Description: Specifies whether signing is to be done with the same key but with different algorithms applied

  • Required: No

  • Default value: None

keyStoreFile#

  • Description: The Key Store File (JKS)

  • Required: No

  • Default value: None

keyStoreSecret#

  • Description: The Key Store password

  • Required: No

  • Default value: None

legacyIdTokenClaims#

  • Description: Choose whether to include claims in ID tokens

  • Required: No

  • Default value: None

logClientIdOnClientAuthentication#

  • Description: Choose if application should log the Client ID on client authentication

  • Required: No

  • Default value: None

logClientNameOnClientAuthentication#

  • Description: Choose if application should log the Client Name on client authentication

  • Required: No

  • Default value: None

loggingLayout#

  • Description: Logging layout used for Jans Authorization Server loggers

  • Required: No

  • Default value: None

loggingLevel#

  • Description: Specify the logging level of loggers

  • Required: No

  • Default value: None

logNotFoundEntityAsError#

  • Description: Boolean value specifying whether to log not_found entity exception as error or as trace. Default value is false (trace).

  • Required: No

  • Default value: None

metricReporterInterval#

  • Description: The interval for metric reporter in seconds

  • Required: No

  • Default value: None

metricReporterKeepDataDays#

  • Description: The days to keep metric reported data

  • Required: No

  • Default value: None

mtlsAuthorizationEndpoint#

  • Description: URL for Mutual TLS (mTLS) Client Authentication and Certificate-Bound Access Tokens (MTLS) Endpoint

  • Required: No

  • Default value: None

mtlsCheckSessionIFrame#

  • Description: URL for Mutual TLS (mTLS) IFrame that supports cross-origin communications for session state information with the RP Client using the HTML5 postMessage API

  • Required: No

  • Default value: None

mtlsClientInfoEndpoint#

  • Description: URL for Mutual TLS (mTLS) Client Info endpoint

  • Required: No

  • Default value: None

mtlsDeviceAuthzEndpoint#

  • Description: Mutual TLS (mTLS) device authorization endpoint URL

  • Required: No

  • Default value: None

mtlsEndSessionEndpoint#

  • Description: URL for Mutual TLS (mTLS) to which an RP can perform a redirect to request that the end user be logged out at the OP

  • Required: No

  • Default value: None

mtlsIdGenerationEndpoint#

  • Description: Mutual TLS (mTLS) ID generation endpoint URL

  • Required: No

  • Default value: None

mtlsIntrospectionEndpoint#

  • Description: Mutual TLS (mTLS) introspection endpoint URL

  • Required: No

  • Default value: None

mtlsJwksUri#

  • Description: URL for Mutual TLS (mTLS) of the OP's JSON Web Key Set (JWK) document

  • Required: No

  • Default value: None

mtlsParEndpoint#

  • Description: Mutual TLS (mTLS) Pushed Authorization Requests (PAR) endpoint URL

  • Required: No

  • Default value: None

mtlsRegistrationEndpoint#

  • Description: Mutual TLS (mTLS) registration endpoint URL

  • Required: No

  • Default value: None

mtlsTokenEndpoint#

  • Description: URL for Mutual TLS (mTLS) Authorization token Endpoint

  • Required: No

  • Default value: None

mtlsTokenRevocationEndpoint#

  • Description: URL for Mutual TLS (mTLS) Authorization token revocation endpoint

  • Required: No

  • Default value: None

mtlsUserInfoEndpoint#

  • Description: Mutual TLS (mTLS) user info endpoint URL

  • Required: No

  • Default value: None

openIdConfigurationEndpoint#

  • Description: URL for the OpenID Connect Configuration Endpoint

  • Required: No

  • Default value: None

openIdDiscoveryEndpoint#

  • Description: Discovery endpoint URL

  • Required: No

  • Default value: None

openidScopeBackwardCompatibility#

  • Description: Set to false to only allow token endpoint request for openid scope with grant type equals to authorization_code, restrict access to userinfo to scope openid and only return id_token if scope contains openid

  • Required: No

  • Default value: false

openidSubAttribute#

  • Description: Specifies which LDAP attribute is used for the subject identifier claim

  • Required: No

  • Default value: None

opPolicyUri#

  • Description: URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP

  • Required: No

  • Default value: None

opTosUri#

  • Description: URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service

  • Required: No

  • Default value: None

pairwiseCalculationKey#

  • Description: Key to calculate algorithmic pairwise IDs

  • Required: No

  • Default value: None

pairwiseCalculationSalt#

  • Description: Salt to calculate algorithmic pairwise IDs

  • Required: No

  • Default value: None

pairwiseIdType#

  • Description: The pairwise ID type

  • Required: No

  • Default value: None

parEndpoint#

  • Description: URL for Pushed Authorisation Request (PAR) Endpoint

  • Required: No

  • Default value: None

persistIdToken#

  • Description: Specifies whether to persist id_token (otherwise saves into cache)

  • Required: No

  • Default value: false

persistRefreshToken#

  • Description: Specifies whether to persist refresh_token (otherwise saves into cache)

  • Required: No

  • Default value: true

personCustomObjectClassList#

  • Description: This list details LDAP custom object classes for dynamic person enrollment

  • Required: No

  • Default value: None

publicSubjectIdentifierPerClientEnabled#

  • Description: Specifies whether public subject identifier is allowed per client

  • Required: No

  • Default value: false

redirectUrisRegexEnabled#

  • Description: Enable/Disable redirect uris validation using regular expression

  • Required: No

  • Default value: false

refreshTokenExtendLifetimeOnRotation#

  • Description: Boolean value specifying whether to extend refresh tokens on rotation

  • Required: No

  • Default value: false

refreshTokenLifetime#

  • Description: The lifetime of the Refresh Token

  • Required: No

  • Default value: None

registrationEndpoint#

  • Description: Registration endpoint URL

  • Required: No

  • Default value: None

rejectEndSessionIfIdTokenExpired#

  • Description: Default value is false. If true and the id_token is not found in the db, the request is rejected

  • Required: No

  • Default value: false

rejectJwtWithNoneAlg#

  • Description: Boolean value specifying whether to reject a JWT requested or validated with algorithm None. Default value is true

  • Required: No

  • Default value: true

removeRefreshTokensForClientOnLogout#

  • Description: Boolean value specifying whether to remove Refresh Tokens on logout. Default value is true

  • Required: No

  • Default value: true

requestObjectEncryptionAlgValuesSupported#

  • Description: A list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects

  • Required: No

  • Default value: None

requestObjectEncryptionEncValuesSupported#

  • Description: A list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects

  • Required: No

  • Default value: None

requestObjectSigningAlgValuesSupported#

  • Description: A list of the JWS signing algorithms (alg values) supported by the OP for Request Objects

  • Required: No

  • Default value: None

requestParameterSupported#

  • Description: Boolean value specifying whether the OP supports use of the request parameter

  • Required: No

  • Default value: None

requestUriBlockList#

  • Description: Block list for requestUri that can come to Authorization Endpoint (e.g. localhost)

  • Required: No

  • Default value: None

requestUriHashVerificationEnabled#

  • Description: Boolean value specifying whether the OP supports use of the request_uri hash verification

  • Required: No

  • Default value: None

requestUriParameterSupported#

  • Description: Boolean value specifying whether the OP supports use of the request_uri parameter

  • Required: No

  • Default value: None

requirePar#

  • Description: Boolean value indicating whether Pushed Authorisation Request (PAR) is required

  • Required: No

  • Default value: false

requirePkce#

  • Description: Boolean value; if true, checks for Proof Key for Code Exchange (PKCE)

  • Required: No

  • Default value: false

requireRequestObjectEncryption#

  • Description: Boolean value true encrypts request object

  • Required: No

  • Default value: false

requireRequestUriRegistration#

  • Description: Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter

  • Required: No

  • Default value: None

responseModesSupported#

  • Description: This list details which OAuth 2.0 response modes are supported by this OP

  • Required: No

  • Default value: None

responseTypesSupported#

  • Description: This list details which OAuth 2.0 response_type values are supported by this OP.

  • Required: No

  • Default value: By default, every combination of code, token and id_token is supported.

returnClientSecretOnRead#

  • Description: Boolean value specifying whether a client_secret is returned on client GET or PUT. Set to true by default which means to return secret

  • Required: No

  • Default value: false

returnDeviceSecretFromAuthzEndpoint#

  • Description:

  • Required: No

  • Default value: false

rotateClientRegistrationAccessTokenOnUsage#

  • Description: Boolean value specifying whether to rotate client registration access token after each usage

  • Required: No

  • Default value: false

rotateDeviceSecret#

  • Description:

  • Required: No

  • Default value: false

sectorIdentifierCacheLifetimeInMinutes#

  • Description: Sector Identifier cache lifetime in minutes

  • Required: No

  • Default value: 1440

serverSessionIdLifetime#

  • Description: Dedicated property to control the lifetime of the server-side OP session object in seconds. Overrides sessionIdLifetime. By default the value is 0, so the object lifetime equals sessionIdLifetime (which sets both cookie and object expiration). It can be useful if the goal is to keep different values for the client cookie and the server object

  • Required: No

  • Default value: None

serviceDocumentation#

  • Description: URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider

  • Required: No

  • Default value: None

sessionIdLifetime#

  • Description: The lifetime of session id in seconds. If 0 or -1 then expiration is not set. session_id cookie expires when browser session ends

  • Required: No

  • Default value: None

sessionIdPersistInCache#

  • Description: Boolean value specifying whether to persist session_id in cache

  • Required: No

  • Default value: false

sessionIdPersistOnPromptNone#

  • Description: Boolean value specifying whether to persist session ID on prompt none

  • Required: No

  • Default value: None

sessionIdRequestParameterEnabled#

  • Description: Boolean value specifying whether to enable session_id HTTP request parameter

  • Required: No

  • Default value: false

sessionIdUnauthenticatedUnusedLifetime#

  • Description: The lifetime for unused unauthenticated session states

  • Required: No

  • Default value: None

sessionIdUnusedLifetime#

  • Description: The lifetime for unused session states

  • Required: No

  • Default value: None

shareSubjectIdBetweenClientsWithSameSectorId#

  • Description: When true, clients with the same Sector ID also share the same Subject ID

  • Required: No

  • Default value: false

skipAuthenticationFilterOptionsMethod#

  • Description: Force Authentication Filter to process OPTIONS request

  • Required: No

  • Default value: true

skipAuthorizationForOpenIdScopeAndPairwiseId#

  • Description: Choose whether to skip authorization if a client has an OpenId scope and a pairwise ID

  • Required: No

  • Default value: false

skipRefreshTokenDuringRefreshing#

  • Description: Boolean value specifying whether to skip refreshing tokens on refreshing

  • Required: No

  • Default value: false

softwareStatementValidationClaimName#

  • Description: Validation claim name for software statement

  • Required: No

  • Default value: None

softwareStatementValidationType#

  • Description: Validation type used for software statement

  • Required: No

  • Default value: None

spontaneousScopeLifetime#

  • Description: The lifetime of spontaneous scope in seconds

  • Required: No

  • Default value: None

ssaConfiguration#

  • Description: SSA Configuration

  • Required: No

  • Default value: None

statAuthorizationScope#

  • Description: Scope required for Statistical Authorization

  • Required: No

  • Default value: None

staticDecryptionKid#

  • Description: Specifies static decryption Kid

  • Required: No

  • Default value: None

staticKid#

  • Description: Specifies static Kid

  • Required: No

  • Default value: None

statTimerIntervalInSeconds#

  • Description: Statistical data capture time interval

  • Required: No

  • Default value: None

subjectIdentifiersPerClientSupported#

  • Description: A list of the subject identifiers supported per client

  • Required: No

  • Default value: None

subjectTypesSupported#

  • Description: This list details which Subject Identifier types the OP supports. Valid types include pairwise and public.

  • Required: No

  • Default value: None

tokenEndpoint#

  • Description: The token endpoint URL

  • Required: No

  • Default value: None

tokenEndpointAuthMethodsSupported#

  • Description: A list of Client Authentication methods supported by this Token Endpoint

  • Required: No

  • Default value: None

tokenEndpointAuthSigningAlgValuesSupported#

  • Description: A list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods

  • Required: No

  • Default value: None

tokenRevocationEndpoint#

  • Description: The URL for the access_token or refresh_token revocation endpoint

  • Required: No

  • Default value: None

trustedClientEnabled#

  • Description: Boolean value specifying whether a client is trusted and no authorization is required

  • Required: No

  • Default value: None

trustedSsaIssuers#

  • Description: List of trusted SSA issuers with configuration (e.g. automatically granted scopes).

  • Required: No

  • Default value: None

uiLocalesSupported#

  • Description: This list details the languages and scripts supported for the user interface

  • Required: No

  • Default value: None

umaAddScopesAutomatically#

  • Description: Add UMA scopes automatically if they are not registered yet

  • Required: No

  • Default value: None

umaConfigurationEndpoint#

  • Description: UMA Configuration endpoint URL

  • Required: No

  • Default value: None

umaGrantAccessIfNoPolicies#

  • Description: Specify whether to grant access to resources if there are no policies associated with scopes

  • Required: No

  • Default value: false

umaPctLifetime#

  • Description: UMA PCT lifetime

  • Required: No

  • Default value: None

umaResourceLifetime#

  • Description: UMA Resource lifetime

  • Required: No

  • Default value: None

umaRestrictResourceToAssociatedClient#

  • Description: Restrict access to resource by associated client

  • Required: No

  • Default value: false

umaRptAsJwt#

  • Description: Issue RPT as JWT or as random string

  • Required: No

  • Default value: false

umaRptLifetime#

  • Description: UMA RPT lifetime

  • Required: No

  • Default value: None

umaTicketLifetime#

  • Description: UMA ticket lifetime

  • Required: No

  • Default value: None

umaValidateClaimToken#

  • Description: Validate claim_token as id_token assuming it is issued by local id

  • Required: No

  • Default value: false

updateClientAccessTime#

  • Description: Choose if application should update oxLastAccessTime/oxLastLogonTime attributes upon client authentication

  • Required: No

  • Default value: None

updateUserLastLogonTime#

  • Description: Choose if application should update oxLastLogonTime attribute upon user authentication

  • Required: No

  • Default value: None

useHighestLevelScriptIfAcrScriptNotFound#

  • Description: Enable/Disable usage of highest level script in case ACR script does not exist

  • Required: No

  • Default value: false

useLocalCache#

  • Description: Cache attributes, scopes, clients and the organization entry in local memory with an expiration of 60 seconds

  • Required: No

  • Default value: false

useNestedJwtDuringEncryption#

  • Description: Boolean value specifying whether to use nested Jwt during encryption

  • Required: No

  • Default value: true

userInfoEncryptionAlgValuesSupported#

  • Description: This JSON Array lists which JWS encryption algorithms (alg values) [JWA] can be used by the UserInfo endpoint to encode the claims in a JWT

  • Required: No

  • Default value: None

userInfoEncryptionEncValuesSupported#

  • Description: This JSON Array lists which JWS encryption algorithms (enc values) [JWA] can be used by the UserInfo endpoint to encode the claims in a JWT

  • Required: No

  • Default value: None

userInfoEndpoint#

  • Description: The User Info endpoint URL

  • Required: No

  • Default value: None

userInfoSigningAlgValuesSupported#

  • Description: This JSON Array lists which JWS signing algorithms (alg values) [JWA] can be used by the UserInfo endpoint to encode the claims in a JWT

  • Required: No

  • Default value: None

webKeysStorage#

  • Description: Web Key Storage Type

  • Required: No

  • Default value: None


Last update: 2024-01-30
Created: 2022-07-21