OpenID Connect Client (openidConnectClient)

OpenID Connect Client (openidConnectClient)

OpenID Connect client.

Name Type Default Description

accessTokenCacheEnabled boolean true Specifies whether authenticated subjects created using a propagated access tokens are cached.

accessTokenCacheTimeout A period of time with millisecond precision 5m Specifies how long an authenticated subject created using a propagated access token is cached. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

accessTokenInLtpaCookie boolean false Specifies whether the LTPA token includes the access token.

allowCustomCacheKey boolean true Specifies whether a custom cache key is used to store users in an authentication cache. If true and the cache key for a user is not found in the authentication cache, the user will be required to log in again. Set this property to false when we use the jwtSso feature to allow the security subject to be constructed directly from the jwtSso cookie. Set this property to false when we do not use the jwtSso feature to allow the security subject to be constructed directly from the user registry. If the security subject is reconstructed from the user registry, there will be no SSO components in the subject. If the LTPA cookie is used by more than one server, consider setting this property to false. If the application always requires the SSO components to be present in the subject, we must either set this property to true or use the jwtSso feature.

audiences string Specifies a comma-separated list of trusted audiences that is verified against the aud claim in the JSON Web Token.

authFilterRef Top level authFilter element (string). Authentication filter reference.

authenticationTimeLimit A period of time with millisecond precision 420s Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnSessionDisabled boolean true An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request.

authorizationEndpointUrl string Specifies an Authorization endpoint URL.

clientId string Identity of the client.

clientSecret Reversably encoded password (string) Secret key of the client.

clockSkew A period of time with millisecond precision 300s Allowed clock skew in seconds when you validate the JSON Web Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

createSession boolean true Specifies whether to create an HttpSession if the current HttpSession does not exist.

disableIssChecking boolean false Require the issuer claim to be absent when the OpenID Connect client validates a JWT access token for inbound propagation or when it performs token introspection for inbound propagation.

disableLtpaCookie boolean false Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead.

discoveryEndpointUrl string Specifies a discovery endpoint URL for an OpenID Connect provider.

discoveryPollingRate A period of time with millisecond precision 300s Duration rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The checking is done only if there is an authentication failure. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

forwardLoginParameter string Specifies a comma-separated list of parameter names to forward to the OpenID Connect provider. If a protected resource request includes one or more of the specified parameters, the OpenID Connect client will include those parameters and their values in the authorization endpoint request to the OpenID Connect provider.

grantType

authorization_code
implicit

authorization_code Specifies the grant type to use for this client. Use of the responseType attribute is preferred instead.
authorization_code
Authorization code grant type
implicit
Implicit grant type

groupIdentifier string groupIds Specifies a JSON attribute in the ID token used as the name of the group that the authenticated principal is a member of.

headerName string The name of the header which carries the inbound token in the request.

hostNameVerificationEnabled boolean true Specifies whether to enable host name verification.

httpsRequired boolean true Require SSL communication between the OpenID relying party and provider service.

id string A unique configuration ID.

inboundPropagation

none
required
supported

none Controls the operation of the token inbound propagation of the OpenID relying party.
none
Do not support inbound token propagation
required
Require inbound token propagation
supported
Support inbound token propagation

includeIdTokenInSubject boolean true Specifies whether to include ID token in the client subject.

initialStateCacheCapacity int
Min: 0 3000 Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself.

isClientSideRedirectSupported boolean true Set this property to false if we do not want to use JavaScript to redirect to the OpenID Connect Provider for the initial authentication request. If JavaScript is not used, any URI fragments that are present in the original inbound request are lost.

issuerIdentifier string A case-sensitive URL using the HTTPS scheme containing scheme, host and optionally port number and path components. Specify multiple values as a comma separated list.

jwkClientId string Specifies the client identifier to include in the basic authentication scheme of the JWK request.

jwkClientSecret Reversably encoded password (string) Specifies the client password to include in the basic authentication scheme of the JWK request.

jwkEndpointUrl string Specifies a JWK endpoint URL.

jwtAccessTokenRemoteValidation

allow
none
require

none Specifies whether a JWT access token that is received for inbound propagation is validated locally by the OpenID Connect client or using the validation method configured by the OpenID Connect client.
allow
A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is validated using the validation method configured by the OpenID Connect client.
none
A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is not validated using the validation method configured by the OpenID Connect client.
require
A JWT access token that is received for inbound propagation is validated using the validation method configured by the OpenID Connect client. The access token is not parsed or validated locally by the OpenID Connect client.

keyAliasName string The alias for the private key used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore specified by the trustStoreRef attribute, the truststore specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore specified by the SSL configuration that is referenced by the sslRef attribute.

keyManagementKeyAlias string Private key alias of the key management key used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token.

mapIdentityToRegistryUser boolean false Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject.

nonceEnabled boolean false Enable the nonce parameter in the authorization code flow.

pkceCodeChallengeMethod

S256
disabled
plain

disabled Specifies the challenge method to use for Proof Key for Code Exchange (PKCE). When PKCE is enabled, session affinity is required because a local cache is used.

reAuthnCushion A period of time with millisecond precision 0s The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAccessTokenExpire boolean true Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true.

realmIdentifier string realmName Specifies a JSON attribute in the ID token used as the realm name.

realmName string Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false.

redirectJunctionPath string Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string.

redirectToRPHostAndPort string After authorization, the relying party will be redirected to this destination, instead of the default. The default is the origin of the relying party request.

resource string Resource parameter is included in the request.

responseType

code
id_token
id_token token
token

Specifies the response requested from the provider, either an authorization code or implicit flow tokens.
code
Authorization code
id_token
ID token
id_token token
ID token and access token
token
Access token

scope string (with whitespace trimmed off) openid profile OpenID Connect scope (as detailed in the OpenID Connect specification) allowed for the provider.

signatureAlgorithm

ES256
ES384
ES512
HS256
HS384
HS512
RS256
RS384
RS512
none

HS256 Signature algorithm that will be used to verify the signature of the ID token.
ES256
Use the ES256 signature algorithm to sign and verify tokens
ES384
Use the ES384 signature algorithm to sign and verify tokens
ES512
Use the ES512 signature algorithm to sign and verify tokens
HS256
Use the HS256 signature algorithm to sign and verify tokens
HS384
Use the HS384 signature algorithm to sign and verify tokens
HS512
Use the HS512 signature algorithm to sign and verify tokens
RS256
Use the RS256 signature algorithm to sign and verify tokens
RS384
Use the RS384 signature algorithm to sign and verify tokens
RS512
Use the RS512 signature algorithm to sign and verify tokens
none
Tokens are not required to be signed

sslRef Top level ssl element (string). Specifies an ID of the SSL configuration used to connect to the OpenID Connect provider.

tokenEndpointAuthMethod

basic
post
private_key_jwt

post The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client.
basic
Use the HTTP Basic authentication scheme to authenticate the client with the token endpoint of the OpenID Connect provider.
post
Include the client credentials in the request body to authenticate the client with the token endpoint of the OpenID Connect provider.
private_key_jwt
Private key JWT client authentication.

tokenEndpointAuthSigningAlgorithm

ES256
ES384
ES512
RS256
RS384
RS512

RS256 The signature algorithm to use to sign tokens used for client authentication.
ES256
Use the ES256 signature algorithm to sign tokens used for client authentication
ES384
Use the ES384 signature algorithm to sign tokens used for client authentication
ES512
Use the ES512 signature algorithm to sign tokens used for client authentication
RS256
Use the RS256 signature algorithm to sign tokens used for client authentication
RS384
Use the RS384 signature algorithm to sign tokens used for client authentication
RS512
Use the RS512 signature algorithm to sign tokens used for client authentication

tokenEndpointUrl string Specifies a token endpoint URL.

tokenOrderToFetchCallerClaims

AccessToken IDToken UserInfo
IDToken

IDToken Specifies token order to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client continues the search with other tokens in the list.
AccessToken IDToken UserInfo
Uses the AccessToken, IDToken, and Userinfo tokens in that order to determine the caller claims
IDToken
Uses only the IDToken to determine the caller claims

tokenRequestOriginHeader string Specifies the value to use in the Origin HTTP header included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.

tokenReuse boolean false Specifies whether JSON Web Tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.

trustAliasName string Key alias name to locate public key for signature validation with asymmetric algorithm.

trustStoreRef Top level keyStore element (string). A keystore containing the public key necessary for verifying the signature of the ID token.

uniqueUserIdentifier string uniqueSecurityName Specifies a JSON attribute in the ID token used as the unique user name as it applies to the WSCredential in the subject.

useSystemPropertiesForHttpClientConnections boolean false Specifies whether to use Java system properties when the OpenID Connect client creates HTTP client connections. Set this property to true if we want the connections to use the http* or javax* system properties.

userIdentifier string Specifies a JSON attribute in the ID token used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used.

userIdentityToCreateSubject string sub Specifies a JSON attribute in the ID token used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. The value for this property is overridden by the value for userIdentifier, if specified.

userInfoEndpointEnabled boolean false Specifies whether the User info endpoint is contacted.

userInfoEndpointUrl string Specifies a User Info endpoint URL

validationEndpointUrl string The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod.

validationMethod

introspect
userinfo

introspect The method of validation on the token inbound propagation.
introspect
Validate inbound tokens using token introspection
userinfo
Validate inbound tokens using the userinfo endpoint

authFilter
Authentication filter reference.

authFilter > cookie
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Name.

authFilter > host
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Name.

authFilter > remoteAddress
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

ip string Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains Match type.

authFilter > requestHeader
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Name.

value string The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

urlPattern string
Required Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent
A unique configuration ID.

Name Type Default Description

agent string
Required Specifies the browser's user agent to help identify which browser is being used.

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

authFilter > webApp
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Name.

authzParameter
Specifies custom parameters to send to authorization endpoint of the OpenID Connect provider.

Name Type Default Description

id string A unique configuration ID.

name string Specifies name of the additional parameter.

value string Specifies value of the additional parameter.

tokenParameter
Specifies custom parameters to send to token endpoint of the OpenID Connect provider.

Name Type Default Description

id string A unique configuration ID.

name string Specifies name of the additional parameter.

value string Specifies value of the additional parameter.

Name	Type	Default	Description
accessTokenCacheEnabled	boolean	true	Specifies whether authenticated subjects created using a propagated access tokens are cached.
accessTokenCacheTimeout	A period of time with millisecond precision	5m	Specifies how long an authenticated subject created using a propagated access token is cached. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
accessTokenInLtpaCookie	boolean	false	Specifies whether the LTPA token includes the access token.
allowCustomCacheKey	boolean	true	Specifies whether a custom cache key is used to store users in an authentication cache. If true and the cache key for a user is not found in the authentication cache, the user will be required to log in again. Set this property to false when we use the jwtSso feature to allow the security subject to be constructed directly from the jwtSso cookie. Set this property to false when we do not use the jwtSso feature to allow the security subject to be constructed directly from the user registry. If the security subject is reconstructed from the user registry, there will be no SSO components in the subject. If the LTPA cookie is used by more than one server, consider setting this property to false. If the application always requires the SSO components to be present in the subject, we must either set this property to true or use the jwtSso feature.
audiences	string		Specifies a comma-separated list of trusted audiences that is verified against the aud claim in the JSON Web Token.
authFilterRef	Top level authFilter element (string).		Authentication filter reference.
authenticationTimeLimit	A period of time with millisecond precision	420s	Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
authnSessionDisabled	boolean	true	An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request.
authorizationEndpointUrl	string		Specifies an Authorization endpoint URL.
clientId	string		Identity of the client.
clientSecret	Reversably encoded password (string)		Secret key of the client.
clockSkew	A period of time with millisecond precision	300s	Allowed clock skew in seconds when you validate the JSON Web Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
createSession	boolean	true	Specifies whether to create an HttpSession if the current HttpSession does not exist.
disableIssChecking	boolean	false	Require the issuer claim to be absent when the OpenID Connect client validates a JWT access token for inbound propagation or when it performs token introspection for inbound propagation.
disableLtpaCookie	boolean	false	Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead.
discoveryEndpointUrl	string		Specifies a discovery endpoint URL for an OpenID Connect provider.
discoveryPollingRate	A period of time with millisecond precision	300s	Duration rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The checking is done only if there is an authentication failure. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
forwardLoginParameter	string		Specifies a comma-separated list of parameter names to forward to the OpenID Connect provider. If a protected resource request includes one or more of the specified parameters, the OpenID Connect client will include those parameters and their values in the authorization endpoint request to the OpenID Connect provider.
grantType	authorization_code implicit	authorization_code	Specifies the grant type to use for this client. Use of the responseType attribute is preferred instead. authorization_code Authorization code grant type implicit Implicit grant type
groupIdentifier	string	groupIds	Specifies a JSON attribute in the ID token used as the name of the group that the authenticated principal is a member of.
headerName	string		The name of the header which carries the inbound token in the request.
hostNameVerificationEnabled	boolean	true	Specifies whether to enable host name verification.
httpsRequired	boolean	true	Require SSL communication between the OpenID relying party and provider service.
id	string		A unique configuration ID.
inboundPropagation	none required supported	none	Controls the operation of the token inbound propagation of the OpenID relying party. none Do not support inbound token propagation required Require inbound token propagation supported Support inbound token propagation
includeIdTokenInSubject	boolean	true	Specifies whether to include ID token in the client subject.
initialStateCacheCapacity	int Min: 0	3000	Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself.
isClientSideRedirectSupported	boolean	true	Set this property to false if we do not want to use JavaScript to redirect to the OpenID Connect Provider for the initial authentication request. If JavaScript is not used, any URI fragments that are present in the original inbound request are lost.
issuerIdentifier	string		A case-sensitive URL using the HTTPS scheme containing scheme, host and optionally port number and path components. Specify multiple values as a comma separated list.
jwkClientId	string		Specifies the client identifier to include in the basic authentication scheme of the JWK request.
jwkClientSecret	Reversably encoded password (string)		Specifies the client password to include in the basic authentication scheme of the JWK request.
jwkEndpointUrl	string		Specifies a JWK endpoint URL.
jwtAccessTokenRemoteValidation	allow none require	none	Specifies whether a JWT access token that is received for inbound propagation is validated locally by the OpenID Connect client or using the validation method configured by the OpenID Connect client. allow A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is validated using the validation method configured by the OpenID Connect client. none A JWT access token that is received for inbound propagation is parsed and validated locally by the OpenID Connect client. If validation fails, the access token is not validated using the validation method configured by the OpenID Connect client. require A JWT access token that is received for inbound propagation is validated using the validation method configured by the OpenID Connect client. The access token is not parsed or validated locally by the OpenID Connect client.
keyAliasName	string		The alias for the private key used for signing client authentication tokens. The public key that corresponds to the private key must also use this alias. The private key must be in the keystore specified by the SSL configuration that is referenced by the sslRef attribute. The public key must be in one of the following locations: the truststore specified by the trustStoreRef attribute, the truststore specified by the SSL configuration that is referenced by the sslRef attribute, or the keystore specified by the SSL configuration that is referenced by the sslRef attribute.
keyManagementKeyAlias	string		Private key alias of the key management key used to decrypt the Content Encryption Key of a JSON Web Encryption (JWE) token.
mapIdentityToRegistryUser	boolean	false	Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject.
nonceEnabled	boolean	false	Enable the nonce parameter in the authorization code flow.
pkceCodeChallengeMethod	S256 disabled plain	disabled	Specifies the challenge method to use for Proof Key for Code Exchange (PKCE). When PKCE is enabled, session affinity is required because a local cache is used.
reAuthnCushion	A period of time with millisecond precision	0s	The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
reAuthnOnAccessTokenExpire	boolean	true	Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true.
realmIdentifier	string	realmName	Specifies a JSON attribute in the ID token used as the realm name.
realmName	string		Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false.
redirectJunctionPath	string		Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string.
redirectToRPHostAndPort	string		After authorization, the relying party will be redirected to this destination, instead of the default. The default is the origin of the relying party request.
resource	string		Resource parameter is included in the request.
responseType	code id_token id_token token token		Specifies the response requested from the provider, either an authorization code or implicit flow tokens. code Authorization code id_token ID token id_token token ID token and access token token Access token
scope	string (with whitespace trimmed off)	openid profile	OpenID Connect scope (as detailed in the OpenID Connect specification) allowed for the provider.
signatureAlgorithm	ES256 ES384 ES512 HS256 HS384 HS512 RS256 RS384 RS512 none	HS256	Signature algorithm that will be used to verify the signature of the ID token. ES256 Use the ES256 signature algorithm to sign and verify tokens ES384 Use the ES384 signature algorithm to sign and verify tokens ES512 Use the ES512 signature algorithm to sign and verify tokens HS256 Use the HS256 signature algorithm to sign and verify tokens HS384 Use the HS384 signature algorithm to sign and verify tokens HS512 Use the HS512 signature algorithm to sign and verify tokens RS256 Use the RS256 signature algorithm to sign and verify tokens RS384 Use the RS384 signature algorithm to sign and verify tokens RS512 Use the RS512 signature algorithm to sign and verify tokens none Tokens are not required to be signed
sslRef	Top level ssl element (string).		Specifies an ID of the SSL configuration used to connect to the OpenID Connect provider.
tokenEndpointAuthMethod	basic post private_key_jwt	post	The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client. basic Use the HTTP Basic authentication scheme to authenticate the client with the token endpoint of the OpenID Connect provider. post Include the client credentials in the request body to authenticate the client with the token endpoint of the OpenID Connect provider. private_key_jwt Private key JWT client authentication.
tokenEndpointAuthSigningAlgorithm	ES256 ES384 ES512 RS256 RS384 RS512	RS256	The signature algorithm to use to sign tokens used for client authentication. ES256 Use the ES256 signature algorithm to sign tokens used for client authentication ES384 Use the ES384 signature algorithm to sign tokens used for client authentication ES512 Use the ES512 signature algorithm to sign tokens used for client authentication RS256 Use the RS256 signature algorithm to sign tokens used for client authentication RS384 Use the RS384 signature algorithm to sign tokens used for client authentication RS512 Use the RS512 signature algorithm to sign tokens used for client authentication
tokenEndpointUrl	string		Specifies a token endpoint URL.
tokenOrderToFetchCallerClaims	AccessToken IDToken UserInfo IDToken	IDToken	Specifies token order to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client continues the search with other tokens in the list. AccessToken IDToken UserInfo Uses the AccessToken, IDToken, and Userinfo tokens in that order to determine the caller claims IDToken Uses only the IDToken to determine the caller claims
tokenRequestOriginHeader	string		Specifies the value to use in the Origin HTTP header included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.
tokenReuse	boolean	false	Specifies whether JSON Web Tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.
trustAliasName	string		Key alias name to locate public key for signature validation with asymmetric algorithm.
trustStoreRef	Top level keyStore element (string).		A keystore containing the public key necessary for verifying the signature of the ID token.
uniqueUserIdentifier	string	uniqueSecurityName	Specifies a JSON attribute in the ID token used as the unique user name as it applies to the WSCredential in the subject.
useSystemPropertiesForHttpClientConnections	boolean	false	Specifies whether to use Java system properties when the OpenID Connect client creates HTTP client connections. Set this property to true if we want the connections to use the http* or javax* system properties.
userIdentifier	string		Specifies a JSON attribute in the ID token used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used.
userIdentityToCreateSubject	string	sub	Specifies a JSON attribute in the ID token used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. The value for this property is overridden by the value for userIdentifier, if specified.
userInfoEndpointEnabled	boolean	false	Specifies whether the User info endpoint is contacted.
userInfoEndpointUrl	string		Specifies a User Info endpoint URL
validationEndpointUrl	string		The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod.
validationMethod	introspect userinfo	introspect	The method of validation on the token inbound propagation. introspect Validate inbound tokens using token introspection userinfo Validate inbound tokens using the userinfo endpoint

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Match type.
name	string Required		Name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".