OpenID Connect Relying Party custom properties
The following tables list the custom properties for the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI). We can define these properties in the Custom Properties panel for the OpenID Connect TAI using the console.
The custom properties are used to determine the behavior of the OpenID Connect RP, and to communicate with an OpenID Connect Provider.
The properties are grouped into two categories:
- Required OpenID Connect Relying Party custom properties: The RP does not initialize if these properties are not defined.
- Optional OpenID Connect Relying Party custom properties: These properties default to the documented values when not set. They are used to fine-tune the behavior of the RP.
Required OpenID Connect Relying Party custom properties

| Property name | Values | Description |
|---|---|---|
| interceptedPathFilter | We can specify a comma-separated list of URI patterns. This property does not have a default value. | A comma-separated list of regular expression patterns that are compared against the request URI to decide whether the TAI intercepts the request. To intercept all requests, use `/.*`. For example: `/abcCompanyApps.*, /snoop` |
| clientId | We can specify any string value. This property does not have a default value. | ID used to identify the OpenID Connect RP instance to the OpenID Connect Provider server. It must be unique among all the RP clients that are registered to the provider. |
| clientSecret | We can specify a plaintext or XOR-encoded value. This property does not have a default value. | Secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the secret that the OpenID Connect Provider has registered for this client. For example: `app_a_secret` (plaintext) or `{xor}Pi8vAD4ALDo8LTor` (XOR-encoded form of the same value) |
| authorizeEndpoint | We can specify any URL value. This property does not have a default value. | Endpoint URL for redirecting authorization requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize |
| tokenEndpointUrl | We can specify any URL value. This property does not have a default value. | Endpoint URL for redirecting token requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/endpointe |
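As an added example, not code from this page or from WebSphere itself, the following Python checks a property set against the required list above, decodes the `{xor}` form of `clientSecret`, and applies `interceptedPathFilter` patterns to sample request URIs. The XOR-with-`_` (0x5F) plus base64 scheme is WebSphere's `{xor}` encoding, which the page's own plaintext/encoded pair confirms; the sample property values are constructed, and the assumption that patterns are matched from the start of the URI is mine. The point for a reviewer is that `{xor}` is reversible obfuscation, not encryption: anyone who can read the configuration can recover the secret, so the file itself must be protected.

```python
import base64
import re

# WebSphere {xor} encoding: each plaintext byte XORed with '_' (0x5F), then base64.
XOR_KEY = 0x5F
XOR_PREFIX = "{xor}"


def decode_xor(value):
    """Return the plaintext for a '{xor}...' value; plaintext values pass through."""
    if not value.startswith(XOR_PREFIX):
        return value
    raw = base64.b64decode(value[len(XOR_PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def encode_xor(plaintext):
    """Produce the '{xor}' form of a plaintext secret (obfuscation only)."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(raw).decode("ascii")


# The five properties without which the RP does not initialize.
REQUIRED = ("interceptedPathFilter", "clientId", "clientSecret",
            "authorizeEndpoint", "tokenEndpointUrl")


def missing_required(props):
    """List the required properties that are absent or empty in a property dict."""
    return [name for name in REQUIRED if not props.get(name)]


def compile_path_filter(value):
    """Split the comma-separated pattern list and compile each entry as a regex."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_intercepted(patterns, request_uri):
    """True when any pattern matches the request URI, so the TAI would handle it.

    Assumption: patterns are applied from the start of the URI (re.match), so a
    pattern such as /snoop also covers /snooper; anchor with $ when exactness matters.
    """
    return any(p.match(request_uri) for p in patterns)


# Constructed sample property set; the token endpoint value is a placeholder.
SAMPLE_PROPS = {
    "interceptedPathFilter": "/abcCompanyApps.*, /snoop",
    "clientId": "app_a",
    "clientSecret": "{xor}Pi8vAD4ALDo8LTor",
    "authorizeEndpoint": "https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize",
    "tokenEndpointUrl": "https://myoidcop.abc.com:8020/oidc/endpoint/OP/token",
}

if __name__ == "__main__":
    print("missing:", missing_required(SAMPLE_PROPS))
    print("decoded clientSecret:", decode_xor(SAMPLE_PROPS["clientSecret"]))
    patterns = compile_path_filter(SAMPLE_PROPS["interceptedPathFilter"])
    for uri in ("/abcCompanyApps/hr/index.jsp", "/snoop", "/other/app"):
        print(uri, "intercepted" if is_intercepted(patterns, uri) else "passed through")
```

Running the block prints an empty missing list, the plaintext `app_a_secret`, and shows that `/other/app` is not intercepted while the two documented patterns are; a broader filter such as `/.*` would route every request through the TAI.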
Optional OpenID Connect Relying Party custom properties

| Property name | Values | Description |
|---|---|---|
| introspectEndpoint | We can specify any URL value. This property does not have a default value. | The endpoint URL for calling the OpenID Connect Provider's introspection endpoint. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect |
| callbackServletContext | We can specify any context root value, but it must match the context root configured for the OpenID Connect RP callback servlet. By default, this property is set to /oidcclient. | Context root configured for the OpenID Connect RP callback servlet. The TAI uses this property to filter callback requests from the OpenID Connect Provider. Normally, this property should be set to /oidcclient. The value must match the context root configured when deploying com_ibm_ws_security_oidc_servlet_war into the local WebSphere Application Server. It must also match the start of the callback URIs registered for this client with the OpenID Connect Provider. For example: /oidcclient |
| signatureAlgorithm | We can specify one of the following values: none, HS256 (the default), RS256. | Algorithm used to secure messages from the OpenID Connect Provider. |
| opServerConnectionTimeout | We can specify any integer value. By default, this property is set to 20000 (20 seconds). | Time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request. |
| scope | By default, this property is set to openid profile. | The scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token has. For example: openid general |
| issuerIdentifier | By default, this property is set to a value derived from authorizeEndpoint. | The issuer of the IDToken. If not set, it is derived from the authorizeEndpoint value. For example: https://myoidcop.abc.com:8020/oidc/v10/endpoint/OP |
| groupIdentifier | By default, this property is set to groupIds. | The name of the groups attribute that the OpenID Connect Provider sets in the IDToken. For example: groupIds |
| mapIdentityToRegistryUser | We can specify one of the following values: true, false (the default). | When false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm. When true, the OpenID Connect RP maps the OpenID Connect authenticated user to the same user (by short name) in the WebSphere Application Server user registry. All users must then be maintained in that registry: if OpenID Connect authenticates a user that is not in the local WebSphere Application Server user registry, an error occurs. |
| redirectToRPHostAndPort | We can specify one of the following values: true, false (the default). | Determines how the OpenID Connect RP authenticates BasicAuth tokens. When true, the TAI authenticates Basic Auth tokens and LTPA tokens using the implicit flow. When false, it authenticates Basic Auth tokens and LTPA tokens using the authorization code flow. |
| jndiCacheName | We can specify the JNDI name of a custom object cache instance managed by the dynamic cache service. When the dynamic cache service is enabled and this property is not set, a DistributedObjectCache named OIDCRPDistributedCacheMap with KEY_ENABLE_CACHE_REPLICATION=true and KEY_REPLICATION_DOMAIN=DynaCacheCluster is used; the attributes of this default cache cannot be changed. | To use an object cache instance with properties that differ from the default, use this property to specify a custom object cache instance that is managed by the dynamic cache service. Read Use object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values of sessionCacheSize and sessionCacheCleanupFrequency are ignored. For example: services/cache/myOpenidRpCache |
| sessionCacheSize | We can specify any integer value. By default, this property is set to 10000. | Size of the internal cache that the OpenID Connect RP uses. Once the cache size limit is reached, all subsequent requests to the RP are rejected with HTTP response code 503 (service unavailable). This property is only used when the dynamic cache service is not in use. |
| sessionCacheCleanupFrequency | We can specify any integer value. By default, this property is set to 1800. | The value of this property is in seconds and is the frequency at which stale entries in the session cache are purged. This property is only used when the dynamic cache service is not in use. |
Related concepts
OpenID Connect overview
Related tasks
Configure an OpenID Connect Relying Party
Use object cache instances