OpenID Connect Relying Party custom properties

OpenID Connect Relying Party custom properties

The following tables list the custom properties for the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI). We can define these properties in the Custom Properties panel for the OpenID Connect TAI using the administrative console.

The custom properties are used to determine the behavior of the OpenID Connect RP, and to communicate with an OpenID Connect Provider (OP). We can configure custom properties for multiple OpenID Connect providers.

To assign unique property names that identify each OpenID Connect provider, a provider_<id> is embedded in the property name and used to group the properties associated with each OP. The provider_<id>s are numbered sequentially for each OP. There are some custom properties that apply to all the providers and these properties are not prefixed with provider_<id>.

The properties are grouped into two categories:

Required properties: Without these properties defined the RP will not initialize and this is functionally the same as no RP installed.
Optional properties: These properties have a default value as documented. They are used to fine tune the behavior of the RP.
Property name Values Description
provider_<id>.identifier
We can specify any string value. This property does not have a default value.
Unique name for each OpenID connect provider identified by the <id> in the provider_<id> prefix. This identifier is used to build the redirect URL registered with the OP.
For example:
provider_1.identifier=abc
provider_2.identifier=test
Redirect URL:https://myrp.com:9443/oidcclient/abc
provider_<id>.clientId We can specify any string value. This property does not have a default value. The id used to identify the OpenID Connect RP instance to the OpenID connect Provider server. It must be unique among all the RP clients registered to the provider.
provider_<id>.clientSecret
We can specify plaintext or XOR encoded value. This property does not have a default value.
Secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the OpenID Connect Provider's secret registered for this client.
For example:
app_a_secret 
{xor}Pi8vAD4ALDo8LTor
provider_<id>.authorizeEndpointUrl We can specify any URL value. This property does not have a default value. Endpoint URL for redirecting authorization requests to the OpenID Connect Provider.
For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize.

provider_<id>.tokenEndpointUrl We can specify any URL value. This property does not have a default value. Endpoint URL for redirecting token requests to the OpenID Connect Provider.
For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/endpointe.
Property name Values Description

provider_<id>.interceptedPathFilter
We can specify a comma-separated list of URI patterns. This property does not have a default value. Comma-separated list of regular expression patterns that are compared against the request URI to see if the TAI will intercept the request. To intercept ALL requests use "/.*". For example: /abcCompanyApps.*, /snoop
provider_<id>.introspectEndpoint
We can specify any URL value. This property does not have a default value.
Endpoint URL for calling the OpenID Connect Provider's introspection endpoint.
For example:
https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect
callbackServletContext We can specify any context root value, but it must match the context root configured for the OpenID connect RP callback servlet. Default is /oidcclient. Context root configured for the OpenID Connect RP callback servlet. The property is used by the TAI to filter callback requests from the OpenID Connect Provider. Normally, this property should be set to /oidcclient. The value of this property must match the context root configured when deploying the com_ibm_ws_security_oidc_servlet_war into the local WebSphere . It must also match the registered callback for the start of the URIs in the URLs registered for this client to the OpenID Connect Provider. For example: /oidcclient.
provider_<id>.signatureAlgorithm Specify one of the following:

none
HS256 (Default)
RS256

Algorithm used to secure messages from the OpenID Connect provider.
provider_<id>.jwkEndpointUrl We can specify any URL value. This property does not have a default value. The URL of the OP's JSON Web Key (JWK) set document containing the signing key the RP uses to validate the signature from the OP.

This property must be set if the signatureAlgorithm custom property is set to RS256 and we do not set the signVerifyAlias custom property to obtain the OP's signing certificate from the default trust store.

provider_<id>.userIdentifier Default is sub. Set to a claim name used by the vendor's ID Token that represents a user's unique identifier. For example, we can set userIdentifier = email if we are using Google's OP.
provider_<id>.opServerConnectionTimeout Specify any integer value. Default is 20000 (20 seconds). Time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request.
provider_<id>.scope Default is openid profile. Scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token would have. For example: openid general.
provider_<id>.issuerIdentifier
By default, this property is set to the value derived from the authorizedEndpointUrl.
The issuer of the IDToken. If this property is not set, it is derived from the authorizedEndpointUrl value.
For example:
https://myoidcop.abc.com:8020/oidc/v10/endpoint/OP
provider_<id>.groupIdentifier By default, this property is set to a value of groupIds. The groups attribute name set by the OpenID Connect Provider in the IDToken. For example: groupIds.
provider_<id>.mapIdentityToRegistryUser Specify one of the following:

true
false (the default)

When false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm. The users and groups do not need to exist in the WAS user registry.

When true, the OpenID Connect RP maps the OpenID Connect authenticated user to the same user (by shortname) in the WAS user registry. All users must be maintained in the WAS user registry. If OpenID Connect authenticates a user that is not in the local WAS user registry, an error occurs.
provider_<id>.redirectToRPHostAndPort
No default value.
This RP registers its redirect URL with the OP as https://<host name>:<ssl port> /oidcclient/signin_cb, where both the host name and ssl port are automatically resolved. If there is a proxy in front of the RP, we can override the host name and port with the attribute redirectToRPHostAndPort, and we can set redirectToRPHostAndPort to https://hostname:<ssl port>.
For example:
https://myrs.abc.com:9443
provider_<id>.allowImplicitClientFlow Specify one of the following:

true
false (the default)

This property determines how the OpenID Connect RP authenticates BasicAuth tokens. When true, the TAI authenticates the Basic Auth token and the LTPA token using implicit flow. When the property is set to false, the TAI authenticates the Basic Auth token and the LTPA token using the authorization code flow.
provider_<id>.excludedPathFilter
We can specify comma-separated list of URI patterns. This property does not have a default value.
This property specifies a comma-separated list of regular expression patterns that are compared against the request URI to see if the TAI should not protect this request. This can be used to provide exceptions to the interceptedPathFilter.
For example:
/abcCompanyApps/admin.*, /abcCompanyApps/public.*
provider_<id>.signVerifyAlias
No default value. Alias of the certificate in the default trust store that might be used to verify the signature from the OP. On a single server, the default trust store is NodeDefaultTrustStore, otherwise, it is CellDefaultTrustStore.

This property must be set if the signatureAlgorithm custom property is set to RS256 and we do not set the jwkEndpointUrl custom property to obtain the OP's JSON Web Key (JWK).
jndiCacheName
When a dynamic cache service is enabled, aDistributedObjectCache named OIDCRPDistributedCacheMap with KEY_ENABLE_CACHE_REPLICATION=true and KEY_REPLICATION_DOMAIN=DynaCacheCluster is used. The attributes of this cache cannot be changed.
To use an object cache instance with properties that are different from the default, use this property to specify a custom object cache instance managed by the dynamic cache service. Read Use object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for sessionCacheSize and sessionCacheCleanupFrequency is ignored.
For example:
services/cache/myOpenidRpCache
sessionCacheSize We can specify any integer value. By default, this property is set to the value of 10000. Size of internal cache the OpenID Connect RP uses. All subsequent requests to the RP are rejected with an HTTP response code 503 (service unavailable) once the cache size limit is reached. This property is only used when the dynamic cache service is not in use.
sessionCacheCleanupFrequency We can specify any integer value. By default, this property is set to the value of 1800. The value of this property is in seconds, and is the frequency at which the stale value of the session cache is purged. This property is only used when the dynamic cache service is not in use.
httpOnly
Specify one of the following:

true (default)
false

When true, the httpOnly flag is set on the cookie.
httpsRequired
Specify one of the following:

true (default)
false

When true, the OpenID Connect RP will only establish a connection with an OP that supports https communication. If this property is set to true, but the scheme of the authorizeEndpointUrl, tokenEndpoint or introspectEndpoint is http, then the TAI will fail to initialize.
encodeParameters
Specify one of the following:

true
false (default)

That the client_id andclient_secret should be URL encoded before sending them to the IdP.

contentType
This custom property has a default value of text/html; charset=UTF-8. Change the default value of contentType text or html that is set on the response.
Related:

OpenID Connect overview
Configure an OpenID Connect Relying Party
Use object cache instances

Property name	Values	Description
provider_<id>.identifier	We can specify any string value. This property does not have a default value.	Unique name for each OpenID connect provider identified by the <id> in the provider_<id> prefix. This identifier is used to build the redirect URL registered with the OP. For example: provider_1.identifier=abc provider_2.identifier=test Redirect URL:https://myrp.com:9443/oidcclient/abc
provider_<id>.clientId	We can specify any string value. This property does not have a default value.	The id used to identify the OpenID Connect RP instance to the OpenID connect Provider server. It must be unique among all the RP clients registered to the provider.
provider_<id>.clientSecret	We can specify plaintext or XOR encoded value. This property does not have a default value.	Secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the OpenID Connect Provider's secret registered for this client. For example: app_a_secret {xor}Pi8vAD4ALDo8LTor
provider_<id>.authorizeEndpointUrl	We can specify any URL value. This property does not have a default value.	Endpoint URL for redirecting authorization requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize.
provider_<id>.tokenEndpointUrl	We can specify any URL value. This property does not have a default value.	Endpoint URL for redirecting token requests to the OpenID Connect Provider. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/endpointe.

Property name	Values	Description
provider_<id>.interceptedPathFilter	We can specify a comma-separated list of URI patterns. This property does not have a default value.	Comma-separated list of regular expression patterns that are compared against the request URI to see if the TAI will intercept the request. To intercept ALL requests use "/.". For example: /abcCompanyApps., /snoop
provider_<id>.introspectEndpoint	We can specify any URL value. This property does not have a default value.	Endpoint URL for calling the OpenID Connect Provider's introspection endpoint. For example: https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect
callbackServletContext	We can specify any context root value, but it must match the context root configured for the OpenID connect RP callback servlet. Default is /oidcclient.	Context root configured for the OpenID Connect RP callback servlet. The property is used by the TAI to filter callback requests from the OpenID Connect Provider. Normally, this property should be set to /oidcclient. The value of this property must match the context root configured when deploying the com_ibm_ws_security_oidc_servlet_war into the local WebSphere . It must also match the registered callback for the start of the URIs in the URLs registered for this client to the OpenID Connect Provider. For example: /oidcclient.
provider_<id>.signatureAlgorithm	Specify one of the following: none HS256 (Default) RS256	Algorithm used to secure messages from the OpenID Connect provider.
provider_<id>.jwkEndpointUrl	We can specify any URL value. This property does not have a default value.	The URL of the OP's JSON Web Key (JWK) set document containing the signing key the RP uses to validate the signature from the OP. This property must be set if the signatureAlgorithm custom property is set to RS256 and we do not set the signVerifyAlias custom property to obtain the OP's signing certificate from the default trust store.
provider_<id>.userIdentifier	Default is sub.	Set to a claim name used by the vendor's ID Token that represents a user's unique identifier. For example, we can set userIdentifier = email if we are using Google's OP.
provider_<id>.opServerConnectionTimeout	Specify any integer value. Default is 20000 (20 seconds).	Time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request.
provider_<id>.scope	Default is openid profile.	Scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token would have. For example: openid general.
provider_<id>.issuerIdentifier	By default, this property is set to the value derived from the authorizedEndpointUrl.	The issuer of the IDToken. If this property is not set, it is derived from the authorizedEndpointUrl value. For example: https://myoidcop.abc.com:8020/oidc/v10/endpoint/OP
provider_<id>.groupIdentifier	By default, this property is set to a value of groupIds.	The groups attribute name set by the OpenID Connect Provider in the IDToken. For example: groupIds.
provider_<id>.mapIdentityToRegistryUser	Specify one of the following: true false (the default)	When false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm. The users and groups do not need to exist in the WAS user registry. When true, the OpenID Connect RP maps the OpenID Connect authenticated user to the same user (by shortname) in the WAS user registry. All users must be maintained in the WAS user registry. If OpenID Connect authenticates a user that is not in the local WAS user registry, an error occurs.
provider_<id>.redirectToRPHostAndPort	No default value.	This RP registers its redirect URL with the OP as https://<host name>:<ssl port> /oidcclient/signin_cb, where both the host name and ssl port are automatically resolved. If there is a proxy in front of the RP, we can override the host name and port with the attribute redirectToRPHostAndPort, and we can set redirectToRPHostAndPort to https://hostname:<ssl port>. For example: https://myrs.abc.com:9443
provider_<id>.allowImplicitClientFlow	Specify one of the following: true false (the default)	This property determines how the OpenID Connect RP authenticates BasicAuth tokens. When true, the TAI authenticates the Basic Auth token and the LTPA token using implicit flow. When the property is set to false, the TAI authenticates the Basic Auth token and the LTPA token using the authorization code flow.
provider_<id>.excludedPathFilter	We can specify comma-separated list of URI patterns. This property does not have a default value.	This property specifies a comma-separated list of regular expression patterns that are compared against the request URI to see if the TAI should not protect this request. This can be used to provide exceptions to the interceptedPathFilter. For example: /abcCompanyApps/admin., /abcCompanyApps/public.
provider_<id>.signVerifyAlias	No default value.	Alias of the certificate in the default trust store that might be used to verify the signature from the OP. On a single server, the default trust store is NodeDefaultTrustStore, otherwise, it is CellDefaultTrustStore. This property must be set if the signatureAlgorithm custom property is set to RS256 and we do not set the jwkEndpointUrl custom property to obtain the OP's JSON Web Key (JWK).
jndiCacheName	When a dynamic cache service is enabled, aDistributedObjectCache named OIDCRPDistributedCacheMap with KEY_ENABLE_CACHE_REPLICATION=true and KEY_REPLICATION_DOMAIN=DynaCacheCluster is used. The attributes of this cache cannot be changed.	To use an object cache instance with properties that are different from the default, use this property to specify a custom object cache instance managed by the dynamic cache service. Read Use object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for sessionCacheSize and sessionCacheCleanupFrequency is ignored. For example: services/cache/myOpenidRpCache
sessionCacheSize	We can specify any integer value. By default, this property is set to the value of 10000.	Size of internal cache the OpenID Connect RP uses. All subsequent requests to the RP are rejected with an HTTP response code 503 (service unavailable) once the cache size limit is reached. This property is only used when the dynamic cache service is not in use.
sessionCacheCleanupFrequency	We can specify any integer value. By default, this property is set to the value of 1800.	The value of this property is in seconds, and is the frequency at which the stale value of the session cache is purged. This property is only used when the dynamic cache service is not in use.
httpOnly	Specify one of the following: true (default) false	When true, the httpOnly flag is set on the cookie.
httpsRequired	Specify one of the following: true (default) false	When true, the OpenID Connect RP will only establish a connection with an OP that supports https communication. If this property is set to true, but the scheme of the authorizeEndpointUrl, tokenEndpoint or introspectEndpoint is http, then the TAI will fail to initialize.
encodeParameters	Specify one of the following: true false (default)	That the client_id andclient_secret should be URL encoded before sending them to the IdP.
contentType	This custom property has a default value of text/html; charset=UTF-8.	Change the default value of contentType text or html that is set on the response.