
OpenID Connect Relying Party custom properties

We define these OpenID Connect properties in the Custom Properties panel for the OpenID Connect TAI using the administrative console. The custom properties determine the behavior of the OpenID Connect Relying Party (RP) and how it communicates with an OpenID Connect Provider (OP). We can configure custom properties for multiple OpenID Connect providers.

To assign unique property names that identify each OpenID Connect provider, a provider_<id> prefix is embedded in the property name and used to group the properties associated with each Provider. The provider_<id> values are numbered sequentially for each Provider. Some custom properties apply to all providers; these are not prefixed with provider_<id>.

Custom properties for the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI):

Each entry gives the property name, the values it accepts, and a description.

provider_<id>.identifier

Values: Specify any string value. No default value.

Description: Unique name for each OpenID Connect provider, identified by the <id> in the provider_<id> prefix. This identifier is used to build the redirect URL registered with the OP. For example:

    provider_1.identifier=abc
    provider_2.identifier=test
    Redirect URL: https://myrp.com:9443/oidcclient/abc

provider_<id>.clientId

Values: Specify any string value. No default value.

Description: The ID used to identify this Relying Party instance to the OpenID Connect Provider server. It must be unique among all the RP clients registered with the provider.

provider_<id>.clientSecret

Values: A plaintext or XOR-encoded value. No default value.

Description: Secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the secret the OpenID Connect Provider has registered for this client. For example:

    app_a_secret
    {xor}Pi8vAD4ALDo8LTor

provider_<id>.authorizeEndpointUrl

Values: Any URL value. No default value.

Description: Endpoint URL to which authorization requests are redirected at the OpenID Connect Provider. For example:

    https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize

provider_<id>.tokenEndpointUrl

Values: Any URL value. No default value.

Description: Endpoint URL for token requests to the OpenID Connect Provider. For example:

    https://myoidcop.abc.com:8020/oidc/endpoint/OP/token
provider_<id>.interceptedPathFilter

Values: A comma-separated list of URI patterns. No default value.

Description: Comma-separated list of regular expression patterns that are compared against the request URI to decide whether the TAI intercepts the request. To intercept ALL requests, use "/.*". For example:

    /abcCompanyApps.*, /snoop

provider_<id>.introspectEndpoint

Values: Any URL value. No default value.

Description: Endpoint URL for calling the OpenID Connect Provider's introspection endpoint. For example:

    https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect

callbackServletContext

Values: Any context root value, but it must match the context root configured for the OpenID Connect RP callback servlet. Default is /oidcclient.

Description: Context root configured for the Relying Party callback servlet. The TAI uses this property to filter callback requests from the OpenID Connect Provider. Normally, this property should be set to /oidcclient. Its value must match the context root configured when com_ibm_ws_security_oidc_servlet_war was deployed into the local WebSphere Application Server, and it must also match the start of the callback URIs registered for this client with the OpenID Connect Provider. For example:

    /oidcclient
provider_<id>.signatureAlgorithm

Values:

  • none
  • HS256 (default)
  • RS256

Description: Algorithm used to secure messages from the OpenID Connect provider.

provider_<id>.jwkEndpointUrl

Values: Any URL value. No default value.

Description: The URL of the OP's JSON Web Key (JWK) set document containing the signing key the RP uses to validate signatures from the OP. This property must be set if the signatureAlgorithm custom property is set to RS256 and the signVerifyAlias custom property is not set to obtain the OP's signing certificate from the default trust store.

provider_<id>.userIdentifier

Values: Default is sub.

Description: The claim in the vendor's ID Token that represents the user's unique identifier. For example, set userIdentifier = email when using Google's OP.

provider_<id>.opServerConnectionTimeout

Values: Any integer value. Default is 20000 (20 seconds).

Description: Time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request.

provider_<id>.scope

Values: Default is openid profile.

Description: Scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token has. For example: openid general.

provider_<id>.issuerIdentifier

Values: Default is the value derived from authorizeEndpointUrl.

Description: The issuer of the ID Token. If this property is not set, it is derived from the authorizeEndpointUrl value. For example:

    https://myoidcop.abc.com:8020/oidc/v10/endpoint/OP

provider_<id>.groupIdentifier

Values: Default is groupIds.

Description: The name of the groups attribute set by the Provider in the ID Token. For example: groupIds.
provider_<id>.mapIdentityToRegistryUser

Values:

  • true
  • false (default)

Description: When false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm; the users and groups do not need to exist in the WAS user registry.

When true, the Relying Party maps the OpenID Connect authenticated user to the user with the same short name in the WAS user registry. All users must be maintained in the WAS user registry; if OpenID Connect authenticates a user that is not in the local WAS user registry, an error occurs.

provider_<id>.redirectToRPHostAndPort

Values: No default value.

Description: This RP registers its redirect URL with the OP as

    https://<host name>:<ssl port>/oidcclient/signin_cb

where both the host name and SSL port are resolved automatically. If there is a proxy in front of the RP, override the host name and port by setting redirectToRPHostAndPort to

    https://<host name>:<ssl port>

For example:

    https://myrs.abc.com:9443
provider_<id>.allowImplicitClientFlow

Values:

  • true
  • false (default)

Description: Determines how the Relying Party authenticates Basic Auth tokens. When true, the TAI authenticates the Basic Auth token and the LTPA token using the implicit flow. When false, the TAI authenticates them using the authorization code flow.

provider_<id>.excludedPathFilter

Values: A comma-separated list of URI patterns. No default value.

Description: Comma-separated list of regular expression patterns that are compared against the request URI to decide which requests the TAI should not protect. Use it to define exceptions to interceptedPathFilter. For example:

    /abcCompanyApps/admin.*, /abcCompanyApps/public.*

provider_<id>.signVerifyAlias

Values: No default value.

Description: Alias of the certificate in the default trust store used to verify signatures from the OP. On a single server the default trust store is NodeDefaultTrustStore; otherwise it is CellDefaultTrustStore. This property must be set if the signatureAlgorithm custom property is set to RS256 and the jwkEndpointUrl custom property is not set to obtain the OP's JSON Web Key (JWK).

jndiCacheName

Values: The JNDI name of an object cache instance. Not set by default.

Description: When the dynamic cache service is enabled, a DistributedObjectCache named OIDCRPDistributedCacheMap with the following attributes is used by default:

  • KEY_ENABLE_CACHE_REPLICATION=true
  • KEY_REPLICATION_DOMAIN=DynaCacheCluster

The attributes of this cache cannot be changed. To use an object cache instance with properties that differ from the default, use this property to specify a custom object cache instance managed by the dynamic cache service. See Use object cache instances. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values of sessionCacheSize and sessionCacheCleanupFrequency are ignored. For example:

    services/cache/myOpenidRpCache

sessionCacheSize

Values: Any integer value. Default is 10000.

Description: Size of the internal cache the Relying Party uses. Once the cache size limit is reached, all subsequent requests to the RP are rejected with HTTP response code 503 (Service Unavailable). This property is only used when the dynamic cache service is not in use.

sessionCacheCleanupFrequency

Values: Any integer value. Default is 1800.

Description: Frequency, in seconds, at which stale entries are purged from the session cache. Only used when the dynamic cache service is not in use.
httpOnly

Values:

  • true (default)
  • false

Description: When true, the httpOnly flag is set on the cookie.

httpsRequired

Values:

  • true (default)
  • false

Description: When true, the RP only establishes a connection if the OP supports https communication. If true but the scheme of authorizeEndpointUrl, tokenEndpointUrl or introspectEndpoint is http, the TAI fails to initialize.

encodeParameters

Values:

  • true
  • false (default)

Description: When true, client_id and client_secret are URL-encoded before being sent to the OpenID Connect Provider.

contentType

Values: Default is text/html; charset=UTF-8.

Description: Sets the content type of the response to text or HTML.
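As an added example (not part of this page or of the WebSphere product code), the following Python script applies the rules stated above to a constructed set of custom properties: it evaluates interceptedPathFilter and excludedPathFilter against a request URI, and flags an http endpoint under httpsRequired=true and an RS256 configuration with no jwkEndpointUrl or signVerifyAlias. The property names are the ones documented here; the sample values and the start-anchored regex matching are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of TAI custom properties for one provider. The property names are
# the ones documented on this page; the values are made up for the example.
SAMPLE_PROPS = {
    "provider_1.identifier": "abc",
    "provider_1.clientId": "rp-client",
    "provider_1.authorizeEndpointUrl": "https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize",
    "provider_1.tokenEndpointUrl": "http://myoidcop.abc.com:8020/oidc/endpoint/OP/token",
    "provider_1.introspectEndpoint": "https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect",
    "provider_1.interceptedPathFilter": "/abcCompanyApps.*, /snoop",
    "provider_1.excludedPathFilter": "/abcCompanyApps/admin.*, /abcCompanyApps/public.*",
    "provider_1.signatureAlgorithm": "RS256",
    "callbackServletContext": "/oidcclient",
    "httpsRequired": "true",
}

def _patterns(value):
    """Split a comma-separated *PathFilter value into compiled regular expressions."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]

def is_intercepted(props, pid, uri):
    """True if the TAI would protect this request URI: it matches interceptedPathFilter
    and is not carved out by excludedPathFilter. Patterns are matched from the start of
    the URI (an assumption of this example, not a statement of the TAI's exact semantics)."""
    intercepted = _patterns(props.get(f"provider_{pid}.interceptedPathFilter", ""))
    excluded = _patterns(props.get(f"provider_{pid}.excludedPathFilter", ""))
    if not any(p.match(uri) for p in intercepted):
        return False
    return not any(p.match(uri) for p in excluded)

def check_provider(props, pid):
    """Return the misconfigurations this page describes for provider_<pid>."""
    prop = lambda name: props.get(f"provider_{pid}.{name}")
    problems = []
    # httpsRequired=true (the default): an http endpoint makes the TAI fail to initialize.
    if props.get("httpsRequired", "true").lower() == "true":
        for name in ("authorizeEndpointUrl", "tokenEndpointUrl", "introspectEndpoint"):
            url = prop(name)
            if url and urlsplit(url).scheme != "https":
                problems.append(f"{name} uses {urlsplit(url).scheme} but httpsRequired is true")
    # RS256 needs a key source: jwkEndpointUrl or signVerifyAlias must be set.
    if prop("signatureAlgorithm") == "RS256" and not (prop("jwkEndpointUrl") or prop("signVerifyAlias")):
        problems.append("signatureAlgorithm is RS256 but neither jwkEndpointUrl nor signVerifyAlias is set")
    return problems
```

Running check_provider(SAMPLE_PROPS, 1) on the sample reports both problems; fixing the token endpoint scheme and adding a jwkEndpointUrl clears them.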


Related:

  • OpenID Connect overview
  • Configure an OpenID Connect Relying Party
  • Use object cache instances