API Protection OpenID Connect Provider properties
When we configure API Protection for OAuth and OpenID Connect, and we enable OpenID Connect, we must specify properties for the OIDC Provider.
The local management interface (LMI) page OpenID Connect and API Protection has a section that prompts for settings for OpenID Connect Provider. Refer to the following list of properties to determine the appropriate value for each property.
For configuration task instructions, see Create an API protection definition.
- Issuer Identifier
- This entry identifies the issuing entity. It must be a valid URL with the protocol prefix https://. For example, https://ibm.com or https://accounts.google.com. It must not include fragment or query portions. The Issuer Identifier is defined by the OIDC specification. See http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
- Point of Contact Prefix
- The Point of Contact Prefix is used to correctly populate the URLs on the metadata page. It must include the host, port, and path information of the reverse proxy junction to the runtime. For example: https://isam.myidp.ibm.com:443/mga/. Note that this is not a field from the OIDC standard.
- Metadata URI
- A location where we can view the metadata. Metadata is useful to discover the capabilities of an OP. The metadata includes all other URIs. This field is read-only.
- id_token Lifetime
- Time in seconds for which the id_token is valid. The value is the difference between the values in the iat and exp claims of the issued JSON Web Token (JWT). You can use a pre-token mapping rule to overload this value at runtime.
Default: 3600 seconds.
- Signing Algorithm
- The algorithm used to sign the JWT. This setting is the alg claim in the JWT. Use the menu to select the appropriate value. We can use a pre-token mapping rule to overload this value at runtime.
Default: RS256.
- Key Database for Signing
- The key database used to source the private key for the ES/RS signing algorithms. We can use a pre-token mapping rule to overload this value at runtime.
Default: rt_profile_keys
- Certificate Label for Signing
- The label of the key in the selected keystore used as the private key for ES/RS signing. We can use a pre-token mapping rule to overload this value at runtime.
Default: server
- Encrypt ID token
- Boolean value to indicate whether this JWT must be encrypted. Select the check box to encrypt the token and configure the encryption settings. We can use a pre-token mapping rule to overload this value at runtime.
- Key Agreement Algorithm
- The encryption algorithm used for JWT key agreement. This setting is the alg claim in the encrypted JWT. We can use a pre-token mapping rule to overload this value at runtime.
Default: RSA-OAEP-256
- Encryption Algorithm
- The encryption algorithm used for JWT payload encryption. This setting is the enc claim in the encrypted JWT. We can use a pre-token mapping rule to overload this value.
Default: A128CBC-HS256
- Attribute Mapping
- We can use the Attribute Mapping section to define attributes that can be used to customize claims from attribute sources. Attribute sources can be: Fixed, Credential, or LDAP.
When we select Enable OpenID Connect, the New and Delete icons are activated for attribute mapping. To create a mapping, select New, enter the Attribute Name, and select the Attribute Source type.
To remove an existing Attribute Name, select the attribute and click Delete.
If we do not select Enable OpenID Connect, we cannot create new attribute mappings.
- Enable client registration
- Check this check box to allow users to register dynamic clients.
- Issue Client Secret
- If dynamic clients are enabled, check this check box to make them confidential clients.
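The Issuer Identifier, id_token Lifetime and Signing Algorithm properties above are exactly the values a relying party checks when it receives an id_token from this OP. The following is an added example (not product code from the ISAM runtime or the OIDC specification) that applies those checks with only the Python standard library: it validates an Issuer Identifier against the OIDC rule (https, no query, no fragment), and then inspects a JWT's header `alg` and its `iss`, `iat` and `exp` claims against a constructed provider configuration. The provider values, the `PROVIDER` dictionary and the helper names are assumptions for the example; the token builder produces a placeholder signature, so signature verification against the OP's published keys is deliberately a separate step that this example does not perform.

```python
import base64
import json
from urllib.parse import urlsplit

# Provider properties as they would be configured on the LMI page.
# These are constructed sample values, not a real deployment.
PROVIDER = {
    "issuer": "https://isam.myidp.ibm.com",  # Issuer Identifier
    "id_token_lifetime": 3600,               # id_token Lifetime (default 3600 s)
    "signing_alg": "RS256",                  # Signing Algorithm (default RS256)
}


def issuer_is_valid(issuer: str) -> bool:
    """OIDC rule for an Issuer Identifier: https scheme, a host,
    and no query or fragment component."""
    parts = urlsplit(issuer)
    return (parts.scheme == "https"
            and bool(parts.netloc)
            and parts.query == ""
            and parts.fragment == "")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict, alg: str) -> str:
    """Build a JWT with the given header alg and claims. The signature segment
    is a constructed placeholder: this helper only exercises the claim checks."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def check_id_token(token: str, provider: dict, now: int) -> list:
    """Return a list of findings; empty when the token's header and claims are
    consistent with the configured provider properties.

    Checks: alg equals the configured Signing Algorithm (so "none" or any
    substituted algorithm is rejected), iss equals the Issuer Identifier,
    exp - iat equals the id_token Lifetime, and the token is not expired.
    Signature verification is NOT performed here; do it with the OP's keys."""
    findings = []
    try:
        header_seg, payload_seg, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_seg))
        claims = json.loads(_b64url_decode(payload_seg))
    except ValueError:  # covers bad segment count, bad base64 and bad JSON
        return ["token is not a three-segment JWT with JSON header and payload"]

    if header.get("alg") != provider["signing_alg"]:
        findings.append(f"alg {header.get('alg')!r} != configured {provider['signing_alg']!r}")

    if not issuer_is_valid(provider["issuer"]):
        findings.append("configured Issuer Identifier is not a valid https URL")
    if claims.get("iss") != provider["issuer"]:
        findings.append(f"iss {claims.get('iss')!r} != configured issuer")

    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        findings.append("iat/exp missing or not integers")
    else:
        if exp - iat != provider["id_token_lifetime"]:
            findings.append(f"exp - iat = {exp - iat}, expected {provider['id_token_lifetime']}")
        if now >= exp:
            findings.append("token has expired")
    return findings


if __name__ == "__main__":
    # Constructed sample token consistent with PROVIDER, checked 10 s after issue.
    sample = make_unsigned_id_token(
        {"iss": PROVIDER["issuer"], "sub": "alice", "iat": 1700000000, "exp": 1700003600},
        "RS256")
    print(check_id_token(sample, PROVIDER, now=1700000010))  # [] when consistent
```

Running the module as a script prints an empty findings list for the consistent sample; feeding it a token whose header says `alg: none`, whose `iss` differs from the Issuer Identifier, or whose `exp - iat` does not match the configured lifetime yields one finding per mismatch, which is the behaviour a relying party should have before it ever looks at the signature.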