OpenID Connect Client
This feature enables web applications to integrate OpenID Connect Client 1.0 for authenticating users instead of, or in addition to, the configured user registry.
Enable this feature
To enable the OpenID Connect Client feature, add the following element declaration inside the featureManager element in the server.xml file:
<feature>openidConnectClient-1.0</feature>
Developing a feature that depends on this feature
If we are developing a feature that depends on the OpenID Connect Client feature, include the following item in the Subsystem-Content header in the feature manifest file for the new feature:
com.ibm.websphere.appserver.openidConnectClient-1.0; type="osgi.subsystem.feature"
Features that this feature enables
Feature configuration elements
We can use the following elements in the server.xml file to configure the OpenID Connect Client feature:
- administrator-role
- authCache
- authentication
- authorization-roles
- basicRegistry
- classloading
- jaasLoginContextEntry
- jaasLoginModule
- library
- ltpa
- openidConnectClient
- quickStartSecurity
- trustAssociation
- administrator-role
- A collection of users and/or groups assigned the server administrator role.
- administrator-role > group
Description: Group assigned a role.
Required: false
Data type: string
- administrator-role > user
Description: User assigned a role.
Required: false
Data type: string
- authCache
- Controls the operation of the authentication cache.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| allowBasicAuthLookup | boolean | true | Allow lookup by user ID and hashed password. |
| initialSize | int (minimum: 1) | 50 | Initial number of entries supported by the authentication cache. |
| maxSize | int (minimum: 1) | 25000 | Maximum number of entries supported by the authentication cache. |
| timeout | A period of time with millisecond precision | 600s | Amount of time after which an entry in the cache will be removed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
- authentication
- Controls the built-in authentication service configuration.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| allowHashtableLoginWithIdOnly | boolean | false | Allow an application to log in with just an identity in the hashtable properties. Use this option only when we have applications that require this and have other means to validate the identity. |
| cacheEnabled | boolean | true | Enables the authentication cache. |
- authorization-roles
- A collection of role names and mappings of the roles to users, groups, or special subjects
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
- authorization-roles > security-role
Description: A role that is mapped to users and groups in a user registry.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | string | | Role name. |
- authorization-roles > security-role > group
Description: Group that has the security role.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| access-id | string | | A group access ID in the general form group:realmName/groupUniqueId. A value will be generated if one is not specified. |
| name | string | | Name of a group that has the security role. |
- authorization-roles > security-role > special-subject
Description: Special subject that has the security role.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| type | EVERYONE, ALL_AUTHENTICATED_USERS | | One of the following special subject types: ALL_AUTHENTICATED_USERS, EVERYONE. |
Values of type:
- EVERYONE: All users for every request, even if the request was not authenticated.
- ALL_AUTHENTICATED_USERS: All authenticated users.
- authorization-roles > security-role > user
Description: User who has the security role.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| access-id | string | | A user access ID in the general form user:realmName/userUniqueId. A value will be generated if one is not specified. |
| name | string | | Name of a user who has the security role. |
- basicRegistry
- A simple XML-based user registry.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| ignoreCaseForAuthentication | boolean | false | Allow case-insensitive user name authentication. |
| realm | string | BasicRegistry | The realm name represents the user registry. |
- basicRegistry > group
Description: A group in a Basic User Registry.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | string | | Name of a group in a Basic User Registry. |
- basicRegistry > group > member
Description: A member of a Basic User Registry group.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | string | | Name of a user in a Basic User Registry group. |
- basicRegistry > user
Description: A user in a Basic User Registry.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | string | | Name of a user in a Basic User Registry. |
| password | One-way hashable, or reversibly encoded password (string) | | Password of a user in a Basic User Registry. Stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option. |
- classloading
- Global classloading
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| useJarUrls | boolean | false | Whether to use jar: or wsjar: URLs for referencing files in archives. |
- jaasLoginContextEntry
- The JAAS login context entry configuration.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| id | string | | A unique configuration ID. |
| loginModuleRef | List of references to top level jaasLoginModule elements (comma-separated string) | hashtable,userNameAndPassword,certificate,token | A reference to the ID of a JAAS login module. |
| name | string | | Name of a JAAS configuration entry. |
- jaasLoginModule
- A login module in the JAAS configuration.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| className | string | | Fully-qualified package name of the JAAS login module class. |
| controlFlag | SUFFICIENT, REQUISITE, REQUIRED, OPTIONAL | REQUIRED | The login module's control flag. Valid values are REQUIRED, REQUISITE, SUFFICIENT, and OPTIONAL. |
| id | string | | A unique configuration ID. |
| libraryRef | A reference to top level library element (string) | | A reference to the ID of the shared library configuration. |
Values of controlFlag:
- SUFFICIENT: This LoginModule is SUFFICIENT as per the JAAS specification. The LoginModule is not required to succeed. If authentication is successful, no other LoginModules will be called and control is returned to the caller.
- REQUISITE: This LoginModule is REQUISITE as per the JAAS specification. The LoginModule is required to succeed. If authentication fails, no other LoginModules will be called and control is returned to the caller.
- REQUIRED: This LoginModule is REQUIRED as per the JAAS specification. The LoginModule is required to succeed.
- OPTIONAL: This LoginModule is OPTIONAL as per the JAAS specification. The LoginModule is not required to succeed.
- jaasLoginModule > library
Description: A reference to the ID of the shared library configuration.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| apiTypeVisibility | string | spec,ibm-api,api | The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party. |
| description | string | | Description of shared library for administrators. |
| filesetRef | List of references to top level fileset elements (comma-separated string) | | Id of referenced Fileset. |
| name | string | | Name of shared library for administrators. |
- jaasLoginModule > library > file
Description: Id of referenced File
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | Path to a file | | Fully qualified filename. |
- jaasLoginModule > library > fileset
Description: Id of referenced Fileset
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| caseSensitive | boolean | true | Boolean to indicate whether or not the search should be case sensitive (default: true). |
| dir | Path to a directory | ${server.config.dir} | The base directory to search for files. |
| excludes | string | | The comma or space separated list of file name patterns to exclude from the search results; by default no files are excluded. |
| includes | string | * | The comma or space separated list of file name patterns to include in the search results (default: *). |
| scanInterval | A period of time with millisecond precision | 0 | Scanning interval to check the fileset for changes. Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
- jaasLoginModule > library > folder
Description: Id of referenced folder
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| dir | Path to a directory | | Directory or folder to be included in the library classpath for locating resource files. |
- jaasLoginModule > options
Description: A collection of JAAS Login module options
Required: false
Data type:
- library
- Shared Library
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| apiTypeVisibility | string | spec,ibm-api,api | The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party. |
| description | string | | Description of shared library for administrators. |
| filesetRef | List of references to top level fileset elements (comma-separated string) | | Id of referenced Fileset. |
| id | string | | A unique configuration ID. |
| name | string | | Name of shared library for administrators. |
- library > file
Description: Id of referenced File
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | Path to a file | | Fully qualified filename. |
- library > fileset
Description: Id of referenced Fileset
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| caseSensitive | boolean | true | Boolean to indicate whether or not the search should be case sensitive (default: true). |
| dir | Path to a directory | ${server.config.dir} | The base directory to search for files. |
| excludes | string | | The comma or space separated list of file name patterns to exclude from the search results; by default no files are excluded. |
| includes | string | * | The comma or space separated list of file name patterns to include in the search results (default: *). |
| scanInterval | A period of time with millisecond precision | 0 | Scanning interval to check the fileset for changes. Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
- library > folder
Description: Id of referenced folder
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| dir | Path to a directory | | Directory or folder to be included in the library classpath for locating resource files. |
- ltpa
- Lightweight Third Party Authentication (LTPA) token configuration.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| expiration | A period of time with minute precision | 120m | Amount of time after which a token expires, in minutes. Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. We can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes. |
| keysFileName | Path to a file | ${server.output.dir}/resources/security/ltpa.keys | Path of the file containing the token keys. |
| keysPassword | Reversibly encoded password (string) | {xor}CDo9Hgw= | Password for the token keys. Stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option. |
| monitorInterval | A period of time with millisecond precision | 0ms | Rate at which the server checks for updates to the LTPA token keys file. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
- openidConnectClient
- OpenID Connect client.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| authorizationEndpointUrl | string | | Specifies an authorization endpoint URL. |
| clientId | string | | Identity of the client. |
| clientSecret | Reversibly encoded password (string) | | Secret key of the client. |
| hostNameVerificationEnabled | boolean | false | Whether to enable host name verification. |
| httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
| id | string | | A unique configuration ID. |
| includeIdTokenInSubject | boolean | true | Whether to include the ID token in the client subject. |
| initialStateCacheCapacity | int (minimum: 0) | 3000 | Beginning capacity of the state cache. The capacity grows automatically when needed. |
| issuerIdentifier | string | | An Issuer Identifier is a case-sensitive URL using the HTTPS scheme containing scheme, host and optionally port number and path components. |
| mapIdentityToRegistryUser | boolean | false | Whether to map the identity to a registry user. When false, the user registry is not used to create the user subject. |
| redirectToRPHostAndPort | string | | Specifies a redirect OpenID relying party host and port number. |
| scope | tokenType | openid profile | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. |
| signatureAlgorithm | HS256, none, RS256 | HS256 | Signature algorithm that will be used to verify the signature of the ID token. |
| sslRef | string | | Specifies an ID of the SSL configuration used to connect to the OpenID Connect provider. |
| tokenEndpointUrl | string | | Specifies a token endpoint URL. |
| trustAliasName | string | | Key alias name to locate the public key for signature validation with an asymmetric algorithm. |
| trustStoreRef | string | | A keystore containing the public key necessary for verifying the signature of the ID token. |
| userIdentityToCreateSubject | string | sub | Specifies a user identity in the ID token used to create the user subject. |
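The following server.xml fragment is an added example, not taken from this page or from the product's own samples. It places a weak openidConnectClient configuration beside a hardened one using only the attributes listed above; the endpoint URLs, client ID, encoded secret, and the ids opTrustStore and opSSLConfig (a keystore and an SSL configuration assumed to be defined elsewhere in server.xml) are placeholders.

```xml
<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
  </featureManager>

  <!-- Weak configuration, shown only for contrast: signatureAlgorithm="none"
       means the ID token signature is not verified, httpsRequired="false"
       allows plain HTTP to the provider, and host name verification is off,
       so neither the token nor the provider's identity is checked. -->
  <openidConnectClient id="weakRP"
      clientId="rp-client-placeholder"
      clientSecret="{xor}PLACEHOLDER"
      authorizationEndpointUrl="http://op.example.com/oidc/authorize"
      tokenEndpointUrl="http://op.example.com/oidc/token"
      signatureAlgorithm="none"
      httpsRequired="false"
      hostNameVerificationEnabled="false" />

  <!-- Hardened configuration: the ID token signature is verified with RS256
       against the public key found under trustAliasName in the keystore
       referenced by trustStoreRef (opTrustStore, placeholder id), the
       provider is reached only over HTTPS with host name verification and
       the SSL configuration opSSLConfig (placeholder id), the expected
       issuer is pinned, and the subject is built from the sub claim. -->
  <openidConnectClient id="hardenedRP"
      clientId="rp-client-placeholder"
      clientSecret="{xor}PLACEHOLDER"
      authorizationEndpointUrl="https://op.example.com/oidc/authorize"
      tokenEndpointUrl="https://op.example.com/oidc/token"
      issuerIdentifier="https://op.example.com/oidc"
      scope="openid profile"
      signatureAlgorithm="RS256"
      trustStoreRef="opTrustStore"
      trustAliasName="op-signing-key"
      sslRef="opSSLConfig"
      httpsRequired="true"
      hostNameVerificationEnabled="true"
      mapIdentityToRegistryUser="false"
      userIdentityToCreateSubject="sub"
      includeIdTokenInSubject="true" />
</server>
```

Only one openidConnectClient element belongs in a real server.xml; the weakRP element is there to make the differences visible and should not be deployed.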
- quickStartSecurity
- Simple administrative security configuration.
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| userName | string | | Single user defined as part of the quick start security configuration. This user is granted the Administrator role. |
| userPassword | Reversibly encoded password (string) | | Password for the single user defined as part of the quick start security configuration. It is recommended that you encode this password. To do so, use the securityUtility tool with the encode option. |
- trustAssociation
- Controls the operation of the trust association interceptor (TAI).
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| failOverToAppAuthType | boolean | false | Allow an interceptor to fall back to the application authentication mechanism. |
| id | string | | A unique configuration ID. |
| invokeForUnprotectedURI | boolean | false | Controls whether the TAI is invoked for an unprotected URI. |
- trustAssociation > interceptors
Description: Defines a trust association interceptor.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| className | string | | Fully-qualified package name of the interceptor class. |
| enabled | boolean | true | Enables or disables the interceptor. |
| invokeAfterSSO | boolean | false | Invoke an interceptor after single sign-on (SSO). |
| invokeBeforeSSO | boolean | true | Invoke an interceptor before single sign-on (SSO). |
| libraryRef | A reference to top level library element (string) | | A reference to the ID of the shared library configuration. |
- trustAssociation > interceptors > library
Description: A reference to the ID of the shared library configuration.
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| apiTypeVisibility | string | spec,ibm-api,api | The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party. |
| description | string | | Description of shared library for administrators. |
| filesetRef | List of references to top level fileset elements (comma-separated string) | | Id of referenced Fileset. |
| name | string | | Name of shared library for administrators. |
- trustAssociation > interceptors > library > file
Description: Id of referenced File
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| name | Path to a file | | Fully qualified filename. |
- trustAssociation > interceptors > library > fileset
Description: Id of referenced Fileset
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| caseSensitive | boolean | true | Boolean to indicate whether or not the search should be case sensitive (default: true). |
| dir | Path to a directory | ${server.config.dir} | The base directory to search for files. |
| excludes | string | | The comma or space separated list of file name patterns to exclude from the search results; by default no files are excluded. |
| includes | string | * | The comma or space separated list of file name patterns to include in the search results (default: *). |
| scanInterval | A period of time with millisecond precision | 0 | Scanning interval to check the fileset for changes. Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
- trustAssociation > interceptors > library > folder
Description: Id of referenced folder
Required: false
Data type:
| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| dir | Path to a directory | | Directory or folder to be included in the library classpath for locating resource files. |
- trustAssociation > interceptors > properties
Description: Collection of properties for the interceptor.
Required: false
Data type: