OAuth Client Federation Endpoint
The OAuth client endpoint configuration lets you create and edit configuration settings for local OAuth Client FEPs, which represent the client side of the OAuth communication.
Context path
The context path of the web application. If not specified, the context path is set to the default 'unknown' value.
Do exclude from authorization
Whether or not the web application shall be excluded from the authorization process defined by the DirX Access PEP.
Port assignment identifiers
Identifiers of the port assignments for the web application. Port assignments specify the HTTP(S) ports on which the web application will listen.
Primary port assignment identifier
Identifier of the primary port assignment for the given web application. It can be used to calculate the FEP location if the location is not specified.
CORS parameters
CORS parameters in addition to those already generated from the existing endpoint configuration. CORS parameters are used to filter CORS requests.
Allowed origins
Origins allowed in the Origin header when filtering CORS requests. This parameter has to be combined with 'allowedMethods' and 'allowedHeaders'. According to the CORS specification, the Origin header can contain the string `null`. It is possible to include this string in this configuration property with the following meaning:
- without `null` included - Origin header `null` leads to response FORBIDDEN,
- with `null` included - Origin header `null` leads to request being further processed,
- `*` enables also the `null` string.
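The three `null` cases above, modelled as an added example (not DirX Access code). The exact-string comparison for other origins, the pass-through when no Origin header is present, and the sample hosts are assumptions; `null_origin_exposure` is a hypothetical helper for reviewing a configured list.

```python
# Added example: a model of the documented 'Allowed origins' handling of the
# literal Origin value "null". This is not DirX Access code.

FORBIDDEN = "FORBIDDEN"
PROCESS = "PROCESS"


def origin_decision(allowed_origins, origin_header):
    """Return PROCESS or FORBIDDEN for one request's Origin header."""
    if origin_header is None:
        # Assumption: a request without an Origin header is not a CORS
        # request and is not subject to this filter.
        return PROCESS
    if "*" in allowed_origins:
        # Documented: '*' also enables the string null.
        return PROCESS
    if origin_header == "null":
        # Documented: processed only when "null" is listed explicitly.
        return PROCESS if "null" in allowed_origins else FORBIDDEN
    # Assumption: other origins are compared as exact strings and are
    # rejected the same way when they are not listed.
    return PROCESS if origin_header in allowed_origins else FORBIDDEN


def null_origin_exposure(allowed_origins):
    """List the configured entries that cause 'Origin: null' to be processed."""
    return [entry for entry in allowed_origins if entry in ("null", "*")]


# Constructed sample configurations (hypothetical hosts).
CONFIGS = {
    "strict": ["https://app.example.com"],
    "null-listed": ["https://app.example.com", "null"],
    "wildcard": ["*"],
}

if __name__ == "__main__":
    for name, allowed in CONFIGS.items():
        print(name, origin_decision(allowed, "null"), null_origin_exposure(allowed))
```

Browsers send `Origin: null` for opaque origins such as sandboxed documents, so review any list for which `null_origin_exposure` returns entries.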
Associated Web PEP identifier
The identifier of the Web PEP that enforces the security policy at the endpoint.
OAuth authentication method identifier
The authentication method to be used for authenticating the user.
Default partnership (client) metadata identifier
The value used when a request to the OAuth Client FEP does not contain a partnership identifier.
OAuth Server metadata update interval
The interval (seconds) at which OAuth Server metadata are reloaded. OAuth Server metadata with a configured URL are periodically reloaded. Set this field to zero or a negative number to disable this feature. If a metadata URL is accessed via TLS, the WebApplications container JRE keystore is used for certificate path validation.
Partnership metadata mapping
The partnership mapping between client and server metadata. The purpose of this table is to obtain the server metadata that corresponds to the partnership identifier. The client metadata identifier must match the partnership identifier supplied in the incoming request.
Single logout reference
Reference to the Single Logout configuration for this OAuth Client Endpoint.
Enabled logout endpoints
Determines which logout endpoints are enabled for this OAuth client.
- `INBOUND_FRONTCHANNEL`: the OAuth Client will support OpenID Connect Frontchannel logout notifications at the `/<oauth-client-context-path>/frontchannel_logout` URI.
- `INBOUND_BACKCHANNEL`: the OAuth Client will support OpenID Connect Backchannel logout notifications at the `/<oauth-client-context-path>/backchannel_logout` URI.
- `OUTBOUND_RP_INITIATED`: the OAuth Client will accept requests at the `/<oauth-client-context-path>/logout` URI that use the session cookie to initiate OpenID RP initiated single logout flow.