OAuthServerEndpoint

OAuth server endpoint configuration for local OAuth 2.0 Servers, i.e. the server side of the OAuth communication. The DirX Access OAuth Server is not accessed directly; it requires at least one OAuth Provider FEP in front of it. Each OAuth Server's metadata is generated automatically from the current configuration and can also be retrieved through the OAuth Provider FEP at:

  • issuer-url-identification/.well-known/openid-configuration, where issuer-url-identification is the URL of the OAuth Server supplied in the "Issuer" field of the Servers page.
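The following is an added example (not DirX Access code) of what a relying party or an operator should check in the metadata document served at that location. The document below is constructed for the example; the field names follow RFC 8414 / OpenID Connect Discovery. The most important check is that the "issuer" value equals the URL the client used to fetch the document, which is exactly the Issuer / load balancer relationship described under "Issuer" below.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document (not fetched from a real server); field
# names follow RFC 8414 / OpenID Connect Discovery.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://lb.example.com/oauth",
    "authorization_endpoint": "https://lb.example.com/oauth/authorize",
    "token_endpoint": "https://lb.example.com/oauth/token",
    "jwks_uri": "https://lb.example.com/oauth/jwks",
    "introspection_endpoint": "https://lb.example.com/oauth/introspect",
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_discovery(fetched_from: str, metadata_json: str) -> list:
    """Return a list of findings; an empty list means every check passed.

    fetched_from is the base URL the client prepended to
    /.well-known/openid-configuration, i.e. what the client believes the
    issuer to be.  RFC 8414 requires the document's "issuer" value to equal
    that URL; a mismatch usually means the Issuer field was set to a single
    FEP address while clients reach the server through a load balancer (or
    the other way round), so every token the server mints names the wrong
    issuer and strict clients reject it.
    """
    findings = []
    md = json.loads(metadata_json)

    for name in REQUIRED_FIELDS:
        if name not in md:
            findings.append(f"missing required field: {name}")

    issuer = md.get("issuer", "")
    if issuer == "unknown":
        findings.append("issuer is the default 'unknown': the Issuer field is not configured")
    elif issuer.rstrip("/") != fetched_from.rstrip("/"):
        findings.append(f"issuer mismatch: document says {issuer!r}, fetched from {fetched_from!r}")

    # Every endpoint the server advertises must be reachable over TLS only.
    for name, value in md.items():
        if (name.endswith("_endpoint") or name == "jwks_uri") and urlparse(value).scheme != "https":
            findings.append(f"{name} is not https: {value}")

    if "S256" not in md.get("code_challenge_methods_supported", []):
        findings.append("server does not advertise S256 PKCE")

    return findings


if __name__ == "__main__":
    for finding in validate_discovery("https://lb.example.com/oauth", SAMPLE_METADATA) or ["ok"]:
        print(finding)
```

Run the check once against the load balancer URL and once against each FEP's own address: only the URL that matches the configured Issuer should pass, and the default 'unknown' issuer should never appear in production metadata.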

Description

Description of the configuration object

Issuer

The URL identification of the OAuth Server. The value names the issuer of authorization codes and tokens and is placed into the metadata; clients compare it with the URL under which they reach the server, so it must be the externally visible address. When there is no load balancer, the Issuer field should be the same as the OAuth Provider FEP location field (the simple scenario with one OAuth Provider FEP and one OAuth Server). When there is a load balancer in front of multiple OAuth Provider FEPs that point to one OAuth Server, the Issuer field should be the same as the location of the load balancer. If no issuer value is set, the default value 'unknown' is used.

Associated Web PEP identifier

The identifier of the Web PEP that enforces the security policy at the endpoint. If not set, the default value 'unknown' is used and the server cannot process requests.

Client metadata identifiers

The metadata of statically-registered remote OAuth clients. Unregistered OAuth clients cannot access the OAuth Server.

Do HTTP redirect URI support

Whether or not insecure HTTP redirect URIs in client metadata are supported. An authorization code returned to a plain-HTTP redirect URI can be read by anyone on the path, so enable this only for local development clients.

Do invalid client metadata support

Whether or not the OAuth Authorization Server tries to process requests from clients whose referenced client metadata is invalid.

Cache validation interval

The interval, in seconds, at which the cached validity of issued authorization codes and tokens is re-checked.

Crypto container identifiers

References to the crypto containers that hold the keys used for cryptographic operations, for example signing and encrypting the tokens issued by this server.

OAuth registration endpoint

The current location of the OAuth registration endpoint.

Rule template registration endpoint

The current location of the OAuth rule template registration endpoint; the value informs the administrator where the rule template registration endpoint is reachable.

OAuth server authorization token endpoint

The collection of fields and controls to configure the authorization and token endpoint that issues the authorization codes and tokens. The order of the items is important.

Grant types

The permitted grant types; issuance of authorization codes and tokens is restricted to them. Supported grant types are implicit, refresh_token, password, client_credentials, authorization_code and urn:ietf:params:oauth:grant-type:uma-ticket.

Scopes

The permitted scopes; issuance of authorization codes and tokens is restricted to them.

Authorization code validity

The validity period for the issued authorization codes in seconds.

Access token validity

The validity period for the issued access tokens in seconds.

Access token representation

The representation of the access token. Possible values are:

  • Random: the access token is an opaque random string. Default option.

  • JWT: the access token is a JSON Web Token.

  • Allowed Values:

    • Random

    • JWT

Do issue Refresh token

Whether or not a refresh token is issued together with an access token.

Do revoke used Refresh token

Whether or not to revoke a refresh token once it has been used (refresh token rotation). With rotation, a refresh token that leaks is only useful until the legitimate client next refreshes, and a second presentation of the same token is rejected.

Refresh token validity

The validity period for issued refresh tokens in seconds.
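The following is an added example (not DirX Access code) that models how the three refresh token settings above interact at the token endpoint: whether a refresh token is issued at all, whether a used refresh token is revoked (rotation) and how long a refresh token stays valid. Token values are random strings, all state is in memory, and the class and method names are this example's own.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenPair:
    access_token: str
    refresh_token: Optional[str]   # None when 'Do issue Refresh token' is off


@dataclass
class TokenEndpoint:
    """In-memory model of the token endpoint's refresh-token behaviour.

    Tokens are opaque random strings ('Random' access token representation).
    The three settings map to the page's controls of the same name.
    """
    refresh_validity: int = 86400       # 'Refresh token validity', seconds
    issue_refresh: bool = True          # 'Do issue Refresh token'
    revoke_used_refresh: bool = True    # 'Do revoke used Refresh token'
    _active: dict = field(default_factory=dict)   # refresh_token -> (client_id, scope, expiry)
    _revoked: set = field(default_factory=set)    # refresh tokens already consumed

    def issue(self, client_id: str, scope: str, now: Optional[float] = None) -> TokenPair:
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(32)
        refresh = None
        if self.issue_refresh:
            refresh = secrets.token_urlsafe(32)
            self._active[refresh] = (client_id, scope, now + self.refresh_validity)
        return TokenPair(access, refresh)

    def refresh(self, client_id: str, refresh_token: str, now: Optional[float] = None) -> TokenPair:
        """Handle grant_type=refresh_token.  Raises PermissionError (-> invalid_grant)."""
        now = time.time() if now is None else now
        if refresh_token in self._revoked:
            # A rotated token presented twice means either the legitimate client
            # replayed it or an attacker holds a copy; either way reject it.
            raise PermissionError("invalid_grant: refresh token already used")
        entry = self._active.get(refresh_token)
        if entry is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        owner, scope, expiry = entry
        if owner != client_id:
            raise PermissionError("invalid_grant: refresh token was issued to another client")
        if now >= expiry:
            del self._active[refresh_token]
            raise PermissionError("invalid_grant: refresh token expired")
        if self.revoke_used_refresh:
            # Rotation: the presented token dies and a fresh pair replaces it
            # (the new refresh token gets a full validity period from now).
            del self._active[refresh_token]
            self._revoked.add(refresh_token)
            return self.issue(client_id, scope, now)
        # No rotation: the same refresh token stays valid until it expires.
        return TokenPair(secrets.token_urlsafe(32), refresh_token)
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; a real endpoint uses the clock.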

Password Grant Authentication method identifier

The password authentication method reference to be used for password grant types.

Persisted claims token validity

The validity period for issued persisted claims tokens in seconds.

Attribute Template identifiers

The key and value pairs to be embedded as custom claims in a JSON Web Token (e.g. the OpenID Connect ID token).

JWS key identification parameter (ID Token)

The identification of the JSON Web Signature key placed in the JWS header of the ID Token. Possible values are:

  • None: no JWS key identification is present in the JWS header of the ID Token (as a JSON Web Token). Default option.

  • x5c: the JWS key is identified by the certificate chain.

  • Allowed Values:

    • None

    • x5c

Do ACE support (experimental)

Whether or not to support OAuth ACE specification.

Do PKCE for OAuth 2.0 support

Whether or not to support Proof Key for Code Exchange (PKCE, RFC 7636) for OAuth 2.0. Note that the 'Do public client support for token endpoint' checkbox must be checked.
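The following is an added example (not DirX Access code) of the PKCE exchange on both sides: the public client derives a code_challenge from a random code_verifier and sends the challenge with the authorization request; the server binds the challenge to the authorization code and, at the token endpoint, recomputes S256(code_verifier) and compares it in constant time. The AuthorizationServer class, its method names and its in-memory code store are this example's own; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes -> 43 URL-safe characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: Optional[str]) -> bool:
    """Server side, at the token endpoint.  Any mismatch or oddity -> False."""
    if presented_verifier is None or not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = make_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier   # permitted by RFC 7636 but useless if the authorization request leaks
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Tiny in-memory code store; a real server also binds redirect_uri and scope to the code."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce      # the page's 'Do PKCE for OAuth 2.0 support' switch
        self._codes = {}                      # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, challenge: Optional[str] = None, method: str = "S256") -> str:
        """Authorization endpoint: record the challenge alongside the issued code."""
        if self.require_pkce and challenge is None:
            raise ValueError("invalid_request: code_challenge is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, challenge, method)
        return code

    def token(self, client_id: str, code: str, verifier: Optional[str] = None) -> bool:
        """Token endpoint: True if the code may be exchanged for tokens."""
        entry = self._codes.pop(code, None)   # codes are single use whatever the outcome
        if entry is None or entry[0] != client_id:
            return False
        _, challenge, method = entry
        if challenge is None:
            return not self.require_pkce      # no challenge bound: only acceptable when PKCE is optional
        return verify_pkce(challenge, method, verifier)
```

Because the verifier never leaves the client until the token request, an attacker who intercepts the authorization code (for example through a leaked redirect) cannot redeem it; that is why PKCE matters most for public clients, which have no client secret to protect the token request.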

Do support Resource Indicators

Whether or not to support Resource Indicators for OAuth 2.0 (RFC 8707).

Do support JWT format for access token

Whether or not to use the JWT format for the OAuth 2.0 access token according to RFC 9068.

Do public client support for token endpoint

Whether or not to support public clients at the token endpoint, i.e. token refresh and the authorization code flow for public clients under the OAuth 2.0 specification.

Whether or not to ask the user to grant consent to the properties requested by the client application.

Signing applicability

This parameter has the following consequences:

  • REQUIRED: the JWT is always signed; if no appropriate signing key is available, an error is thrown.

  • PREFERRED: the JWT is signed if an appropriate signing key is available.

  • NONE: the JWT is not signed.

  • Allowed Values:

    • NONE

    • PREFERRED

    • REQUIRED

Encryption applicability

This parameter has the following consequences:

  • REQUIRED: the JWT is always encrypted; if no appropriate encryption key is available, an error is thrown.

  • PREFERRED: the JWT is encrypted if an appropriate encryption key is available.

  • NONE: the JWT is not encrypted.

  • Allowed Values:

    • NONE

    • PREFERRED

    • REQUIRED

JWS key identification parameters (Access Token)

The identification of the JSON Web Signature key placed in the JWS header of the access token. If empty, no key identification is present in the JWS header. Possible values are:

  • x5t: the JWS key is identified by the certificate thumbprint. Default option.

  • x5c: the JWS key is identified by the certificate chain.

  • kid: the JWS key is identified by the key ID.
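The following is an added example (not DirX Access code) covering the JWT access token (RFC 9068), the signing applicability setting and the JWS key identification header together: it mints a token whose header carries typ "at+jwt" and a "kid", and shows the checks a resource server must run before honouring it. To keep the block dependency-free the signature is HS256 with a constructed key set keyed by kid; a real server signs with a key from its crypto container and publishes the public half at jwks_uri. The issuer URL, key set and function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://lb.example.com/oauth"   # assumed value of the configured Issuer field
# Constructed key set keyed by 'kid'.  Assumption for this example: HMAC secrets.
# A real server holds private keys in its crypto container and publishes the
# public halves at jwks_uri so resource servers can resolve 'kid' themselves.
KEYS = {"2024-signing-1": b"constructed-example-secret-please-rotate"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(client_id, subject, audience, scope, kid, validity=300, now=None) -> str:
    """Mint an RFC 9068 access token: typ 'at+jwt', 'kid' in the JOSE header."""
    now = int(time.time()) if now is None else now
    header = {"typ": "at+jwt", "alg": "HS256", "kid": kid}
    claims = {
        "iss": ISSUER, "sub": subject, "aud": audience, "client_id": client_id,
        "scope": scope, "iat": now, "exp": now + validity, "jti": secrets.token_hex(16),
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_unsigned_token(claims: dict) -> str:
    """What 'Signing applicability: NONE' (or an attacker) produces: alg 'none', empty signature."""
    header = {"typ": "at+jwt", "alg": "none"}
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode()) + "."


def validate_access_token(token, expected_aud, required_scope, now=None) -> dict:
    """Resource-server check; returns the claims or raises ValueError with the reason."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("typ") != "at+jwt":
        raise ValueError("typ is not at+jwt (ID token or foreign JWT presented as access token)")
    if header.get("alg") != "HS256":   # pin the algorithm; never honour 'none' or whatever the token claims
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = KEYS.get(header.get("kid"))  # 'kid' only selects a key; it never introduces one
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))   # only trust the payload after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient_scope")
    return claims
```

The order of checks is deliberate: algorithm and key are pinned from the resource server's own configuration before the signature is verified, and the payload is parsed only afterwards, so an unsigned token produced under "Signing applicability: NONE" (or forged with alg "none") is rejected before any of its claims are read.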

OAuth server protected endpoint

The collection of fields and controls to configure protected endpoints (endpoints that require authentication for access). Most of these endpoints require authentication via a bearer profile with specific scopes. The order of the items is important.

OAuth server URI suffix

The read-only URI suffix of the OAuth Server protected endpoint. The URI suffix is calculated from the type of the OAuth Server protected endpoint.

OAuth server scopes

The allowed scopes to access the OAuth Server protected endpoint.

Protected endpoint type

The type of the OAuth Server protected endpoint.

  • Allowed Values:

    • Token introspection

    • User info

    • Resource registration

    • Token revocation

    • Permission

    • Policy management

    • Rule template registration

    • Claims interaction

    • Dynamic client registration

Bearer Profile Transmission methods

The transmission methods allowed to be used for authentication via the bearer profile. Supported transmission methods are Header field (default), Body parameter and Query parameter. Tokens passed as a query parameter end up in server logs, proxy logs and Referer headers, so allow that method only for clients that cannot send a header.
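The following is an added example (not DirX Access code) of how a protected endpoint extracts the bearer token according to the configured transmission methods, following RFC 6750: the Authorization header, the form-encoded body parameter and the query parameter. It rejects requests that use more than one method at once (RFC 6750 forbids that) and lets the deployment disallow the query method. The function name, the exception class and the sample requests are this example's own.

```python
from urllib.parse import parse_qs

ALL_METHODS = frozenset({"header", "body", "query"})


class BearerError(Exception):
    """Raise -> respond 400 invalid_request with a WWW-Authenticate: Bearer header."""


def extract_bearer_token(headers: dict, body: str = "", query: str = "",
                         allowed=frozenset({"header"})):
    """Return the bearer token carried by the request, or None if there is none.

    headers: request headers (name matching is case-insensitive here);
    body: raw request body; query: raw query string (without the '?');
    allowed: the configured 'Bearer Profile Transmission methods'.
    """
    found = {}

    # RFC 6750 section 2.1: Authorization: Bearer <token>.  Other schemes
    # (Basic, ...) are simply not bearer credentials and are ignored here.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() == "bearer":
            if not value.strip():
                raise BearerError("invalid_request: empty bearer credential")
            found["header"] = value.strip()

    # RFC 6750 section 2.2: the body parameter only counts for form-encoded bodies.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if body and ctype.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        values = parse_qs(body).get("access_token", [])
        if values:
            found["body"] = values[0]

    # RFC 6750 section 2.3: query parameter.  URLs are logged and leak via
    # Referer, so keep this method out of 'allowed' unless a client truly needs it.
    values = parse_qs(query).get("access_token", [])
    if values:
        found["query"] = values[0]

    if not found:
        return None   # caller answers 401 with WWW-Authenticate: Bearer
    if len(found) > 1:
        # RFC 6750 section 2: clients MUST NOT use more than one method per request.
        raise BearerError("invalid_request: token sent via more than one method")
    method, token = next(iter(found.items()))
    if method not in allowed:
        raise BearerError(f"invalid_request: {method} transmission is not permitted")
    return token
```

With the default setting only the header method is accepted; passing `ALL_METHODS` (or any subset) as `allowed` mirrors ticking the corresponding boxes in the endpoint configuration.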

Attribute template identifiers

The collection of OAuth attribute templates, as key and value pairs, to be returned in the JavaScript Object Notation (JSON) response. The control is valid for the user info and token introspection protected endpoints.

Permission ticket validity

The validity period for issued permission tickets in seconds. The control is valid for permission protected endpoint.

Token types

The token types that are allowed to be revoked. The control is valid for token revocation protected endpoint. Supported token types are access_token, pct and refresh_token.

Do PCT issuance support

Whether or not persisted claims token (PCT) issuance is supported. The control is valid for claims interaction protected endpoint.

Do support open registration

Whether or not any client that submits a valid registration request can register itself with the authorization server (open registration, i.e. without presenting an initial access token). The control is valid for dynamic client registration protected endpoint.

Client secret validity

The validity period, in seconds, after which a dynamically created client registration and its client secret expire. The control is valid for dynamic client registration protected endpoint.

Supported scopes

The preregistered scopes that a registering client may be granted; a client cannot obtain scopes outside this set. The control is valid for dynamic client registration protected endpoint.

Do support OpenID registration

Whether or not OpenID Connect Dynamic Client Registration extension is supported. The control is valid for dynamic client registration protected endpoint.

Do support public client type

Whether or not public clients are supported for registration. The control is valid for dynamic client registration protected endpoint.

Do support confidential client type

Whether or not confidential clients are supported for registration. The control is valid for dynamic client registration protected endpoint.

Do support token refresh for public clients

Whether or not to support token refresh for public clients that use the authorization code flow under the OAuth 2.0 specification.

Custom user access policy URI

The address of a custom application that provides the policy management API; the value is returned in the resource registration response. The control is valid for resource registration protected endpoint.