Authorization-server (Section)#
Path: /profiles/profile{id, type}/settings/authorization-server
The Authorization Server is a full OAuth 2.0 authorization server with OpenID Connect support. It issues tokens using the token issuer subsystem together with Token Procedures.
Parameters#
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| reuse-refresh-tokens | boolean | optional | false | If false, a new refresh token is created on every refresh and the presented one is invalidated (rotation). If true, the existing refresh token is kept and returned on every refresh. |
| revoke-delegation-for-public-clients-reusing-refresh-token | boolean | optional | true | Revoke the whole delegation when a public client presents a refresh token that has already been rotated away (reuse detection). Only has an effect when reuse-refresh-tokens is false, since reuse cannot be detected if the same token is kept. |
| issuer-override | string | optional | | Override the issuer for tokens issued by this authorization server. Setting this value instead of using the derived issuer can break standard discovery (the issuer in the metadata must match the URL it is served from) and should therefore only be used in exceptional circumstances, e.g. backwards compatibility or integration with an existing environment where the derived issuer cannot be used. |
| authorization-manager | leafref | optional | | |
| account-manager | leafref | optional | | The (default) account manager to use for user attribute lookups |
| privacy-policy-url | uri | optional | | An absolute URL that refers to the privacy policy of the Authorization Server |
| terms-of-service-url | uri | optional | | An absolute URL that refers to the terms of service that users must accept when using any client configured in the profile |
| developer-documentation-url | uri | optional | | The published URL of the documentation that describes to developers how to use the service |
| require-secured-authorization-response | empty | optional | | If set, all authorization responses must be protected according to the JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) specification |
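The interaction between reuse-refresh-tokens and revoke-delegation-for-public-clients-reusing-refresh-token is easier to see in code. The following is an added illustration of refresh-token rotation with reuse detection written for this page; it is not the authorization server's own implementation, and the names RefreshTokenStore, Delegation and replay_outcome are hypothetical. It models a delegation (the grant behind a chain of refresh tokens), rotates the token on each refresh unless reuse is enabled, and revokes the delegation when a public client replays a rotated token.

```python
"""Refresh-token rotation with reuse detection.

Added example for this page, not the server's own code. RefreshTokenStore,
Delegation and replay_outcome are hypothetical names chosen for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Delegation:
    """The grant a user gave to one client; every refresh token issued in the
    refresh chain belongs to the same delegation."""
    delegation_id: str
    client_id: str
    client_is_public: bool
    revoked: bool = False
    active: set = field(default_factory=set)   # refresh tokens currently valid
    retired: set = field(default_factory=set)  # rotated away; never accepted again


class RefreshTokenStore:
    def __init__(self, reuse_refresh_tokens=False,
                 revoke_delegation_for_public_clients_reusing_refresh_token=True):
        self.reuse_refresh_tokens = reuse_refresh_tokens
        self.revoke_on_reuse = revoke_delegation_for_public_clients_reusing_refresh_token
        self.delegations = {}   # delegation id -> Delegation
        self.owner = {}         # refresh token -> delegation id

    def issue(self, client_id, client_is_public):
        """Initial grant: create a delegation and its first refresh token."""
        d = Delegation(secrets.token_hex(8), client_id, client_is_public)
        self.delegations[d.delegation_id] = d
        return self._mint(d)

    def _mint(self, d):
        rt = secrets.token_urlsafe(32)
        d.active.add(rt)
        self.owner[rt] = d.delegation_id
        return rt

    def refresh(self, rt):
        """Exchange a refresh token; returns the token the client must use next."""
        d = self.delegations.get(self.owner.get(rt))
        if d is None:
            raise PermissionError("unknown refresh token")
        if d.revoked:
            raise PermissionError("delegation has been revoked")
        if rt in d.retired:
            # A rotated token came back: either a replay by whoever stole it, or
            # the legitimate client re-sending after losing the response. For a
            # public client there is no secret to tell the two apart, so the
            # safe reaction is to kill the whole delegation.
            if d.client_is_public and self.revoke_on_reuse:
                d.revoked = True
                d.active.clear()
            raise PermissionError("refresh token reuse detected")
        if self.reuse_refresh_tokens:
            return rt                      # same token kept, nothing to detect later
        d.active.discard(rt)               # rotate: retire the old, mint a new one
        d.retired.add(rt)
        return self._mint(d)


def replay_outcome(reuse_refresh_tokens, client_is_public, revoke_on_reuse=True):
    """Legitimate refresh, then a replay of the old token, then the legitimate
    client's next refresh. Returns what happened at each step."""
    store = RefreshTokenStore(reuse_refresh_tokens, revoke_on_reuse)
    rt1 = store.issue("mobile-app", client_is_public)   # constructed client
    rt2 = store.refresh(rt1)
    try:
        store.refresh(rt1)
        replay = "accepted"
    except PermissionError as exc:
        replay = str(exc)
    try:
        store.refresh(rt2)
        legitimate = "still works"
    except PermissionError as exc:
        legitimate = str(exc)
    return {"rotated": rt1 != rt2, "replay": replay, "legitimate_client": legitimate}


if __name__ == "__main__":
    for args in [(False, True), (False, False), (True, True), (False, True, False)]:
        print(args, replay_outcome(*args))
```

With the defaults (rotation on, revocation on) a replayed token by a public client takes the legitimate client down with it, which is the intended trade: the attacker loses access and the user sees a re-login instead of a silent long-lived session for the thief. With reuse-refresh-tokens set to true the replay is indistinguishable from normal use and is simply accepted, which is why the revocation setting has no effect in that mode.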
Subsections#
| Name | Type | Description |
|---|---|---|
| database-client | Section | Enables the Database Clients feature. |
| client-authentication | Section | The methods by which an OAuth client may be authenticated |
| request-object | Section | The settings for allowing a request to be provided through a by-value or by-reference request object. By-value request objects are passed using the ‘request’ parameter whereas by-reference ones are provided in the ‘request-uri’ parameter. When enabled, a client can be required to provide a request object JWT. Additional restrictions per the relevant specifications are applied when used at the CIBA and PAR endpoints. |
| authentication-service | Section | None |
| client-capabilities | Section | This section defines what a client may do when communicating with the OAuth server |
| scopes | Section | None |
| claims | Section | None |
| expose-metadata | Section | OAuth metadata endpoint configuration |
| openid-connect | Section | None |
| token-procedure-plugins | Section | None |
| consentors | Section | None |
| redirect-uri-validation-policies | Section | Configuration settings for allowing different validation methods for redirect URIs. |
| client-store | Section | None |
| dynamic-client-registration | Section | None |
| dpop | Section | Configure custom DPoP behavior |
| event-handling | Section | Configures how the token service reacts to events |
| verifiable-credentials | Section | Container with the configuration of all the different types of Verifiable Credentials |
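The warning on issuer-override and the metadata served through expose-metadata meet in one check a practitioner should run after changing either: OpenID Connect Discovery 1.0 (section 4.3) requires the `issuer` value in the discovery document to be identical to the URL prefix that `/.well-known/openid-configuration` was appended to. The following is an added example written for this page, not the server's own code; the discovery documents and URLs in it are constructed, and derived_issuer and check_discovery are hypothetical names.

```python
"""Verify that a discovery document's issuer matches the URL it was fetched
from (OpenID Connect Discovery 1.0, section 4.3).

Added example for this page, not the server's own code. The URLs and
documents below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def derived_issuer(discovery_url):
    """Issuer implied by the fetch URL: scheme, host and any path that
    precedes the well-known suffix."""
    parts = urlsplit(discovery_url)
    if not parts.path.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + discovery_url)
    prefix = parts.path[: -len(WELL_KNOWN)]
    return f"{parts.scheme}://{parts.netloc}{prefix}"


def check_discovery(discovery_url, document_json):
    """Return a list of problems; an empty list means the document is
    consistent with the URL it was served from."""
    doc = json.loads(document_json)
    expected = derived_issuer(discovery_url)
    issuer = doc.get("issuer")
    problems = []
    if not isinstance(issuer, str) or not issuer:
        return ["issuer missing from discovery document"]
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL: " + issuer)
    if issuer != expected:
        # An issuer-override, or a misconfigured derived issuer, lands here:
        # relying parties that follow the spec will reject this document.
        problems.append(f"issuer {issuer!r} does not match fetch prefix {expected!r}")
    return problems


# Constructed samples: a consistent document and one with an overridden issuer.
FETCH_URL = "https://idp.example.com/oauth" + WELL_KNOWN
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.com/oauth",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
})
OVERRIDDEN_DOC = json.dumps({
    "issuer": "https://legacy-idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
})


if __name__ == "__main__":
    print("good:", check_discovery(FETCH_URL, GOOD_DOC))
    print("overridden:", check_discovery(FETCH_URL, OVERRIDDEN_DOC))
```

If the override is deliberate (the exceptional cases the parameter description allows), the check still fails, and that is the point: every relying party that validates discovery per the specification will fail in the same way, so the clients that talk to the overridden issuer must be configured with it explicitly rather than discovering it.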