Authorization-server (Section)
Path: /profiles/profile/settings/authorization-server
The Authorization Server is a full OAuth 2.0 server with OpenID Connect support. It can issue tokens using the token issuer subsystem together with Token Procedures.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| reuse-refresh-tokens | boolean | optional | false | Defines whether the same refresh token is kept and reused across refreshes (true) or a new refresh token is created on every refresh (false) |
| revoke-delegation-for-public-clients-reusing-refresh-token | boolean | optional | true | Revoke delegation when public client attempts to reuse refresh token |
| issuer-override | string | optional | - | Override the issuer for tokens issued by this authorization server. Setting this value instead of using the derived issuer can break the standard discovery specification and should therefore only be used in exceptional circumstances, such as backwards compatibility or integration with existing environments where the derived issuer cannot be used. When ‘additional-issuer’ is also configured, this value acts as the default issuer used when the incoming request’s host does not match any entry in ‘additional-issuer’. |
| additional-issuer | multi-value string | optional | - | Additional allowed issuers for this authorization server. When the incoming request’s X-Forwarded-Host or Host header matches the host of one of these entries, that entry is used as the ‘iss’ claim in issued tokens and as the ‘issuer’ field in the discovery metadata. If no entry matches, the derived issuer (or ‘issuer-override’ when set) is used. Tokens whose ‘iss’ claim matches any entry in this list, ‘issuer-override’, or the derived issuer are accepted for introspection and refresh. This makes it possible to run the same profile under multiple hostnames, e.g. during a DNS migration. Each entry must be a valid URI. |
| authorization-manager | leafref → /base:processing/base:authorization-managers/base:authorization-manager/base:id | optional | - | |
| account-manager | leafref → /base:processing/base:account-managers/base:account-manager/base:id | optional | - | The (default) account manager to use for user attribute lookups |
| privacy-policy-url | string | optional | - | An absolute URL that refers to the privacy policy of the Authorization Server |
| terms-of-service-url | string | optional | - | An absolute URL that refers to the terms of service that users must accept when using any client configured in the profile |
| developer-documentation-url | string | optional | - | The published URL of the documentation that describes to developers how to use the service |
| require-secured-authorization-response | empty | optional | - | If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification |
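Worked illustration of the issuer-selection and acceptance rules described for ‘issuer-override’ and ‘additional-issuer’ above. This is an added example in Python, not the product's own code; the hostnames are constructed, and consulting X-Forwarded-Host before Host is an assumption the table does not state.

```python
from urllib.parse import urlsplit

# Constructed configuration: every 'additional-issuer' entry must be a valid URI.
ADDITIONAL_ISSUERS = [
    "https://login.example.com/oauth/v2/oauth-anonymous",
    "https://idp.example.org/oauth/v2/oauth-anonymous",
]
ISSUER_OVERRIDE = None  # set to a URI to pin the default issuer
DERIVED_ISSUER = "https://auth.internal/oauth/v2/oauth-anonymous"  # constructed


def _host(uri):
    """Return the lower-cased host[:port] of an issuer URI, rejecting non-URIs."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a valid issuer URI: {uri!r}")
    return parts.netloc.lower()


def select_issuer(headers, additional=ADDITIONAL_ISSUERS,
                  override=ISSUER_OVERRIDE, derived=DERIVED_ISSUER):
    """Pick the 'iss' value for a request.

    Only an exact match against the configured allow-list is honoured, so an
    arbitrary Host header never ends up in the 'iss' claim; anything else falls
    back to 'issuer-override' when set, otherwise to the derived issuer.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Assumption: X-Forwarded-Host (first value, if comma-separated) is
    # consulted before Host, as is usual behind a reverse proxy.
    candidates = [hdrs.get("x-forwarded-host", "").split(",")[0], hdrs.get("host", "")]
    candidates = [c.strip().lower() for c in candidates if c.strip()]
    for request_host in candidates:
        for entry in additional:
            if _host(entry) == request_host:
                return entry
    return override or derived


def is_accepted_issuer(iss, additional=ADDITIONAL_ISSUERS,
                       override=ISSUER_OVERRIDE, derived=DERIVED_ISSUER):
    """True if a token's 'iss' claim is one this server introspects or refreshes."""
    allowed = set(additional) | {derived}
    if override:
        allowed.add(override)
    return iss in allowed
```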
Subsections
| Name | Type | Description |
|---|---|---|
| refresh-token-revocation | Section | Settings related to refresh-token revocation after it has been used. Only applies if reuse-refresh-tokens is false. |
| database-client | Section | Enables the Database Clients feature. |
| database-scope | Section | Enables the Database Scopes feature. |
| client-authentication | Section | The methods by which an OAuth client may be authenticated |
| request-object | Section | The settings for allowing a request to be provided through a by-value or by-reference request object. By-value request objects are passed using the ‘request’ parameter whereas by-reference ones are provided in the ‘request-uri’ parameter. When enabled, a client can be required to provide a request object JWT. Additional restrictions per the relevant specifications are applied when used at the CIBA and PAR endpoints. |
| authentication-service | Section | |
| client-capabilities | Section | This section defines what a client may do when communicating with the OAuth server |
| scopes | Section | |
| claims | Section | |
| expose-metadata | Section | OAuth metadata endpoint configuration |
| openid-connect | Section | |
| token-procedure-plugins | Section | |
| token-issuance-authorizers | Section | |
| consentors | Section | |
| redirect-uri-validation-policies | Section | Configuration settings for allowing different validation methods for redirect URIs. |
| client-store | Section | |
| ephemeral-client | Section | Enables the Ephemeral Clients feature. |
| dynamic-client-registration | Section | |
| dpop | Section | Configure custom DPoP behavior |
| event-handling | Section | Configures how the token service reacts to events |
| verifiable-credentials | Section | Container with the configuration of all the different types of Verifiable Credentials |