Curity Documentation

Table of Contents

  • System Admin Guide
    • Attribute Transformers
      • Regex Transformer
        • Regex transformation examples
      • Data Source Transformer
        • Data Source Transformation example
      • Script Transformer
    • Audit
      • Configuration
        • Logger
        • File Appender
        • Database Appender
        • Batching Log Messages for performance
      • Audit Data
        • Mandatory
        • Optional
      • Audit Events
        • profile-added
        • token-introspected
        • refresh-token-issued
        • refresh-token-revoked
        • access-token-issued
        • access-token-revoked
        • id-token-issued
        • initial-dcr-access-token-issued
        • initial-dcr-access-token-consumed
        • initial-dcr-access-token-revoked
        • dcr-client-registered
        • user-info
        • authorization-code-issued
        • authorization-code-consumed
        • delegation-issued
        • delegation-revoked
        • account-created
        • accounts-linked
        • account-activated
        • account-deleted
        • scim-account-updated
        • scim-account-created
        • scim-account-deleted
        • access-token-authentication
        • client-authentication-success
        • client-authentication-failure
        • cat-verification-failed
        • logout
        • user-authentication-success
        • user-sso-authentication-success
        • sso-session-created
        • bc-authentication-start
        • bc-authentication-success
        • bc-authentication-failure
    • Authorization Managers
      • Groups Authorization Manager
        • Group Rules
      • Scope Authorization Manager
        • Policies, Actions and Rules
        • Configuration
        • Use with OpenID Connect User Info
      • Attribute Authorization Manager
        • Configuration
        • Limitations
        • Examples
    • Credential Managers
      • User Account Credentials
      • Credential Policies
        • Managing Credential Rules State
        • Data source requirements
      • Credential Migration
      • Credential Rehashing
      • Maximum Credential Length (system-wide)
    • Cryptography
      • Configuring certificates
      • Configuring private keystores
        • Using an action to add a keystore
        • Preparing the keystore for embedding in an XML configuration document
      • Converting KeyStores (keystore-entry) into correct PKCS12 format
        • Usage of the convertks script
      • Working with PKCS1 private keys
      • Hardware Security Module
        • Entering a PIN
        • Configuring the HSM
        • Debugging the PKCS#11 Provider
      • EdDSA support
    • Data Sources
      • Overview
        • Configuration Strategy
        • Data Source Usage
      • JDBC
        • Table management
        • Database maintenance
        • Quoted identifiers
        • Configuration
        • Clustering
        • Connection Pool Metrics
        • Credential Data Access
        • MySQL and MariaDB
        • Microsoft SQL Server
        • PostgreSQL
        • Oracle
        • HsqlDB
      • LDAP
        • LDAP for Account and Credential Data Access
        • LDAP for Attribute Data Access
        • Use-case for configuring an LDAP backend for HTML Forms authenticator
        • Connection Pool
      • SCIM
        • SCIM 1.1
        • SCIM 2.0
      • JSON / REST Data Source
        • Configuration
      • DynamoDB
        • Table management
        • Database maintenance
        • User Management Service
        • Credential Data Access
        • Configuration
      • MongoDB
        • Collections management
        • Multi-Tenancy
        • Database maintenance
        • Credential Data Access
        • Configuration
      • Multi-zone
        • Configuration
    • Deployment
      • Cluster
        • Two Node Setup
        • Standalone Admin Setup
        • Asymmetric Setup
      • Scalability
      • Creating a Cluster
        • Preparing Configuration
        • Setup Nodes
        • Service Role
        • Viewing Connected Nodes
        • Cluster Lifecycle
      • Distributed Service
        • Rotating the Distributed Service Key
        • Node Communication
        • Security
      • Deploying with Docker
        • Building a Docker Container
        • Running with docker-compose
      • Multi-region Deployments
        • Authorization flows - Front-channel
        • Authorization flows - Back-channel
        • Data sources
    • Email Providers
      • SMTP Email Provider
        • DomainKeys Identified Mail
        • Embedded Content
      • Configure Email Provider for a Service
    • Http Clients
      • Introduction
      • HTTP Client Configuration
        • Scheme
        • Connection Pool
        • Caching
        • Authentication
        • TLS (encryption)
        • Proxies
      • Metrics
    • Observability
      • Alarms
        • Overview
        • Alarm Types
        • Alarm Handlers
        • Testing Alarms
      • Logging
        • Log Levels
        • Configuration Overview
        • Appenders
        • Loggers
        • Logging Incorrect Cookies
        • Masking
        • Shipping Logs
        • Log4j Scripting Languages
        • Files Not Configurable by Log4j
      • Monitoring
        • JMX
        • Tracing
        • Java Flight Recorder
        • Status Endpoint
        • Prometheus-compliant Metrics
      • OpenTelemetry
        • Configuration
        • Note about unstable components
      • Server Events
        • Event Listener Types
        • Types of Events
    • Scripting
      • Introduction to scripts
        • Procedures during authentication
        • Procedures during token issuance and processing
      • Configuring Scripts
        • Script Types
        • Preparations
        • Configuring using etc/init
        • Writing Scripts
    • SMS Providers
      • Twilio Sms Provider
      • REST Sms Provider
    • Transport Layer Security
      • Server Name Indication
    • Upgrading
      • Upgrading from 10.0.X to 10.1.0
        • Passkeys and WebAuthn Authenticators
        • HTTP Server Header Size Limit
        • OAuth Client Basic HTTP Authentication - URL decoding of client secret
      • Upgrading from 10.1.X to 10.2.0
        • SCIM Delegations endpoint
      • Upgrading from 7.0.X to 7.1.0
        • HAAPI DPoP improved processing
        • Template and message updates
      • Upgrading from 7.1.X to 7.2.0
        • SDK Changes
        • Logging Changes
      • Upgrading from 7.2.X to 7.3.0
        • Authentication Action Attributes
      • Upgrading from 7.3.X to 7.4.0
        • Email templates in Authentication Actions
        • Startup script changes
        • User Management with GraphQL
        • DynamoDB schema changes
      • Upgrading from 7.4.X to 7.5.0
        • HTTP Client Default Timeouts
      • Upgrading from 7.5.X to 7.6.0
        • Systemd config file update
        • New SAML Authenticator
      • Upgrading from 7.6.X to 8.0.0
        • Upgrading the XML Configuration
        • Authorization custom token procedures update
        • DynamoDB schema changes
        • WebAuthn authenticator
        • HAAPI capability and use of legacy DPOP
        • Microsoft SQL Server JDBC driver
        • Changes to HAAPI responses
        • Password-based PBES2 JWE algorithms
        • Windows Connector Failover Update
      • Upgrading from 8.0.X to 8.1.0
        • Database Changes
        • Custom Token Issuers
        • Email Authenticator
      • Upgrading from 8.1.X to 8.2.0
        • User consent template
        • SDK Changes
        • Token Procedure Plugin Configuration
        • Claims
      • Upgrading from 8.2.X to 8.3.0
      • Upgrading from 8.3.X to 8.4.0
        • SDK
        • Database Changes
        • Deprecation notice
        • Logging Incorrect Cookies
      • Upgrading from 8.4.X to 8.5.0
        • Template Changes
        • Deprecation notice
      • Upgrading from 8.5.X to 8.6.0
        • Deprecation notice
      • Upgrading from 8.6.X to 8.7.0
        • Hypermedia API external browser flow
        • HAAPI authorization code and refresh token binding
      • Upgrading from 8.7.X to 9.0.0
        • JDBC data source - database schema changes
        • User management
        • Service name
        • Attribute Authorization Manager
        • Updates on Docker images
        • SDK changes
        • Events and audit data
        • Token Issuers Data Sources
        • Custom Claims
        • Database client change
        • HTML Forms authenticator
        • Logging Incorrect Cookies
        • SAML Authenticator removal
      • Upgrading from 9.0.X to 9.1.0
        • JDBC data source
        • HTML Forms authenticator
        • SDK changes
      • Upgrading from 9.1.X to 9.2.0
        • JDBC data source - database schema changes
        • Template Changes
        • SDK changes
      • Upgrading from 9.2.X to 9.3.0
        • JDBC data source: multi-tenancy and discoverable credentials support
        • DynamoDB Database changes
        • SDK changes
        • Token Handler Applications
      • Upgrading from 9.3.X to 9.4.0
        • JDBC data source: multi-tenancy support for delegations
        • Template Changes
        • Token Handler Applications
        • SDK
      • Upgrading from 9.4.X to 9.5.0
        • Passkeys Authenticator
      • Upgrading from 9.5.X to 9.6.0
        • SDK
        • Template Changes
        • DynamoDB data source: credential data access
      • Upgrading from 9.6.X to 9.7.0
        • Maximum length of inputs used for secret/password validation
        • User Info claims
      • Upgrading from 9.7.X to 10.0.0
        • Token Handler Applications
        • OpenID Connect Authenticator - Signed UserInfo Responses
        • Email Authenticator
        • BankID Authenticator
        • JDBC Data Source - Deprecation of old credential storage schema and related credential modes
        • User Management - Username updates and account deletion with legacy credential data sources
        • OAuth Client Authentication
        • SDK
        • Original Query parameter encoding
      • General Upgrade Procedure
        • Preparing the upgrade
        • Performing the upgrade
        • After the Upgrade
    • DevOps Dashboard
      • Enabling the DevOps Dashboard
      • Requirements of an OAuth Client
      • Group Access
      • Availability
    • System Requirements
      • Operating Systems
      • Minimum Hardware Requirements
      • Recommended Hardware Setup
      • Hypermedia Authentication API
      • Browsers
      • Database
      • User Repositories
      • Networking
      • Hardware Security Module
      • File Encoding
      • HTTP
      • TLS
    • JVM Configuration
      • Changing JVM Settings in the Admin UI
      • Changing the JVM Settings with the CLI
    • Go-live Checklist
      • General System
      • Related Systems
      • All Profile Types
      • Authentication
      • Token Service
      • User Management
      • Configuration
      • Clustering
    • CORS
    • Cross Site Requests
  • Application Service Admin Guide
    • Overview
      • Token Handler Application
        • Creating a Token Handler Application
        • Configuring a Token Handler Application
        • Token Handler Application API
        • SPA Integration
    • Defining an Application Service Profile
  • Authentication Service Admin Guide
    • Overview
      • Authenticators
      • Actions
      • Single Sign-On (SSO)
      • Logout
      • Multi-Tenancy
      • Account Domains
      • Validation Procedures
      • Authenticator Filters
      • Service Providers
      • Protocol Plugins
      • Automatic login
    • Defining an Authentication Service Profile
      • Preparing the Authentication Service Profile
        • Pre-requisite configuration
      • Base Configuration of an Authentication Service Profile
        • Example Create request
    • Authenticators
      • Overview of Authenticators
        • Authenticator purpose
        • Authenticator Base Configuration
        • Multi-factor configuration for Authentication
        • Back-channel Authenticators
      • BankID
        • Integrating with BankID
        • Kinds of BankIDs
        • Trusted BankID Provider
        • Authentication flows
        • Configuration settings
        • Risk Assessment
        • IP address check on same device
        • BankID on the Phone
        • BankID Backchannel Authenticator
        • Testing the Integration and Configuration
        • Persisting the BankID Responses
        • Launch behavior
        • Change specific browser behavior
        • Disable autostart
        • Debugging the templates
      • Duo
        • Configuration Settings
        • Creating a New Authenticator
        • Logging In
      • Dynamic Authenticator
        • Configuration
        • Delegate Authenticator
        • Dynamic Configuration Source
        • Configuration Example
        • Example Use-case
      • Email
        • Using as standalone factor (single factor)
        • Using as second or N-th factor
        • Using an Intermediate Attribute
        • Hyperlink
        • One Time Password (OTP) Code
        • Inactive Accounts
        • Email Throttling
        • Configuration
      • Encap
        • Basic Configuration
        • Registration During Login
        • Additional Information Before Registration
        • Automatic Login
      • Entrust IDaaS
        • Creating an App in Entrust
        • Creating a new Authenticator
      • Facebook Authenticator
        • Configuring Facebook
        • The Redirect URI
        • The Data Deletion Request Callback URL
        • Configuration in the Authentication Service
      • Google Authenticator
        • Configuring Google
        • The Redirect URI
        • Configuration in the Authentication Service
      • HTML Forms Authenticator
        • Paths
        • Validation Scripts
        • Email Provider
        • Automatic Login
        • Password Only
        • Remember Me
        • Binding Message
        • Configuration
      • OpenID Connect Authenticator
        • The Redirect URI
        • JWKS Endpoint
        • Returned attributes
        • Parameter Mappings
        • Configuration
      • OpenID Wallet
        • Configuring OpenID Wallet Authenticator
        • Anonymous JWKS Endpoint
        • Further Reading
      • Passkeys
        • Configuring a Passkeys authenticator
        • Registering devices
        • Hypermedia Authentication API
        • Discoverable Credentials
        • iOS Domain Association
        • Android Domain Association
        • Known limitations
      • PingFederate IdP Adapter Authenticator
        • Authentication Flow
        • Configuration
      • PingFederate
      • SAML2
        • Paths
        • Validation Scripts
        • Configuration
        • SAML2 dynamic authenticator
        • Known limitations
      • Sign in with Apple
        • Configuring a Sign in with Apple Service
        • Setting up the authenticator
      • SITHS
        • Configuring an Authenticator
      • SMS OTP
        • Base Configuration
        • Using as standalone factor (Single factor)
        • Using as second or N-th factor
        • Using an Intermediate Attribute
        • SMS OTP in OTP mode
        • SMS OTP in Hyperlink mode
        • Registration
        • Automatic Login
        • Configuration
      • TOTP - Time-based One Time Password
        • Configuring an Authenticator
        • Multiple Device registration
        • Configuring for pre-shared keys
        • Configuring for generated keys
        • Automatic Login
      • Twitter
        • Creating an App in Twitter
        • Configuring the Twitter Authenticator
      • Username
        • Configuration
        • Source Code
      • WebAuthn
        • Device Types
        • Configuring a WebAuthn authenticator
        • Registering devices
        • User Interaction for platform devices
        • Hypermedia Authentication API
        • iOS Domain Association
        • Android Domain Association
        • Known limitations
      • Windows
        • Installing the Windows Connector
        • Configuring an Authenticator
        • Configuring the Windows Connector
        • Troubleshooting
    • Authentication Actions
      • Overview
        • Login Actions
        • SSO Actions
        • Actions and Action Completions
        • Action attributes
        • Actions prompts and backwards navigation
      • Attribute Prompt Action
        • Configuration
        • Localization
      • Auto Create Account
        • Creating accounts
        • Configuration
        • Default Values in the account
        • Errors
      • Auto Link Accounts
        • Overview
        • Configuration
        • Advanced
        • User Confirmation
      • Bundle Action
        • Configuration
      • Conditional Multi-Factor
        • Attribute Enable Condition
        • Attribute ACR Condition
        • Subject Condition
        • Client Property Condition
        • Subject Check
        • Use SSO on second factor
      • Copy Attribute
        • Configuration
      • Data Source Transformer Action
        • Transforming values using data source values
        • Include additional values from datasource
        • Configuration
      • Date/Time Deny Action
      • Debug Attribute Action
      • Deny Action
        • Configuration
      • Geolocation Allow or Deny Country Action
        • Configuration
      • Geolocation Changed Country Action
        • Configuration
      • Geolocation Impossible Journey Action
        • Configuration
      • Geolocation New Country Action
        • Configuration
      • Lookup Account
      • Lookup Links Action
        • Overview
        • Configuration
      • Opt-In MFA
        • Registering a New Factor
        • Managing Factors
        • Recovery Codes
        • Single Sign-On of second factors
        • Configuration
      • Regular Expression Transformer Action
        • Transforming values using regular expressions
        • Excluding attributes
        • Renaming attributes
        • Configuration
      • Registered Passkey
        • Configuration
      • Remove Attribute Transformer Action
        • Configuring attributes for removal
      • Request Acknowledgement
        • Localization
        • Configuration
      • Require Active Account
        • Configuration
      • Reset Password
        • Configuration
        • Example Usage
        • Errors
      • Resolve Account Link
        • Overview
        • Configuration
      • Restart Action
        • Configuration
      • Script Transformer Action
        • Transforming values using script procedures
        • Configuration
      • Selector
        • Configuration
      • Send Email Action
        • Configuration
        • Templates
      • Sequence Action
        • Configuration
      • Set Attribute
        • Configuration
      • Sign-In Selector
        • Configuration
      • Signup
        • Configuration
      • Switch Action
        • Conditions
        • Configuration
      • Time-based Deny Action
      • Update Account
        • Configuration
      • Zone Transfer
        • Configuration
        • Errors
    • Multi-Factor Authentication
      • Using a chain of authenticators
        • More than two factors
        • Single Sign-On and Multi-Factor
        • Freshness and Forced Authentication
        • Using the ACR Parameter
      • Using a Multi-Factor Authentication Action
    • Multi-Tenancy
      • Requirements for Multi-Tenancy
      • Configuring Multi-Tenancy
    • Account Linking
      • Basic Concepts
        • Example of Linking with Facebook
        • Example of Linking with Facebook as Second authenticator
      • Resolving Links
      • Looking up Links
      • Common Linking Flows
        • Linking a foreign account and adding links to the result
        • Linking using the foreign authenticator and resolving immediately
        • Linking using the local authenticator, resolving on next login with foreign
        • Linking two foreign accounts using auto create account
        • Linking two foreign accounts using auto create & resolving on next login
    • Protocol Plugins
      • PingFederate
        • Configuring PingFederate
        • Adapter Configuration
        • Configuring the Authentication Service
      • SAML
        • SAML protocol
        • Configuring the Authentication Service
        • Service Provider (App) integration
        • Federation Server integration
        • SAML Logout
    • Account Manager
      • Registration - Create account
      • Username is Email
    • Service Providers
      • Introduction
      • Managing Service Providers in the Admin UI
      • Framable User Interface
        • Multiple values for ‘allowed-origins’
        • Origin URI pattern format
      • Original Query retry integration
        • Example
        • Example OAuth Client
      • Third Party Cookies
        • Steps to Integrate Preflighting
        • Advanced Preflight behaviour
        • Disabling the Preflight Resource
    • Authenticator Filters
      • User-Agent Authenticator Filter
      • CIDR Authenticator Filter
      • Script Authenticator Filter
      • Geolocation Authenticator Filter
    • Single Sign-On
      • Requirements for SSO
      • Session Duration
        • Session cookies vs Persisted Cookies
        • Database persisted session
        • Expiration
        • Example
      • Overriding SSO
        • Freshness
        • Forcing authentication
    • Automatic Login
      • Authenticator Availability
    • Logout
      • Endpoint
      • Redirect After Logout
        • Using configuration
        • Using query parameter
      • Configuration
    • Geolocation
      • Geolocation Database File
      • Geolocation Actions
        • Geolocation Allow or Deny Country Action
        • Geolocation Changed Country Action
        • Geolocation Impossible Journey Action
        • Geolocation New Country Action
      • Geolocation authenticator filter
      • Geolocation authenticator settings
  • Token Service Admin Guide
    • Introduction to the Token Service
    • Defining an OAuth Profile
      • Preparing the OAuth Profile
        • OpenID Connect
        • Pre-requisite configuration
      • Base Configuration of an OAuth Profile
        • Example create request
    • OAuth Flows
      • Code
        • Proof Key for Code Exchange
      • Implicit
      • Client Credentials
      • Resource Owner Password Credentials
      • OpenID Connect Hybrid Flows
      • OpenID Connect CIBA Flow
        • Signed Authentication Request
      • OAuth 2.0 Token Exchange
        • Default OAuth 2.0 Token Exchange Behaviour
      • Token Exchange
      • Assisted Token
      • Refresh
      • Revoke
      • Introspect
        • Introspect with application/jwt as accept header
      • JSON Web Key Set (JWKS)
      • Device Authorization Flow
      • Assertion Flow
        • Token reuse
      • Logout Flow
    • Using the device flow
      • Configuration
      • Endpoints
        • Device Authorization
        • UserCode Verification
        • Token Endpoint
      • Token Procedures
      • Templates
    • Scopes and Claims
      • Adding a scope to the profile
      • Adding a scope to a client
      • Scope Lifetime
      • Required scopes
      • Prefix scopes
        • Customizing prefix scope templates and messages
      • Claims of a scope
      • Claims I/O
      • Claim configuration
        • Claim mappers
        • Claim value providers
        • Configuring a claim
        • Claim Type
    • Configuring OAuth User Authentication
    • OpenID Connect
      • Metadata
      • The “claims” request parameter
      • Issuing pseudonymous subject identifiers
        • Client settings
        • Profile settings
        • Sector Identifier for Dynamic Client Registration
    • OAuth Metadata
    • OpenID Connect Metadata
    • Dynamic Client Registration
      • Architectural Overview of Dynamic Client Registration
        • Deployments and Configurations
        • Initial Access Token
        • Registration
        • Registration Based on a Template Client
        • Registration Based on a Non-templatized Client
      • Enabling Dynamic Client Registration
      • Dynamic Client Registration Management (DCRM)
        • Client Certificates and DCRM
        • DCRM Management Clients
      • Dynamic Client Management With GraphQL
      • Dynamic Client Registration API
        • Templatized Dynamic Client Registration
        • Non-Templatized Dynamic Client Registration
      • Custom Client Properties
    • Database Client Management
      • Database Client VS DCR
      • Enabling Database Clients
      • Configuring a Data Source
      • Create a Database Client Endpoint
      • Authorization Access
      • Managing Database Clients in the DevOps Dashboard
      • Configuring Clients
      • Warnings
      • Database Client Limitations
    • OAuth Client Configuration
      • Client Capabilities
        • Hybrid Capabilities
      • User Authentication
      • Client Authentication
        • Client Secret
        • Client Assertion
        • Secondary authentication
      • Client Framability
        • Examples
      • Redirect URI validation
        • Validation policies
        • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
    • Issuing OAuth and OpenID Connect Tokens
      • Default Token Issuers
      • Custom Token Issuers
      • More on Wrapped Opaque Tokens
      • Encrypted ID Tokens
    • OAuth Endpoint Reference
      • Anonymous
      • Authorize
      • Assisted Token
      • Introspect
      • Revoke
      • Token
      • User Info
      • Dynamic Client Registration
      • Database Client Management
      • Device Authorization
      • OpenID Connect Sessions
      • Backchannel Authentication
      • Verifiable Credentials
    • User Consent
      • Consenting to requested claims
        • Example
      • Asking for consent
        • Example user consent gathering
        • Example with prompt
      • Enabling user consent
      • The user consent template
        • Example claim localization
        • Showing prefix scopes
      • Consentors
    • Consentors
      • BankID
        • Integrating with BankID
        • Signing Consent Data
        • QR Code
        • Asking user for personal number
        • Signing cancellation
        • Configuration settings
        • BankID Consentor Response
        • Testing the Integration and Configuration
        • Persisting the BankID Responses
      • Profile configuration
      • Client configuration
      • Consentor selection
      • Consentor templates
      • Consentor result
    • Mutual TLS Authentication
      • TLS termination
      • Binding certificates to tokens
      • Trusted certificates
        • Trust by PKI
        • Trust by a pinned certificate
      • DN comparison
      • Subject Alternative Name
      • Configuring Mutual TLS
        • Proxy terminated Mutual TLS
        • Direct terminated Mutual TLS
        • Configuring trust
      • Reverse Proxy Server Setup
        • Generic Reverse Proxy Server Setup
        • Setting Up NGINX As a Reverse Proxy Server
        • Setting Up HAProxy As a Reverse Proxy Server
        • Setting Up Apache HTTPD 2.x As a Reverse Proxy
      • Non-Templatized Dynamic Client Registration using Mutual TLS
        • OrganizationIdentifier
        • Match only organizationIdentifier
      • Database Clients upload client certificate PEM
    • OpenID Connect Issuer Discovery
    • Financial-grade Security
      • JWT Secured Authorization Request (JAR)
      • Pushed Authorization Requests
      • Request Object Handling
      • JWT Secured Authorization Response Mode (JARM)
      • Encrypted ID Tokens
    • Session Management and Logout
      • Session Endpoint
      • Logout
        • Logout Notification
      • OpenID Connect specifications for Session Management and Logout
    • Token Procedure Plugins
      • Configuring and using Token Procedure Plugins
      • Developing Token Procedure Plugins
        • Using Custom Token Issuers
        • Using Custom Token Introspecters
    • Verifiable Credential Issuance
      • Pre-authorized Code Flow
        • Pre-authorized Code and User PIN Issuance
      • Rich Authorization Requests (RAR) support
      • Formats and data models
        • W3C data model
        • SD-JWT VC data model
      • Endpoints
        • Token procedures
      • Credential Request Handling
        • jwt_vc_json format - W3C data model
        • vc+sd-jwt format - SD-JWT VC data model
        • Token Issuers
        • Authorization Requests
      • Configuration Model Summary
      • Configuration Example
    • Granted Authorization GraphQL API
      • Endpoint
      • Access Control
      • Licensing
      • Limitations
        • Granted Authorization Queries
        • Granted Authorization Mutations
        • GraphQLObligation.CanDeleteAttributes obligation
  • User Management Admin Guide
    • Overview
      • SCIM 2.0
        • Users
        • Devices
        • Delegations
        • External ID
        • Custom claims
        • Custom data
        • Sorting
      • GraphQL
        • Queries and Mutations
        • Introspection
        • Authorization
        • Custom Attributes
        • Data Sources
        • More Details
      • OAuth Protected
    • Defining a User Management Service Profile
      • Preparing the User Management Service
        • Pre-requisite configuration
      • Step by step guide to setup a User Management Service
        • 1. Add the profile
        • 2. Select OAuth Service
        • 3. Select User Account Data Source

Front-End Development

  • Introduction
  • Understanding the Templating System
    • The Template Override System
    • Overrides
    • Template Areas
    • Serving templates via the anonymous endpoint
    • Error templates
    • Common Template Variables
    • Authentication Service Template Variables
    • Never Remove CSP
  • Using the UI Builder
    • Setting up the environment
    • Running the previewer
    • Working with Velocity variables
    • Overriding templates
    • Working with template areas
    • Working with translations
    • Building
  • Customize branding per Application
  • Customizing the Look and Feel
    • Creating Themes in the Admin UI
    • How to create your custom theme in UI Builder
    • How to work with Sass
    • Themes
    • Using External Web Fonts
    • Compiling Assets
    • How to work with the settings file
  • Localizing Resources
    • About Locales
    • Using localized messages in templates
    • Message keys
    • Message lookup
    • Message Files Format
    • Using plugin-specific messages in re-usable templates
  • Right-to-left languages
    • How Curity supports Right-to-left languages
    • Set up the language
    • Default RTL Languages
    • Message Files
    • CSS Logical Properties
    • Custom Styling
  • Secure Iframing
    • Pre-requisites
  • API Driven UI
Copyright © 2015-2025 Curity AB. All rights reserved.