10.1.0 10.0.210.0.110.0.09.7.19.7.09.6.09.5.09.4.09.3.09.2.29.2.19.2.09.1.19.1.09.0.29.0.19.0.08.7.18.7.08.6.38.6.28.6.18.6.08.5.48.5.38.5.28.5.18.5.08.4.28.4.18.4.08.3.38.3.28.3.18.3.08.2.28.2.18.2.08.1.38.1.28.1.18.1.08.0.18.0.07.6.17.6.07.5.27.5.17.5.07.4.47.4.37.4.27.4.17.4.07.3.47.3.37.3.27.3.17.3.07.2.37.2.27.2.17.2.07.1.27.1.17.1.07.0.47.0.47.0.37.0.27.0.17.0.0

• Home

Table of Contents

• System Admin Guide
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
      • Batching Log Messages for performance
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • account-deleted
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
    • User Account Credentials
    • Credential Policies
      • Managing Credential Rules State
      • Data source requirements
    • Credential Migration
    • Credential Rehashing
    • Maximum Credential Length (system-wide)
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • Credential Data Access
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Credential Data Access
      • Configuration
    • MongoDB
      • Collections management
      • Multi-Tenancy
      • Database maintenance
      • Credential Data Access
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Distributed Service
      • Node Communication
      • Security
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
      • Embedded Content
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Observability
    • Alarms
      • Overview
      • Alarm Types
      • Alarm Handlers
      • Testing Alarms
    • Logging
      • Log Levels
      • Configuration Overview
      • Appenders
      • Loggers
      • Logging Incorrect Cookies
      • Masking
      • Shipping Logs
      • Log4j Scripting Languages
      • Files Not Configurable by Log4j
    • Monitoring
      • JMX
      • Tracing
      • Java Flight Recorder
      • Status Endpoint
      • Prometheus-compliant Metrics
    • OpenTelemetry
      • Configuration
      • Note about unstable components
    • Server Events
      • Event Listener Types
      • Types of Events
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 10.0.X to 10.1.0
      • Passkeys and WebAuthn Authenticators
      • HTTP Server Header Size Limit
      • OAuth Client Basic HTTP Authentication - URL decoding of client secret
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • Upgrading from 8.1.X to 8.2.0
      • User consent template
      • SDK Changes
      • Token Procedure Plugin Configuration
      • Claims
    • Upgrading from 8.2.X to 8.3.0
    • Upgrading from 8.3.X to 8.4.0
      • SDK
      • Database Changes
      • Deprecation notice
      • Logging Incorrect Cookies
    • Upgrading from 8.4.X to 8.5.0
      • Template Changes
      • Deprecation notice
    • Upgrading from 8.5.X to 8.6.0
      • Deprecation notice
    • Upgrading from 8.6.X to 8.7.0
      • Hypermedia API external browser flow
      • HAAPI authorization code and refresh token binding
    • Upgrading from 8.7.X to 9.0.0
      • JDBC data source - database schema changes
      • User management
      • Service name
      • Attribute Authorization Manager
      • Updates on Docker images
      • SDK changes
      • Events and audit data
      • Token Issuers Data Sources
      • Custom Claims
      • Database client change
      • HTML Forms authenticator
      • Logging Incorrect Cookies
      • SAML Authenticator removal
    • Upgrading from 9.0.X to 9.1.0
      • JDBC data source
      • HTML Forms authenticator
      • SDK changes
    • Upgrading from 9.1.X to 9.2.0
      • JDBC data source - database schema changes
      • Template Changes
      • SDK changes
    • Upgrading from 9.2.X to 9.3.0
      • JDBC data source: multi-tenancy and discoverable credentials support
      • DynamoDB Database changes
      • SDK changes
      • Token Handler Applications
    • Upgrading from 9.3.X to 9.4.0
      • JDBC data source: multi-tenancy support for delegations
      • Template Changes
      • Token Handler Applications
      • SDK
    • Upgrading from 9.4.X to 9.5.0
      • Passkeys Authenticator
    • Upgrading from 9.5.X to 9.6.0
      • SDK
      • Template Changes
      • DynamoDB data source: credential data access
    • Upgrading from 9.6.X to 9.7.0
      • Maximum length of inputs used for secret/password validation
      • User Info claims
    • Upgrading from 9.7.X to 10.0.0
      • Token Handler Applications
      • OpenID Connect Authenticator - Signed UserInfo Responses
      • Email Authenticator
      • BankID Authenticator
      • JDBC Data Source - Deprecation of old credential storage schema and related credential modes
      • User Management - Username updates and account deletion with legacy credential data sources
      • OAuth Client Authentication
      • SDK
      • Original Query parameter encoding
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Application Service Admin Guide
  • Overview
    • Token Handler Application
      • Creating a Token Handler Application
      • Configuring a Token Handler Application
      • Token Handler Application API
      • SPA Integration
  • Defining an Application Service Profile
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Multi-Tenancy
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • Risk Assessment
      • IP address check on same device
      • BankID on the Phone
      • BankID Backchannel Authenticator
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
      • Launch behavior
      • Change specific browser behavior
      • Disable autostart
      • Debugging the templates
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • One Time Password (OTP) Code
      • Inactive Accounts
      • Email Throttling
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • The Data Deletion Request Callback URL
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Binding Message
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Returned attributes
      • Parameter Mappings
      • Configuration
    • OpenID Wallet
      • Configuring OpenID Wallet Authenticator
      • Anonymous JWKS Endpoint
      • Further Reading
    • Passkeys
      • Configuring a Passkeys authenticator
      • Registering devices
      • Hypermedia Authentication API
      • Discoverable Credentials
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Multiple Device registration
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
      • Actions prompts and backwards navigation
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Bundle Action
      • Configuration
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
      • Use SSO on second factor
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Single Sign-On of second factors
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Registered Passkey
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Require Active Account
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Sign-In Selector
      • Configuration
    • Signup
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Multi-Tenancy
    • Requirements to Multi-Tenancy
    • Configuring Multi-Tenancy
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • OAuth 2.0 Token Exchange
      • Default OAuth 2.0 Token Exchange Behaviour
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
      • Introspect with application/jwt as accept header
    • Json Web Key Set (JWKS)
    • Device Authorization Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
    • Claim configuration
      • Claim mappers
      • Claim value providers
      • Configuring a claim
      • Claim Type
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • OAuth Metadata
  • OpenID Connect Metadata
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • Database Client Management
    • Database Client VS DCR
    • Enabling Database Clients
    • Configuring a Data Source
    • Create a Database Client Endpoint
    • Authorization Access
    • Managing Database Clients in the DevOps Dashboard
    • Configuring Clients
    • Warnings
    • Database Client Limitations
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
    • User Info
    • Dynamic Client Registration
    • Database Client Management
    • Device Authorization
    • OpenID Connect Sessions
    • Backchannel Authentication
    • Verifiable Credentials
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
    • Database Clients upload client certificate PEM
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
      • Using Custom Token Issuers
      • Using Custom Token Introspecters
  • Verifiable Credential Issuance
    • Pre-authorized Code Flow
      • Pre-authorized Code and User PIN Issuance
    • Rich Authorization Requests (RAR) support
    • Formats and data models
      • W3C data model
      • SD-JWT VC data model
    • Endpoints
      • Token procedures
    • Credential Request Handling
      • jwt_vc_json format - W3C data model
      • vc+sd-jwt format - SD-JWT VC data model
      • Token Issuers
      • Authorization Requests
    • Configuration Model Summary
    • Configuration Example
  • Granted Authorization GraphQL API
    • Endpoint
    • Access Control
    • Licensing
    • Limitations
      • Granted Authorization Queries
      • Granted Authorization Mutations
      • GraphQLObligation.CanDeleteAttributes obligation
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
      • Sorting
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
    • User Credentials
      • Password validation
    • Username updates
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
    • OAuth 2.0 Token Exchange Customization
      • Introspection of provided tokens
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Authentication Service Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with Velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customize branding per Application
    • Customizing the Look and Feel
      • Creating Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Assets
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Right-to-left languages
      • How Curity supports Right-to-left languages
      • Set up the language
      • Default RTL Languages
      • Message Files
      • CSS Logical Properties
      • Custom Styling
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
      • Attestation fallback and dynamically registered clients
    • Authorization code and refresh token binding
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • Database Client limitations
    • MongoDB limitations
      • Starts With Filter Type
    • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • Curity Admin Web UI
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Invoking YANG Actions Using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
      • Re-encrypting custom Plugin configuration
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Environment
      • Localization
      • White-listed-proxies
      • Distributed-service
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
      • Telemetry
    • Profile
      • User-management-service
      • Apps-service
      • Authentication-service
      • Authorization-server
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
      • Credential-policies
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

OAuth Client Configuration

An OAuth client can be configured statically through the Web UI, the Command Line Interface or through the RESTCONF API. The client is identified by a client_id, the value that is used throughout performing the different OAuth (RFC 6749) and OpenId Connect (OpenId Connect Core Specification) flows.

Tip

To store clients in a Data Source instead of in configuration, see Database Client Management.

When choosing a value for client_id, the whitespace character is prohibited. Other than that, all printable ASCII-characters are allowed. The client_id value has no technical limitations on its length. While the Web UI treats special characters differently, it is always possible to set a client_id-value through the CLI or through REST CONF.

Client Capabilities

Client capabilities define the capabilities that should be allowed for a given client. The capabilities can be broadly divided into two types, grant types to allow what “flows” a client is allowed, and token types that define what a client is allowed to do with obtained tokens, such as introspecting them.

Capability	Type	Description
authorization-code	Grant type	Allows Authorization Code Grant
implicit	Grant type	Allows Implicit Grant
resource-owner-password-credentials	Grant type	Allows Resource Owner Password Credentials Grant
client_credentials	Grant type	Allows Client Credentials Grant
assisted-token	Grant type	Allows Assisted Token Grant
ciba	Grant type	Allows Backchannel Authentication Grant
introspection	Token	Allows Token Introspection
token-exchange	Token	Allows Token Exchange
device-flow	Token	Allows Device Flow.

Hybrid Capabilities

OpenID Connect defines a set of flows referred to as hybrid flows. These are not entirely new flows but rather, as the name suggests, combinations of available flows such as authorization code and implicit. These are not defined as separate capabilities in Curity, but will automatically be allowed if OpenID Connect is enabled and the capabilities involved are allowed separately. To continue with the example, if both authorization code and implicit are configured to be allowed capabilities for a client, OpenID Connect is allowed on the profile and the client is granted the openid scope, then hybrid flows such as token code id_token will be allowed automatically.

User Authentication

OAuth clients that require user authentication may be configured with the following properties:

Parameter Name	Mandatory	Description
allowed-authenticators	No	the authenticators to be used by this client (reference by ID). If not set, all authenticators are allowed.
authenticator-filters	No	any Authenticator Filters to be used by this client.
template-area	No	allows specifying The Template Override System to override some (or all) templates being used.
required-claim	No	a mandatory claim
context-info	No	a message that can be shown to users during authentication.
force-authn	No	whether user authentication is forced at all times.
freshness	No	maximum age in seconds after which re-authentication must take place.
allowed-origins	No	list of URIs or URI-patterns that is allowed to embed the rendered pages inside an iframe or be a trusted source. See Framable User Interface for details.

Client Authentication

Client authentication is the process of a client providing credentials such that the OAuth Profile can confirm the identity of that client (i.e. client_id). The simplest way to do it is to use a Client Secret. More advanced authentication methods are also available in the form of Client Assertion’s, which is JWT’s signed by the client with a signature recognizable by the server.

Note that in configuration (client-authentication), client secret authentication (named basic-and-form-post) is enabled by default, while asymmetric algorithms needs to be enabled before client assertion tokens can be used for client authentication. See section on Client Assertion for more info on configuration and setup of that.

Client Secret

Client authentication using Client Secret can be done either through the “Authorization” request header, or through form-encoded parameters. Note that if both mechanisms are providing credentials, the “Authorization” header credentials are preferred and the credentials from the POST-body data are ignored.

Authorization Request Header

To authenticate a client through the Authorization request header, the client_id and client_secret need to be encoded and provided as the value of the Authorization header. Encoding is the process of URL-encoding the client_id and the client_secret, then concatenating the results with a “:” character between them, and finally base64-encode the result.

Example:

When the client_id is ‘client-one’ and the client_secret is ‘nobodyknows’, then first the values need to be URL-encoded and concatenated with “:” character:

client-one:nobodyknows

Copy

Now the base64 encoded string of that becomes:

bXktY2xpZW50Om5vYm9keWtub3dz

Copy

In the request header, this translates the following header:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: example.curity.se
Authorization: Basic bXktY2xpZW50Om5vYm9keWtub3dz

Copy

Note

Since version 10.0, the Curity Identity Server performs URL-decoding of the userid and the password components of the Authorization header value to establish the client ID and secret. This aligns with OAuth 2.0, which states that clients should encode their ID/secret in this context. To avoid blocking server upgrades in cases where client secrets contain encoding sequences (e.g. +) but clients are not URL-encoding them in the Authorization header, the se.curity:identity-server:authorize:allow-unencoded-client-secret-on-basic-auth system property can be set to true. In this case, the server also checks the client secret without decoding it, as a fallback. Note that this property is meant to allow a transition period on edge-case scenarios and it will be removed in a future major release. Clients should be updated to URL-encode the ID and secret for the Authorization header value or use values without unsafe characters.

Post-body

If passing client credentials through the Authorize-header is not an option, the post-body can also be used to do so. To support this, the HTTP Request must be a POST-request with a correctly encoded content type (“application/x-www-form-urlencoded”). The body must then contain the plain client_id and client_secret parameters.

Example:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: example.curity.se

client_id=client-one&client_secret=nobodyknows

Copy

Client Assertion

Instead of authenticating with a client ID and secret, a client can be configured to authenticate with JWT, signed with an asymmetric key (a private RSA key, where the public key is stored in a keystore known to Curity). In the following example, an asymmetric key will be used for signing the JWT.

Server configuration

Ensure that at least one signature-algorithm is selected for client-authentication in the configuration to allow for asymmetric algorithms like RS256 to be used for client authentication. When allowing JWT’s to be used for client authentication, two options for configuration emerge under the node aptly named using-jwt. If enforce-unique-jti-values is set the jti (JWT ID) value of each JWT sent will be checked and authentication denied if Curity has seen the same jti being used before. This ensures that client assertion JWT’s must be used as one off tokens. While a very good practice, as this might be quite cumbersome for the client this setting is disabled by default. Setting the clock-skew allows for some difference in time between the signing client and Curity. The default of 10 seconds should be enough for most cases, but adjust if needed.

Client configuration

Using the asymmetric-key setting on our client, we can point to a public key (signature verification key) stored by Curity. The private key used for signing does not have to be available to anyone but the client. Note that the algorithm used must correspond with the one defined in the JWT header (see example below).

Example client assertion JWT

Both the sub (subject) and the iss (issuer) claim must correspond to the client ID of the authenticating client. The aud (audience) claim is the receiver of the token and should be that of a configured token endpoint in Curity or the Curity server issuer. The jti is the ID of the token and should preferably be unique (see Server configuration above for how to enforce this), but could be any value. Last, the exp (expires) claim defines when the token should no longer be considered valid (seconds since epoch).

JWT header

{
    "alg": "RS256",
    "typ": "JWT"
}

Copy

JWT body

{
    "sub": "client-one",
    "iss": "client-one",
    "aud": "https://curity.example.org/oauth/v2/token",
    "jti": "958af185-2bb8-4a08-be87-3f89138c0b6e",
    "exp": 1511801974
}

Copy

The JWT is now signed with a private key for which Curity has the corresponding public key stored in its keystore and referenced by the client (which in the example above would be client-one).

The client assertion JWT is now ready to be used at an endpoint that would normally accept client credentials, such as the token, introspection or revocation endpoints. An example request could look something like this:

POST /oauth/v2/token HTTP/1.1
Host: curity.example.org
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.
eyJpc3Mi[...omitted for brevity...].
cC4hiUPo[...omitted for brevity...]

Copy

More information on client assertion JWT’s can be found in the OpenID Connect specification on Client Authentication as well as RFC 7253 (note however that Curity does not implement the latter specification in it’s entirety).

Workload Identity Support

The Curity Identity Server supports client authentication using workload identities. When a platform where workloads run issues a client assertion JWT, it usually conforms to RFC 7253. The body of such a JWT could look similar to this:

{
  "aud": [
    "https://login.examplecluster.com/oauth/v2/oauth-anonymous"
  ],
  "exp": 1701463685,
  "iat": 1701456485,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "nbf": 1701456485,
  "sub": "system:serviceaccount:applications:mywebworkload"
}

Copy

Note that:

• it has no jti claim
• the iss claim contains the platform issuer string (instead of client ID)
• the sub claim contains the string identifying the workload identity

The JWT assertion signature should be verified with a key obtained from a JWKS URI, which is provided by the platform, such as https://kubernetes.default.svc.cluster.local/openid/v1/jwks.

When the Curity Identity Server validates JWT assertions used for client authentication, by default it requires that the jti claim is present; and sub and iss claims have to both contain the client ID. To make platform-issued JWT assertions pass the Curity Identity Server validation, a client could have the jwks-uri client authentication configured with the uri pointing the the JWKS URI provided by the platform. Additionally, the assertion-jwt-validation settings (a sibling to the jwks-uri configuration) has to be configured. These settings are comprised of:

• issuer, which has to be set to the platform issuer string
• jti-required, which has to be set to false in case the platform issues JWTs assertions with no jti claim.

The Curity Identity Server will use the sub claim to identify the client which should be authenticated with the received assertion JWT. This claim will contain a string identifying the workload, which can be a string like spiffe://examplecluster.internal.com/ns/applications/sa/mywebworkload. It can be undesired to have clients with such complicated names, therefore the Curity Identity Server provides an option to configure a mapping from the value in the sub claim to a client ID. The mapping configuration option is called client-id-mappings and it can be found in the client-authentication’s using-jwt container. To map a sub claim value of spiffe://examplecluster.internal.com/ns/applications/sa/mywebworkload to a client ID of my-client, use a configuration like this:

...
    <client-authentication>
      <using-jwt>
        <client-id-mappings>
          <client-id-mapping>
            <sub>spiffe://examplecluster.internal.com/ns/applications/sa/mywebworkload</sub>
            <client-id>my-client</client-id>
          </client-id-mapping>
        </client-id-mappings>
      </using-jwt>
    </client-authentication>
...

Copy

This mapping will be used for all JWT assertions used for client authentication.

Secondary authentication

It is also possible to define an optional secondary client authentication method, used only if the request failed client authentication using the primary method. This secondary method is useful for achieving high availability even during client credential rotations or authentication method upgrades.

• Example: update client secret from S1 to S2.
  1. Configuration administrator changes secret from S1 to S2 on the primary method and creates a secondary method using the S1 secret. This ensures that both S1 and S2 will be usable simultaneously.
  2. Client stops using S1 and starts using S2.
  3. Configuration administrator removes the secondary method.
• Example: update client from using secret S1 to use client assertions with key K1.
  1. Configuration administrator changes primary authentication from secret S1 to client assertion susing key K1. In the same configuration change, she also creates a secondary method using the S1 secret, allowing both methods to be used simultaneously.
  2. Client stops using S1 secret and starts using client assertions with key K1.
  3. Configuration administrator removes the secondary method.

When defining a secondary method it is also possible to define an associated expiry date, after which the secondary method will not be usable.

Client Framability

To integrate the OAuth token issuance process, the Token Service offers specific capabilities to allow its user screens to be embedded through IFRAMEs. While the default behaviour of HTML-pages is to not be allowed to be framed (due to security reasons, i.e. clickjacking prevention), it is however possible to allow framing on a per-client base.

The configuration and use of framability controls for OAuth clients is the same as for Service Providers. Please see Framable User Interface of Service Providers for further instructions.

Examples

To configure an OAuth-client to be framable from https://outer.example.com/main, ensure that the client’s allowed-origins contains at least this value, i.e.

...
      <client-store>
        <config-backed>
          <client>
            <id>client-one</id>
            ...
            <allowed-origins>https://outer.example.com</allowed-origins>
            ...
          </client>
        </config-backed>
      </client-store>
...

Copy

Redirect URI validation

The flows that use the front channel rely on browser redirects to report a result from Curity Identity Server back to the client, for example the code flow uses a redirect to return the authorization code, and the implicit or hybrid flows return tokens through the redirect URI. For this, a client is configured with one or more allowed redirect URI’s that Curity Identity Server can use. A client can, or sometimes _must_, provide the redirect URI in a request.

When a redirect URI is received, it is validated against a client’s preconfigured (or a dynamically registered client’s pre-registered) allowed redirect URIs. An exact match is always accepted, but some validation rules may be explicitly circumvented under specific conditions.

Validation policies

Redirect URI validation policies define a set of rules that are used to determine whether a provided redirect URI is acceptable with respect to what is allowed by configuration.

A policy can specify some validation rules to be omitted or loosened up. A number of rules are only applicable to authenticated requests, where it is possible to authenticate the client or the authenticity and integrity of the request parameters. This is the case for Pushed Authorization Requests and JWT Secured Authorization Request (JAR).

Multiple Redirect URI validation policies can be configured for an OAuth profile, where one policy is set as default. The default policy is used to validate the redirect URI that a client uses, unless the client is configured to use another redirect URI validation policy. For dynamically registered clients, either the profile’s default validation policy is used, or the one validation policy that is configured for non-templatized DCR settings is used for all non-templatized DCR clients.

Note

Redirect URI validation policies will only be available when validate-port-on-loopback-interfaces is enabled and allow-per-request-redirect-uris are disabled, which is the case by default.

Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)

By default, the port on loopback interfaces (e.g. localhost or 127.0.0.1) is part of the validation rules. This can be overridden on a per-client basis, such that the client is allowed to vary the port whenever the redirection takes place to an address that is resolved on the loopback interface.

When using Pushed Authorization Requests, there is an option to allow redirect URIs for the same origin, i.e. a client is allowed to provide a redirect URI that matches a configured allowed URI’s scheme and host part only.

Important

The options to configure validate-port-on-loopback-interfaces and allow-per-request-redirect-uris are deprecated in favour of Redirect URI validation policies. Until they are removed from Curity, it is not possible to use these two settings at the same time with Redirect URI validation policies. In order to use Redirect URI validation policies, the validate-port-on-loopback-interfaces option must be _enabled_ and the allow-per-request-redirect-uris option must be _disabled_, on the profile, DCR and client settings.