7.4.0

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Tracing
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 4.0.X to 4.1.0
      • Changes Related to Claims Request Parameter Processing
      • Upgrading the XML Configuration
      • New Templates
      • New Message Files
      • Upgrading Assisted Token JavaScript
      • SDK Changes
    • Upgrading from 4.1.X to 4.2.0
      • SDK
      • Upgrading the XML Configuration
    • Upgrading from 4.2.X to 4.3.0
      • Upgrading the XML Configuration
      • Front-End Templates
      • New Messages
      • Changes Related to Invalid Mutual TLS Usage
    • Upgrading from 4.3.X to 4.4.0
      • Updating templates
    • Upgrading from 4.4.X to 4.5.0
      • Net iD Access authenticator
      • Axiomatics Authorization Manager
    • Upgrading from 4.5.X to 5.0.0
      • Upgrading the XML Configuration
      • SDK
      • Updating Databases
      • Other
    • Upgrading from 5.0.X to 5.1.0
      • SDK
      • SSO cookie Changes
    • Upgrading from 5.1.X to 5.2.0
      • SDK
    • Upgrading from 5.2.X to 5.3.0
      • HTML-Form Authenticator
      • Transaction Metadata API
      • SDK
    • Upgrading from 5.3.X to 5.4.0
      • Upgrading the XML Configuration
      • OpenID Connect Response Types and ID Tokens
      • Reset Password Links and Email Templates
      • Deprecated SDK methods
      • Robots.txt file in Webroot Directory
      • Client ID in Prometheus metrics
      • Debug Attribute Action Included
      • Changes to HAAPI representantions
      • Alarms
    • Upgrading from 5.4.X to 6.0.0
      • Upgrading the XML Configuration
      • Updating Templates
      • Umask Explicitly Set
      • Changes to HAAPI client configuration
      • Changes to the HAAPI attestation policies
      • Changes to the HAAPI SDK
      • Changes to the HAAPI Android SDK
      • Transaction Metadata API
      • REST API Removal
    • Upgrading from 6.0.X to 6.1.0
      • Apache Velocity Engine
    • Upgrading from 6.1.X to 6.2.0
      • Upgrading the XML Configuration
      • Logging of BankID messages
    • Upgrading from 6.2.X to 6.3.0
      • Upgrading the XML Configuration
      • Updating Templates
      • RESTCONF Conformance Updates
      • TLS 1.0 and 1.1 Disabled
      • SDK
    • Upgrading from 6.3.X to 6.4.0
      • Default Java Options Changed
      • Java Upgraded to Version 11
      • SDK
      • Changes to the HAAPI Web SDK
      • DPoP Proof Token Clock Skew
      • DN Certificate Validation
    • Upgrading from 6.4.X to 6.5.0
      • BankID Authenticator and Signing Consentor Messages
      • Logging Changes
    • Upgrading from 6.5.X to 6.6.0
      • Relaxation of DN Certificate Validation
      • Changed Default for Maximum Number of Request Threads
    • Upgrading from 6.6.X to 6.7.0
      • Updating Databases
      • Removal of OpenSSL dependency
      • Redirect URI validation
      • Template Updates
    • Upgrading from 6.7.X to 6.8.0
      • SDK Changes
      • Serialization
      • TLS
      • RESTCONF
      • Template Updates
      • Deprecation of the Net iD Authenticator
      • BankID authenticator
      • BankID Consentor
    • Upgrading from 6.8.X to 7.0.0
      • Upgrading the XML Configuration
      • SDK Changes
      • Java Upgraded to Version 17
      • Procedures API Changes
      • Log4j2 Changes
      • Database Changes
      • Prometheus Metrics
      • Validation for Endpoint URIs Changed
      • NetiD Access Authenticator
      • BankID Authenticator and Signing Consentor
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • Common Usecases
    • SITHS Authentication with attributes from Active Directory
      • 1. Windows Connector
      • 2. SITHS Authenticator
      • 3. Test App
      • 4. Test configuration
      • 5. Active Directory Data Source
      • 6. Attribute Transformer
      • 7. Add transformer to the authenticator
      • 8. Test the configuration
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • Configuration
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML
      • Paths
      • Validation Scripts
      • Configuration
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
    • Json Web Key Set (JWKS)
    • Device Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Sass to CSS
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authorization-server
      • Authentication-service
      • User-management-service
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

OpenID Connect

The Curity Security Token Server supports OpenID Connect. This is enabled by enabling openid configuration for the token profile that should support it. This enables the use of ID Tokens which represents user-authentications. When this mode is enabled, clients can also get more information about a user via the user info endpoint. Metadata can also be exposed when this option is enabled.

Fig. 148 Disabled OpenID Connect as shown in the GUI

OpenID Connect is disabled by default, but can be enabled for any OAuth profile. To do so using the admin GUI, go to OAuth ‣ $PROFILE_NAME ‣ General and then enable the Open ID Connect option as shown in Fig. 149

Fig. 149 Enabling OpenID Connect in the admin GUI

When OpenID Connect is enabled, the following options can also be configured:

id-token-ttl

Path :/profiles/profile{id, type}/settings/authorization-server/openid-connect/id-token-ttl

The amount of time that an ID token should be valid for

passthrough-unscoped-claims

Path :/profiles/profile{id, type}/settings/authorization-server/openid-connect/passthrough-unscoped-claims

When false, all non-standard attributes returned from the account data source will be removed unless there is a corresponding scope that the end user has authorized. Setting this value to true will cause such attributes to be included in the user info endpoint’s response.

Metadata

Aside from these settings, it is also possible to configure that OpenID Connect metadata should be exposed. This is disabled by default, but can be enabled by toggling the associating setting in the GUI or setting in the CLI. In order for OpenID Connect metadata to be exposed, certain conditions have to be met. The configuration will not validate if these conditions are not met. These include:

• The OAuth profile must have one and only one anonymous endpoint
• An authorize endpoint must be defined
• A token endpoint must be defined if the profile supports the client-credentials, code, resource-owner-password-credentials, or token-exchange capabilities
• If there are more then one of any of the following kinds of endpoints, then which one should be exposed in the metadata must be configured: oauth-authorize, oauth-token, oauth-userinfo, oauth-assisted-token, oauth-revoke, oauth-introspect.

If all of these conditions are met, then the metadata can be obtained by requesting the subroute /.well-known/openid-configuration under the anonymous endpoint. For example, if the anonymous endpoint is configured to be ~, then this would be at /~/.well-known/openid-configuration on the host that is serving the OAuth profile’s anonymous endpoint. If this endpoint were hosted on a service that used the HTTPS protocol, had a hostname of localhost and was listening on port 8443, then the metadata would be accessible at https://localhost:8443/~/.well-known/openid-configuration.

The metadata in this response is mostly defined by the OpenID Connect and OAuth metadata standards where applicable. The included metadata and its meaning is described in the following table:

OpenID Connect Metadata

OpenID Connect metadata fields that are returned depending on various configuration

Object Properties:  

• issuer (string) – The issuer ID. This will be the URL of the anonymous endpoint unless issuer-override has been set to some non-URL value.
• introspection_endpoint (url) – If there is only one introspection endpoint defined in the profile, then the URL of this endpoint. If there are multiple, the URL of the one that is configured to be exposed. If no introspection endpoint is defined in the profile, this value will not be included in the response.
• authorization_endpoint (url) – If there is only one authorization endpoint defined in the profile, then the URL of this endpoint. If there are multiple, the URL of the one that is configured to be exposed.
• token_endpoint (url) – If there is only one token endpoint defined in the profile, then the URL of this endpoint. If there are multiple, the URL of the one that is configured to be exposed. If there is no token endpoint defined in the profile and the profile does not support the client-credentials, code, resource-owner-password-credentials, nor the token-exchange capabilities, then this value will be not be included in the response.
• jwks_uri (url) – The URL of the JSON Web Key Set (JWKS). This will be the URL of the OAuth profile’s anonymous endpoint with jwks appended.
• revocation_endpoint (url) – If there is only one revocation endpoint defined in the profile, then the URL of this endpoint. If there are multiple, the URL of the one that is configured to be exposed. If there is no revocation endpoint defined in the profile, then this value will be not be included in the response.
• assisted_token_endpoint (url) – If there is only one assisted endpoint defined in the profile, then the URL of this endpoint. If there are multiple, the URL of the one that is configured to be exposed. If there is no assisted token endpoint defined in the profile and the profile does not support the assisted-token capabilities, then this value will be not be included in the response.
• scopes_supported (string[]) – The scopes that the OAuth profile supports which always includes openid.
• response_types_supported (string[]) –

  The response types that the OAuth profile supports. The elements of the array will be as summarized in the following table:

  Capability Enabled in the OAuth Profile	JSON Array Values
  code	code code id_token code id_token token id_token
  implicit	id_token id_token token token
  code and implicit	code token code token id_token
  client-credentials	token
  resource-owner-password-credentials	token

• response_modes_supported (string[]) – The response modes that the OAuth profile supports. If the code capability is enabled, the array will include query, and if the implicit capability is enabled, the array will also include fragment. If both of these capabilities are supported in the profile, this array will contain both of the associated values.
• grant_types_supported (string[]) –

  The grant types or “flows” that are supported by the OAuth profile. The elements of the array will be as summarized in the following table:

  Capability Enabled in the OAuth Profile	JSON Array Values
  code	authorization_code refresh_token
  implicit	implicit
  resource-owner-password-credentials	password refresh_token
  client-credentials	client_credentials
  token-exchange	https://curity.se/grant/accesstoken
  assisted-token	https://curity.se/grant/assisted-token
  backchannel-authentication	urn:openid:params:grant-type:ciba

• acr_values_supported (string[]) – The ACRs of all authenticators in the authentication profile associated with the profile.
• subject_types_supported (string[]) – An array containing the string value pairwise, and when pairwise subject identifiers are not required, will also contain the string value public.
• id_token_signing_alg_values_supported (string[]) – A singleton array containing the string RS256.
• token_endpoint_auth_methods_supported (string[]) – An array containing the strings client_secret_post and client_secret_basic which represents the authentication methods supported by the token endpoint.
• revocation_endpoint_auth_methods_supported (string[]) – An array containing the strings client_secret_post and client_secret_basic which represents the authentication methods supported by the revocation endpoint.
• claim_types_supported (string[]) – An array containing the single string value normal, meaning that only normal claims, as opposed to distributed claims, are supported. Distributed claims can be supported using token issuance procedures, but the Curity Security Token Server does not advertise support for this in the metadata.
• ui_locales_supported (string[]) – An array containing the BCP47 formatted names of the locals installed in the the Curity Identity Server. If a new locale is added to the $IDSVR_HOME/usr/share/messages/overrides directory, this new locale will be added to the published metadata.
• claims_locales_supported (string[]) – The same as ui_locales_supported. Claims may be localized into other languages using token issuance procedures, but these are not included in the metadata.
• code_challenge_methods_supported (string[]) – If the code capability is configured for the OAuth profile, then the array will contain the elements S256 and plain; otherwise, this property will be excluded from the metadata. These values are defined by Proof Key for Code Exchange by OAuth Public Clients (PKCE).
• service_documentation (url) – The URL where developers can find the documentation describing how to integrate with the service. This URL is the one set by the developer-documentation-url configuration setting.
• registration_endpoint (url) – The URL where dynamic clients can submit their registration information to obtain a new client ID and secret. If dynamic client registration is not enabled for the profile, this value will not be included in the response.
• registration_endpoint_auth_methods_supported (string[]) – The authentication methods that are supported by the dynamic client registration endpoint. The value will always be a singleton array containing the value Bearer, meaning a bearer access token that represents the user or client’s authorization of the caller. If dynamic client registration is not enabled for the profile, this value will not be included in the response.
• op_policy_uri (url) – The policy URL where developers of dynamically registered clients can obtain the policy by which registration is governed.
• op_tos_uri (url) – The URL of the terms of service that dynamic clients can show to users, so they are aware of the conditions under which they may use the OAuth server.
• end_session_endpoint (url) – the URL that the RP can redirect the user to to request Logout
• check_session_endpoint (url) – the URL that the RP can load in an IFrame to check the user’s SSO status with the OP, see Session Endpoint
• frontchannel_logout_supported (boolean) – indicates whether front channel logout notification is supported
• frontchannel_logout_session_supported (boolean) – indicates whether front channel logout notification from Curity can include the logged out sid as parameter to the logout uri
• backchannel_logout_supported (boolean) – indicates whether back channel logout notification is supported
• backchannel_logout_session_supported (boolean) – indicates whether back channel logout notification from Curity can include the logged out sid as claim in the Logout Token
• backchannel_authentication_endpoint (url) – the URL used for initiating backchannel authentication
• backchannel_token_delivery_modes_supported (string[]) – An array containing the string value poll
• backchannel_authentication_request_signing_alg_values_supported (string[]) – A singleton array containing the string RS256.
• id_token_encryption_alg_values_supported (string[]) – The key management algorithms for ID token encryption allowed by the OAuth profile. If encrypted ID tokens are not enabled this value will not be included in the response.
• id_token_encryption_enc_values_supported (string[]) – The content encryption algorithms for ID token encryption allowed by the OAuth profile. If encrypted ID tokens are not enabled this value will not be included in the response.

An example of the OpenID Connect metadata is shown in Listing 161.

Listing 161 Example OpenID Connect metadata

{
  "introspection_endpoint": "https://localhost:8443/introspection",
  "scopes_supported": [
    "read",
    "admin_read",
    "openid",
    "profile",
    "admin_write",
    "write",
    "email"
  ],
  "issuer": "https://spruce:8443/dev/oauth/anonymous",
  "acr_values_supported": [
    "urn:se:curity:authentication:google:google1",
    "urn:se:curity:authentication:sms:sms2fa",
    "urn:se:curity:authentication:sms:sms1",
    "urn:se:curity:authentication:html-form:html2fa",
    "loa1"
  ],
  "authorization_endpoint": "https://localhost:8443/dev/oauth/authorize",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "service_documentation": "https://localhost/developer-documentation-url",
  "claim_types_supported": [
    "normal"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "response_modes_supported": [
    "fragment",
    "query"
  ],
  "token_endpoint": "https://localhost:8443/dev/oauth/token",
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "grant_types_supported": [
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "https://curity.se/grant/accesstoken",
    "authorization_code",
    "urn:openid:params:grant-type:ciba",
    "https://curity.se/grant/assisted-token"
  ],
  "backchannel_authentication_endpoint": "https://localhost:8443/bc-auth",
  "backchannel_token_delivery_modes_supported": [
    "poll"
  ],
  "backchannel_authentication_request_signing_alg_values_supported": [
    "RS256"
  ],
  "ui_locales_supported": [
    "sv",
    "en"
  ],
  "revocation_endpoint": "https://localhost:8443/revoke",
  "userinfo_endpoint": "https://localhost:8443/dev/oauth/userinfo",
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "jwks_uri": "https://localhost:8443/dev/oauth/anonymous/jwks",
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "S256"
  ],
  "assisted_token_endpoint": "https://localhost:8443/assisted-token",
  "claims_locales_supported": [
    "sv",
    "en"
  ]
}

The “claims” request parameter

There are two ways to request profile data to be included in the ID-token or the response of the user info endpoint, which are by requesting scopes and by requesting individual claims through the claims request parameter. As specified by OpenID Connect, the claims parameter is a JSON document which has the option to request each claim individually, as opposed to the claim sets that are specified by the OpenID scopes.

Given that OpenID Connect is enabled on the profile, claims request parameter support is enabled by default. When more fine grained control over the requested claims is needed, it is possible to do so from the different token procedures for each flow that issues an ID token or returns a user info response. By default, the claims parameter is stored with the delegation, and as such it can be found like this:

• In the oauth-authorize-implicit and oauth-token-authorization-code procedures: context.getDefaultDelegationData().requestedClaims
• In the openid-userinfo procedure : context.presentedToken.getDelegationData().data.requestedClaims.

The parameter is the string with the JSON document. To use it, you need to parse it still. An example of how to process the parsed claims request parameter is included in the oidc/claims-parameter directory of the examples. Note that this string comes from an unverified and possible unsafe source (i.e. user input), and parsing it incorrectly could introduce a security vulnerability.

The claims request parameter is used to establish which claims from the profile data must be included in an ID token or in the user info response. If the authenticated account data contains non-standard attributes, there is no enforcement on whether these claims can be exposed. To allow these claims to be exposed, make sure to enable the Pass Through Unscoped Claims configuration option of the OpenID Connect settings on the Token Profile.

There is access control applied on the claims that can be requested by clients. This access control is based on the allowed scopes for the client, in particular the OpenID Connect scopes (profile, email, phone and address). These scopes represent a set of claims, and by these scopes to be requested by a client, this also allows the claims that they represent to be requested through the claims parameter. However, claims that are not OpenID Connect claims are always released when the Pass Through Unscoped Claims setting is enabled (see above).

For example, in case the client does not allow the profile claim to be requested, yet there is a request for the picture claim, this request will be rejected because it is not an OpenID Claim that is represented by an allowed OpenID Connect scope. If instead the request is for the big-picture (which is not an OpenID Connect claim), and Pass Through Unscoped Claims is enabled, then that account attribute would be released if it were available.

Note that requesting the acr claim with a specific value will result in requiring authentication to be performed with that particular acr.

Issuing pseudonymous subject identifiers

By default, when a user authenticates, the authenticated subject is passed along unmodified in tokens issued to the client. In environments where different clients should not be able to share properties that are bound to a subject amongst each other, it is possible to issue pseudonymous subject identifiers. These pseudonyms will be the same for one user to a client, but will be different for that same user to a different client. The intent is that different clients will not be able to link their databases with each other and create a bigger user profile than the user might expect.

The OpenID Connect specification describes a way to express how to issue pseudonymous subject identifiers. Pseudonyms are called Pairwise Pseudonymous Identifiers (PPIDs) because they are based on the pair of Subject Identifier and Sector Identifier. If a sector identifier is not explicitly set, it is derived for each client, based on its registered redirect URI’s: if all the redirect URI’s share the same host component, then this shared host component is used as the sector identifier. If there is no redirect URI or if there are multiple redirect URIs with different host components, then it is required to configure a sector identifier for the client explicitly.

Example A client does not configure a value for sector identifier, but it has registered redirect URI https://www.example.com/cb. In case a pairwise pseudonym is calculated, this is done by taking the host component (www.example.com) of this redirect URI and feeding it into the algorithm. When a user has authenticated as teddie, then the pseudonym to be issued is calculated like:

pseudonymize("teddie", "www.example.com")

In case the client has multiple redirect URIs registered, e.g. https://www.example.com/cb and https://another.example.com/cb, it is required for the client to also register a Sector Identifier. Say the Sector Identifier is registered as Sector Zort, then the pseudonym to be issued is calculated like:

pseudonymize("teddie", "Sector Zort")

Note

Mobile Connect requires a sector identifier to be a URL even for statically registered clients. To conform to this profile, an administrator should use a URL instead of some other value. Be aware that the configuration is not validated for such a case.

Client settings

A client will always be issued a non-pseudonym, unless it is enabled to issue Pairwise Pseudonyms for that client. Once enabled, no more unprocessed subject identifiers will be issued.

Different clients will be issued different pseudonyms for the same user, unless multiple clients share the same Sector Identifier, as explained in the previous paragraph. If this is desired, you can explicitly set the Sector Identifier that is used to calculate a pseudonym for the subject.

Caution

Be careful when changing a Sector Identifier on an existing client, as the result will be that all users will be assigned a new subject identifier; the client will not be able to find out which new subject identifier referred to which old subject identifier.

Profile settings

There is a setting on the profile that indicates whether it is required to issue pairwise pseudonyms to clients. This setting is particularly useful in case a profile is setup for Dynamic Client Registration: when the profile requires pairwise pseudonyms, a new non-templatized client must be registered with a subject_type=pairwise parameter, or it will be rejected upon registration.

To calculate the issued pseudonym, the same logic applies to configured clients as well as dynamically registered clients: by default the explicitly configured Sector Identifier value will be used in the pair of Subject Identifier and Subject Identifier. In case there is no configured sector identifier, the hostname of the configured redirect URI or URI’s will be used. If that fails because none or there are more than one different host names found in the redirect URI’s, an error will occur.

Sector Identifier for Dynamic Client Registration

When doing Dynamic Client Registration, a client can not just say which Sector Identifier it wants to use. The reason for that is to protect users from clients that want to join a sector, and thereby getting issued with the same pairwise pseudonyms as every other client in that sector, without anyone checking that! Instead, a mechanism is in place that will verify whether a sector identifier can be accepted, which is based on the sector_identifier_uri parameter.

Curity supports this approach, and will fetch the document from the location that is referred to in the sector_identifier_uri location. It will verify the document as specified in the OpenID Connect Dynamic Client Registration specification.

You can use the sector-identifier-lookup-http-client configuration option of Dynamic Client Registration settings to change the HTTP client that must be used to look up the sector_identifier_uri document.

When the request is accepted, the hostname component of the sector_identifier_uri will be used as Sector Identifier. For example, if a client registers with the parameters subject_type=pairwise and sector_identifier_uri=https://my.example.com/sector-info, pairwise pseudonyms are calculated as pseudonymize("teddie", "my.example.com")

Templatized Dynamic Client Registration

As Registration Based on a Template Client registers a client based on only a reference to the client template, it could lead to all registered clients using the same Sector Identifier, which effectively reduces a pairwise pseudonym into a regular pseudonym. In this case however, Curity will use the client’s ID of a dynamically registered template client as the sector identifier. Note that this is only the case when the client template is configured to issue pairwise pseudonyms.

Example A dynamically registered client based on a client template was issued the id 192-riw-1uc. In this case, the pairwise pseudonym for user teddie is calculated like this:

pseudonymize("teddie", "192-riw-1uc")