Open ID Connect

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

Use root CA certificate bundle when validating certificate of discovery url.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

• query
• form-post

• code
• id-token

Only code is supported at this point.

If no role is specified when invoking a oidc-login, then this role is used.

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

Use root CA certificate bundle when validating certificate of discovery url.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

• query
• form-post

• code
• id-token

Only code is supported at this point.

If no role is specified when invoking a oidc-login, then this role is used.

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

Use root CA certificate bundle when validating certificate of discovery url.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

• query
• form-post

• code
• id-token

Only code is supported at this point.

If no role is specified when invoking a oidc-login, then this role is used.

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

Optionally configured list of aud claims. If configured, at least one entry must match.

Claim to use as unique user identifier.

If configured the sub claim must match this value.

All entries must be present in the claim and their values must match.

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

Scopes to request from OIDC server. The openid scope is always added.

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.

Optionally configured list of aud claims. If configured, at least one entry must match.

Claim to use as unique user identifier.

If configured the sub claim must match this value.

All entries must be present in the claim and their values must match.

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

Scopes to request from OIDC server. The openid scope is always added.

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.

Optionally configured list of aud claims. If configured, at least one entry must match.

Claim to use as unique user identifier.

If configured the sub claim must match this value.

All entries must be present in the claim and their values must match.

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

Scopes to request from OIDC server. The openid scope is always added.

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.

Name of oidc service to use if no service is provided to the oidc-login action.

Maximum number of concurrent pending oidc login sessions.

Name of oidc service to use if no service is provided to the oidc-login action.

Maximum number of concurrent pending oidc login sessions.