In OAuth and OpenID Connect deployments, you can use mapping rules to customize your use
of Verify Identity Access features.
Verify Identity Access provides template mapping rules that you can use when configuring OAuth
and OpenID Connect deployments. For OIDC, the rules are automatically included when you create an
OIDC API Protection definition. One mapping rule is used pre-token generation. The other mapping
rule is used post-token generation.
Note: If you created API definitions in a prior release of
Verify Identity Access, and updated to
Version 9.0.4, you have the option to enable OIDC. However, enabling OIDC and saving the definition
does not update the mapping rules. You can manually update the mapping rules by following the
instructions in
Updating mapping rules when enabling OIDC.
Table 1. Mapping Rules
| Mapping Rule |
Supported Actions |
| oauth_20_pre_mapping.js |
- Use a user registry for verification of the username and password for the ROPC scenario.
Optionally, force sourcing the ROPC password validation config from ldap.conf.
- Show an example of the ROPC scenario using an external service for verification of the username
and password.
- Limit the number of tokens per user per client, and specify the algorithm to use.
- Customize ID Token
- Specify whether to only allow confidential clients to introspect or revoke tokens
- Discover the request_type and the grant type.
- Limit the number of grants per user per client.
- Enable a token lookup example.
- Enable custom tokens
- Enable assertion grants
- Calling additional STS chains
|
| oauth_20_post_mapping.js |
- Associate attributes
- Deletetokens
- Makean HTTP(S) callout
- Update a token
- Register an Authenticator for MFA
- Enforce that clients are only introspecting their own tokens
- UserInfo Customization
- Produce JWT UserInfo
- Call additional STS chains
- Return additional attributes to the user via response attributes.
|