OpenID Connect Relying Party custom properties

Custom properties for the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) help determine the behavior of the OpenID Connect Relying Party (RP). You can define these properties in the Custom Properties window for the OIDC TAI by using the administrative console.

The custom properties are used to determine the behavior of the OpenID Connect RP, and to communicate with an OpenID Connect Provider (OP). You can configure custom properties for multiple OpenID Connect providers.

Avoid trouble: If you are using an outbound proxy, the OpenID Connect RP does not provide a means to route requests through a proxy host automatically.

If you must use a proxy to access the OpenID Connect Provider (OP), the value that you enter for any OP-related URL property must contain the proxy host and port, not the external OP host and port.

In most cases, you can replace the OP host and port with the proxy host and port. The URL that you enter must be visible to both the RP and client (browser or application). For further guidance on how to determine the correct URL to use, contact your proxy administrator.

To assign unique property names that identify each OpenID Connect provider, a provider_<id> is embedded in the property name and used to group the properties that are associated with each OP. The provider_<id>s are numbered sequentially for each OP, where <id> is a number. Properties that are not prefixed with provider_<id> are custom properties that apply to all providers.

Avoid Trouble: The OIDC TAI uses filters to choose the provider configuration to process a request. The properties that define the filters are provider_<id>.filter, provider_<id>.interceptedPathFilter, and provider_<id>.excludedPathFilter. If a request matches the filter conditions for more than one provider, the provider configuration that the TAI chooses is indeterminate.

The properties are grouped into two categories:

Required properties: If these properties are not defined, the RP cannot initialize. Functionally, if the properties are not defined, it is equivalent to no RP installed.
Optional properties: These properties have a default value as documented. They are used to fine-tune the behavior of the RP.

Tip: The properties in the following table are not required for authentication with a JSON Web Token. See Properties Required for a JWT Authentication Only Provider Entry for a list of the properties that are required when a provider entry is only used for JWT authentication.

Table 1. Required custom properties for the OpenID Connect Relying Party
Property name	Values	Description
`provider_<id>.identifier`	You can specify any string value. The property does not have a default value.	Specifies a unique name for each OpenID connect provider that is identified by the `<id>` in the `provider_<id>` prefix. The identifier is created by you and is used to build the redirect URL that is registered with the OP. Example: `provider_1.identifier=abc Redirect URL:https://myrp.com:9443/oidcclient/abc provider_2.identifier=test Redirect URL:https://myrp.com:9443/oidcclient/test`
`provider_<id>.clientId`	You can specify any string value. The property does not have a default value.	Specifies the ID that is used to identify the OpenID Connect RP instance to the OpenID connect Provider server. It must be unique among all the RP clients that are registered to the provider.
`provider_<id>.clientSecret`	You can specify plain text or `XOR` encoded value. The property does not have a default value.	Specifies the secret that is used by the OpenID Connect Provider to secure messages that are sent to this RP client in callback requests. It must match the OpenID Connect Provider's secret that is registered for this client. Example: `app_a_secret {xor}Pi8vAD4ALDo8LTor` The clientSecret parameter is not needed if your OpenID Provider is not expecting it, such as when your token requests use OAuth 2.0 Mutual-TLS Client Authentication as described in RFC8705.
`provider_<id>.discoveryEndpointUrl`	When useDiscovery is set to `true`, the default value for this property is `(issuerIdentifier)/.well-known/openid-configuration`. Note: REQUIRED if EITHER `provider_<id>.authorizeEndpointUrl` OR `provider_<id>.tokenEndpointUrl` is NOT specified.	Specifies the OpenID Connect Provider's discovery endpoint URL. When this property is specified, the following properties are obtained from the discovery result: authorizeEndpointUrl tokenEndpointUrl introspectEndpointUrl userinfoEndpointUrl revokeEndpointUrl endSessionEndpoint jwkEndpointUrl tokenEndpointAuthMethod issuerIdentifier signatureAlgorithm Before version 8.5.5.23, the signatureAlgorithm property was overridden. When the discoveryEndpointUrl property is included in the OIDC TAI configuration, if any of these properties are also included in the configuration, their settings are ignored. A request is sent to the discovery endpoint and the data that is returned is processed when the OIDC TAI is initialized. When the discovery endpoint is not accessible at the time that the TAI is initialized, then the OIDC TAI configuration entries that are associated with the discovery endpoint are not active and its requests are not intercepted. The OIDC TAI does not refresh the data that is received from the discovery endpoint. When the OP changes information in its discovery, then the application server must be restarted. When useDiscovery is set to `true`, the default value for this property is `(issuerIdentifier)/.well-known/openid-configuration`. When the useDiscovery property is set to `false`, the value for this property is ignored.
`provider_<id>.authorizeEndpointUrl`	You can specify any URL value. The property does not have a default value. Note: REQUIRED if `provider_<id>.discoveryEndpointUrl` is NOT specified.	Specifies the endpoint URL for redirecting authorization requests to the OpenID Connect Provider. Example: `https://myoidcop.abc.com:8020/oidc/endpoint/OP/authorize`. If an `acr_values` parameter is present in the value of this property, the TAI verifies that the `IDToken` contains an `'acr'` claim when an `IDToken` is returned from the OP. The TAI also verifies that the value of the claim matches the value of the `acr_values` parameter.
`provider_<id>.tokenEndpointUrl`	You can specify any URL value. The property does not have a default value. Note: REQUIRED if `provider_<id>.discoveryEndpointUrl` is NOT specified.	Specifies the endpoint URL for redirecting token requests to the OpenID Connect Provider. Example: `https://myoidcop.abc.com:8020/oidc/endpoint/OP/endpointe`.

Table 2. Optional custom properties for the OpenID Connect Relying Party TAI
Property name	Values	Description
`provider_<id>.filter`	For information about defining this property, see the SAML TAI filter property section in the documentation about SAML single sign-on (SSO) TAI custom properties.	The property is used to specify a condition that is checked against the request to see whether the TAI protects this request. The format for this property is the same as for the SAML `sso_<id>.sp.filter` property. Unless the provider_<id>.grantType parameter is specified, at least one of the provider_<id>.filter or provider_<id>.interceptedPathFilter properties must be included in the OIDC TAI configuration. The callback URI from the OP, /`callbackServletContext`/`identifier`, is automatically intercepted by the TAI. You do not need to account for the callback in your filter. An example of a callback URL is `https://myrp.com:9443/oidcclient/RP1`.
`provider_<id>.interceptedPathFilter`	You can specify a comma-separated list of URI patterns. The property does not have a default value.	Specifies a comma-separated list of regular expression patterns that are compared against the request URI to see whether the TAI will intercept the request. To intercept ALL requests use "/.". Example: /abcCompanyApps., /snoop Unless the provider_<id>.grantType parameter is specified, at least one of the provider_<id>.filter or provider_<id>.interceptedPathFilter properties must be included in the OIDC TAI configuration. The callback URI from the OP, /`callbackServletContext`/`identifier`, is automatically intercepted by the TAI. You do not need to account for the callback in your filter. An example of a callback URL is `https://myrp.com:9443/oidcclient/RP1`.
`provider_<id>.excludedPathFilter`	You can specify comma-separated list of URI patterns. The property does not have a default value.	The property specifies a comma-separated list of regular expression patterns that are compared against the request URI to determine whether the TAI must not protect the request. It can be used to provide exceptions to the `interceptedPathFilter`. Example: `/abcCompanyApps/admin., /abcCompanyApps/public.`
`provider_<id>.accessTokenIsJwt` 0	You can specify one of the following values: `true` `false` (default)	Set this property to the `true` value if the access token that is returned from the OP is a JWT and you want the TAI to validate the JWT.
`provider_<id>.endSessionEndpoint`	The property does not have a default value.	Before version 8.5.5.23, set this property to the value of the session endpoint for the Open ID provider. The value for the end session endpoint of the Open ID provider can then be accessed with an API. If the `provider_<id>. discoveryEndpointUrl` property is specified, the value for this property is overridden. Set this property to the value of the end session endpoint for the Open ID provider. When this property is set to a value and the `provider_<id>.endSessionEndpointEnabled` property is set to true, the TAI redirects logout requests to the configured end session endpoint. An `id_token_hint` parameter is added to the end session request. If the `provider_<id>.discoveryEndpointUrl` property is specified, the value for this property is overridden. The value for this property can be retrieved with the `OidcClientHelper.getEndSessionEndpoint()` method.
`provider_<id>.endSessionEndpointEnabled`	You can specify one of the following values: `true` `false (default)`	Set this property to `true` to enable RP-Initiated Logout with the URL specified on the `provider_<id>.endSessionEndpoint` property. This process applies if the endpoint was obtained either from a TAI property or discovery. If an end session endpoint is available and the `endSessionEndpointEnabled` property is set to `false`, the `OidcClientHelper.getEndSessionEndpoint()` method can be used to retrieve the configured end session endpoint.
`provider_<id>.endSessionRedirectUrl`	The property does not have a default value.	Set this property to the endpoint to which you want the OP to redirect after logout is complete. The value for this property is passed as the value for the `post_logout_redirect_uri` parameter in the logout request to the OP. Configure your OP to be aware of the endpoint if you provide a value for this property. OPs must redirect to `post_logout_redirect_uri` values that they recognize. Consult your OP documentation for what happens when the `post_logout_redirect_uri` parameter is not included in the logout request.
`provider_<id>.endSessionUseLogoutExitPage`	You can specify one of the following values: `true` `false (default)`	Set this property to `true` to use the value for the `logoutExitPage` parameter as the value for the `post_logout_redirect_uri` parameter. The value for the `logoutExitPage` parameter is on the `ibm_security_logout` request. The value for the `post_logout_redirect_uri` parameter is on the end session request to the OP.
`provider_<id>.introspectClientId`	By default, this property is set to the value provided for the `provider_<id>.clientId` property.	Specifies the clientId to include in the requests to the introspection endpoint of the OpenID Provider.
`provider_<id>.introspectClientSecret`	By default, this property is set to the value provided for the `provider_<id>.clientSecret` property.	Specifies the client password to include in the requests to the introspection point of the OpenID Provider. The property can be specified in plain text or it can be XOR encoded, for example `{xor}CDo9Hgw=`.
`provider_<id>.jwkClientSecret`	You can specify a plain text or XOR-encoded value. The property does not have a default value.	Specifies the client password to include in the basic authentication scheme of the JWK request. The property can be specified in plain text or it can be XOR encoded, for example `{xor}CDo9Hgw=`.
`provider_<id>.jwkClientId`	The property does not have a default value.	Specifies the client identifier to include in the basic authentication scheme of the JWK request.
`alwaysInvalidateAccessTokenOnLogout`	You can specify one of the following values: `true` `false` (default)	By default, if an OIDC session cookie is present on a request when a logout is performed, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request. If this property is set to `true`, the logout is performed by using information from both the OIDC session cookie and the Authorization header of the request, if they exist.
`provider_<id>.defaultRealmName`	The property does not have a default value.	The realm name to use if one is not obtained from the token.
`provider_<id>.encodeNewline`	You can specify one of the following values: `true` (default) `false`	When this property is set to false, the new line characters that exist in POST parameters are not encoded into encoded <br> tags.
`provider_<id>.introspectEndpointUrl`	You can specify any URL value. The property does not have a default value.	Specifies the endpoint URL for calling the OpenID Connect Provider's introspection endpoint. Example: `https://myoidcop.abc.com:8020/oidc/endpoint/OP/introspect`
`callbackServletContext`	You can specify any context root value, but it must match the context root that is configured for the OpenID connect RP callback servlet. By default, this property is set to the value of /oidcclient.	Specifies the context root that is configured for the OpenID Connect RP callback servlet. The property is used by the TAI to filter callback requests from the OpenID Connect Provider. Normally, this property must be set to /oidcclient. The value of this property must match the context root that is configured for deploying the `com_ibm_ws_security_oidc_servlet_war` into the local WebSphere®. It must also match the registered callback for the start of the URIs in the URLs registered for this client to the OpenID Connect Provider. Example: /oidcclient.
`provider_<id>.signatureAlgorithm`	You can specify one of the following values: `none` `HS256` `RS256` `RS512` `HEADER`(default) Before version 8.5.5.23, `RS256` was the default value.	Specifies the algorithm that is used to secure messages from the OpenID Connect provider. When this property is set to `HEADER`, the value is obtained from the header of each inbound token. The signature algorithms that are supported when the value is set to HEADER include any value that is supported by the jose4j open source project, version 0.6.5. See the jose4j open source project for more information.
`provider_<id>.signatureAllowList`	You can specify a comma-separated list of signature algorithms. The property does not have a default value.	Specifies a comma-separated list of signature algorithms that are allowed to secure messages from the OpenID Connect provider. If the `provider_<id>.signatureAlgorithm` property is set to a value other than `HEADER`, this property is ignored. A value cannot be provided for both this property and the `provider_<id>.signatureDenyList` property. The list can include any value that is supported by the jose4j open source project, version 0.6.5, except `HS256`. See the jose4j open source project for more information. In addition to ensuring that the `HS256` signature algorithm is not in the list, the values for this property are also not validated by the `OIDC TAI`.
`provider_<id>.signatureDenyList`	You can specify a comma-separated list of signature algorithms. See the description for the default value.	Specifies a comma-separated list of signature algorithms that are not allowed to secure messages from the OpenID Connect provider. If the `provider_<id>.signatureAlgorithm` property is set to a value other than `HEADER`, this property is ignored. A value cannot be provided for both this property and the `provider_<id>.signatureAllowList` property. The list can include any value that is supported by the jose4j open source project, version 0.6.5. See the jose4j open source project for more information. If the configured list does not include the `HS256` value, the value is added to the list if any of the following conditions are true: The `provider_<id>.useJwtFromRequest` property is set to required. The `provider_<id>.signatureAlgorithm` property is set to `HEADER`. Discovery is in use and `HS256` is not the only value for the `id_token_signing_alg_values_supported` property to claim in the discovery result of the OP.
`provider_<id>.jwkEndpointUrl`	You can specify any URL value. The property does not have a default value.	Specifies the URL of the OP's JSON Web Key (JWK) set document that contains the signing key the RP uses to validate the signature from the OP. The property must be set if the `signatureAlgorithm` custom property is set to `RS256` and you do not set the `signVerifyAlias` custom property to obtain the OP's signing certificate from the default truststore.
`provider_<id>.userIdentifier`	By default, this property is set to the value of `sub`.	The property is set to a claim name used by the vendor's ID Token that represents a user's unique identifier. For example, you can set `userIdentifier = email` if you are using Google's OP. The value for the claim that this property references in the JWT must be a `String`.
`provider_<id>.useDefaultIdentifierFirst`	You can specify one of the following values: `true` `false` (default)	If a custom identifier is specified for the user (`userIdentifier`), unique user (`uniqueUserIdentifier`), group (`groupIdentifier`), or realm (`realmIdentifier`), then the custom value is used only if the default value does not exist in the token.
`provider_<id>.usePkce`	You can specify one of the following values: `true` `false` (default)	Set this property to `true` if you want the TAI to use Proof Key for Code Exchange (PKCE) when authenticating by using the code authorization flow. The OIDC TAI always sets the `code_challenge_method` to `S256` when it uses PKCE. For more information, see Proof Key for Code Exchange by OAuth Public Clients.
`provider_<id>.scope`	By default, this property is set to the value of `openid profile`.	Specifies the scope of the token that is requested from the OpenID Connect Provider. The property determines the level of authorization the issued token would have. Example: `openid general`.
`provider_<id>.issuerIdentifier`	By default, this property is set to the value that is derived from the `authorizedEndpointUrl`.	A comma-separated list of the values allowed for `iss` claim in the `IDToken` or JWT. When `useJwtFromRequest` is not set to `required`, the default value for this property is derived from the `authorizedEndpointUrl` value. For example: `https://myoidcop.abc.com:8020/oidc/v10/endpoint/OP1` The `iss` claim in the `IDToken` or JWT is checked against the `issuerIdentifier` list when the `provider<id>_.verifyIssuerInIat` property is set to `true`. When the configuration is obtained with discovery, the `issuerIdentifier` property is overridden by the value received from the OpenID Provider. The value for the claim that this property references in the JWT must be a `String`.
`provider_<id>.groupIdentifier`	By default, this property is set to a value of `groupIds`.	Specifies the groups attribute name set by the OpenID Connect Provider in the `IDToken`. Example: `groupIds`.
`provider_<id>.mapIdentityToRegistryUser`	You can specify one of the following values: `true` `false` (default)	When this property is set to `false`, which is the default, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider realm. The users and groups do not need to exist in the WebSphere Application Server user registry. When this property is set to `true`, the short name of the authenticated user must be in the WebSphere registry and group memberships are applied to the user.
`provider_<id>.revokeTokensOnCacheEviction`	You can specify one of the following values: `true` `false` (default)	When this property is set to true and the revokeEndpointUrl property is set to a value, when a session is evicted from DynaCache for any reason, the tokens in the session data are revoked. The access token is revoked only if `revokeAccessToken` is set to true.
`provider_<id>.revokeEndpointEnabled`	`true` (default) `false`	Set this property to `false` if you want to ignore the setting for the `provider_<id>.revokeEndpointUrl` property. The setting applies if the endpoint was obtained either from a TAI property or discovery.
`provider_<id>.redirectToRPHostAndPort`	The custom property does not have a default value.	The RP registers its redirect URL with the OP as `https://<host name>:<ssl port> /oidcclient/signin_cb`, where both the hostname and SSL port are automatically resolved. If there is a proxy in front of the RP, you can override the host and port with the attribute `redirectToRPHostAndPort`, and you can set `redirectToRPHostAndPort` to `https://<hostname>:<ssl port>`. Example: `https://myrs.abc.com:9443`
`provider_<id>.allowImplicitClientFlow`	You can specify one of the following values: `true` `false` (default)	The property determines how the OpenID Connect RP authenticates BasicAuth tokens. When this property is set to `true`, the TAI authenticates the Basic Auth token and the LTPA token by using implicit flow. When the property is set to `false`, the TAI authenticates the Basic Auth token and the LTPA token by using the authorization code flow.
`provider_<id>.signVerifyAlias`	The custom property does not have a default value.	Specifies the alias of the certificate in the default truststore that might be used to verify the signature from the OP. On a single server, the default truststore is `NodeDefaultTrustStore`. Otherwise, the truststore is `CellDefaultTrustStore`. This property must be set if the `signatureAlgorithm` custom property is set to `RS256` and you do not set the `jwkEndpointUrl` custom property to obtain the OP's JSON Web Key (JWK).
`jndiCacheName`	When a dynamic cache service is enabled, `DistributedObjectCache` named `OIDCRPDistributedCacheMap` with `KEY_ENABLE_CACHE_REPLICATION=true` and `KEY_REPLICATION_DOMAIN=DynaCacheCluster` is used. Only the size of the JNDI cache can be customized with the `sessionCacheSize` property. All other attributes of this `DistributedMap` cannot be changed.	If you want to use an object cache instance with properties that are different from the default, use this property to specify a custom object cache instance that is managed by the dynamic cache service. Read Using object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or `DistributedObjectCache`. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for `sessionCacheSize` and `sessionCacheCleanupFrequency` are ignored. Example: `services/cache/myOpenidRpCache` Avoid trouble: The size that you specify for your custom JNDI cache must be double the number of sessions that you want the OpenID Connect RP to store in the cache.
`sessionCacheSize`	You can specify `-1` and any integer value greater than `0`. When DynaCache is enabled on the server, the default value is `-1`. When DynaCache is not enabled on the server, the default value is `10000`.	Specifies the number of sessions the OpenID Connect RP can keep in its cache. When DynaCache is enabled on the server: The default value is `-1`. When the value is `-1`, the OIDC TAI inherits the active DynaCache default maximum cache size. When the cache limit is reached, entries are evicted from the cache by DynaCache with the least recently used (LRU) method. When DynaCache is not enabled on the server: The default value is `10000`. If `-1` is specified, the value reverts to the non-DynaCache default: `10000`. When the cache limit is reached, all subsequent requests to the RP are rejected with an HTTP response code 503 (service unavailable), and the application server cannot take new requests until timed out sessions are removed from the cache.
`sessionCacheCleanupFrequency`	You can specify any integer value. By default, this property is set to the value of `1800`.	The value of this property is in seconds, and is the frequency at which the stale value of the session cache is purged. The property is only used when the dynamic cache service is not in use.
`provider_<id>.sessionCacheTimeoutMinutes`	Specify an integer between 0 and 43200, inclusive. The default is 120. These values are in minutes.	Specifies the time, in minutes, that a session that is associated with an ID token can remain in the session cache. By default, a session is removed from the cache based on at least the following conditions, in priority order: Logout ID token expiration Failure to refresh an access token Cache eviction policy When you set this property, it overrides the value for the ID token expiration for session caching purposes. If you set this property to 0, the ID token expiration condition is not used to remove sessions from the session cache, but the other three conditions are. The expiry of the ID token is provided on the exp claim. If this property is not set to a value in the configuration and no expiration value is in the ID token, the default timeout value is used.
`opServerConnectionTimeout`	Specify any integer value. By default, this property is set to the value of `20000` (20 seconds).	Specifies the time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request.
`provider_<id>.httpOnly`	You can specify one of the following values: `true` (default) `false`	When this property is set to `true`, the `httpOnly` flag is set on the cookie. When this property is set to `true`, the `httpOnly` flag is set on all the OIDC cookies except `OIDCREQURL_*.`
`provider_<id>.httpsRequired`	You can specify one of the following values: `true` (default) `false`	When this property is set to `true`, the OpenID Connect RP establishes only a connection with an OP that supports https communication. If this property is set to `true`, but the scheme of the `authorizeEndpointUrl`, `tokenEndpoint` or `introspectEndpointURL` is http, then the TAI fails to initialize. When this property is set to `true`, the `secure` flag is set on the OIDC cookies.
`provider_<id>.encodeParameters`	You can specify one of the following values: `true` `false` (default)	Specifies that the `client_id` and `client_secret` must be URL encoded prior to sending them to the IdP.
`provider_<id>.contentType`	The custom property has a default value of `text/html; charset=UTF-8`.	Use this property to change the default value of `contentType` text or html that is set on the response.
`provider_<id>.postParameterCookieSize`	You can set this property to any integer value. By default, this property is set to `16384`.	Maximum session cookie size that the run time creates. At run time, the value must be between the minimum cookie size and maximum cookie size. If the data to be written is larger than the value for this property, the request is rejected. The property overrides the value set for `maxCookieSize` for session cookies.
`maxCookieSize`	You can set this property to any integer value greater than the minimum of `500`. By default, this property is set to `16384`.	Maximum cookie size that the run time creates. At run time, if the data to be written is larger than the value for this property, the request is rejected. The property applies to and can be overridden by both `maxStateCookieSize` and `provider_.<id>postParameterCookieSize`.
`clusterCaching`	You can specify one of the following values: `true` (default) `false`	Set this property to `false` if you want each cluster member to maintain its own caches. When this property is set to `false` and you are operating in a cluster, session affinity is required for proper operation. When this property is set to `false`, the default for `useStateCookies` changes to `false`.
`stateIdTimeoutSeconds`	You can set this property to any integer value greater than the minimum value, which is `60`. By default, this property is set to `600`.	The time, in seconds, that a login request to the OP is allowed to remain outstanding.
`useStateCookies`	You can specify one of the following values: `true` (default) `false`	When this property is `true`, the run time uses browser cookies to store request data when a request is redirected to the OP. When this property is `false`, local storage is used. When this property is set to `false` and you are operating in a cluster, session affinity is required for proper operation.
`useUniqueStateCookies`	You can specify one of the following values: `true` `false` (default)	When this property is set to true, instead of using a single OIDCSTATE cookie for all requests, each request uses a new OIDCSTATE cookie.
`useUrlCookies`	You can specify one of the following values: `true` (default) `false`	During the initial login phase, the OpenID Connect TAI writes a browser cookie. The value for the cookie is the original request URL. The cookie is deleted when the login is complete or after the login timeout expires, whichever comes first. The login timeout is configured on the `stateIdTimeoutSeconds` property. If you want to maintain this information in other OIDC objects, set this property to `false`. If your URL contains fragments or if the inbound URL is encoded and must remain encoded when it reaches the protected resource, both this property and the `provider_<id>.useJavaScript` property must be set to `true`.
`maxStateCacheSize`	You can specify `-1` and any integer value greater than `25`. When DynaCache is enabled on the server, the default value is `-1`. When DynaCache is not enabled on the server, the default value is `10000`.	Maximum number of state objects that can be in the local state cache. The minimum value is `25`. Setting the value to `0` turns off the local state cache. Setting the value to `-1` makes the OIDC TAI inherit the active DynaCache default cache size. If DynaCache is not enabled on the application server when `-1` is specified, this property reverts to its default.
`maxStateCookieSize`	You can set this property to any integer value greater than the minimum of `500` and less than the value for `maxCookieSize`. By default, this property is set to the value of `maxCookieSize`.	Maximum state cookie size that the run time creates. At run time, if the data to be written is larger than the value for this property, the request is rejected. The property overrides the value set for `maxCookieSize` for state cookies.
`includeCustomCacheKeyInSubject`	You can specify one of the following values: `true` (default) `false`	When this property is set to `true`, the cache key for the `Subject` in the auth cache is set to (username)(session-cookie-name)(access-token-string). When this property is set to `false`, the cache key is defined by base security. The OpenID Connect Relying Party relies on the custom cache key to refresh the access token in the Subject. Therefore, if you want the Subject to contain the new access token after a refresh, this property must be set to true.
`provider_<id>.includePortInDefaultRedirectUrl`	You can specify one of the following values: `true` (default) `false`	Set this property to `false` if you do not want the OpenID Connect Relying Party (RP) to include the port number in the redirectUri parameter that is sent to the OpenID Provider (OP). The property affects only the default redirectUri parameter that is determined by the RP. If the `provider_<id>.redirectToRPHostAndPort` property is set to a value that includes a port number, then the port is included in the request to the OP.
`provider_<id>.clockSkew`	You can set this property to any integer value. By default, this property is set to `180`.	Clock skew, in seconds, used during ID token verification.
`provider_<id>.tokenEndpointAuthMethod`	You can specify one of the following values: `post` (default) `basic`	When this property is set to `basic`, a `BasicAuth` header is sent when making a request to the token endpoint.
`provider_<id>.jsonWebKeyFile`	The custom property does not have a default value.	The file name of a JSON Web Key file that contains the public keys for signature verification.
`provider_<id>.uniqueUserIdentifier`	By default, this property is set to `uniqueSecurityName`.	The property is set to a claim name used by the vendor's ID Token that represents a user's unique security name. The value for the claim that this property references in the JWT must be a `String`.
`provider_<id>.useRealm`	The custom property does not have a default value.	When you specify a value for this property, the user and groups in the ID token or JWT are designated to the specified realm name. This property overrides both the realm name in the token and the `defaultRealmName` property. When this property is set to `WAS_DEFAULT`, the default WebSphere realm name is used and you are not required to add the OP's realm as a external trusted realm, or to map the trusted realms to your applications.
`provider_<id>.realmIdentifier`	By default, this property is set to `realmName`	Specifies the realm attribute name set by the OpenID Connect Provider in the IDToken. The value for the claim that this property references in the JWT must be a `String`.
`provider_<id>.refreshBeforeAccessTokenExpiresTime`	You can set this property to any integer value. By default, this property is set to `0`.	You can use this property to adjust the time when the access token expires. Set this property to the number of seconds before the time set in the token that you want the token to expire.
`provider_<id>.refreshExpiredAccessToken`	You can specify one of the following values: `true` (default) `false`	By default, when an access token expires, the runtime attempts to refresh it. Set this property to `false` if you do not want to refresh access tokens.
`provider_<id>.revokeAccessToken`	You can specify one of the following values: `true` `false` (default)	By default, when a user logs out, a revocation request is sent only with the refresh token. The OpenID Connect provider revokes both the refresh token and its associated access token with this request. When this property is set to `true`, a separate revocation request is made for the access token.
`provider_<id>.revokeEndpointUrl`	You can specify any URL value. The property does not have a default value.	Specifies the endpoint URL for calling the OpenID Connect Provider token revocation endpoint.
`provider_<id>.createSession`	You can specify one of the following values: `true` `false` (default)	Set this property to `true` if you want the runtime to create a new HTTP session for each client request. The property is required when you run in a cluster environment and you need the JSESSIONID cookie to maintain session affinity.
`provider_<id>.responseType`	You can specify one of the following values: code (default) id_token id_token token id_token+token	The property defines the `responseType` parameter that is used when sending the authentication request to the OpenID provider. When `code` is specified, the OpenID connect code login flow is used. When this property is set to any of the other values, the implicit login flow is used. If this property is set to anything other than `code`, the following conditions apply: The RP runs in implicit mode. The OP server must support the `response_mode=form_post` parameter. The OP responds with an HTTP POST method instead of an HTTP GET method.
`provider_<id>.nonceEnabled`	When the responseType property is set to code, this parameter defaults to false. If the responseType property is set to anything other than code, this property is set to true, and cannot be altered.	When this property is set to true, a nonce parameter is sent to the OpenID Connect provider on the authentication request.
`provider_<id>.trustStore`	If this property is not specified, the default truststore is used. On a single server, the default truststore is NodeDefaultTrustStore. Otherwise, it is CellDefaultTrustStore. The property has, for example, the following values: myKeyStoreRef name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode	Specifies the truststore from which to obtain the certificate that is specified on the `provider_<id>.signVerifyAlias` property.
`provider_<id>.userinfoEndpointUrl`	You can specify any URL value. The property does not have a default value.	Specifies the URL for the UserInfo endpoint on the OpenID Connect Provider. The login process does not fail if an error occurs when making a call to the UserInfo endpoint. The response that is received from the UserInfo endpoint is placed on the WebSphere Subject with the [user_info] key. If the call to the endpoint is successful, the value for the [user_info] entry on the Subject is the JSON string. Otherwise, the value contains information about the error, such as the response code and error message from the OP or the exception text. The UserInfo endpoint is invoked each time the OIDC RP receives an access token from the OP.
`provider_<id>.userinfoEndpointEnabled`	The property can be set to the `true` value or the `false` value. The default value is `true`.	If this property is set to the `true` value and the userinfoEndpointUrl property is set, you can get the user information during login. You can set the userinfoEndpointUrl property from the OpenID Connect property or from discovery. If this property is set to the `false` value, the setting for the userinfoEndpointUrl property is ignored. You cannot get user information during login. However, irrespective of the setting is for this property, you can get user information from the server through an API. When you call the OidcClientHelper.getUserInfoFromServer() method from your application, the user information is retrieved from the userinfoEndpointUrl property on the server.
`provider_<id>.verifyIssuerInIat`	You can specify one of the following values: `true`(default when `useJwtFromRequest` is set to `required`) `false` (default otherwise)	The property controls the validation of claims against the `provIDer_<id>.issuerIdentifier` property value in the OIDC configuration. When JWT authentication is performed: When this property is set to `true`, the issuer (iss) claim in the JWT is validated against the `provider_<id>.itsuerIdentifier` property value. When this property is set to `false`, the iss claim must not exist in the JWT. When JWT authentication is not performed: When this property is set to `true` and an introspection response is processed, the iss claim in the response from the introspection endpoint is validated against the `provider_<id>.issuerIdentifier` property value. The iss claim in an ID token is always validated against the `provider_<id>.issuerIdentifier` property value.
`provider_<id>.useJwtFromRequest`	You can specify one of the following values: `no` Do not use a JWT for authentication. If an OpenID Connect provider is configured, introspection of the JWT with the provider is attempted. `required` Use the JWT from the request. An OpenID Connect provider is not used. `ifPresent` Use a JWT if one is present. If a JWT is missing or invalid, fall back to using the OpenID Connect provider for authentication, if one is configured.	The property controls processing if a JWT is found in the request authorization header.
`provider_<id>.tokenReuse`	You can specify one of the following values: `true` (default) `false`	Set this property to false if you want the runtime to reject any request that uses a JWT containing a `jti` claim that was already used in another JWT on a previous request.
`provider_<id>.audiences`	You can specify any comma-separated audience string or `ALL_AUDIENCES`.	The property specifies a comma-separated list of trusted audiences to be verified against the `aud` claim in the JWT. If `ALL_AUDIENCES` is specified, then all are trusted. An `aud` claim must exist in the JWT if this property is set to a value.
`provider_<id>.setLtpaCookie`	You can specify one of the following values: `true` `false` The default value varies based on the following situations: Before Version 8.5.5.19, the default value was `false`. The default value is `true` when the useJwtFromRequest OIDC property is set to the `required` value. The default value is `false` when the useJwtFromRequest OIDC property is set to the `ifPresent` value or the `no` value.	Set this property to `true` if you want the runtime to set an LTPA Cookie on the response after successful authentication with the inbound JWT is complete. Before Version 8.5.5.19 this property is supported only when the `useJwtFromRequest` OIDC property is set to either the `required` value or the `ifPresent` value.
`provider_<id>.headerName`	Name of an HTTP header The name, Authentication, is the default name value.	The name of the HTTP header that carries the JWT token in the inbound request for JWT authentication (The name, Authentication, is the default name value.)
`provider_<id>.loginErrorUrl`	The property does not have a default value.	The property specifies the URL to which the Relying Party redirects when a login error is received from an OpenID Connect Provider.
`provider_<id>.sendOpErrorParamsToLoginErrorUrl`	You can specify one of the following values: `true` `false` (default)	When this property is set to `true`, the Relying Party forwards the error, error description, and error URI parameters that were received from the OpenID Connect Provider to the error URL.
`provider_<id>.contentSecurityPolicy`	The custom property does not have a default value.	If you want a Content-Security-Policy HTTP header to be included in the initial login request that is sent to your OP, set the `provider_<id>.contentSecurityPolicy` property to the value that you want to use for the Content-Security-Policy HTTP header. If your Content-Security-Policy value requires a `nonce`, you can use the `%NONCE%` keyword to indicate where to place `nonce` in the text as shown in the following example: `script-src 'self' 'nonce-%NONCE%' ; object-src 'self'; frame-src 'self'`
`provider_<id>.useDiscovery`	The property defaults to `true` if a value is specified for the `discoveryEndpointUrl` property, otherwise, it defaults to `false`.	If this property is set to true, and no value is specified for the `discoveryEndpointUrl` property, the default value for the `discoveryEndpointUrl` property is used. If this property is set to false, the value for the `discoveryEndpointUrl` property is ignored.
`provider_<id>.useJavaScript`	The default value is `true`.	Set this property to `false` if you do not want to use JavaScript when you redirect to the OP for the initial authentication request. When you do not use JavaScript, any URI fragments that are present on the original inbound request are lost. To preserve URI fragments, in addition to setting this property to `true`, you must also set the `useUrlCookies` property to `true`.
`provider_<id>.resource`	The custom property has no default value.	The value for the resource parameter to include in the authentication request to the OP. See RFC8707 for more information about using the resource parameter.
`provider_<id>.useIssuer`	Valid values for this property are `true` or `false`. The default value is `true`.	When this property is set to `true`, this provider entry can service JWT verification requests by API. However, the provider entry services only requests that include an `iss` claim that matches the value for the `issuerIdentifier` property. The default value for the `useIssuer` property is `true`. If more than one provider entry exists with the same value for the `issuerIdentifier` property, only one of those entries can set the `useIssuer` property to `true`. For any other provider entry with the same value for the `issuerIdentifier` property, you must set the `useIssuer` property to `false`. When the `provider_<id>.allowJwtIssuerSelection` property is set to `true`, it overrides the value of this property and sets it to `true`.
`provider_<id>.allowJwtIssuerSelection`	Valid values for this property are `true` or `false`. The default value is `false`.	When this property is set to `true`, the runtime filter requests based on the `iss` claim in the JWT in the Authorization header of the HTTP request. The filter matches if the `iss` claim in the JWT matches the issuer for this provider. If more than one provider entry exists with the same issuer name, you can set this property to `true` for only one of the provider entries. For any other provider entries with the same issuer, this property must be set to `false`, which is the default. When this property is set to `true`, it overrides the value of the `provider_<id>.useIssuer` property and sets it to `true`. When the `provider_<id>.useJwtFromRequest` property is set to `no`, this property has no effect. The filter is applied after the `provider_<id>.filter` and `provider_<id>.interceptedPathFilter` filters.
`provider_<id>.keyStore`	If this property is not specified, the default keystore is used. On a single server, the default keystore is `NodeDefaultKeyStore`. Otherwise, it is `CellDefaultKeyStore`. The property has, for example, the following values: `myKeyStoreRef` `name=myKeyStoreRef managmentScope=(cell):myCell:(node):myNode`	Specifies the keystore from which to obtain the decrypting key that is specified on the `provider_<id>.decryptAlias` property.
`provider_<id>.decryptAlias`	The property does not have a default value.	Specifies the alias of the `keyEntry` in the keystore that is used to decrypt an encrypted JWT or ID token. Use this property if the TAI receives an encrypted JWT. Providing a value for this property does not make the TAI reject an unencrypted JWT.
`provider_<id>.decryptKeyPassword`	You can specify plain text or XOR encoded value. The property does not have a default value.	Specifies the password for the decrypting key that is specified on the `provider_<id>.decryptAlias` property. The property can be specified in plain text or it can be XOR encoded, for example `{xor}CDo9Hgw=`.
`provider_<id>.grantType`	Default: There is no default value Values: all client credentials password	Set this property to enable the provider entry that is to be used to obtain an access token from the OpenID provider's token endpoint using the OauthClientHelper APIs. When the grantType parameter is specified on a configuration entry, that entry is not used for OIDC or JWT authentication. There can only be one entry each for grantType=`client_credentials` and grantType=`password`. An entry with grantType=`all`, overrides all other grantType entries. When a provider entry includes the grantType parameter, the`tokenEndpointUrl` and `clientId` properties are required and the `clientSecret` and `scope` properties are optional. You can use a discovery endpoint to populate desired Oauth configuration data. When `getClientCredentialsGrantAccessToken` is invoked, the configuration associated with the grantType=`client_credentials` (or `all`) is used. When `getPasswordGrantAccessToken` is invoked, the configuration associated with the grantType=`password` (or `all`) is used.

Table 3. Properties Required for a JWT Authentication Only Provider Entry .
To find the definition of the properties listed in these two tables, see the preceding properties tables.
Property name	Comments
`provider_<id>.useJwtFromRequest`	Must be set to `required`
`provider_<id>.identifier` `provider_<id>.issuerIdentifier`	Both of these properties are required.
`provider_<id>.jwkEndpointUrl` `provider_<id>.signVerifyAlias`	One of these properties must be configured to obtain the JWT signer certificate.
`provider_<id>.interceptedPathFilter` `provider_<id>.filter`	One of these properties must be configured to enable the OIDC TAI to intercept requests.
`provider_<id>.tokenReuse` `provider_<id>.audiences`	These properties are for use only with JWT authentication. They are optional, but you might want to use them in your configuration.
`provider_<id>.headerName`	The name of the HTTP header that carries the JWT token in the inbound request for JWT authentication.