API Protection OpenID Connect Provider properties
When you configure API Protection for OAuth and OpenID Connect, and you enable OpenID Connect, you must specify properties for the OIDC Provider.
The local management interface (LMI) page OpenID Connect and API Protection has a section that prompts for settings for OpenID Connect Provider. Refer to the following list of properties to determine the appropriate value for each property.
For configuration task instructions, see Creating an API protection definition.
- Issuer Identifier
- This entry identifies the issuing entity. It must be a valid URL with the protocol prefix https://. For example, https://ibm.com or https://accounts.google.com. It must not include fragment or query portions. The Issuer Identifier is defined by the OIDC specification. See http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
- Point of Contact Prefix
- The Point of Contact Prefix is used to correctly populate the URLs on the metadata page. It must include the host, port, and path information of the reverse proxy junction to the runtime. For example: https://isam.myidp.ibm.com:443/mga/. Note that this is not a field from the OIDC standard.
- Metadata URI
- A location where you can view your metadata. Metadata is useful to discover the capabilities of an OP. The metadata includes all other URIs. This field is read-only.
- id_token Lifetime
- Time in seconds for which the id_token is valid. The value is the difference between the values in the iat and exp claims of the issued JSON Web Token (JWT). You can use a pre-token mapping rule to override this value at runtime.
Default: 3600 seconds.
- Signing Algorithm
- The algorithm that is used to sign the JWT. This setting is the alg claim in the JWT header. Use the menu to select the appropriate value. You can use a pre-token mapping rule to override this value at runtime.
Default: RS256.
- Key Database for Signing
- The key database that is used to source the private key for signing with the ES/RS signature algorithms. You can use a pre-token mapping rule to override this value at runtime.
Default: rt_profile_keys
- Certificate Label for Signing
- The label of the key in the selected keystore that is used as the private key for ES/RS signing. You can use a pre-token mapping rule to override this value at runtime.
Default: server
- Encrypt ID token
- Boolean value to indicate whether this JWT must be encrypted. Select the check box to encrypt the token and configure encryption settings. You can use a pre-token mapping rule to override this value at runtime.
- Key Agreement Algorithm
- The encryption algorithm that is used for JWT key agreement. This setting is the alg claim in the encrypted JWT header. You can use a pre-token mapping rule to override this value at runtime.
Default: RSA-OAEP-256
- Encryption Algorithm
- The encryption algorithm that is used for JWT payload encryption. This setting is the enc claim in the encrypted JWT header. You can use a pre-token mapping rule to override this value.
Default: A128CBC-HS256
- Attribute Mapping
- You can use the Attribute Mapping section to define attributes that can be used to customize claims from attribute sources. Attribute sources can be: Fixed, Credential, or LDAP.
When you select Enable OpenID Connect, the New and Delete icons are activated for attribute mapping. To create a mapping, select New, enter the Attribute Name, and select the Attribute Source type.
To remove an existing Attribute Name, select the attribute and click Delete.
If you do not select Enable OpenID Connect, you cannot create new attribute mappings.
- Enable client registration
- Select this check box to allow users to register dynamic clients.
- Issue Client Secret
- If dynamic clients are enabled, select this check box if you want them to be confidential clients.
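The Issuer Identifier, id_token Lifetime and Signing Algorithm properties above describe what an issued id_token should look like. The following added example (not part of this documentation or the product) checks a token's header and claims against those configured values: the issuer rules (https, no query or fragment), the alg header, and exp minus iat equalling the configured lifetime. The provider values and the sample token are constructed; the signature segment is a placeholder, because signature verification against the provider's published keys is a separate step that this check does not replace.

```python
import base64
import json
from urllib.parse import urlsplit

# Provider settings as described on this page (constructed sample values).
PROVIDER = {
    "issuer": "https://isam.myidp.ibm.com",  # constructed Issuer Identifier
    "id_token_lifetime": 3600,               # page default, in seconds
    "signing_alg": "RS256",                  # page default
}

def validate_issuer_identifier(issuer):
    """Issuer Identifier rules from the page: https prefix, a host, no query or fragment."""
    parts = urlsplit(issuer)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.query and not parts.fragment

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    # Helper used only to build the constructed sample token below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def check_id_token_against_provider(token, provider):
    """Return a list of mismatches between the id_token and the provider settings.
    This is a configuration-consistency check only; the signature must still be
    verified with the keys the provider publishes via its metadata URI."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != provider["signing_alg"]:
        problems.append(f"alg header {header.get('alg')!r} != configured {provider['signing_alg']!r}")
    if claims.get("iss") != provider["issuer"]:
        problems.append(f"iss claim {claims.get('iss')!r} != configured issuer")
    if claims.get("exp", 0) - claims.get("iat", 0) != provider["id_token_lifetime"]:
        problems.append("exp - iat does not match configured id_token lifetime")
    return problems

# Constructed sample token: RS256 header, claims one lifetime apart, placeholder signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "RS256", "typ": "JWT"}),
    b64url_encode({"iss": "https://isam.myidp.ibm.com", "sub": "user1",
                   "iat": 1700000000, "exp": 1700003600}),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(check_id_token_against_provider(SAMPLE_TOKEN, PROVIDER))  # []
```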