Troubleshooting
Problem
This document contains troubleshooting information for OpenID Connect (OIDC) Trust Association Interceptor (TAI) problems in the WebSphere® Application Server. Using this document can help address common issues with this component before you call IBM support and save you time.
Resolving The Problem
Component: Topic:
Overview
This topic contains the custom properties that are available for use in the most recent version of the OpenID Connect TAI. To find the most recent OpenID Connect run time, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version, or click the 'Get the Latest OIDC TAI' tab.
The OpenID Connect TAI custom properties are documented in the IBM Documentation, for example: WebSphere OpenID Connect Relying Party custom properties for v9.0.5. These custom properties pages are updated when fix packs are published. Since the OpenID Connect TAI is published more frequently than WebSphere Application Server fix packs, the custom property pages tend to become out of date. This page remains in sync with the most recent version of the OpenID Connect TAI that is published as an interim fix.
Additional information
- How to display properties from command line
In case you aren't running the latest OIDC runtime, you can emit the custom properties that are supported by your installed OIDC runtime by running the following commands:
cd (was_home)/plugins
java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Usage
- How to set the provider_<id>.filter property
To see how to set the provider_<id>.filter property, go to the Examples section at the end of the SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties topic in the IBM Documentation.
- Avoid Trouble when you use an outbound proxy
Avoid Trouble: When you're using an outbound proxy, the OpenId Connect RP does not provide a means to route requests through a proxy host automatically: - When you must use a proxy to access the OpenId Connect Provider (OP), the value that you enter for any OP-related URL property must contain the proxy host and port, not the external OP host and port.
- In most cases, you replace the OP host and port with the proxy host and port.
- The URL that you enter must be visible to both the RP and the client (browser or application).
- For further guidance on how to determine the correct URL to use, contact your proxy administrator.
Properties Required for the OpenID Connect Relying Party
Note: The properties in this table are not required when a provider entry is used only with JWT authentication. See the table titled Properties Required for a JWT Authentication Only Provider Entry for a list of the properties that are required when a provider entry is restricted to JWT authentication.
Property name
|
Values
|
Description
|
provider_<id>.identifier |
Specifies a unique name for each OpenID connect provider identified by the <id> in the provider_<id> prefix. This identifier is created by you and is used to build the redirect URL that is registered with the OP.
Examples:
provider_1.identifier=abc
Redirect URL:https://(host):(port)/oidcclient/abc provider_2.identifier=test
Redirect URL:https://(host):(port)/oidcclient/test
|
|
provider_<id>.clientId | Specifies the ID used to identify the OpenID Connect RP instance to the OpenID connect Provider server. It must be unique among all the RP clients registered to the provider. | |
provider_<id>.clientSecret |
Specifies the secret used by the OpenID Connect Provider to secure messages sent to this RP client in callback requests. It must match the OpenID Connect Provider's secret that is registered for this client.
The clientSecret parameter is not required if your OP is not expecting it, such as when your token requests are using OAuth 2.0 Mutual-TLS Client Authentication as described in RFC8705.
|
|
Either discoveryEndpointUrl or both authorizeEndpointUrl and tokenEndpointUrl are required. | ||
provider_<id>.discoveryEndpointUrl | When useDiscovery is set to true, the default value for this property is (issuerIdentifier)/.well-known/openid-configuration. | Specifies the OpenID Connect Provider's discovery endpoint URL. When this property is specified, the following properties are obtained from the discovery result:
A request is sent to the discovery endpoint and the data that is returned is processed when the OIDC TAI is initialized. When the discovery endpoint is not accessible at the time that the TAI is initialized, then the OIDC TAI configuration entries associated with the discovery endpoint are not active and its requests are not intercepted. The OIDC TAI does not refresh the data received from the discovery endpoint. When the OP changes information in its discovery, then the application server must be restarted. When useDiscovery is set to true, the default value for this property is (issuerIdentifier)/.well-known/openid-configuration. When the useDiscovery property is set to false, the value for this property is ignored. |
provider_<id>.authorizeEndpointUrl | Specifies the endpoint URL for redirecting authorization requests to the OpenID Connect Provider. If an acr_values parameter is present in the value of this property, the TAI verifies that the IDToken contains an 'acr' claim when an IDToken is returned from the OP. The TAI also verifies that the value of the claim matches the value of the acr_values parameter. |
|
provider_<id>.tokenEndpointUrl | Specifies the endpoint URL for redirecting token requests to the OpenID Connect Provider. |
Optional Properties
Property name
|
Values
|
Description
|
provider_<id>.filter | Specifies a condition for the TAI to protect a request. The format for this property is the same as for the SAML sso_<id>.sp.filter property. | |
provider_<id>.interceptedPathFilter | A comma-separated list of URI patterns. |
Specifies a comma-separated list of regular expression URI patterns for the TAI to protect a request. To intercept ALL requests use /.*. For example: /abcCompanyApps.*, /snoop.
This property can be used in combination with the provider_<id>.filter property. The interceptedPathFilter and excludedPathFilter properties are applied to a request first. If the request does not match to those filters, then the filter property is applied.
The callback URI from the OP, /callbackServletContext/identifier, is automatically intercepted by the TAI. You do not need to account for the callback in your filter. An example of a callback URL is https://myrp.com:9443/oidcclient/RP1
|
provider_<id>.excludedPathFilter | A comma-separated list of URI patterns. | Specifies a comma-separated list of regular expression URI patterns for the TAI to not protect a request. This property can be used to provide exceptions to the interceptedPathFilter. |
provider_<id>.endSessionEndpoint |
Set this property to the value for the OP's end session endpoint.
When this property is set to a value and the provider_<id>.endSessionEndpointEnabled property is set to true, the TAI redirects logout requests to the configured end session endpoint. An id_token_hint parameter is added to the end session request.
If the provider_<id>.discoveryEndpointUrl property is specified, the value for this property is overridden. The value for this property can be retrieved with the OidcClientHelper.getEndSessionEndpoint() method.
|
|
provider_<id>.
endSessionEndpointEnabled
|
Default: false | Set this property to false if you want to ignore the setting for the provider_<id>.endSessionEndpoint property. This applies if the endpoint was obtained either from a TAI property or discovery. |
provider_<id>.endSessionRedirectUrl | Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP. The OP redirects to this URL after logout is complete. | |
provider_<id>.endSessionUseLogoutExitPage | Default: false | Set this property to true if you want to use the value for the logoutExitPage parameter on an ibm_security_logout request as the value for the post_logout_redirect_uri parameter on the end session request to the OP. This feature requires fix packs 8.5.5.23 or 9.0.5.14. |
provider_<id>.introspectEndpointUrl | Specifies the endpoint URL for calling the OpenID Connect Provider's introspection endpoint. | |
provider_<id>.jwkEndpointUrl |
Specifies the URL of the OPs JSON Web Key (JWK) set document that contains the signing key the RP uses to validate the signature from the OP.
This property must be set unless the signatureAlgorithm custom property is set to HS256 and you do not set the signVerifyAlias custom property to obtain the OP's signing certificate from the default truststore or jsonWebKeyFile.
|
|
provider_<id>.jsonWebKeyFile | The file name of a JSON Web Key file that contains the public keys for signature verification. | |
provider_<id>.loginErrorUrl | Specifies the URL to which the RP is to redirect when a login error is received from an OP. | |
provider_<id>. sendOpErrorParamsToLoginErrorUrl |
Default: false | When this property is set to true, the RP forwards to the error URL, the error, error_description, and error_uri parameters that were received from the OP. |
provider_<id>.revokeEndpointUrl | Specifies the endpoint URL for calling the OpenID Connect Provider's token revocation endpoint. This URL is invoked upon logout. | |
provider_<id>.revokeEndpointEnabled | Default: true | Set this property to false if you want to ignore the setting for the provider_<id>.revokeEndpointUrl property. This applies if the endpoint was obtained either from a TAI property or discovery. |
provider_<id>.revokeAccessToken | Default: false | By default, when a user logs out, a revocation request is only made for the refresh token. The OP might revoke both the refresh token and its associated access token with this request. When this property is set to true, a separate revocation request is made for the access token. |
provider_<id>. revokeTokensOnCacheEviction |
Default: false | When this property is set to true and the provider_<id>.revokeEndpointUrl property is set to a value, when a session is evicted from the cache for any reason, the tokens in the session is revoked. |
provider_<id>.userinfoEndpointUrl | Specifies the URL for the UserInfo endpoint on the OpenID Connect Provider. The login process does not fail when an error occurs when the RP calls the UserInfo endpoint. The response received from the UserInfo endpoint is placed on the WebSphere Subject with the [user_info] key. When the call to the endpoint was successful, the value is the JSON string. Otherwise, the value placed on the Subject contains information about the error, such as the response code and error message from the OP or the exception text. The UserInfo endpoint is called each time the OIDC RP receives an access token from the OP. |
|
provider_<id>. userinfoEndpointEnabled |
Default: true | Set this property to false when you want to ignore the setting for the userinfoEndpointUrl property. This property applies when the endpoint was obtained either from a TAI property or discovery. When a userinfoEndpointUrl is available and the userinfoEndpointEnabled property is set to false, you can still use the OidcClientHelper.getUserInfoFromServer() method to obtain the UserInfo from the server in an application. |
provider_<id>.accessTokenIsJwt | Default: false | If the access token that is returned from the OP is a JWT and you want the RP to validate the JWT, set this property to true. |
provider_<id>. allowImplicitClientFlow |
Default: false | true, the TAI authenticates the Basic Auth token and the LTPA token with implicit flow. When the property is set to false, the TAI authenticates the Basic Auth token and the LTPA token with the authorization code flow. |
provider_<id>.allowJwtIssuerSelection | Default: false |
Set this property to true if want to allow the runtime to filter requests based the `iss` claim in the JWT in the Authorization header of the HTTP request. The filter will match if the `iss` claim in the JWT matches this provider's issuer. If there is more than one provider entry with the same issuer name, only one of the provider entries can have this property set to true, otherwise this property is set to false for all matching issuers.
When this property is set to true, it will override the value of the provider_<id>.useIssuer property and set it to true.
When the provider_<id>.useJwtFromRequest property is set to no, this property has no effect. This filter is applied after the provider_<id>.filter and provider_<id>.interceptedPathFilter filters.
|
provider_<id>.audiences | You can specify any comma-separated audience string or ALL_AUDIENCES | This property specifies a comma-separated list of trusted audiences to be verified against the aud claim in the JWT. When ALL_AUDIENCES is specified, then all are trusted. An aud claim must exist in the JWT when this property is set to a value. |
provider_<id>.callbackServletContext | Default: /oidcclient | Specifies the context root that is configured for the OpenID Connect RP callback servlet. The property is used by the TAI to filter callback requests from the OpenID Connect Provider. |
provider_<id>. includePortInDefaultRedirectUrl |
Set this property to false when you do not want the RP to include the port number in the redirectUri that is sent to the OP. This property affects only the default redirect URI that is determined by the RP. When the redirectToRPHostAndPort property is set to a value that includes a port number, the port is included in the request to the OP. | |
provider_<id>. redirectToRPHostAndPort |
This RP registers its redirect URL with the OP as https://<hostname>:<ssl port> /oidcclient/signin_cb, where both the hostname and SSL port are automatically resolved. When there is a proxy in front of the RP, you can override the hostname and port with the attribute redirectToRPHostAndPort, and you can set redirectToRPHostAndPort to https://<hostname>:<ssl port>. | |
provider_<id>.clockSkew | Default: 180 | Clock skew, in seconds, to use the ID token is verified. |
provider_<id>.contentSecurityPolicy | When you want to add a Content-Security-Policy header to the initial login HTTP request, set this property to the string required. When a nonce is required, you can use the %NONCE% keyword to indicate where the nonce is to be placed in the text; for example, \"script-src 'self' 'nonce-%NONCE%' ; object-src 'self'; frame-src 'self'\" | |
provider_<id>.contentType | Default: text/html; charset=UTF-8 | Use this property to change the default value of contentType text or html that is set on the response. |
provider_<id>.createSession | Default: false | Set this property to true when you want the runtime to create a new HTTP session for each client request. This property is required when the TAI runs in a cluster environment and you need the JSESSIONID cookie to maintain session affinity. |
provider_<id>.encodeNewline | Default: true | When this property is set to false, the new line characters that exist in POST parameters are not transformed into encoded br tags. |
`provider_<id>.decryptAlias | Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token. This property is required if the TAI receives encrypted JWTs. Providing a value for this property does not make the TAI reject unencrypted JWTs. | |
provider_<id>.decryptKeyPassword | You can specify a plain text or XOR encoded value. | Specifies the password for the decrypting key that is specified on the provider_<id>.decryptAlias property. This property can be specified in plain text or it can be XOR encoded, for example `{xor}CDo9Hgw=` |
provider_<id>.defaultRealmName | The realm name to use when one is not obtained from the token. | |
provider_<id>.encodeParameters | Default: false | Specifies to URL encode the client_id and client_secret before the RP sends them to the IdP. |
provider_<id>.grantType |
Default: there is no default value
Values:
|
Set this property when you want to enable the provider entry to be used to obtain an access token from the OpenID Provider's token endpoint using the OauthClientHelper APIs.
|
provider_<id>.httpOnly | When this property is set to true, the httpOnly flag is set on the cookie. | |
provider_<id>.httpsRequired | When this property is set to true, the OpenID Connect RP establishes a connection with only OPs that support https communication. When this property is set to true, but the scheme of the authorizeEndpointUrl, tokenEndpoint or introspectEndpoint is http, then the TAI fails to initialize. | |
provider_<id>.introspectClientId | Default: clientId value | Specifies the client_id to include in the requests to the OpenId Provider's introspection endpoint. |
provider_<id>.introspectClientSecret | Default: clientSecret value | Specifies the client_secret to include in the requests to the OpenId Provider's introspection endpoint. |
provider_<id>. introspectEndpointMethod |
Default: post | To be spec-compliant, the HTTP method to use with the introspect endpoint must be POST. To use GET, set this property to anything other than POST. Previous to APAR PI80549, the OIDC runtime always used GET. |
provider_<id>.issuerIdentifier | By default, this property is set to the value that is derived from the authorizedEndpointUrl. | Specifies the issuer of the IDToken. When this property is not set, it is derived from the authorizedEndpointUrl value. |
provider_<id>.jwkClientId | Specifies the client identifier to include in the basic authentication scheme of the JWK request. | |
provider_<id>.jwkClientSecret | Specifies the client password to include in the basic authentication scheme of the JWK request. | |
provider_<id>.keyStore | When this property is not specified, the default keystore is used. On a single server, the default keystore is NodeDefaultKeyStore. Otherwise, it is CellDefaultKeyStore | Specifies the keystore from which to obtain the decrypting key specified on the provider_<id>.decryptAlias property. Example values for this property are:
|
provider_<id>. mapIdentityToRegistryUser |
Default: false | When this property is set to false, the WebSphere subject is populated with the user and groups from the OpenID Connect Provider's realm. The users and groups do not need to exist in the WebSphere Application Server user registry. When this property is set to true, the OpenID Connect RP maps the OpenID Connect authenticated user to the same user (by shortname) in the WebSphere Application Server user registry. All users must be maintained in the WebSphere Application Server user registry. When OpenID Connect authenticates a user that is not in the local WebSphere Application Server user registry, an error occurs. |
provider_<id>.nonceEnabled | Default: false | When this property is set to true, a nonce parameter is sent to the OpenID Connect provider on the authentication request. When the responseType property is set to [code], this parameter defaults to false. When the responseType property set to anything other than [code], this property is set to [true] and cannot be altered. |
provider_<id>. postParameterCookieSize |
Default: 4093 Minimum: 500 Maximum: 4093 |
Maximum session cookie size that the run time creates. At run time, when the data to be written is larger than the value for this property, the request is rejected. This property overrides the value set for maxCookieSize for session cookies. |
provider_<id>. refreshExpiredAccessToken |
By default, when an access token expires, the runtime attempts to refresh it. Set this property to false when you do not want to refresh access tokens. | |
provider_<id>. refreshBeforeAccessTokenExpiresTime |
Default: 0 | You can use this property to adjust the time when the access token expires. Set this property to the number of seconds before the time set in the token you want the token to expire. |
provider_<id>.responseType | Default: code Values: code, id_token, id_token token, id_token+token |
This property defines the value for the [response_type] parameter that is sent to the OpenID Connect provider on authentication requests. When code is specified, the OpenID connect code login flow is used. When the value is set to anything other than [code]:
|
provider_<id>.scope | Default: openid profile | Specifies the scope of the token requested from the OpenID Connect Provider. This property determines the level of authorization the issued token would have. For example: openid general. |
provider_<id>. sessionCacheTimeoutMinutes |
Default: 120
Minimum: 0
Maximum: 43200
|
The time, in minutes, that a session that is associated with an ID token might remain in the session cache. By default, a session is removed from the cache based on at least the following conditions, in priority order:
When you set this property, it overrides the value for the ID token expiration for session caching purposes. If you set this property to [0], the ID token expiration condition is not used to remove sessions from the session cache, but the other three conditions are. The expiration of the ID token is provided on the exp claim. If this property is not set to a value in the configuration and no expiration value is in the ID token, the default timeout value is used.
When the DynaCache service is not available, the setting for this property is ignored if set to [0] because the local cache has no eviction policy. |
provider_<id>.setLtpaCookie |
Defaults:
|
Set this property to true when you want the runtime to set an LTPA Cookie on the response after successful authentication. |
provider_<id>.signatureAlgorithm | Default: HEADER Values: none, HS256, RS256, RS512, HEADER |
Specifies the algorithm that is used to secure messages from the OpenID Connect provider.
When this property is set to HEADER, the value is obtained from the header of each inbound token. The signature algorithms that are supported when the value is set to HEADER include any value that is supported by the jose4j open source project, version 0.6.5. See https://bitbucket.org/b_c/jose4j/wiki/Home
|
provider_<id>.signatureAllowList | You can specify a comma-separated list of signature algorithms. This property does not have a default value. |
Specifies a comma-separated list of signature algorithms that are allowed to secure messages from the OpenID Connect provider. If the provider_<id>.signatureAlgorithm property is set to a value other than HEADER, this property is ignored.
This list can include any value that is supported by the jose4j open source project, version 0.6.5, except HS256. See https://bitbucket.org/b_c/jose4j/wiki/Home Besides ensuring that the HS256 signature algorithm is not in the list, the values for this property are not validated by the OIDC TAI.
A value cannot be provided for both this property and the provider_<id>.signatureDenyList property.
|
provider_<id>.signatureDenyList | You can specify a comma-separated list of signature algorithms. See the description for the default value. |
Specifies a comma-separated list of signature algorithms that are not allowed to secure messages from the OpenID Connect provider. If the provider_<id>.signatureAlgorithm property is set to a value other than HEADER, this property is ignored.
This list can include any value that is supported by the jose4j open source project, version 0.6.5, and the values are not validated by the OIDC TAI. See https://bitbucket.org/b_c/jose4j/wiki/Home.
A value cannot be provided for both this property and the provider_<id>.signatureAllowList property.
If the configured list does not include HS256, HS256 is added to the list if any of the following conditions are true:
|
provider_<id>.signVerifyAlias | Specifies the alias of the certificate in the truststore that might be used to verify the signature from the OP. This property must be set when the signatureAlgorithm custom property is set to RS256 and you do not set the jwkEndpointUrl custom property to obtain the OP's JSON Web Key (JWK). | |
provider_<id>. tokenEndpointAuthMethod |
Default: post | When this property is set to 'basic', a BasicAuth header is sent when the RP sends a request to the token endpoint. |
provider_<id>.trustStore | When this property is not specified, the default truststore is used. On a single server, the default truststore is NodeDefaultTrustStore. Otherwise, it is CellDefaultTrustStore | Specifies the truststore from which to obtain the certificate specified on the provider_<id>.signVerifyAlias property. Example values for this property are:
|
provider_<id>.tokenReuse | Default: true | Set this property to false when you want the runtime to reject any request that uses a JWT containing a jti claim that was already used in another JWT on a previous request. |
provider_<id>.useDiscovery | When this property is set to true, but a value is not specified for the discoveryEndpointUrl property, the default value for the discoveryEndpointUrl property is used. When this property is set to false, the value for the discoveryEndpointUrl property is ignored. | |
provider_<id>.useIssuer | Default: true |
Set this property to false if do not want the runtime to use this provider entry to service JWT verification requests by API for JWTs that have an `iss` claim that that matches this provider's issuer.
If there is more than one provider entry with the same issuer name, only one of the provider entries can have this property set to true, otherwise this property is set to false for all matching issuers.
When the provider_<id>.allowJwtIssuerSelection property is set to true, it will override the value of this property and set it to true.
|
provider_<id>.useJwtFromRequest | Default: no Values: no, required, ifPresent |
This property controls processing when a JWT is found in the request authorization header. The allowed values are:
|
provider_<id>.useJavaScript | Default: true |
Set this property to false when you do not want to use JavaScript when the RP redirects to the OP for the initial authentication request. When you do not use JavaScript, any fragments that are present on the original inbound request are lost.
To preserve URI fragments, in addition to setting this property to true, you must also set the useUrlCookies property to true.
|
provider_<id>.usePkce | Default: false | Set this property to true if you want the TAI to use Proof Key for Code Exchange (PKCE) when authenticating by using the code authorization flow. The OIDC TAI always sets the code_challenge_method to S256 when it uses PKCE. For more information, see Proof Key for Code Exchange by OAuth Public Clients. |
provider_<id>.useRealm |
This property specifies a realm name and is used to override the realm name specified in the ID token. This property also overrides the defaultRealmName property.
Set this property to WAS_DEFAULT to use the default WebSphere realm name.
|
|
provider_<id>.userIdentifier | Default: sub | |
provider_<id>.uniqueUserIdentifier | Default: uniqueSecurityName | |
provider_<id>.groupIdentifier | Default: groupIds | Specifies the groups attribute name set by the OpenID Connect Provider in the IDToken. For example: groupIds. |
provider_<id>.realmIdentifier | Default: realmName | Specifies the realm attribute name set by the OpenID Connect Provider in the IDToken. |
provider_<id>. useDefaultIdentifierFirst |
Default: false | Specifies that, when a custom identifier is specified for the user (userIdentifier), unique user (uniqueUserIdentifier), group (groupIdentifier), or realm (realmIdentifier), the custom value is only used when the default value does not exist in the token. |
provider_<id>.verifyIssuerInIat | Default: false (otherwise) |
When JWT authentication is used:
|
Global Properties (connection timeouts, session, and state caching)
Property name
|
Values
|
Description
|
opServerConnectionTimeout | Default: 20000 | Specifies the time in milliseconds to wait for the OpenID Connect Provider to respond to an introspection request. |
sessionCacheSize | Default values: -1/10000 Minimum value: 1 Alternative value: -1 (use active DynaCache default maximum) |
Specifies the size of the cache the OpenID Connect RP uses for session data. When DynaCache is enabled on the server:
When DynaCache is not enabled on the server:
|
sessionCacheCleanupFrequency | Default: 1800 | The value of this property is in seconds, and is the frequency at which the stale value of the session cache is purged. This property is only used when the dynamic cache service is not in use. |
includeCustomCacheKeyInSubject | Default: true | When this property is set to true, the cache key for the Subject in the auth cache is set to (username)(session-cookie-name)(access-token-string), otherwise the cache key is left up to base security. The OIDC RP relies on the custom cache key to refresh the access token in the Subject. Therefore, when you want the Subject to contain the new access token after a refresh, this property must be set to true. |
jndiCacheName | When you want to use an object cache instance with properties that are different from the default, use this property to specify a custom object cache instance that is managed by the dynamic cache service. Read Using object cache instances for information about how to set up a custom object cache instance. The dynamic cache service must be enabled to use an object cache instance or DistributedObjectCache. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for sessionCacheCleanupFrequency and clusterCaching are ignored. | |
clusterCaching | Default: true | Set this property to false when you want each cluster member to maintain their own session cache. When DynaCache is enabled on the application server, it is always be used for cache management, but when this property is set to false, session data is not shared among cluster members. When DynaCache is enabled on the server, the OIDC TAI allows DynaCache to default the maximum number of entries in the cache. When cluster caching is turned on, the number of cache entries is shared among all cluster members. When cluster caching is turned off, each cluster member can store up to the DynaCache default maximum number of entries. |
stateIdTimeoutSeconds | Default: 600 Minimum: 60 |
The time, in seconds, that a login request to the OP is allowed to remain outstanding. |
useStateCookies | Default: true | By default, the run time uses both local storage and browser cookies to store request data when a request is redirected to the OP. When this property is false, the OIDC TAI does not use browser cookies; only local storage is used. |
useUniqueStateCookies | Default: false | When this property is set to true, instead of using a single OIDCSTATE cookie for all requests, each request uses a new OIDCSTATE cookie. |
useUrlCookies | Default: true |
During the initial login phase, the OIDC TAI writes a browser cookie called OIDCREQURL_(nnn). The value for this cookie is the original request URL. This cookie is deleted when the login is complete or after the login timeout expires (stateIdTimeoutSeconds), whichever comes first. If you want to maintain this information in other OIDC objects, set this property to false.
If your URL contains fragments or if the inbound URL is encoded and must remain encoded when it reaches the protected resource, both this property and the provider_<id>.useJavaScript property must be set to true.
|
maxStateCacheSize | Default value: 10000 minimum value: 25 alternative value: -1 (Use active DynaCache default maximum) alternative value: 0 (off) |
Maximum number of state objects that can be in the local state cache. Setting the value to 0 (zero) turns off the local state cache. Setting the value to -1 makes the OIDC TAI inherit the active DynaCache default maximum cache size. When DynaCache is not enabled on the application server, when -1 is specified, this property reverts to its default. |
maxCookieSize | Default: 4093 Minimum: 500 Maximum: 4093 |
Maximum cookie size that the run time creates. At run time, when the data to be written is larger than the value for this property, the request is rejected. This property applies to, and can be overridden by both maxStateCookieSize and provider.<id>.postParameterCookieSize. |
maxStateCookieSize | Default: 4093 Minimum: 500 Maximum: 4093 |
Maximum state cookie size that the run time creates. At run time, when the data to be written is larger than the value for this property, the request is rejected. This property overrides the value set for maxCookieSize for state cookies. |
alwaysInvalidateAccessTokenOnLogout | Default: false | By default, when a user logs out, if an OIDC session cookie is present on a request, the logout uses only the information associated with the OIDC session cookie. When there is no OIDC session cookie, then the logout uses the access token in the Authorization header of the request. When this property is set to true, the logout uses information from both the OIDC session cookie and the Authorization header of the request, when they exist. |
Properties Required for a JWT Authentication Only Provider Entry
To find the definition of the properties listed in these two tables, see the previous properties tables.
Property name
|
Comments
|
provider_<id>.useJwtFromRequest | Must be set to required |
provider_<id>.identifier provider_<id>.issuerIdentifier |
Both of these properties are required. |
provider_<id>.jwkEndpointUrl provider_<id>.signVerifyAlias |
One of these properties must be configured to obtain the JWT signer certificate. |
provider_<id>.interceptedPathFilter provider_<id>.filter |
One of these properties must be configured to enable the OIDC TAI to intercept requests. |
provider_<id>.tokenReuse provider_<id>.audiences |
These properties are for use only with JWT authentication. They are optional, but you might want to use them in your configuration. |
Note:
This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.
Related Information
Was this topic helpful?
Document Information
Modified date:
16 June 2023
UID
swg22002749