amAuthOAuth.properties revision f6e2cb3fcbf7ad3fb8f5a19414d54d5f2b774a63
# The contents of this file are subject to the terms of the Common Development and
# Distribution License (the License). You may not use this file except in compliance with the
# License.
#
# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
# specific language governing permission and limitations under the License.
#
# When distributing Covered Software, include this CDDL Header Notice in each file and include
# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
# Header, with the fields enclosed by brackets [] replaced by your own identifying
# information: "Portions copyright [year] [name of copyright owner]".
#
# Copyright 2011-2015 ForgeRock AS.
#
# Portions Copyrighted 2012 Open Source Solution Technology Corporation
# Portions Copyrighted 2015 Nomura Research Institute, Ltd.

# module descriptor (shows up on OpenAM Console)
description = OAuth 2.0 / OpenID Connect

# localization for module configuration
a101=Client Id
a101.help=OAuth client_id parameter
a101.help.txt=For more information on the OAuth client_id parameter refer to the \
<a href="http://tools.ietf.org/html/rfc6749#section-2.3.1" target="_blank">RFC 6749</a>, section 2.3.1
a102=Client Secret
a102.help=OAuth client_secret parameter
a102.help.txt=For more information on the OAuth client_secret parameter refer to the \
<a href="http://tools.ietf.org/html/rfc6749#section-2.3.1" target="_blank">RFC 6749</a>, section 2.3.1
a103=Authentication Endpoint URL
a103.help=OAuth authentication endpoint URL
a103.help.txt=This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider
a104=Access Token Endpoint URL
a104.help=OAuth access token endpoint URL
a104.help.txt=This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the \
<a href="http://tools.ietf.org/html/rfc6749#section-3.2" target="_blank">RFC 6749</a>, section 3.2
a105=User Profile Service URL
a105.help=User profile information URL
a105.help.txt=This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/>\
<i>NB </i>This URL should return JSON objects in response
a106=Scope
a106.help=OAuth scope; list of user profile properties
a106.help.txt=The OAuth scope is a list of values that define the type of information that can be retrieved from \
the user profile service. The values will depend on the type of permissions that the user has given to the user profile application \
in the OAuth 2.0 Provider.<br/><br/>Example: <code>email, read_stream</code>
a107 = OAuth2 Access Token Profile Service Parameter name
a107.help = The name of the parameter that will contain the access token value when accessing the profile service
a108=Proxy URL
a108.help=The URL to the OpenAM OAuth proxy JSP
a108.help.txt=This URL should only be changed from the default, if an external server is performing the GET to POST proxying. \
The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>
a108a=Account Provider
a108a.help=Name of the class implementing the account provider.
a108a.help.txt=This class is used by the module to find the account from the attributes mapped by the Account Mapper.\
 <br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.\
 <br/>String constructor parameters can be provided by appending <code>|</code> separated values.
a109=Account Mapper
a109.help=Name of the class implementing the attribute mapping for the account search.
a109.help.txt=This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.\
<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.\
 <br/>Provided implementations are:\
 <ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li>\
 <li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>\
 String constructor parameters can be provided by appending <code>|</code> separated values.
a110=Account Mapper Configuration
a110.help=Mapping of OAuth account to local OpenAM account
a110.help.txt=Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to \
the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>
a111=Attribute Mapper
a111.help=Name of the class that implements the attribute mapping
a111.help.txt=This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/>\
 <br/>A custom attribute mapper must implement the \
 <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.\
 <br/>Provided implementations are:\
 <ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li>\
 <li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>\
 String constructor parameters can be provided by appending <code>|</code> separated values.
a112=Attribute Mapper Configuration
a112.help=Mapping of OAuth attributes to local OpenAM attributes
a112.help.txt=Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local \
user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>
a115=Save attributes in the session
a115.help=If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session
a118=Email attribute in OAuth2 Response
a118.help=Attribute from the OAuth2 response used to send activation code emails.
a118.help.txt=The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of \
the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created \
dynamically.
a120=Create account if it does not exist
a120.help=If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.
a120.help.txt=If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before \
creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter "Prompt \
for password setting and activation code" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/>\
<ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li>\
<li>The user does not have a user profile and the "Ignore Profile" is set in the Authentication Service of the realm.</li>\
<li>The account is mapped to an anonymous account (see parameter "Map to anonymous user" and "Anonymous User")</li></ol>
a122=Prompt for password setting and activation code
a122.help=Users must set a password and complete the activation flow during dynamic profile creation.
a122.help.txt=If this is enabled, the user must set a password before the system creates an account dynamically and an activation \
code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. \
<br />If this is disabled, the account will be created transparently without prompting the user.
a124=Map to anonymous user
a124.help=Enables anonymous user access to OpenAM for OAuth authenticated users
a124.help.txt=If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the \
next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.\
<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.
a126=Anonymous User
a126.help=Username of the OpenAM anonymous user
a126.help.txt=The username of the user that will represent the anonymous user. This user account must already exist in the realm.
a128=OAuth 2.0 Provider logout service
a128.help=The URL of the OAuth Identity Provider's Logout service
a128.help.txt=OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of \
the Logout endpoint should be configured here.
a130=Logout options
a130.help=Controls how Logout options will be presented to the user.
a130.help.txt=The OAuth module has the following logout options for the user:<br/><br/>\
<ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li>\
<li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li>\
<li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>
a132=Mail Server Gateway implementation class
a132.help=The class used by the module to send email.
a132.help.txt=This class is used by the module to send email. A custom implementation can be provided.<br/><br/>\
The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.
a134=SMTP host
a134.help=The mail host that will be used by the Email Gateway implementation
a136=SMTP port
a136.help=The TCP port that will be used by the SMTP gateway
a138=SMTP User Name
a138.help=If the SMTP Service requires authentication, configure the user name here
a140=SMTP User Password
a140.help=The Password of the SMTP User Name
a142=SMTP SSL Enabled
a142.help=Tick this option if the SMTP Server provides SSL
a144=SMTP From address
a144.help=The email address on behalf of whom the messages will be sent
a500 = Authentication Level
a500.help=The authentication level associated with this module.
a500.help.txt=Each authentication module has an authentication level that can be used to indicate the level of security \
associated with the module; 0 is the lowest (and the default).
#
# error messages
#
authFailed = Authentication failed due to unknown reason
json = Authentication failed with a json exception
ssoe = Authentication failed with a Single Sign On Exception
ire = Authentication failed with an Identity Repo Exception
unknownState = Authentication failed because the state was not valid
ioe = Authentication failed with an Input/Output exception while trying to get content
httpErrorCode = Authentication failed because the remote server responded with an HTTP error code {0}
malformedURL = Malformed URL when trying to access the profile service
invalidField = The input field {0} contains invalid data: {1}
audience = OpenID Connect ID token is not for this audience.
noState=Authorization request failed because there was no state parameter
incorrectState=Authorization request failed because the state parameter contained an unexpected value
#
# Mail parameters
#
messageSubject = Activation code
messageBody = Thanks for registering with us.\n\nA username will be created for you once you provide the activation code.\n\nPlease click the following link to create and activate your account:\n\n#ACTIVATION_LINK#\n\nIf you encounter an error message, you can also copy the activation code and paste it in the screen that is asking for it.\n\nYour activation code is: #ACTIVATION_CODE#\n\nBest Regards,\n\nForgeRock
#
# Buttons in the Authentication Service Configuration
#
donotlogout = Do not logout
logout = Log out
prompt = Prompt
i18nTrue = true
i18nFalse = false
#
# JSP messages
#
# Activation page
activationTitle = Activation Code Page
activationLabel = Activation Code
activationCodeMsg = You were sent an activation code to the email address configured in your profile. Please check your mail and click the link provided. If you have a problem when clicking the link, then copy and paste the activation code here and hit Enter. Thanks
emptyCode = The activation code cannot be empty
errInvalidCode = The code introduced is not valid
submit = Submit
cancel = Cancel
#
# Password setting page
newPassLabel = New Password
confirmPassLabel = Confirm your password
termsAndCondsLabel = terms and conditions of service
passwordSetMsg = Please provide a password for your account.
passwordRules = The password must have at least 8 characters<br/>At least one uppercase and one lowercase character<br/>At least one number<br/>It can also contain the characters + = _
errLength = Error. Password must contain at least eight characters
errNumbers = Error. Password must contain at least one number. 0-9
errLowercase = Error. Password must contain at least one lowercase letter. a-z
errUppercase = Error. Password must contain at least one uppercase letter. A-Z
errNoMatch = Error. The password and confirmation password do not match
errEmptyPass = Please enter a password and confirm it
errTandC = Please accept terms and conditions
errInvalidPass = The password provided contains invalid characters
#
# Logout Page
# #IDP# will be replaced by the name of the IdP during the presentation of the page
doYouWantToLogout = Do you also want to logout from #IDP# ?
loggingYouOut = Logging you out from the IdP
youVeBeenLogedOut = You have been logged out from the OAuth 2.0 IdP
noSupportIFrames = Your browser does not support iframes
logmeout=Yes
donot=No
enableScripts=Please enable JavaScript in your browser

# OpenID Connect validation settings
oidc.issuer_name=Name of OpenID Connect ID Token Issuer
oidc.issuer_name.help=Required when the 'openid' scope is included. Value must match the iss field in the issued ID Token\
 <br/>e.g. accounts.google.com
oidc.crypto_context_type=OpenID Connect validation configuration type
oidc.crypto_context_type.help=Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, \
 2. the issuer jwk url, or 3. the client_secret.
oidc.crypto_context_value=OpenID Connect validation configuration value
oidc.crypto_context_value.help=Required when the 'openid' scope is included. The discovery url, or jwk url, or the \
 client_secret, corresponding to the selection above.
oidc.crypto_context_value.help.txt=If a discovery or jwk url is entered, the entry must be in valid url format, <br/>\
 e.g. https://accounts.google.com/.well-known/openid-configuration
3412N/A