OAuth2Provider.properties revision 3c4b36629c44834e885336cbcd885a28816d08ac
#
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright 2012-2015 ForgeRock AS.
#
# The contents of this file are subject to the terms
# of the Common Development and Distribution License
# (the License). You may not use this file except in
# compliance with the License.
#
# You can obtain a copy of the License at
# http://forgerock.org/license/CDDLv1.0.html
# See the License for the specific language governing
# permission and limitations under the License.
#
# When distributing Covered Code, include this CDDL
# Header Notice in each file and include the License file
# at http://forgerock.org/license/CDDLv1.0.html
# If applicable, add the following below the CDDL Header,
# with the fields enclosed by brackets [] replaced by
# your own identifying information:
# "Portions copyright [year] [name of copyright owner]"
#

#
# Portions Copyrighted 2014-2015 Nomura Research Institute, Ltd.
#

forgerock-oauth2-provider-description=OAuth2 Provider

# Global settings
g101=OpenID Connect Claims extension Script Timeout
g101.help=The maximum execution time any individual script should take on the server (in seconds).
g101.help.txt=Scripts will be forcibly stopped after this amount of execution time.
g102=Core thread pool size
g102.help=The core size of the thread pool from which scripts will operate.
g103=Maximum thread pool size
g103.help=The maximum size of the thread pool from which scripts will operate.
g103.help.txt=New threads will be created up to this size once the task queue reaches capacity. Has no effect if the \
 queue is unbounded.
g104=Thread pool queue size
g104.help=Size of the queue used to buffer script execution requests when the core pool is at capacity.
g104.help.txt=Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound \
 scripts, consider a small pool size and a larger queue length. For I/O-bound scripts (e.g., REST calls) consider \
 a larger maximum pool size and a smaller queue. Not hot-swappable: restart the server for changes to take effect.
g105=Thread idle timeout (seconds)
g105.help=Length of time (in seconds) to wait before terminating idle threads.
g105.help.txt=Length of time (in seconds) to wait before terminating threads that were started when the queue reached \
 capacity. Only applies to threads beyond the core pool size (up to the maximum size).
g106=Java class whitelist
g106.help=List of patterns of allowed Java classes that may be loaded/accessed by scripts.
g106.help.txt=Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, \
 e.g. <code>java.lang.*</code>
g107=Java class blacklist
g107.help=List of patterns of Java classes that must not be accessed by a script.
g107.help.txt=This blacklist is applied after the whitelist to apply additional restrictions. For instance you may \
 whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer \
 specific whitelists where possible.
g108=Use system SecurityManager
g108.help=Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.
g108.help.txt=If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no \
 SecurityManager is configured, then this has no effect.

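As an added illustration of the whitelist-then-blacklist semantics behind g106 and g107 (example code, not OpenAM's own implementation), the following Python evaluates class names against the example configuration from the help text. The pattern grammar (literal text with '*' as the only wildcard, each pattern matching the whole class name) and the audit helper are assumptions of this example.

```python
import re
from typing import Iterable, Sequence


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one whitelist/blacklist entry; '*' is the only wildcard (assumed grammar)."""
    parts = [re.escape(p) for p in pattern.strip().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


class ScriptClassAccessPolicy:
    """Whitelist-then-blacklist check for Java classes touched by a script.

    Mirrors the documented semantics: a class must match at least one whitelist
    pattern, and the blacklist is applied afterwards to carve out exceptions.
    """

    def __init__(self, whitelist: Sequence[str], blacklist: Sequence[str] = ()):
        self._allow = [(p, _pattern_to_regex(p)) for p in whitelist]
        self._deny = [(p, _pattern_to_regex(p)) for p in blacklist]

    def decide(self, class_name: str) -> tuple:
        """Return (allowed, reason); the reason is suitable for an audit log line."""
        allowed_by = next((p for p, r in self._allow if r.match(class_name)), None)
        if allowed_by is None:
            return False, f"{class_name}: no whitelist pattern matches"
        denied_by = next((p for p, r in self._deny if r.match(class_name)), None)
        if denied_by is not None:
            return False, f"{class_name}: allowed by {allowed_by!r} but blacklisted by {denied_by!r}"
        return True, f"{class_name}: allowed by {allowed_by!r}"

    def is_allowed(self, class_name: str) -> bool:
        return self.decide(class_name)[0]

    def audit(self, class_names: Iterable[str]) -> list:
        """Reasons for every class a script would need, denied ones listed first."""
        decisions = [self.decide(c) for c in class_names]
        return [reason for ok, reason in sorted(decisions, key=lambda d: d[0])]


# Constructed sample configuration following the help text: whitelist java.lang.*
# and then blacklist java.lang.System and java.lang.Runtime (reflection added too).
POLICY = ScriptClassAccessPolicy(
    whitelist=["java.lang.*", "org.forgerock.openam.oauth2.*"],
    blacklist=["java.lang.System", "java.lang.Runtime", "java.lang.reflect.*"],
)

if __name__ == "__main__":
    for line in POLICY.audit(["java.lang.String", "java.lang.System",
                              "java.lang.reflect.Method", "java.io.File"]):
        print(line)
```

Note that `java.lang.*` also matches sub-packages such as `java.lang.reflect`, which is why the blacklist entry for it is needed even though the whitelist looks narrow.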
a100=Authorization Code Lifetime (seconds)
a100.help=The time in seconds an authorization code is valid for
a101=Refresh Token Lifetime (seconds)
a101.help=The time in seconds a refresh token is valid for
a102=Access Token Lifetime (seconds)
a102.help=The time in seconds an access token is valid for
a103=Issue Refresh Tokens
a103.help=Check to enable generation of refresh tokens
a103a=Issue Refresh Tokens on Refreshing Access Tokens
a103a.help=Check to enable generation of refresh tokens when refreshing access tokens
a104=Scope Implementation Class
a104.help=The class that contains the required scope implementation
a104aa=OIDC Claims Script
a104aa.help=This script is run, when an implementation of org.forgerock.openam.oauth2.OpenAMScopeValidator is in use, \
 whenever an ID Token is issued or a request is made to the userinfo endpoint, and gathers and fills in all claims \
 for the request. The script has access to the requested scopes, the access token, the user's session (if \
 available) and the user's identity.
a104ab=OIDC Claims Script Type
a104ab.help=This is the language of the OIDC claims script
scriptGroovyChoice=Groovy
scriptJavaScriptChoice=JavaScript
a105=Response Type Plugins
a105.help=Response types are entered as response_type|plugin class name, for example \
 code|org.forgerock.openam.oauth2.CodeClass. If there is no implementation class, use none in place of the class \
 name, for example id_token|none.
a106=User Profile Attribute(s) the Resource Owner is Authenticated On
a106.help=If the attributes are mail and uid, then the search filter (|(mail=user)(uid=user)) will be used to get the \
 user profile, where user is the username entered during authentication.
a107=Saved Consent Attribute Name
a107.help=To use saved consent, a list attribute must be set up and its name provided here.
a108=Supported Scopes
a108.help=A list of scopes this authorization server supports.
a109=Remote JSON Web Key URL
a109.help=The remote URL from which the provider's JSON Web Key can be retrieved.
a110=Subject Types supported
a110.help=List of subject types supported. Valid values are pairwise and public.
a111=ID Token Signing Algorithms supported
a111.help=Algorithms supported for signing id_tokens.
a112=Supported Claims
a112.help=List of claims supported by the userinfo endpoint.
a113=OpenID Connect JWT Token Lifetime (seconds)
a113.help=The amount of time in seconds the JWT will be valid for.
a114=Alias of ID Token Signing Key
a114.help=The alias of the key in the keystore that is used to sign the ID Tokens issued by OpenAM.
a115=Allow Open Dynamic Client Registration
a115.help=Allow clients to register without an access token. If enabled, you should consider adding some form of rate \
 limiting. See <a href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration" \
 target="_blank">Client Registration</a> in the OpenID Connect specification for details.
a116=Generate Registration Access Tokens
a116.help=Whether to generate Registration Access Tokens for clients that register via open dynamic client \
 registration. Such tokens allow the client to access the <a \
 href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint" \
 target="_blank">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has \
 no effect if open dynamic client registration is disabled.
a117=OpenID Connect acr_values to Auth Chain Mapping
a117.help=Maps OpenID Connect ACR values to authentication chains. See <a \
 href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">the acr_values parameter</a> \
 in the OpenID Connect authentication request specification for more details.
a118=OpenID Connect default acr claim
a118.help=Default value to use as the 'acr' claim in an OpenID Connect ID Token when using the default authentication \
 chain.
a119=OpenID Connect id_token amr values to Auth Module mappings
a119.help=If you require <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>, you can \
 configure them here. Once authentication has completed, the authentication modules that were used by the \
 authentication service will be mapped to the <code>amr</code> values. If you do not require amr values, or are not \
 providing OpenID Connect tokens at all, this field can be left blank.
a120=Modified Timestamp attribute name
a120.help=The attribute name of the modified timestamp in the identity repository (must also be added to the User \
 Attributes List on the Datastore Service page).
a121=Created Timestamp attribute name
a121.help=The attribute name of the created timestamp in the identity repository (must also be added to the User \
 Attributes List on the Datastore Service page).
a122=Default Client Scopes
a122.help=List of scopes a client will be granted if it requests registration without specifying which scopes it \
 wants. Default scopes are NOT auto-granted to clients created through the administrator interface.
a123=Enable "claims_parameter_supported"
a123.help=If enabled, clients will be able to request individual claims using the "claims" Request Parameter \
 as per section 5.5 of the OpenID Connect specification.
a124=Subject identifier hash salt
a124.help=If pairwise subject types are supported, it is STRONGLY RECOMMENDED to set this value. It is used to salt \
 the hashes from which the pairwise sub claims are derived for clients sharing the same request_uri or \
 sector_identifier_uri.
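To show why a124 matters, here is an added example (not OpenAM's own code) of the pairwise subject identifier derivation given in OpenID Connect Core section 8.1, sub = SHA-256(sector_identifier || local_account_id || salt): clients in the same sector see the same sub for a user, clients in different sectors see unrelated ones, and without a secret salt anyone knowing a user's local identifier could recompute the sub. The sector hosts, account id, salt and the separator inserted between the concatenated fields are constructed assumptions of this example.

```python
import hashlib
from typing import Optional, Sequence
from urllib.parse import urlparse


def sector_identifier(redirect_uris: Sequence[str],
                      sector_identifier_uri: Optional[str] = None) -> str:
    """Host that identifies the client's sector (OpenID Connect Core 8.1).

    If the client registered a sector_identifier_uri its host is used; otherwise
    all redirect_uris must share one host, and that host is the sector.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname or ""
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("redirect_uris span several hosts: sector_identifier_uri is required")
    return hosts.pop()


def pairwise_sub(sector: str, local_account_id: str, salt: str) -> str:
    """sub = SHA-256(sector || local_account_id || salt), hex-encoded.

    A NUL separator is inserted between the fields (an assumption beyond the
    spec's bare concatenation) so that field boundaries are unambiguous.
    An empty salt is refused: without it, anyone who knows a user's local
    identifier and a client's sector could recompute that user's sub.
    """
    if not salt:
        raise ValueError("subject identifier hash salt must be configured")
    material = f"{sector}\x00{local_account_id}\x00{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# Constructed sample values; a real salt must be long, random and kept secret.
SALT = "constructed-example-salt-do-not-reuse"
ALICE = "alice"  # local account identifier in the identity repository


def demo() -> dict:
    """Two clients in one sector and a third client in another sector."""
    shop = sector_identifier(["https://shop.example.net/cb", "https://shop.example.net/alt"])
    news = sector_identifier(["https://a.news.example.org/cb", "https://b.news.example.org/cb"],
                             sector_identifier_uri="https://news.example.org/sector.json")
    return {"shop": pairwise_sub(shop, ALICE, SALT), "news": pairwise_sub(news, ALICE, SALT)}


if __name__ == "__main__":
    for sector, sub in demo().items():
        print(f"{sector}: sub={sub}")
```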
a125=Always return claims in ID Tokens
a125.help=All id_tokens will contain scope-derived claims. Warning: not strictly spec-compliant.
a125.help.txt=The <a href="http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims">OpenID Connect \
 specification</a> is ambiguous about whether scope-derived claims should always be added to the ID Token. This is \
 disabled by default in order to guarantee compliance, but can be enabled for situations where calling the \
 userinfo endpoint is not practical but an access token is still wanted.
a126=Code verifier parameter required
a126.help=If enabled, Authorization Code requests will require a "code_challenge" parameter
a126.help.txt=The spec for this feature can be found <a href="https://tools.ietf.org/html/draft-ietf-oauth-spop-12">here</a>
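As an added example of what the a126 setting enforces (example code, not OpenAM's implementation), the following Python shows both ends of the PKCE flow from the linked spec: the authorization endpoint rejecting a code request that carries no code_challenge when the setting is on, and the token endpoint binding the code exchange to the presented code_verifier. The verifier grammar and the S256/plain transforms are those of the spec; the parameter dictionaries are constructed inputs.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier grammar from the spec: 43 to 128 unreserved characters
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def new_code_verifier() -> str:
    """Client side: 32 random bytes, base64url-encoded without padding (43 chars)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(params: dict, code_verifier_required: bool) -> tuple:
    """Authorization endpoint: return (challenge, method) to store alongside the
    authorization code, or raise ValueError carrying the OAuth2 error to return."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # spec default when absent
    if challenge is None:
        if code_verifier_required:
            raise ValueError("invalid_request: code_challenge is required")
        return None, None
    if method not in ("plain", "S256"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    return challenge, method


def verify_code_verifier(stored_challenge, stored_method, presented_verifier) -> bool:
    """Token endpoint: accept the code only if the verifier matches the stored challenge.

    With the setting enabled every issued code has a stored challenge, so a code
    without one, or a request without a well-formed verifier, is refused.
    """
    if stored_challenge is None or presented_verifier is None:
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if stored_method == "S256":
        expected = s256_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    # constant-time comparison so timing does not reveal how much of the value matched
    return hmac.compare_digest(expected, stored_challenge)
```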
a1075=User Display Name attribute
a1075.help=The attribute of identities retrieved from the ID Repository that contains a displayable name for the user, \
 for use on the consent page.