OAuth2Provider.properties revision 0671cf336699cf9cd573e3ff1b7c141cf3728115
1589N/Ag101.help=The maximum execution time any individual script should take on the server (in seconds).
1589N/Ag101.help.txt=Scripts will be forcibly stopped after this amount of execution time.
1589N/Ag103.help.txt=New threads will be created up to this size once the task queue reaches capacity. Has no effect if the \
1741N/Ag104.help=Size of queue to use for buffering script execution request when core pool is at capacity.
1589N/Ag104.help.txt=Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound \
1589N/A scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider \
1589N/A a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.
1589N/Ag105.help.txt=Length of time (in seconds) to wait before terminating threads that were started when the queue reached \
1589N/Ag106.help.txt=Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, \
1589N/Ag107.help.txt=This blacklist is applied after the whitelist to apply additional restrictions. For instance you may \
1589N/A whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer \
1589N/Ag108.help=Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.
1703N/Ag108.help.txt=If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no \
1589N/Aa099.help=Enable to issue stateless access & refresh tokens that can be introspected by resource servers.
1589N/Aa103a.help=Check to enable generation of refresh tokens when refreshing access tokens
1589N/Aa103b.help=A Freemarker template which will create a custom URL for the login page to authenticate the resource owner. \
1589N/A The following values are available to the Freemarker template: gotoUrl - the URL to redirect back to the OAuth2 \
1589N/A authorization process, acrValues - the acr values for the OAuth2 authorization request, realm - the OpenAM realm \
1703N/A the OAuth2 authorization request was made on, module - the name of the OpenAM authentication module requested to \
1703N/A perform resource owner authentication, service - the name of the OpenAM authentication chain requested to perform \
1703N/A resource owner authentication, locale - a space separated list of locales ordered by preference.
1703N/Aa104aa.help=This is a script that will be run, when using an implementation of the \
1589N/A org.forgerock.openam.oauth2.OpenAMScopeValidator, when issuing an ID Token or making a request to the userinfo \
1703N/A endpoint that will gather and fill in all claims for the request. The script has access to the requested scopes, \
1589N/Aa104ab.help=This is the language of the OIDC claims script
1589N/Aa105.help=Response types are input as such, code|name of plugin class. For example, code|org.forgerock.oauth2.core.TokenResponseTypeHandler. \
1589N/AIf there is no implementation class none should be used in place of the class name. For example id_token|none.
1589N/Aa106.help=If the attribute is mail and uid, then a search string of (|(mail=user)(uid=user)) will be used to get the \
1589N/Aa107.help=To use saved consent a list attribute must be set up and the attribute name provided.
1703N/Aa1075.help=The attribute for identities retrieved from the ID Repository that contains a displayable name for the user \
3311N/Aa108.help.txt=Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, \
1589N/A locale, and localized description; e.g. "read|en|Permission to view email messages in your account". Locale strings \
1589N/A are in the format <code>language + "_" + country + "_" + variant</code>, e.g. en, en_GB, en_US_WIN. \
1589N/A If the locale and pipe is omitted, the description is displayed to all users having undefined locales. \
1703N/A <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying "read|" would allow \
1703N/A the scope "read" to be used by the client, but would not display it to the user when it was requested.
1703N/Aa111a.help=Algorithm supported to encrypt OpenID Connect ID tokens in order to hide its contents.
1703N/Aa111a.help.txt=RSA1_5 is the only currently supported encryption algorithm.
1589N/Aa111b.help=Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.
1703N/Aa111b.help.txt=Available encryption methods are: A128CBC-HS256 and A256CBC-HS512.
1703N/Aa112.help.txt=Claims may be entered as simple strings or pipe separated strings representing the internal claim name, \
1703N/A locale, and localized description; e.g. "read|en|Permission to view email messages in your account". Locale strings \
1703N/A are in the format <code>language + "_" + country + "_" + variant</code>, e.g. en, en_GB, en_US_WIN. \
1589N/A If the locale and pipe is omitted, the description is displayed to all users having undefined locales. \
1589N/A <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying "name|" would allow \
1589N/A the claim "name" to be used by the client, but would not display it to the user when it was requested.
1589N/Aa113a.help=Algorithm used to sign stateless OAuth2 tokens in order to detect tampering.
1703N/Aa113a.help.txt=NONE - No signature.<br/>\
1589N/Aa113b.help=Base64 encoded key used by HS256, HS384 and HS512.
1589N/Aa114=Token Signing RSA public/private key pair
1589N/Aa114.help.txt=The public/private key pair will be retrieved from the keystore referenced by the property \
1589N/Aa114a=Token Signing ECDSA public/private key pair alias
1589N/Aa114a.help=The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). \
1741N/A Add an entry to specify an alias for a specific elliptic curve algorithm, e.g. "ES256|es256Alias
1703N/Aa114a.help.txt=Each of the public/private key pairs will be retrieved from the keystore referenced by the property \
1741N/Aa115.help=Allow clients to register without an access token. If enabled, you should consider adding some form of rate \
1703N/A limiting. See <a href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration" \
1703N/Aa116.help=Whether to generate Registration Access Tokens for clients that register via open dynamic client \
1589N/A href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint" \
1589N/A target="_blank">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has \
1589N/A href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">the acr_values parameter</a> \
1703N/Aa118.help=Default value to use as the 'acr' claim in an OpenID Connect ID Token when using the default authentication \
1741N/Aa119.help=If you require <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>, you can \
1589N/A configure them here. Once authentication has completed, the authentication modules that were used from the \
1589N/A authentication service will be mapped to the <code>amr</code> values. If you do not require amr values, or are not \
1703N/Aa120.help=The attribute name of the modified timestamp in the identity repository (must also be added to the User \
1741N/Aa121.help=The attribute name of the created timestamp in the identity repository (must also be added to the User \
1703N/Aa122.help=List of scopes a client will be granted if they request registration without specifying which scopes they \
1741N/A want. Default scopes are NOT auto-granted to clients created through the administrator interface.
1703N/Aa123.help=If enabled, clients will be able to request individual claims using the "claims" Request Parameter \
1589N/Aa124.help=If pairwise subject types are supported, it is STRONGLY RECOMMENDED to set this value. It is used in \
1589N/A the salting of hashes for returning specific sub claims to individuals using the same request_uri or \
1741N/Aa125.help=All id_tokens will contain scope-derived claims. Warning: not strictly spec-compliant.
1589N/Aa125.help.txt=The <a href="http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims">OpenID Connect \
1589N/A specification</a> is ambiguous whether scope-derived claims should always be added to the ID Token. This is \
1589N/A disabled by default in order to guarantee compliance, but can be enabled for situations where calling the \
1741N/A .org/html/draft-ietf-oauth-spop-12">here</a>
1741N/Aa127.help=The URL that the user will be instructed to visit to complete their OAuth 2 login and consent when using \
1741N/Aa128.help=The URL that the user will be sent to on completion of their OAuth 2 login and consent when using \
1741N/Aa130.help=The polling frequency for devices waiting for tokens when using the device code flow.
1741N/Aa131.help=When this setting is enabled OpenAM will store the ops tokens corresponding to OIDC sessions in the CTS \
1589N/A store. Note that session management related endpoints will not work when this setting is disabled.
1589N/Aa132.help=If enabled, clients may be configured so that the resource owner will not be asked for consent during \
1741N/Aa133.help=If enabled then tokens will be blacklisted on the server on delete until the token expires.
1589N/Aa133.help.txt=It is recommended to enable this setting if the maximum token expiry time is high. State is stored in \
1589N/A the core token store (CTS) until the token expires in order to ensure that tokens cannot continue to \
1589N/Aa134.help=Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.
1589N/Aa135.help.txt=How often each server will poll the CTS for token blacklist changes from other servers. This is used \
1589N/A to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number\
1589N/A will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set \
1589N/Aa136.help.txt=Allows additional time to account for clock skew to ensure that a token has expired before it is \