OAuth2Provider.properties revision eecacd7d5dccfdf1b55e7555b2339d9aecba678a
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# Copyright 2012-2015 ForgeRock AS.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# The contents of this file are subject to the terms
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# of the Common Development and Distribution License
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# (the License). You may not use this file except in
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# compliance with the License.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# You can obtain a copy of the License at
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# http://forgerock.org/license/CDDLv1.0.html
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# See the License for the specific language governing
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# permission and limitations under the License.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# When distributing Covered Code, include this CDDL
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# Header Notice in each file and include the License file
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# at http://forgerock.org/license/CDDLv1.0.html
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# If applicable, add the following below the CDDL Header,
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# with the fields enclosed by brackets [] replaced by
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# your own identifying information:
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync# "Portions copyright [year] [name of copyright owner]"
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync#
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync
d10b594ea1bfbfb3dbd7132080ab860abe618cb4vboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# Portions Copyrighted 2014-2015 Nomura Research Institute, Ltd.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync#
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncforgerock-oauth2-provider-description=OAuth2 Provider
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync# Global settings
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg101=OpenID Connect Claims extension Script Timeout
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg101.help=The maximum execution time any individual script should take on the server (in seconds).
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg101.help.txt=Scripts will be forcibly stopped after this amount of execution time.
35396ee506ef68dd1c161f1ef2c3c0b68a146ff2vboxsyncg102=Core thread pool size
35396ee506ef68dd1c161f1ef2c3c0b68a146ff2vboxsyncg102.help=The core size of the thread pool from which scripts will operate.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg103=Maximum thread pool size
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg103.help=The maximum size of the thread pool from which scripts will operate.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg103.help.txt=New threads will be created up to this size once the task queue reaches capacity. Has no effect if the \
2d5ac59d51273f70a05a112ea103ebf0bee1a6e4vboxsync queue is unbounded.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg104=Thread pool queue size
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg104.help=Size of the queue used to buffer script execution requests when the core pool is at capacity.
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsyncg104.help.txt=Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound \
3c3a5ab35783f4d31cb5d3a15db9daadeb804daavboxsync scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg105=Thread idle timeout (seconds)
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg105.help=Length of time (in seconds) to wait before terminating threads.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg105.help.txt=Length of time (in seconds) to wait before terminating threads that were started when the queue reached \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync capacity. Only applies to threads beyond the core pool size (up to the maximum size).
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg106=Java class whitelist
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg106.help=List of patterns of allowed Java classes that may be loaded/accessed by scripts.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg106.help.txt=Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync e.g. <code>java.lang.*</code>
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg107=Java class blacklist
54ae7b69a9aa4256e14122eaf595699d312cf901vboxsyncg107.help=List of patterns of Java classes that must not be accessed by a script.
54ae7b69a9aa4256e14122eaf595699d312cf901vboxsyncg107.help.txt=This blacklist is applied after the whitelist to apply additional restrictions. For instance you may \
d134558e26d3744503b2dbe50a75bcd3fa678432vboxsync whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. A blacklist only blocks the \
d134558e26d3744503b2dbe50a75bcd3fa678432vboxsync patterns it lists, so it is recommended to always prefer specific whitelists where possible.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg108=Use system SecurityManager
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg108.help=Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsyncg108.help.txt=If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync SecurityManager is configured, then this has no effect.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca100=Authorization Code Lifetime (seconds)
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca100.help=The time in seconds an authorization code is valid for
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca101=Refresh Token Lifetime (seconds)
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca101.help=The time in seconds a refresh token is valid for
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca102=Access Token Lifetime (seconds)
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca102.help=The time in seconds an access token is valid for
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca103=Issue Refresh Tokens
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca103.help=Check to enable generation of refresh tokens
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca103a=Issue Refresh Tokens on Refreshing Access Tokens
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca103a.help=Check to enable generation of refresh tokens when refreshing access tokens
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104=Scope Implementation Class
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104.help=The class that contains the required scope implementation
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104aa=OIDC Claims Script.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104aa.help=When using an implementation of the \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync org.forgerock.openam.oauth2.OpenAMScopeValidator, this script is run when issuing an ID Token or handling a request \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync to the userinfo endpoint; it gathers and fills in all claims for the request. The script has access to the requested \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync scopes, the access token, the user's session (if available), and the user's identity.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104ab=OIDC Claims Script Type.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca104ab.help=This is the language of the OIDC claims script
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsyncscriptGroovyChoice=Groovy
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsyncscriptJavaScriptChoice=JavaScript
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca105=Response Type Plugins
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca105.help=Response types are entered in the form response type|name of plugin class. For example, code|org.forgerock.openam.oauth2.CodeClass. \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsyncIf there is no implementation class, none should be used in place of the class name. For example, id_token|none.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca106=User Profile Attribute(s) the Resource Owner is Authenticated On
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca106.help=If the attributes are mail and uid, then a search string of (|(mail=user)(uid=user)) will be used to get the \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsyncuser profile, where user is the username entered during authentication.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca107=Saved Consent Attribute Name
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca107.help=To use saved consent a list attribute must be set up and the attribute name provided.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca108=Supported Scopes
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca108.help=A list of scopes this authorization server supports.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca109=Remote JSON Web Key URL
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca109.help=The remote URL where the provider's JSON Web Key can be retrieved.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca110=Subject Types supported
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca110.help=List of subject types supported. Values are pairwise and public. Pairwise is the same as confidential.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca111=ID Token Signing Algorithms supported
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca111.help=Algorithms supported to sign id_tokens.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca112=Supported Claims
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca112.help=List of claims supported by the userinfo endpoint.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca113=OpenID Connect JWT Token Lifetime (seconds)
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca113.help=The amount of time in seconds the JWT will be valid for.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca114=Alias of ID Token Signing Key
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca114.help=The name of the key put in the keystore used to sign the ID Tokens issued by OpenAM.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca115=Allow Open Dynamic Client Registration
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca115.help=Allow clients to register without an access token. If enabled, you should consider adding some form of rate \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync limiting. See <a href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration" \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync target="_blank">Client Registration</a> in the OpenID Connect specification for details.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca116=Generate Registration Access Tokens
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca116.help=Whether to generate Registration Access Tokens for clients that register via open dynamic client \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync registration. Such tokens allow the client to access the <a \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint" \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync target="_blank">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync no effect if open dynamic client registration is disabled.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca117=OpenID Connect acr_values to Auth Chain Mapping
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca117.help=Maps OpenID Connect ACR values to authentication chains. See <a \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">the acr_values parameter</a> \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync in the OpenID Connect authentication request specification for more details.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca118=OpenID Connect default acr claim
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca118.help=Default value to use as the 'acr' claim in an OpenID Connect ID Token when using the default authentication \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync chain.
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca119=OpenID Connect id_token amr values to Auth Module mappings
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca119.help=If you require <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>, you can \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync configure them here. Once authentication has completed, the authentication modules that were used from the \
2d5ac59d51273f70a05a112ea103ebf0bee1a6e4vboxsync authentication service will be mapped to the <code>amr</code> values. If you do not require amr values, or are not \
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsync providing OpenID Connect tokens at all, this field can be left blank.
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca120=Modified Timestamp attribute name
ba5dd00fabaa3475fa5da200d134c73f1c961b49vboxsynca120.help=The attribute name of the modified timestamp in the identity repository (must also be added to the User \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync Attributes List on the Datastore Service page).
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca121=Created Timestamp attribute name
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsynca121.help=The attribute name of the created timestamp in the identity repository (must also be added to the User \
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync Attributes List on the Datastore Service page).
2f46a509fa35214396aedb4012d33b73fb4d6ec0vboxsync