Ceptor Docs

Versions Compared

Comment: Added requireSubject

...

Property (name starts with oauth2.token.xxxx)

Value

Description

.issuer

<Issuer name>

Name of issuer – e.g. https://www.portalprotect.dk

.validaudiences

<List of names, separated by comma or semicolon>

List of audience names that are valid for this token

.algorithm

<JWT signing algorithm name – default is RS256>

Must be a valid JWT signing algorithm name; supported algorithms are: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512.

.keyid

<Key identifier>

Key ID – for the JWT header “kid” field.

.claims

<List of claims – default: “sub=userid;groups=groups;name=username” >

See the section about claim name/value pairs below.

.usernameAttributeName

<Claim name – default: “name”>

When parsing a claim issued by someone else – the attribute in which to look for the user's name.

.useridAttributeName

<Claim name – default: “sub”>

When parsing a claim issued by someone else – the attribute in which to look for the user's id.

.roleAttributeName

<Claim name – default: “groups”>

When parsing a claim issued by someone else – the attribute in which to look for the list of user groups.

.rolePattern

<Stringmatcher pattern – default: “*”>

Which roles/groups to include in the token when creating claims.

Example: “^admin*” adds all group names except those starting with admin.

.attributesToStoreInSession

<Stringmatcher pattern – default: “*”>

Which attributes to store in PP's session when parsing a token issued by others.

.relaxKeyChecks

<true | false – default: “false”>

Set to true to relax key checking, meaning to allow weak keys to be used for signing.

.openidconnect

<true | false – default: “false”>

Specifies whether the token should be OpenID Connect compliant or just a regular JWT token.

.expiresAtExactTime

<true | false – default: “false”>

If true, a parsed JWT token that carries an expiration time stops being valid at exactly that time/date. If false, the expiration time is only checked at authentication time, and the resulting session expires according to the normal idle timeout settings.

.requireSubject

<true | false - default: "true">

When parsing tokens, normally they require a subject (the "sub" claim) - if you set this to false, tokens are accepted without a subject. (Requires Ceptor 6.2.7 or later)

.signerCertificates

<List of certificate filenames>

List of files containing valid certificates that can be used to verify the signature of this token.

.signerCertificatesURL

<URL>

Place to load additional signer certificates from – e.g. https://www.googleapis.com/oauth2/v1/certs

The certificates must be in a JSON object, with key/value pairs where the value is the certificate.

.signerCertificatesRefreshIntervalMinutes

.signerCertificatesRefreshIntervalHours

<Number of minutes / hours> - default: 60 minutes.

If a number of minutes is not specified, the number of hours is read; otherwise only the number of minutes is used.

Specifies the number of minutes to cache the certificates read from the authentication provider – set to 0 to re-read them every time.

.acceptedServerCertificates

<List of certificate files, separated by semicolon or comma>

If the default cacerts trusted CA/root certificates are not enough, you can add additional certificates here. This applies to the signerCertificatesURL.

.verifyServerCert

<true or false, default: true>

Set to false to disable validation of the SSL server certificate for the signerCertificatesURL.

.verifySSLHostname

<true or false, default: true>

Set to false to disable hostname validation – when true, the hostname in the URL must match the hostname in the SSL server certificate.

.keystore.provider

<JCE provider name>

Name of the JCE provider to use when loading the keystore.

.keystore.type

<JCE keystore type – default: “PKCS12”>

Specifies the format of the keystore, e.g. PKCS12 or JKS.

.keystore.file

<filename>

Specifies the filename of the keystore to load the keys from.

.keystore.password

<password>

Password for the keystore – can optionally be encrypted/obfuscated.

.keystore.privalias

<alias name>

Alias of the private key within the keystore to use – if no alias, the first key found will be used.

.keystore.certalias

<alias name>

Alias of the certificate within the keystore to use – if no alias, uses the first found certificate.

.jceprovider

<JCE provider name>

Name of the JCE provider to use when signing or validating signature of the JWT token.

.secretkey

<Secret key>

For algorithms starting with HS, a shared secret key is used – this should be avoided in production environments, since anyone in possession of the shared key used to validate JWT tokens can also use the same key to issue new tokens.

.clockSkewSeconds

<Time difference in seconds> - Default: 0, Requires v5.61

Set the clock skew allowed when validating expiration / not-before timestamps in the token - allows adjusting for time difference between machines.

.expirationminutes

<Minutes> - Default: 10

When creating a token, this is the expiration time as minutes in the future.

.notBeforeMinutesInPast

<Minutes> - Default: 2

When creating a token, this is the number of minutes in the past to set nbf (not before) attribute to.

.customfieldmapper

<Name of custom mapper>

If specified, parsed tokens are not just copied – instead, the fields in the custom mapper are constructed from the claims provided as input. Note that attributesToStoreInSession has no effect if custom field mapping is enabled.
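As an added illustration (not Ceptor's code), the following Python sketch applies the parsing-side properties described above – issuer, validaudiences, algorithm, requireSubject and clockSkewSeconds – to a compact JWT. The configuration values, secret and tokens are constructed; HS256 is used only so the example runs without a keystore.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the oauth2.token.xxxx properties; HS256 only so it runs without a keystore.
CONFIG = {
    "issuer": "https://www.portalprotect.dk",
    "validaudiences": "portal-api;intranet",
    "algorithm": "HS256",
    "secretkey": "constructed-demo-secret",
    "clockSkewSeconds": 30,
    "requireSubject": True,
}

def split_list(value):  # list-valued properties accept comma or semicolon separators
    return [v.strip() for v in value.replace(",", ";").split(";") if v.strip()]

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):  # issues a compact HS256 JWT; used here to build the test tokens
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def validate(token, cfg, now):
    # Returns (True, claims) or (False, reason), applying cfg at UNIX time 'now'.
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != cfg["algorithm"]:
        return False, "algorithm mismatch"  # pin the algorithm; never let the token choose it
    expected = hmac.new(cfg["secretkey"].encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != cfg["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    if not set([aud] if isinstance(aud, str) else aud) & set(split_list(cfg["validaudiences"])):
        return False, "no valid audience"
    if cfg["requireSubject"] and not claims.get("sub"):
        return False, "missing sub"
    if "exp" in claims and now > claims["exp"] + cfg.get("clockSkewSeconds", 0):
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"] - cfg.get("clockSkewSeconds", 0):
        return False, "not yet valid"
    return True, claims
```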

...