config-oidc
Configures authentication using OpenID Connect.
config-oidc [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>] [-s | --set-provider] [-r | --remove-provider] [-n value | --provider-name=value] [--provider-enabled=<true|false>] [--provider-discovery-url=value] [--provider-client-id=value] [--provider-client-secret=value] [--provider-domain-name=value] [--provider-username-claim=value] [--provider-id-token-signing-alg=value] [--provider-id-token-signature-verification-disabled=<true|false>] [--provider-token-endpoint-auth-method=value] {-Svalue} [--provider-auth-request-prompt-value=value] [--provider-bg-color=value]
Overview
Use this command to configure authentication against one or more external providers using OpenID Connect. Authentication using OpenID Connect may be combined with username/password-based authentication and/or custom web authentication.
Options
Option | Optional or Required | Default Value | Description |
---|---|---|---|
-c value, --configuration=value | Optional | configuration.xml | The path to the server configuration file. |
-b value, --bootstrap-config=value | Optional | none | The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file. |
-e <true\|false>, --enabled=<true\|false> | Optional | true | Specifies whether OpenID Connect should be enabled. |
-s, --set-provider | Optional | none | Indicates that a provider configuration should be set (will replace the configuration for any existing provider with the same name). Cannot be specified together with --remove-provider. |
-r, --remove-provider | Optional | none | Indicates that a provider configuration should be removed. Cannot be specified together with --set-provider. |
-n value, --provider-name=value | This argument is optional unless either --set-provider or --remove-provider has been specified. | none | The name of the provider to set or remove. Normally displayed to end users on the login page. |
--provider-enabled=<true\|false> | This argument is optional unless --set-provider has been specified. | true | Specifies whether the provider should be enabled. |
--provider-discovery-url=value | This argument is optional unless --set-provider has been specified. | none | The URL to the provider's OpenID Connect Discovery document. |
--provider-client-id=value | This argument is optional unless --set-provider has been specified. | false | The client ID given by the provider during registration. |
--provider-client-secret=value | This argument is optional unless --set-provider has been specified. | none | The client secret given by the provider during registration. |
--provider-domain-name=value | Optional | By default the value of the 'issuer' claim is used. | The domain name to assign to the authenticated users. |
--provider-username-claim=value | Optional | sub | The name of the claim to use as username for the authenticated users. May for example be 'email', but note that only 'sub' is guaranteed to be a unique and stable identifier. |
--provider-id-token-signing-alg=value | Optional | By default all algorithms listed as supported in the Discovery Document will be accepted. | The ID token signature algorithm to expect. |
--provider-id-token-signature-verification-disabled=<true\|false> | Optional | false | Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens. |
--provider-token-endpoint-auth-method=value | Optional | By default one of the algorithms listed as supported in the Discovery Document will be used. | The authentication method to use when communicating with the provider's Token Endpoint. May be one of 'client_secret_basic', 'client_secret_post' and 'client_secret_jwt' ('private_key_jwt' is not supported). |
-Svalue | Optional | openid, profile, email | A scope to include in the authentication request (besides 'openid' that will always be included). This argument may be specified multiple times with different values. |
--provider-auth-request-prompt-value=value | Optional | By default the parameter will be omitted from the request. | The value to give the 'prompt' request parameter when making the authentication request. Controls how the provider prompts the end user. May be one of 'none', 'login', 'consent', or 'select_account'. |
--provider-bg-color=value | Optional | none | The normal background color of the provider's button on the login page (when applicable), as a hexadecimal color value. |
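
Several defaults in the table depend on what the provider's Discovery document advertises, so it is worth reviewing that document before setting a provider. The following Python script is an added example, not part of the product or its documentation: it reads a Discovery document and returns explicit values for the signing-algorithm, token-endpoint and username-claim options plus warnings. The function name `review_discovery`, the algorithm preference order and the sample document are assumptions of this example; the metadata field names are those of the OpenID Connect Discovery specification.

```python
import json

# Token endpoint methods the option table lists as accepted by config-oidc.
SUPPORTED_AUTH = ["client_secret_basic", "client_secret_post", "client_secret_jwt"]
# Assumption of this example: prefer asymmetric signatures, in this order.
PREFERRED_ALGS = ["RS256", "ES256", "PS256"]

# Constructed sample Discovery document (not from a real provider).
SAMPLE = json.loads("""{
  "issuer": "https://idp.example.com",
  "id_token_signing_alg_values_supported": ["none", "HS256", "RS256"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_post"],
  "claims_supported": ["sub", "email", "name"]
}""")


def review_discovery(doc, username_claim="sub"):
    """Return (config-oidc options, warnings) for one Discovery document."""
    opts, warnings = [], []
    if not doc.get("issuer", "").startswith("https://"):
        warnings.append("issuer is not an https URL")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        warnings.append("provider lists alg 'none'; pin a signing algorithm")
    pinned = next((a for a in PREFERRED_ALGS if a in algs), None)
    if pinned:
        opts.append(f"--provider-id-token-signing-alg={pinned}")
    else:
        warnings.append("no preferred asymmetric algorithm listed; choose one manually")
    # OIDC Discovery: when the list is omitted, the default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    usable = [m for m in SUPPORTED_AUTH if m in methods]
    if usable:
        opts.append(f"--provider-token-endpoint-auth-method={usable[0]}")
    else:
        warnings.append("provider offers no auth method that config-oidc supports")
    if username_claim != "sub":
        warnings.append(f"'{username_claim}' is not guaranteed unique and stable; only 'sub' is")
        if username_claim not in doc.get("claims_supported", []):
            warnings.append(f"'{username_claim}' is not in claims_supported")
        opts.append(f"--provider-username-claim={username_claim}")
    return opts, warnings


if __name__ == "__main__":
    options, notes = review_discovery(SAMPLE, username_claim="email")
    print(" ".join(options))
    for n in notes:
        print("WARNING:", n)
```

The returned options are meant to be appended to a `config-oidc --set-provider` invocation alongside the provider name, discovery URL, client ID and client secret.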
Copyright © TIBCO Software Inc. All rights reserved.