| Configure the lifetime of authorization codes used during the authorization code flow. Configure whether PKCE is enabled (recommended). | |
| Configure the content and behavior of the access token. By default, access tokens are opaque, random strings. If a JWT token should be issued, a JWT Access Token Format plugin may be configured. | |
| Configure the behavior of refresh tokens. Refresh tokens are always issued as opaque, random strings. | |
| Configure the content and behavior of the identity token. ID tokens are always JWTs. Use this plugin to configure the claims to be included in the ID token. | ID token claims are limited to user context data items. During the issuance of an ID token, it is possible to convert acquired roles to ACR values. |
| Configure the consent property with an OAuth 2.0 Local Consent plugin if users should review the requested scopes and approve only those they agree with. Configure the consent property with an OAuth 2.0 Remote Consent plugin if consent management is delegated to an independent consent management service. See OAuth 2.0 Scopes. Configure a scope translator to present scopes in human-readable terms. | |
| Supplying a redirect URI with every request to the authorize endpoint is by definition optional. It is strongly recommended to make this parameter mandatory for security reasons and to avoid issues with clients that use multiple redirect URIs. | |
| Configure whether tokens with an empty scope are issued at all. It is strongly recommended to force clients to request at least one scope. | For OIDC the openid scope is mandatory. |
| Configure which scopes are permitted to be added when tokens are issued. | This processor is applied after the user grants consent. As a consequence, a scope that the user granted during consent may still be left out of the access token. |
| Configure the login hint. Configuring the OpenID Connect Username Login Hint plugin will allow the client to supply a username in the authorize call; this username will be pre-filled on the login screen. Configuring an OpenID Connect SSO Ticket Login Hint will allow the client to supply an SSO ticket in the authorize call; the SSO ticket may be used to authenticate the user. | |
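
The following added example (not the product's own code or configuration syntax) models the strict settings from the table: mandatory redirect URI, PKCE, no empty scope, and the permitted-scope filter running after consent. The `Client` record, function names and sample values are hypothetical, and requiring the `S256` challenge method is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Hypothetical client registration record (constructed for this example)."""
    client_id: str
    redirect_uris: frozenset
    permitted_scopes: frozenset


class AuthorizeError(ValueError):
    """Raised when a request violates one of the strict settings."""


def check_authorize_request(client, params, oidc=True):
    """Validate an authorize request and return the set of requested scopes."""
    uri = params.get("redirect_uri")
    if not uri:
        raise AuthorizeError("redirect_uri is mandatory")
    if uri not in client.redirect_uris:  # exact string match, no prefix matching
        raise AuthorizeError("redirect_uri is not registered for this client")
    if not params.get("code_challenge") or params.get("code_challenge_method") != "S256":
        raise AuthorizeError("PKCE with S256 is required")  # S256 is an assumption
    scopes = set(params.get("scope", "").split())
    if not scopes:
        raise AuthorizeError("at least one scope must be requested")
    if oidc and "openid" not in scopes:
        raise AuthorizeError("openid scope is mandatory for OIDC")
    return scopes


def scopes_for_token(client, requested, consented):
    """Apply consent first, then the permitted-scope filter.

    Returns (issued, dropped): 'dropped' holds scopes the user approved
    that the filter still removed from the access token.
    """
    granted = requested & consented
    issued = granted & client.permitted_scopes
    if not issued:
        raise AuthorizeError("token would carry an empty scope")
    return issued, granted - issued


# Constructed sample data: one client with two registered redirect URIs.
CLIENT = Client("demo-client",
                frozenset({"https://app.example/cb", "https://app.example/cb2"}),
                frozenset({"openid", "profile"}))
```

Logging the `dropped` set makes it visible when a user approved a scope that the filter later removed.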