Identity Provider (IdP) Options

Specify a parentName in an IdP Options configuration. Evaluation of key / value pairs will go in the order of child > parent, meaning you can extend a parent and override as many existing values as you wish.

• discovery - Discovery URL for the OpenID Connect provider (e.g. https://example.com/.well-known/openid-configuration)

• client_id - Client ID to be used in the authorization request

• client_secret - Environment variable name for the client secret to be used in the authorization request. os.getenv("CLIENT_SECRET") to use an environment variable for your client secrets rather than hardcoding strings in the configuration.

• redirect_uri - Redirect URI to be used in the authorization request

• scope - Scopes to request from the IdP (i.e. openid profile email)

• session_contents - Contents to be stored in the session storage: id_token, enc_id_token, user, access_token (includes refresh_token)

• logout_path - Logout URI to clear the OMG session. Requests to this URI will be handled by OMG and will NOT reach your backend.

• post_logout_redirect_uri - Redirect URL after clearing IdP session (and OMG session)

• redirect_after_logout_uri - Redirect URL after clearing OMG session (IdP session NOT cleared)

• redirect_after_logout_with_id_token_hint - Whether the redirect after logout should include the id_token_hint

• revoke_tokens_on_logout - Whether to revoke the tokens on logout (true or false)

• refresh_session_interval - Interval in seconds to refresh the tokens

• renew_access_token_on_expiry - Whether to renew access token on expiry. Redirect to authorization endpoint if renewal fails.

• access_token_expires_leeway - Leeway in seconds for access token renewal

• authorization_params - Additional parameters to be sent to the authorization endpoint

• iat_slack - Leeway in seconds for the issued at (iat) claim in the ID token

• ssl_verify - Enforcement of SSL certificate check to the IdP ("yes") or not ("no").

• redirect_uri_scheme - Scheme to use in redirect_uri ("http" or "https").

• keepalive - Connection keepalive with the IdP can be enabled ("yes") or disabled ("no")

• use_pkce - Whether to use PKCE in authorization request

• use_nonce - Whether to use nonce in authorization request

• force_reauthorize - Force reauthorization with the IdP even if tokens are already cached

• cache_segment - To segment jwt_verification and introspection caches if you are using locations with different opts configurations

• introspection_interval - Interval in seconds to refresh the introspection cache for an access token

• introspection_expiry_claim - Claim name in the introspection response that indicates the expiry time of the access token (default is exp)

• introspection_cache_ignore - Whether to ignore the introspection cache and always call the introspection endpoint

• jwt_verification_cache_ignore - Whether to ignore the jwt verification cache and always verify the jwt

• headerToOptsMapping - Used to define dynamic opts. Mapping of the opts names to the request header values. (e.g. { "key":"X-Forwarded-Host", "mapping":{ "www.oauthlink.com":"Main Options", "app1.oauthlink.com":"App 1 Options" } })

• headerToBackendMapping - Used to define dynamic backendValues. Mapping of the backendValues to the request header values. (e.g. { "key":"X-Forwarded-Host", "mapping":{ "www.oauthlink.com":"https://internal-vip", "app1.oauthlink.com":"App 1 Backend" } })

• disable_ootb_auth_error_response - Disable the default error response for auth policy errors. This will allow you to handle auth errors in your own way.

• disable_ootb_jwt_error_response - Disable the default error response for jwt verification errors. This will allow you to handle jwt errors in your own way.

• disable_ootb_introspect_error_response - Disable the default error response for introspection errors. This will allow you to handle introspection errors in your own way.