keycloak-scim/src/clients/help.json

{
  "clients-help": {
    "clientType": "'OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.",
    "serviceAccount": "Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.",
    "directAccess": "This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.",
    "standardFlow": "This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.",
    "implicitFlow": "This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.",
    "rootURL": "Root URL appended to relative URLs",
    "validRedirectURIs": "Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.",
    "webOrigins": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.",
    "homeURL": "Default URL to use when the auth server needs to redirect or link back to the client.",
    "adminURL": "URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.",
    "clientID": "Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests",
    "clientName": "Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}",
    "description": "Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example: ${my_client_description}",
    "loginTheme": "Select theme for login, OTP, grant, registration, and forgot password pages.",
    "encryptAssertions": "Should SAML assertions be encrypted with client's public key using AES?",
    "clientSignature": "Will the client sign their saml requests and responses? And should they be validated?",
    "downloadType": "this is information about the download type",
    "details": "this is information about the details",
    "createToken": "An initial access token can only be used to create clients",
    "expiration": "Specifies how long the token should be valid",
    "count": "Specifies how many clients can be created using the token",
    "client-authenticator-type": "Client Authenticator used for authentication of this client against Keycloak server",
    "registration-access-token": "The registration access token provides access for clients to the client registration service.",
    "signature-algorithm": "JWA algorithm, which the client needs to use when signing a JWT for authentication. If left blank, the client is allowed to use any algorithm.",
    "subject": "A regular expression for validating Subject DN in the Client Certificate. Use \"(.*?)(?:$)\" to match all kind of expressions.",
    "evaluateExplain": "This page allows you to see all protocol mappers and role scope mappings",
    "scopeParameter": "You can copy/paste this value of scope parameter and use it in initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating token issued for this client",
    "user": "Optionally select user, for whom the example access token will be generated. If you do not select a user, example access token will not be generated during evaluation",
    "notBefore": "Revoke any tokens issued before this date for this client.",
    "notBeforeIntro": "In order to successfully push a revocation policy to the client, you need to set an Admin URL under the <1>Settings</1> tab for this client first",
    "nodeReRegistrationTimeout": "Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak",
    "fineGrainOpenIdConnectConfiguration": "This section is used to configure advanced settings of this client related to OpenID connect protocol.",
    "fineGrainSamlEndpointConfig": "This section to configure exact URLs for Assertion Consumer and Single Logout Service.",
    "accessTokenSignatureAlgorithm": "JWA algorithm used for signing access tokens.",
    "idTokenSignatureAlgorithm": "JWA algorithm used for signing ID tokens.",
    "idTokenEncryptionKeyManagementAlgorithm": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.",
    "idTokenEncryptionContentEncryptionAlgorithm": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.",
    "userInfoSignedResponseAlgorithm": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.",
    "requestObjectSignatureAlgorithm": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ).",
    "requestObjectRequired": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.",
    "openIdConnectCompatibilityModes": "This section is used to configure settings for backward compatibility with older OpenID Connect / OAuth 2 adaptors. It's useful especially if your client uses older version of Keycloak / RH-SSO adapter.",
    "excludeSessionStateFromAuthenticationResponse": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if your client uses older OIDC / OAuth2 adapter, which does not support 'session_state' parameter.",
    "advancedSettingsOpenid-connect": "This section is used to configure advanced settings of this client related to OpenID Connect protocol",
    "advancedSettingsSaml": "This section is used to configure advanced settings of this client",
    "assertionLifespan": "Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The \"SessionNotOnOrAfter\" attribute is not modified and continue using the \"SSO Session Max\" time defined at realm level.",
    "accessTokenLifespan": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.",
    "oAuthMutual": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.",
    "keyForCodeExchange": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.",
    "assertionConsumerServicePostBindingURL": "SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.",
    "assertionConsumerServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.",
    "logoutServicePostBindingURL": "SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding",
    "logoutServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.",
    "authenticationOverrides": "Override realm authentication flow bindings.",
    "browserFlow": "Select the flow you want to use for browser authentication.",
    "directGrant": "Select the flow you want to use for direct grant authentication."
  }
}
Field level help (#152) * refactors form field help * format and test * add interpolation of help text * implement HelpItem and move help text * update DownloadDialog with new HelpItem * remove commented out code 2020-10-09 06:48:50 +00:00			`{`
			`"clients-help": {`
changed to be progressive added help to type and made `openid-connect` the default fixes: #446 2021-03-29 10:00:56 +00:00			`"clientType": "'OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.",`
fixed visual and logical errors described in #423 (#429) * fixed visual and logical errors described in #423 fixing: #423 * changed reload to reset * format 2021-03-19 07:49:33 +00:00			`"serviceAccount": "Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.",`
			`"directAccess": "This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.",`
			`"standardFlow": "This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.",`
			`"implicitFlow": "This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.",`
			`"rootURL": "Root URL appended to relative URLs",`
			`"validRedirectURIs": "Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/'. Relative path can be specified too such as /my/relative/path/. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.",`
Fix some issues on client detail page (#388) * adding missing fields fixes: #377 * fixed redirects from cancel and save button fixes: #386 * fixed filter 2021-02-23 08:55:24 +00:00			`"webOrigins": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '' wildcard though. To permit all origins, explicitly add ''.",`
fixed visual and logical errors described in #423 (#429) * fixed visual and logical errors described in #423 fixing: #423 * changed reload to reset * format 2021-03-19 07:49:33 +00:00			`"homeURL": "Default URL to use when the auth server needs to redirect or link back to the client.",`
Fix some issues on client detail page (#388) * adding missing fields fixes: #377 * fixed redirects from cancel and save button fixes: #386 * fixed filter 2021-02-23 08:55:24 +00:00			`"adminURL": "URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.",`
Fixed issue using import (#393) * add icons change description to use TextArea * add missing saml config * switch based on protocol * add capabilty config to import * fixed key element warning * fixed merge error * don't clear on file drag event * don't allow editing of json * prettier * fix tests * missing timeout 2021-03-09 13:59:41 +00:00			`"clientID": "Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests",`
			`"clientName": "Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}",`
			`"description": "Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example: ${my_client_description}",`
fixed visual and logical errors described in #423 (#429) * fixed visual and logical errors described in #423 fixing: #423 * changed reload to reset * format 2021-03-19 07:49:33 +00:00			`"loginTheme": "Select theme for login, OTP, grant, registration, and forgot password pages.",`
Fixed issue using import (#393) * add icons change description to use TextArea * add missing saml config * switch based on protocol * add capabilty config to import * fixed key element warning * fixed merge error * don't clear on file drag event * don't allow editing of json * prettier * fix tests * missing timeout 2021-03-09 13:59:41 +00:00			`"encryptAssertions": "Should SAML assertions be encrypted with client's public key using AES?",`
			`"clientSignature": "Will the client sign their saml requests and responses? And should they be validated?",`
Field level help (#152) * refactors form field help * format and test * add interpolation of help text * implement HelpItem and move help text * update DownloadDialog with new HelpItem * remove commented out code 2020-10-09 06:48:50 +00:00			`"downloadType": "this is information about the download type",`
Added the credentials tab (#196) * initial version credentials tab * added signed jwt * submit token endpoint signing alg * added x509 * show tab when public client * fixed test default confimnation dailog size is small * pr review comments 2020-11-02 20:15:09 +00:00			`"details": "this is information about the details",`
added save dialog 2021-03-04 08:20:37 +00:00			`"createToken": "An initial access token can only be used to create clients",`
			`"expiration": "Specifies how long the token should be valid",`
			`"count": "Specifies how many clients can be created using the token",`
Added the credentials tab (#196) * initial version credentials tab * added signed jwt * submit token endpoint signing alg * added x509 * show tab when public client * fixed test default confimnation dailog size is small * pr review comments 2020-11-02 20:15:09 +00:00			`"client-authenticator-type": "Client Authenticator used for authentication of this client against Keycloak server",`
			`"registration-access-token": "The registration access token provides access for clients to the client registration service.",`
			`"signature-algorithm": "JWA algorithm, which the client needs to use when signing a JWT for authentication. If left blank, the client is allowed to use any algorithm.",`
Evaluate tab clients client-scopes (#263) * created scope picker * added user select * added evaluate function * added the tabs * added generated token * added useFetch * fixed formating after merge * fixed the tabs layout Co-authored-by: srambach * added space between tabs and content * added help into text 2021-01-12 13:16:35 +00:00			`"subject": "A regular expression for validating Subject DN in the Client Certificate. Use \"(.*?)(?:$)\" to match all kind of expressions.",`
			`"evaluateExplain": "This page allows you to see all protocol mappers and role scope mappings",`
			`"scopeParameter": "You can copy/paste this value of scope parameter and use it in initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating token issued for this client",`
Advanced tab (#373) * initial version of the advanced tab * added registered nodes * added fine grain open id connect configuration * added open id connect compatibility section * added advanced section * added backend * fixed type * renamed 'advanced' to advancedtab to prevent strange add of '/index.js' by snowpack * fixed storybook stories * change '_' to '-' because '_' is also used * fix spacing buttons * stop passing the form * cypress test for advanced tab * more tests * saml section * changed to use NumberInput * added authetnication flow override * fixed merge error * updated text and added link to settings tab * fixed test * added filter on flows and better reset * added now mandetory error handler * added sorting * Revert "changed to use NumberInput" This reverts commit 7829f2656ae8fc8ed4a4a6b1c4b1961241a09d8e. * allow users to put empty string as value * already on detail page after save * fixed merge error 2021-02-28 20:02:31 +00:00			`"user": "Optionally select user, for whom the example access token will be generated. If you do not select a user, example access token will not be generated during evaluation",`
			`"notBefore": "Revoke any tokens issued before this date for this client.",`
			`"notBeforeIntro": "In order to successfully push a revocation policy to the client, you need to set an Admin URL under the <1>Settings</1> tab for this client first",`
			`"nodeReRegistrationTimeout": "Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak",`
			`"fineGrainOpenIdConnectConfiguration": "This section is used to configure advanced settings of this client related to OpenID connect protocol.",`
			`"fineGrainSamlEndpointConfig": "This section to configure exact URLs for Assertion Consumer and Single Logout Service.",`
			`"accessTokenSignatureAlgorithm": "JWA algorithm used for signing access tokens.",`
			`"idTokenSignatureAlgorithm": "JWA algorithm used for signing ID tokens.",`
			`"idTokenEncryptionKeyManagementAlgorithm": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.",`
			`"idTokenEncryptionContentEncryptionAlgorithm": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.",`
			`"userInfoSignedResponseAlgorithm": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.",`
			`"requestObjectSignatureAlgorithm": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ).",`
			`"requestObjectRequired": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.",`
			`"openIdConnectCompatibilityModes": "This section is used to configure settings for backward compatibility with older OpenID Connect / OAuth 2 adaptors. It's useful especially if your client uses older version of Keycloak / RH-SSO adapter.",`
			`"excludeSessionStateFromAuthenticationResponse": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if your client uses older OIDC / OAuth2 adapter, which does not support 'session_state' parameter.",`
			`"advancedSettingsOpenid-connect": "This section is used to configure advanced settings of this client related to OpenID Connect protocol",`
			`"advancedSettingsSaml": "This section is used to configure advanced settings of this client",`
			`"assertionLifespan": "Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The \"SessionNotOnOrAfter\" attribute is not modified and continue using the \"SSO Session Max\" time defined at realm level.",`
			`"accessTokenLifespan": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.",`
			`"oAuthMutual": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.",`
			`"keyForCodeExchange": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.",`
			`"assertionConsumerServicePostBindingURL": "SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.",`
			`"assertionConsumerServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.",`
			`"logoutServicePostBindingURL": "SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding",`
			`"logoutServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.",`
			`"authenticationOverrides": "Override realm authentication flow bindings.",`
			`"browserFlow": "Select the flow you want to use for browser authentication.",`
			`"directGrant": "Select the flow you want to use for direct grant authentication."`
Field level help (#152) * refactors form field help * format and test * add interpolation of help text * implement HelpItem and move help text * update DownloadDialog with new HelpItem * remove commented out code 2020-10-09 06:48:50 +00:00			`}`
			`}`