libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
keycloak-scim/server_admin/topics/clients/oidc/con-basic-settings-prod.adoc
andymunro c54c0dd588
Updating Server Admin Guide for new Admin Console (#1626) 
Closes #1575
2022-07-26 11:50:24 -04:00

92 lines
No EOL
6.4 KiB
Text
Raw Blame History

[id="con-basic-settings_{context}"]
= Basic settings
[role="_abstract"]
On the *Settings* tab, you can make basic changes. For details on a specific field, click the question mark icon for that field. However, certain fields are described in detail in this section.
*Client ID*:: The alpha-numeric ID string that is used in OIDC requests and in the {project_name} database to identify the client.
*Name*:: The name for the client in {project_name} UI screen. To localize
the name, set up a replacement string value. For example, a string value such as $\{myapp}. See the link:{developerguide_link}[{developerguide_name}] for more information.
*Description*:: The description of the client. This setting can also be localized.
*Enabled*:: When turned off, the client cannot request authentication.
*Always Display in Console*:: Always list this client in the Account Console even if this user does not have an active session.
*Consent Required*:: When turned on, users see a consent page that they can use to grant access to that application. It will also display metadata so the user knows the exact information that the client can access.
*Login theme*:: A theme to use for login, OTP, grant registration and forgotten password pages.
*Client Protocol*:: The Open ID connect protocol.
[[_access-type]]
*Access Type*:: The type of OIDC client.
_Confidential_::
For server-side clients that perform browser logins and require client secrets when making an Access Token Request. This setting should be used for server-side applications.
_Public_::
For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.
_Bearer-only_::
The application allows only bearer token requests. When turned on, this application cannot participate in browser logins.
*Standard Flow Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-authorization[Authorization Code Flow].
*Implicit Flow Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-implicit[Implicit Flow].
*Direct Access Grants Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-direct[Direct Access Grants].
*OAuth 2.0 Device Authorization Grant Enabled*:: If this is on, clients are allowed to use the OIDC xref:con-oidc-auth-flows_server_administration_guide[Device Authorization Grant].
*OpenID Connect Client Initiated Backchannel Authentication Grant Enabled*::
If this is on, clients are allowed to use the OIDC xref:con-oidc-auth-flows_{context}[Client Initiated Backchannel Authentication Grant].
*Standard Flow Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-authorization[Authorization Code Flow].
*Implicit Flow Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-implicit[Implicit Flow].
*Direct Access Grants Enabled*:: When enabled, clients can use the OIDC xref:_oidc-auth-flows-direct[Direct Access Grants].
*OAuth 2.0 Device Authorization Grant Enabled*:: If this is on, clients are allowed to use the OIDC xref:con-oidc-auth-flows_server_administration_guide[Device Authorization Grant].
*Root URL*:: If {project_name} uses any configured relative URLs, this value is prepended to them.
*Valid Redirect URIs*:: Required field. Enter a URL pattern and click *+* to add and *-* to remove existing URLs and click *Save*. You can use wildcards at the end of the URL pattern. For example $$http://host.com/*$$
+
Exclusive redirect URL patterns are typically more secure. See xref:unspecific-redirect-uris_{context}[Unspecific Redirect URIs] for more information.
*Base URL*:: This URL is used when {project_name} needs to link to the client.
[[_admin-url]]
*Admin URL*:: Callback endpoint for a client. The server uses this URL to make callbacks like pushing revocation policies, performing backchannel logout, and other administrative operations. For {project_name} servlet adapters, this URL can be the root URL of the servlet application.
For more information, see link:{adapterguide_link}[{adapterguide_name}].
*Web Origins*:: Enter a URL pattern and click *+* to add and *-* to remove existing URLs. Click *Save*.
+
This option handles link:https://fetch.spec.whatwg.org/[Cross-Origin Resource Sharing (CORS)].
If browser JavaScript attempts an AJAX HTTP request to a server whose domain is different from the one that the
JavaScript code came from, the request must use CORS. The server must handle CORS requests, otherwise the browser will not display or allow the request to be processed. This protocol protects against XSS, CSRF, and other JavaScript-based attacks.
+
Domain URLs listed here are embedded within the access token sent to the client application. The client application uses this information to decide whether to allow a CORS request to be invoked on it. Only {project_name} client adapters support this feature. See link:{adapterguide_link}[{adapterguide_name}] for more iformation.
[[_front-channel-logout]]
*Front Channel Logout*:: If *Front Channel Logout* is enabled, the application should be able to log out users through the front channel as per link:https://openid.net/specs/openid-connect-frontchannel-1_0.html[OpenID Connect Front-Channel Logout] specification. If enabled, you should also provide the `Front-Channel Logout URL`.
*Front-Channel Logout URL*:: URL that will be used by {project_name} to send logout requests to clients through the front-channel.
[[_back-channel-logout-url]]
*Backchannel Logout URL*:: URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout requests are sent to the client.
*Backchannel Logout Session Required*::
Specifyies whether a session ID Claim is included in the Logout Token when the *Backchannel Logout URL* is used.
*Backchannel logout revoke offline sessions*:: Specifies whether a revoke_offline_access event is included in the Logout Token when the Backchannel Logout URL is used. {project_name} will revoke offline sessions when receiving a Logout Token with this event.
[NOTE]
====
After completing the fields on the *Settings* tab, you can use the other tabs to perform advanced configuration, such as configuring fine-grained authentication for administrators. See <<_fine_grain_permissions, Fine grain admin permissions>>. Also, see the following sections for other procedures.
====
Reference in a new issue View git blame Copy permalink