Type Alias CreateOIDCPayload

Payload for creating an OIDC-compatible identity provider.

type CreateOIDCPayload = {
    clockToleranceSec?: number;
    createNewUsersOnLogin?: boolean;
    description?: string;
    interactive: boolean;
    options?: {
        allowedClientIds?: string[];
        audience?: string;
        claimsMapping: ClaimsMappingNonInteractive;
        discoveryUrl?: string;
        openid_configuration?: OpenIDConfiguration;
        realm?: string;
    };
    pendingOptions?: {
        blockOfflineAccessScope?: boolean;
        claimsMapping: ClaimsMappingInteractive;
        clientId: string;
        clientSecret: string;
        decryptingKey?: DecryptingKey;
        discoveryUrl?: string;
        emailVerifiedAlwaysTrue?: boolean;
        idTokenSignatureAlg?: "RS256" | "RS512";
        openid_configuration?: OpenIDConfiguration;
        realm?: string;
        scope?: string;
        useClaimsFromIdToken?: boolean;
    };
    postLogoutRedirectUri?: string;
    protocol: "OIDC";
    provider: "auth0" | "okta" | "generic" | "salesforce" | "keycloak" | "adfs" | "azureAD";
    skipVerify?: boolean;
    tenantIds?: string[];
}
Properties

clockToleranceSec?: number

Tolerance, in seconds, for clock skew between the IdP and Qlik's login server.

createNewUsersOnLogin?: boolean

Tells the consumer of the IdP that new users should be created on login if they don't exist.

description?: string
interactive: boolean

Indicates whether the IdP is meant for interactive login.

options?: {
    allowedClientIds?: string[];
    audience?: string;
    claimsMapping: ClaimsMappingNonInteractive;
    discoveryUrl?: string;
    openid_configuration?: OpenIDConfiguration;
    realm?: string;
}

Required OIDC configuration for non-interactive IdPs, and for interactive IdPs with the skipVerify flag enabled.

Type declaration

  • allowedClientIds?: string[]

    Only clients with IDs in this list will be allowed API access. A blank list or empty value means any client IDs authenticated against the IdP will be allowed access.

  • audience?: string

    Allows for setting audience in access tokens.

  • claimsMapping: ClaimsMappingNonInteractive

    Mapping from each claim name to an array of JSON pointers into the claims returned by the IdP, from which the value is retrieved.

  • discoveryUrl?: string

    The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration). Required if openid_configuration is not given.

  • openid_configuration?: OpenIDConfiguration

    OpenID configuration

  • realm?: string

    The realm identifier for the IdP.

pendingOptions?: {
    blockOfflineAccessScope?: boolean;
    claimsMapping: ClaimsMappingInteractive;
    clientId: string;
    clientSecret: string;
    decryptingKey?: DecryptingKey;
    discoveryUrl?: string;
    emailVerifiedAlwaysTrue?: boolean;
    idTokenSignatureAlg?: "RS256" | "RS512";
    openid_configuration?: OpenIDConfiguration;
    realm?: string;
    scope?: string;
    useClaimsFromIdToken?: boolean;
}

Required OIDC configuration for interactive IdPs that go through verification.

Type declaration

  • blockOfflineAccessScope?: boolean

    When true, the offline_access scope will not be requested from the IdP where applicable.

  • claimsMapping: ClaimsMappingInteractive

    Mapping from each claim name to an array of JSON pointers into the claims returned by the IdP, from which the value is retrieved.

  • clientId: string

    The client identifier used as part of authenticating an interactive identity provider.

  • clientSecret: string

    The client secret used as part of authenticating an interactive identity provider.

  • decryptingKey?: DecryptingKey

    A decrypting key used to decrypt encrypted OIDC assertions.

  • discoveryUrl?: string

    The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration). Required if openid_configuration is not given.

  • emailVerifiedAlwaysTrue?: boolean

    Only ADFS and AzureAD IdPs can set this property. For ADFS and AzureAD, it defaults to false. For other IdPs, it defaults to undefined.

  • idTokenSignatureAlg?: "RS256" | "RS512"

    The algorithm used to sign the ID token. The default algorithm is RS256.

  • openid_configuration?: OpenIDConfiguration

    OpenID configuration

  • realm?: string

    The realm identifier for the IdP.

  • scope?: string

    Scopes sent along with token requests to the IdP, space delimited. The default depends on the IdP provider.

  • useClaimsFromIdToken?: boolean

    If true, claims are taken from the ID token. Defaults to true for ADFS and AzureAD.

postLogoutRedirectUri?: string

The URI the user is redirected to on logout.

protocol: "OIDC"

The protocol to be used for communicating with the identity provider.

provider:
    | "auth0"
    | "okta"
    | "generic"
    | "salesforce"
    | "keycloak"
    | "adfs"
    | "azureAD"

The identity provider to be used.

skipVerify?: boolean

If true, skips the IdP verification process and treats the IdP as verified.

tenantIds?: string[]

The tenant identifiers that map to the given IdP.
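A pre-flight check of a payload against the rules documented above (which option block applies, discoveryUrl or openid_configuration, the provider restriction on emailVerifiedAlwaysTrue, space-delimited scope, and the open-access meaning of an empty allowedClientIds). This is an added example, not code from the Qlik API docs or SDK; ClaimsMapping, OpenIDConfiguration and DecryptingKey are assumed stand-ins for the SDK types the page references, and the https check on discoveryUrl is an extra check the page does not state.

```typescript
// Added example, not part of the Qlik API docs or SDK. The three types below are
// assumed stand-ins for the SDK types this page references.
type ClaimsMapping = Record<string, string[]>;      // claim name -> JSON pointers
type OpenIDConfiguration = Record<string, unknown>; // assumption
type DecryptingKey = unknown;                        // assumption
type Provider = "auth0" | "okta" | "generic" | "salesforce" | "keycloak" | "adfs" | "azureAD";

interface CreateOIDCPayload {
  clockToleranceSec?: number; createNewUsersOnLogin?: boolean; description?: string;
  interactive: boolean;
  options?: { allowedClientIds?: string[]; audience?: string; claimsMapping: ClaimsMapping;
    discoveryUrl?: string; openid_configuration?: OpenIDConfiguration; realm?: string };
  pendingOptions?: { blockOfflineAccessScope?: boolean; claimsMapping: ClaimsMapping;
    clientId: string; clientSecret: string; decryptingKey?: DecryptingKey; discoveryUrl?: string;
    emailVerifiedAlwaysTrue?: boolean; idTokenSignatureAlg?: "RS256" | "RS512";
    openid_configuration?: OpenIDConfiguration; realm?: string; scope?: string;
    useClaimsFromIdToken?: boolean };
  postLogoutRedirectUri?: string; protocol: "OIDC"; provider: Provider;
  skipVerify?: boolean; tenantIds?: string[];
}

// Returns the findings; an empty array means the payload satisfies the documented rules.
// Findings prefixed "warning:" are allowed by the type but deserve a second look.
function validateOIDCPayload(p: CreateOIDCPayload): string[] {
  const out: string[] = [];
  // Interactive IdPs use pendingOptions unless skipVerify is set; otherwise options applies.
  const verified = p.interactive && !p.skipVerify;
  const name = verified ? "pendingOptions" : "options";
  const block = verified ? p.pendingOptions : p.options;
  if (!block) return [`${name} is required`];
  if (!block.discoveryUrl && !block.openid_configuration)
    out.push(`${name}: discoveryUrl or openid_configuration is required`);
  // Extra check not stated on the page: discovery metadata should not travel in clear text.
  if (block.discoveryUrl && !block.discoveryUrl.startsWith("https://"))
    out.push(`warning: ${name}.discoveryUrl is not https`);
  if (Object.keys(block.claimsMapping).length === 0) out.push(`${name}.claimsMapping is empty`);
  if (verified && p.pendingOptions) {
    const po = p.pendingOptions;
    if (!po.clientId || !po.clientSecret) out.push("pendingOptions: clientId and clientSecret are required");
    if (po.emailVerifiedAlwaysTrue !== undefined && p.provider !== "adfs" && p.provider !== "azureAD")
      out.push("emailVerifiedAlwaysTrue may only be set for adfs and azureAD");
    if (po.scope && po.scope.includes(",")) out.push("scope must be space delimited");
  }
  if (p.interactive && p.skipVerify) out.push("warning: skipVerify bypasses IdP verification");
  if (!verified && (p.options?.allowedClientIds ?? []).length === 0)
    out.push("warning: allowedClientIds is empty, any client the IdP authenticates gets API access");
  return out;
}
```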