Token Issuers
Grid validates tokens issued by multiple token issuers within the same installation. Each token issuer has its own configuration in Grid. If a token issuer uses more than one 'iss' claim value in its tokens, you must create a separate configuration for each approved issuer value.
Grid uses the ''iss'' claim in id-tokens to determine the validation process and subsequent handling of the token once it is validated.
Token issuer configuration properties
| Property | Required | Description |
|---|---|---|
| Name | Yes | Use a short, descriptive, and unique name for each configuration. This name appears in tabs on the left side of the page. |
| Well-known URI | Yes | Enter the URL that points to the openid-configuration JSON document. |
| Issuer | Yes | The value of the 'iss' claim in the tokens that the Grid receives. |
| Validate Toke Issuer | No | When this option is checked, validation checks that the 'iss' claim value matches the issuer field in the well-known openid-configuration. By default, this option is true, ensuring that the 'iss' claim matches the metadata issuer. |
| Principal Name Claim | Yes | This is the name of the token claim used as a unique user identifier. |
| Display Name Claim | No | The name of the token claim used as the display name for the principal in the request. If not specified, it defaults to the value of the Principal Name Claim. |
| Tenant Claim | No | The name of the token claim to use as the tenant value for the principal in the request. If this property is not set, the resulting principal will not have a tenant value. |
| Role Claim | No | The name of the token claim that serves as the roles for the principal in the request. If not specified, the principal will not be assigned any roles. |
| Time skew | The maximum permitted time skew (in seconds) for when validating token expiration. The default value is 30 seconds. | |
| Fallback Signature Algorithm | No | The fallback signature algorithm for token signature validation. This is necessary only if the openid-configuration metadata does not include 'id_token_signing_alg_values_supported'. The default is RS512 if not set. |
| Require Audience | No | Set if the 'aud' claim is required in the token. |
| Audience | No | If set, the 'aud' claim in the token must match this property's value to become valid. |
| Endpoint Trust | Yes | Select Custom for certificate pinning, which provides higher security, or choose CA Certs to use the Java runtime's certificate trust store (cacerts). |
Endpoint Trust Certificate Data |
No |
The certificates needed for Grid to establish trust with the metadata endpoint and the jwks endpoints. Required when the Endpoint Trust is set to Custom. |
| Property | Required | Description |
|---|---|---|
| Role Mapping Mode | No | Select from MAP, PASSTHROUGH,
or PASSTHROUGH_ADMIN modes.
The default value is MAP but with no mappings. |
| Role Mapping | No |
This setting applies only when Role Mapping Mode is set to MAP. Configure a list of Grid and Grid-application roles to map to specific roles from the token's Role Claim. If the Role Claim includes multiple roles, map each role individually. The resulting role set combines all roles mapped from each role in the token's Role Claim. |
| Property | Required | Description |
|---|---|---|
| Add service | No |
This property maps request URI paths to service names. It is necessary for enabling impersonation of JWT-based sessions in Grid but optional otherwise. Grid allows impersonation headers based on this mapping and the existence of the run-as claim in the authorization claim's permissions. Impersonation is allowed only if the service identified by the path mapping has the "run-as" permission. See Infor Ming.le Authorization Service documentation for details. |