URI to redirect to after authorization failure. The URI must be registered with the IDP as an allowed redirect URI. The URI must also be public and require no authorization for it to work. Set to an empty string '' to disable; in that case a generic error will be displayed by the IDP.
The clientId passed to the IDP in the client_id property; it is validated against the
'audience' (aud) claim of the JWT tokens. For example, for EntraID the clientId should
be the Enterprise App ID related to this OIDC configuration.
Optional domain: Providing a domain hint bypasses the email-based Home Realm Discovery (HRD) dialog during IDP authentication. This accelerates the UX for users that have multiple active logins, for example with MS EntraID.
Optional issuer: The 'issuer' (iss) claim value provided by the IDP for the access_token. Passing this value
overrides the info read from the .well-known endpoint. This may be required, for example, for
EntraID. The issuer of the id_token is always validated against the info from the .well-known
endpoint.
URI to redirect the user to after IDP logout. The logout URI must be registered with the IDP. If no redirect after logout is desired, set this to an empty string ''. In this case the IDP will display a generic message to the user.
List of URI path prefixes for paths that bypass authentication. Set to an empty array [] to require authentication for
all paths. Use, for example, for static error pages. Each path entry must start and end with the / character.
OAuth 2.0 scopes to request from the IDP
Max session validity to use for the refresh token. This should match the session validity set by the IDP
in order to avoid refresh token errors from the IDP. The sessionValidity should also be longer than
the validity of the access_token set by the IDP.
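The checks the clientId, issuer, path-prefix and sessionValidity options above describe, modelled as an added example (not this library's own code). Only clientId, issuer, 'aud' and 'iss' come from the page; the option names publicPaths and sessionValidity (assumed to be in seconds), the claim shape and the sample values are assumptions.

```typescript
// Added example, not the library's implementation. Names other than clientId,
// issuer, 'aud' and 'iss' are assumptions chosen to mirror the option descriptions.
interface OidcOptionsExample {
  clientId: string;        // compared against the access_token 'aud' claim
  issuer?: string;         // optional override of the .well-known issuer (access_token only)
  publicPaths: string[];   // assumed name; each entry must start and end with '/'
  sessionValidity: number; // assumed unit: seconds; must exceed access_token lifetime
}

interface AccessTokenClaims {
  aud: string | string[];  // RFC 7519 allows a single string or an array
  iss: string;
  iat: number;             // seconds since epoch
  exp: number;
}

// An explicit issuer override wins over the value discovered via .well-known.
function expectedAccessTokenIssuer(opts: OidcOptionsExample, wellKnownIssuer: string): string {
  return opts.issuer ?? wellKnownIssuer;
}

// clientId must appear among the token's audiences.
function audienceMatches(claims: AccessTokenClaims, clientId: string): boolean {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.includes(clientId);
}

// Returns a list of problems; an empty list means the claims fit the configuration.
function validateAccessTokenClaims(
  claims: AccessTokenClaims, opts: OidcOptionsExample, wellKnownIssuer: string, nowSeconds: number,
): string[] {
  const problems: string[] = [];
  if (!audienceMatches(claims, opts.clientId)) problems.push("aud does not contain clientId");
  if (claims.iss !== expectedAccessTokenIssuer(opts, wellKnownIssuer)) problems.push("iss mismatch");
  if (claims.exp <= nowSeconds) problems.push("access_token expired");
  if (opts.sessionValidity <= claims.exp - claims.iat) {
    problems.push("sessionValidity not longer than access_token validity");
  }
  return problems;
}

// Prefix match for unauthenticated paths; rejects entries that break the '/' rule.
function isPublicPath(path: string, publicPaths: string[]): boolean {
  return publicPaths.some((prefix) => {
    if (!prefix.startsWith("/") || !prefix.endsWith("/")) {
      throw new Error(`publicPaths entry must start and end with '/': ${prefix}`);
    }
    return path.startsWith(prefix);
  });
}
```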
The well-known data endpoint for the IDP
Application domain name