Realms

A Realm has a few specific responsibilities :

It represents an oAuth Authorization Server & OpenID Connect Provider
It enforces a template for Dynamic Client Registration
Sandboxes a collection of applications which are allowed to communicate between each other.

Attribute	Required	Description
Name	Yes	The Realm name used internally within Salesforce by your administrators
Name__c	Yes	The Realm name used externally. Must not include any spaces or special characters since it'll be part of the URL structure for the endpoints
Community__c	Yes	The community which will host the Realm created. The realm will inherit the URL (and custom domains) of the community
Url__c	Yes	A domain from the Community to which the Realm will be tied to. The Realm will reject all requests from URLs different than this one
AccessTokenExpirationTime__c	Yes	The default setting Applications will have when using the Dynamic Client Registration endpoint or if an admin does not define a specific application access_token_expiration_time
AccessTokenSigningAlgValue__c	Yes	The default access_token signing algorithm to be assigned to new applications created through Dynamic Client Registration or if an admin does not define a specific application access_token_signing_alg_value
AccessTokenPolicy__c	Yes	Depending on your security context, you can define the policy to storing `access_tokens`. `no-store` (default): No access_token is stored. All tokens are stateless. `blacklist`: Only revoked access_tokens are stored. `whitelist`: all access_tokens are stored. Tokens generated by `ExternalAuthServer`s are always saved.
RefreshTokenExpirationTime__c	Yes	The default setting Applications will have when using the Dynamic Client Registration endpoint or if an admin does not define a specific application refresh_token_expiration_time
IsAdminApproved__c	Yes	The default setting Applications will have when using the Dynamic Client Registrationendpoint. If checked, the Realm will show a consent screen to the user before issuing any tokens
ResponseTypes__c	Yes	A list of `response_type`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
GrantTypes__c	Yes	A list of `grant_type`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
ResponseModes__c	Yes	A list of `response_mode`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
TokenEndpointAuthMethods__c	Yes	A list of `token_endpoint_auth_method`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
TokenEndpointAuthSigning__c	No	A list of `token_endpoint_auth_signing_alg`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint. Required if the token_endpoint_auth_methods include either private_key_jwt or client_secret_jwt
RevocationEndpointAuthMethods__c	Yes	A list of `revocation_endpoint_auth_method`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
RevocationEndpointAuthSigning__c	No	A list of `revocation_endpoint_auth_signing_alg`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint. Required if the revocation_endpoint_auth_methods include either private_key_jwt or client_secret_jwt
IntrospectionEndpointAuthMethods__c	Yes	A list of `introspection_endpoint_auth_method`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint
IntrospectionEndpointAuthSigning__c	No	A list of `introspection_endpoint_auth_signing_alg`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint. Required if the introspection_endpoint_auth_methods include either private_key_jwt or client_secret_jwt
IdTokenExpirationTime__c	Yes	The default setting Applications will have when using the Dynamic Client Registration endpoint or if an admin does not define a specific application id_token_expiration_Time
IdTokenSigningAlgValues__c	Yes	A list of `id_token_signing_alg`s allowed by the Realm. Will be displayed on the OpenID Discovery document and will restrict the values Clients use on the Dynamic Client Registration endpoint.
IdTokenIncludeClaims__c	No	A Boolean which indicates if by default clients registered through Dynamic Client Registration should receive user claims in the id_token
IdTokenIncludeInRefreshToken__c	No	A Boolean which indicates if by default clients registered through Dynamic Client Registration should receive an id_token on each refresh_token flow
SubjectTypes__c	Yes	Subject type for applications. Only public is supported now
Config__c	No	Stores the Realm custom configuration. Read more on the Extensions section
ResourceServer__c	No	A Resource Server from the Realm which protects the Realm's protected resources (client_registration for example). Refer to Dynamic Client Registration for more information

Scopes allows you to manage the application access to APIs.

Attribute	Required	Description
Name	Yes	The name which should be used by consumers to request the Scope. The name MUST NOT contain spaces
Label__c	Yes	The label to be displayed to the user. You can enter the name of a Custom Label which allows you to translate the prompt to the user
Visible__c	No	A checkbox which controls whether the scope is shared on the OpenID Discovery
Assignment__c	Yes	Defines how the Scope can be assigned to Clients and Resources
Realm__c	Yes	Realm to which the Scope belongs

There are three possible scope assignments :

Assignment	Description
open	Any user can assign this scope to a Client or a Resource (provided they have access to update the record)
restricted	Only users with access to the Realm Scope record can assign it to a Client or Resource (provided they have access to update the Client or Resource record as well)
closed	Only the scope owner can assign it to a Client or Resource (provided she has access to update the Client or resource record as well)

Name	Standard	Description
offline_access	OpenID Core	Allows an application to request an long-term lived token on behalf of the user
openid	OpenID Core	Allows an application to receive an id_token on behalf of the user. Includes a unique identifier of the user
profile	OpenID Core	Allows an application to receive user data as part of the id_token & userinfo_endpoint
address	OpenID Core	Allows an application to receive user address as part of the id_token & userinfo_endpoint
phone	OpenID Core	Allows an application to receive user phone as part of the id_token & userinfo_endpoint
email	OpenID Core	Allows an application to receive user email as part of the id_token & userinfo_endpoint

Name	Description
cym.client_registration	Allows an application to manage (create, read, update, delete) clients on behalf of the user. Refer to Dynamic Client Registration for more information
cym.client_registration.read	Allows an application to read clients on behalf of the user. Refer to Dynamic Client Registration for more information
cym.client_registration.create	Allows an application to create clients on behalf of the user. Refer to Dynamic Client Registration for more information
cym.client_registration.update	Allows an application to update clients on behalf of the user. Refer to Dynamic Client Registration for more information
cym.client_registration.delete	Allows an application to delete clients on behalf of the user. Refer to Dynamic Client Registration for more information

You can create your own scopes which allow you to manage your own business requirements. e.g. :

Name	Description
contacts	Allows an application full control of a user's contacts
contacts:read	Allows an application to read the contacts of a user
https://acme.com/contacts.delete	Allows an application to delete the contacts of a user

Since the name is used as part of the authorization request, choose a set of characters which are URL friendly, and must not include a space.

Similarly to how OpenID Connect manages user claims with Scopes, you can create your own claims and assign them to Scopes. When an application or a ResourceServer is assigned the scope, it'll automatically receive the claims provisioned.

Attribute	Required	Description
Name	Yes	The name is used in the well-known document and as a key for the claim in the `id_token`, the `userinfo_endpoint` and the `introspection_endpoint` responses. The name MUST NOT contain spaces. You also must choose a collision-resistant name (we recommend to namespace all the claims with you company acronym for example)
Visible__c	No	A checkbox which controls whether the claim is shared on the OpenID Discovery
Scope__c	Yes	Which scope is required to release the claim
Plugin__c	Yes	The name of a class which returns the current claim. The class name must be prefixed by `callable:` (if the apex class is MyClaimCallable, then the value must be `callable:MyClaimCallable`)

The plugin class must adhere to the claims extension requirements

Based on your Realm configuration, you must create the corresponding JWKs.

You need to create as many JWKs as Asymmetric algorithms enabled (either on id_token_signing_alg, token_endpoint_auth_signing_alg, revocation_endpoint_auth_signing_alg or introspection_endpoint_auth_signing_alg )

CYM-Identity does not check for integrety so as an admin, you'll have to manage this yourself.

Attribute	Required	Description
Kid__c	Yes	A unique identifier for the JWK
Use__c	Yes	What will the JWK be used for. The only possible value is `sig` which means the JWK will sign data
Alg__c	Yes	Algorithm used by this JWK - possible values `RS256`, `RS384` or `RS512`
Kty__c	Yes	Key type. Only `RSA` keys are supported
PublicKey__c	Yes	The public part of the Key, A JSON object with the following attributes : `x5c`, `e` & `n`
PrivateKey__c	Yes	The Private part of the Key. The value stored is the encrypted value of the private_key and can only be created/updated through the CYM-Identity App.

Attribute	Required	Description
Name	Yes	The name is used in the well-known document. The name MUST NOT contain spaces.
Visible__c	No	A checkbox which controls whether the claim is shared on the OpenID Discovery
Strength__c	Yes	The strength of the ACR defined. It allows to rank the different ACRs
Realm__c	Yes	The Realm to which the ACR is linked

Attribute	Required	Description
RealmAcr__c	Yes	The parent RealmACR
CommunityAuthenticator__c	Yes	The Community Authenticator used
Path__c	Yes	A path index.
Factor__c	Yes	A factor index.
MaxAge__c	Yes	The time in seconds after which authentications through the `Community Authenticator` will not fulfill the parent ACR

Realm__c has been designed in a way that you can use your organization sharing rules (org-wide, role, sharing rules or manual sharing) for both internal and external.

The records on this object are purely created for administration and security purposes. Only give access to your admins. For a standard user or developer, they can use the Metadata Endpoint to get the public information about a Realm record

We strongly recommend that the external sharing be set to Private

There are no specific mandates for extending this object.

We still recommend extending CYM-Identity objects with a composition model (a custom object with a lookup field or MasterDetail) instead of an inheritance model (a custom field in the same object)