# Manage OpenID Token Issuer Allow/Deny Lists

Various ESS microservices can configure [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#example-update-inrupt_jwt_issuer_allow_list) and [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#example-update-inrupt_jwt_issuer_deny_list) options to manage trusted issuers of Solid OIDC tokens (i.e., identity providers).

The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label that can be used to maintain consistent configuration across the services that share the label:

| Services                                                                                                                                                                                                                                                                                                                          | OAuth Component (oauth-component) |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| <p><a href="/pages/3MeBQkJ8W2Em6YnjIpA7">Access Grant Service</a><br><a href="/pages/9rD6Cz8hVcFVRfvMFfIB">Pod Services</a><br><a href="/pages/jpK5JlHzVWeySkpBwFK4">Query Service</a><br><a href="/pages/gVBWxK6CKbTX1IOfJYv3">WebID Service</a><br><a href="/pages/6eX90aOr8Ml3ol7lS5ER">WebSocket Notification Service</a></p> | **`resource-server`**             |
| <p><a href="/pages/UgU4KkzBuwEpPdDSh68Z">Authorization Service</a><br><a href="/pages/q3FkDSXM75R8HNOKsYkb">UMA Service</a></p>                                                                                                                                                                                                   | **`authorization-server`**        |

## Example Customizations

### Example: Update `INRUPT_JWT_ISSUER_ALLOW_LIST`

For a given service,

* If its corresponding [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#example-update-inrupt_jwt_issuer_allow_list) is unset, the service accepts tokens from all Solid-OIDC token issuers except those listed in its [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#example-update-inrupt_jwt_issuer_deny_list).
* If its corresponding **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is set, the service accepts only Solid-OIDC tokens from the issuers in the list, with the following exception:
  * If an issuer is in both **`INRUPT_JWT_ISSUER_ALLOW_LIST`** and **`INRUPT_JWT_ISSUER_DENY_LIST`**, the **`INRUPT_JWT_ISSUER_DENY_LIST`** supersedes the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** and tokens issued by that issuer are not accepted by the service.

{% tabs %}
{% tab title="resource-server" %}
The following services have an **`oauth-component`** value of **`resource-server`**:

* [Access Grant Service](/ess/2.4/services/service-access-grant.md)
* [Pod Services](/ess/2.4/services/service-pod-management.md)
* [Query Service](/ess/2.4/services/service-query.md)
* [WebID Service](/ess/2.4/services/service-webid.md)
* [WebSocket Notification Service](/ess/2.4/services/service-notification/service-websocket.md)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** option across all services with the **`resource-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=resource-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**

To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.

{% hint style="warning" %}
**Important**\
Ensure that the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** value for the **`authorization-server`** services is consistent with the value set for the **`resource-server`** services.
{% endhint %}
{% endtab %}

{% tab title="authorization-server" %}
The following services have an **`oauth-component`** value of **`authorization-server`**:

* [Authorization Service](https://github.com/inrupt/docs-gitbook/blob/main/enterprise-solid-server/2.4/services/service-authorization/README.md)
* [UMA Service](https://github.com/inrupt/docs-gitbook/blob/main/enterprise-solid-server/2.4/services/service-uma/README.md)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** option across all services with the **`authorization-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=authorization-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myESS.com,https://trustedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**

To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.

{% hint style="warning" %}
**Important**\
Ensure that the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** value for the **`authorization-server`** services is consistent with the value set for the **`resource-server`** services.
{% endhint %}
{% endtab %}

{% tab title="Individual Service" %}
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.

{% hint style="info" %}
**Tip**\
Target the services by **`labelSelector`** if you need to maintain consistency across a group of services.
{% endhint %}

The following example updates ESS’ [Query Service](/ess/2.4/services/service-query.md) **`INRUPT_JWT_ISSUER_ALLOW_LIST`** configuration value only.

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       name: ess-fragments-query
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myess.com,https://trustedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>
3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
{% endtab %}
{% endtabs %}

### Example: Update `INRUPT_JWT_ISSUER_DENY_LIST`

For a given service,

* If its corresponding **`INRUPT_JWT_ISSUER_DENY_LIST`** is unset, the service accepts tokens from all token issuers (Solid-OIDC and, if supported, UMA) unless **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is set, in which case the service accepts only tokens from issuers in the **`INRUPT_JWT_ISSUER_ALLOW_LIST`**.
* If its corresponding **`INRUPT_JWT_ISSUER_DENY_LIST`** is set, the service rejects tokens from the issuers in the list. If **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is also set, tokens from issuers not in the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** are also rejected.
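The allow-list rules in the previous section and the deny-list rules above, together with the requirement that the `authorization-server` and `resource-server` groups carry the same allow list, can be checked mechanically. The following Python is an added example, not ESS code: it assumes the list values are comma-separated issuer URLs exactly as written in the kustomization patches on this page, compares issuer strings exactly (how ESS normalises issuer URLs is not described here), and uses placeholder deployment names other than `ess-fragments-query`, which the page itself uses.

```python
"""Evaluate ESS issuer allow/deny lists and check cross-service consistency.

Added example; it is not ESS code and does not call ESS.  It applies the
rules stated on this page: an unset allow list accepts every issuer that
is not denied, a set allow list accepts only listed issuers, and the deny
list supersedes the allow list.  Function names and the sample data are
this example's own.
"""
from typing import Dict, List, Optional

IssuerSet = Optional[frozenset]


def parse_issuer_list(value: Optional[str]) -> IssuerSet:
    """Split an INRUPT_JWT_ISSUER_*_LIST value into a set of issuer URLs.

    None and a blank string both mean "unset" and return None, so callers
    can tell "no list configured" from "list configured but empty".
    Entries are trimmed.  Issuers are compared as exact strings, with no
    case folding or trailing-slash normalisation (this example's choice;
    the page does not say how ESS normalises issuer URLs).
    """
    if value is None or not value.strip():
        return None
    return frozenset(item.strip() for item in value.split(",") if item.strip())


def is_issuer_trusted(issuer: str, allow_list: Optional[str],
                      deny_list: Optional[str]) -> bool:
    """Apply the allow/deny rules to the issuer of a presented token."""
    allow = parse_issuer_list(allow_list)
    deny = parse_issuer_list(deny_list) or frozenset()
    if issuer in deny:
        return False  # the deny list wins even when the issuer is also allowed
    if allow is None:
        return True  # no allow list: every issuer that is not denied is accepted
    return issuer in allow  # allow list set: only listed issuers are accepted


# Constructed sample: the ALLOW_LIST value each Deployment would carry after
# the patches on this page were applied.  Only "ess-fragments-query" is a
# name taken from the page; the other keys are placeholders.  The two
# oauth-component groups deliberately differ in their second issuer.
SAMPLE_SERVICE_ENV: Dict[str, Dict[str, str]] = {
    "placeholder-access-grant": {
        "oauth-component": "resource-server",
        "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://openid.myESS.com,https://openid.example.com",
    },
    "ess-fragments-query": {
        "oauth-component": "resource-server",
        "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://openid.myESS.com,https://openid.example.com",
    },
    "placeholder-authorization": {
        "oauth-component": "authorization-server",
        "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://openid.myESS.com,https://trustedopenid.example.com",
    },
    "placeholder-uma": {
        "oauth-component": "authorization-server",
        "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://openid.myESS.com,https://trustedopenid.example.com",
    },
}


def allow_list_variants(service_env: Dict[str, Dict[str, str]]) -> Dict[IssuerSet, List[str]]:
    """Group services by their effective allow list.

    The page requires the authorization-server and resource-server groups
    to agree; that holds exactly when a single group comes back.
    """
    groups: Dict[IssuerSet, List[str]] = {}
    for name, env in service_env.items():
        key = parse_issuer_list(env.get("INRUPT_JWT_ISSUER_ALLOW_LIST"))
        groups.setdefault(key, []).append(name)
    return {key: sorted(names) for key, names in groups.items()}


def consistency_report(service_env: Dict[str, Dict[str, str]]) -> List[str]:
    """One line per distinct allow list when services disagree; empty if consistent."""
    groups = allow_list_variants(service_env)
    if len(groups) <= 1:
        return []
    lines = []
    for key, names in groups.items():
        shown = "unset" if key is None else ",".join(sorted(key))
        lines.append(f"{', '.join(names)}: {shown}")
    return lines


if __name__ == "__main__":
    allow = "https://openid.myESS.com,https://openid.example.com"
    deny = "https://openid.example.com"
    for iss in ("https://openid.myESS.com", "https://openid.example.com",
                "https://openid.notMyESS.com"):
        verdict = "accepted" if is_issuer_trusted(iss, allow, deny) else "rejected"
        print(f"{iss}: {verdict}")
    for line in consistency_report(SAMPLE_SERVICE_ENV):
        print("allow-list mismatch:", line)
```

Running the script shows the deny list overriding an issuer that is also on the allow list, and the consistency report flagging that the two `oauth-component` groups in the sample were patched with different second issuers, which is exactly the mismatch the Important hints on this page warn about. Feeding `consistency_report` the real `env` sections rendered by your kustomization is a cheap pre-deployment check.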

{% tabs %}
{% tab title="resource-server" %}
The following services have an **`oauth-component`** value of **`resource-server`**:

* [Access Grant Service](/ess/2.4/services/service-access-grant.md)
* [Pod Services](/ess/2.4/services/service-pod-management.md)
* [Query Service](/ess/2.4/services/service-query.md)
* [WebID Service](/ess/2.4/services/service-webid.md)
* [WebSocket Notification Service](/ess/2.4/services/service-notification/service-websocket.md)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_DENY_LIST`** option across all services with the **`resource-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=resource-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**\
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
{% endtab %}

{% tab title="authorization-server" %}
The following services have an **`oauth-component`** value of **`authorization-server`**:

* [Authorization Service](https://github.com/inrupt/docs-gitbook/blob/main/enterprise-solid-server/2.4/services/service-authorization/README.md)
* [UMA Service](https://github.com/inrupt/docs-gitbook/blob/main/enterprise-solid-server/2.4/services/service-uma/README.md)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_DENY_LIST`** option across all services with the **`authorization-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=authorization-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**\
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
{% endtab %}

{% tab title="Individual Service" %}
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.

{% hint style="info" %}
**Tip**\
To ensure consistency across ESS services, you can target the services by **`labelSelector`** instead.
{% endhint %}

The following example updates ESS’ [Query Service](/ess/2.4/services/service-query.md) **`INRUPT_JWT_ISSUER_DENY_LIST`** configuration value only.

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       name: ess-fragments-query
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://blockedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>
3. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
{% endtab %}
{% endtabs %}
