# Manage OpenID Token Issuer Allow/Deny Lists

Various ESS microservices can configure [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#example-update-inrupt_jwt_issuer_allow_list) and [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#example-update-inrupt_jwt_issuer_deny_list) options to manage trusted issuers of Solid OIDC tokens (i.e., identity providers).

The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label that can be used to maintain consistent configuration across the services that share the label:

| Services                                                                                                                                                                                                                                                                                                                                                                                       | OAuth Component (oauth-component) |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| <p><a href="../../../services/service-access-grant">Access Grant Service</a><br><a href="../../../services/service-pod-management">Pod Services</a><br><a href="../../../services/service-query">Query Service</a><br><a href="../../../services/service-webid">WebID Service</a><br><a href="../../../services/service-notification/service-websocket">WebSocket Notification Service</a></p> | **`resource-server`**             |
| <p><a href="../../../services/service-authorization">Authorization Service</a><br><a href="../../../services/service-uma">UMA Service</a></p>                                                                                                                                                                                                                                                  | **`authorization-server`**        |

## Example Customizations

### Example: Update `INRUPT_JWT_ISSUER_ALLOW_LIST`

For a given service,

* If its corresponding [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#example-update-inrupt_jwt_issuer_allow_list) is unset, the service accepts tokens from all Solid-OIDC token issuers except those listed in its [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#example-update-inrupt_jwt_issuer_deny_list).
* If its corresponding **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is set, the service accepts only Solid-OIDC tokens from the issuers in the list, with the following exception:
  * If an issuer is in both **`INRUPT_JWT_ISSUER_ALLOW_LIST`** and **`INRUPT_JWT_ISSUER_DENY_LIST`**, the **`INRUPT_JWT_ISSUER_DENY_LIST`** supersedes the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** and tokens issued by that issuer are not accepted by the service.

{% tabs %}
{% tab title="resource-server" %}
The following services have an **`oauth-component`** value of **`resource-server`**:

* [Access Grant Service](https://docs.inrupt.com/ess/2.5/services/service-access-grant)
* [Pod Services](https://docs.inrupt.com/ess/2.5/services/service-pod-management)
* [Query Service](https://docs.inrupt.com/ess/2.5/services/service-query)
* [WebID Service](https://docs.inrupt.com/ess/2.5/services/service-webid)
* [WebSocket Notification Service](https://docs.inrupt.com/ess/2.5/services/service-notification/service-websocket)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** option across all services with the **`resource-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=resource-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**

To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.

{% hint style="warning" %}
**Important**\
Ensure that the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** value for the **`authorization-server`** services is consistent with the value set for the **`resource-server`** services.
{% endhint %}
{% endtab %}

{% tab title="authorization-server" %}
The following services have an **`oauth-component`** value of **`authorization-server`**:

* [Authorization Service](https://docs.inrupt.com/ess/latest/services/service-authorization)
* [UMA Service](https://docs.inrupt.com/ess/2.5/services/service-uma)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** option across all services with the **`authorization-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=authorization-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myESS.com,https://trustedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**

To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.

{% hint style="warning" %}
**Important**\
Ensure that the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** value for the **`authorization-server`** services is consistent with the value set for the **`resource-server`** services.
{% endhint %}
{% endtab %}

{% tab title="Individual Service" %}
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.

{% hint style="info" %}
**Tip**\
Target the services by **`labelSelector`** if you need to maintain consistency across a group of services.
{% endhint %}

The following example updates ESS’ [Query Service](https://docs.inrupt.com/ess/2.5/services/service-query) **`INRUPT_JWT_ISSUER_ALLOW_LIST`** configuration value only.

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       name: ess-fragments-query
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_ALLOW_LIST
   </strong><strong>           value: "https://openid.myess.com,https://trustedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>
3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
{% endtab %}
{% endtabs %}

### Example: Update `INRUPT_JWT_ISSUER_DENY_LIST`

For a given service,

* If its corresponding **`INRUPT_JWT_ISSUER_DENY_LIST`** is unset, the service accepts tokens from all token issuers (Solid-OIDC and, if supported, UMA) unless **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is set, in which case the service accepts only tokens from issuers in the **`INRUPT_JWT_ISSUER_ALLOW_LIST`**.
* If its corresponding **`INRUPT_JWT_ISSUER_DENY_LIST`** is set, the service disallows tokens from the issuers in the list. If **`INRUPT_JWT_ISSUER_ALLOW_LIST`** is also set, tokens from issuers not in the **`INRUPT_JWT_ISSUER_ALLOW_LIST`** are also disallowed.
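As an added illustration (not ESS code), the following Python helper models the allow/deny precedence rules stated here and in the allow-list example above, together with the consistency warning for the two **`oauth-component`** groups. The sample values are constructed to mirror this page's kustomization examples; tolerating whitespace around commas is an assumption of this helper, not documented ESS behaviour.

```python
"""Model of the ESS issuer allow/deny decision described on this page.

Hypothetical helper, not ESS code: decides whether a token's `iss` claim
would be admitted by a service configured with the two
INRUPT_JWT_ISSUER_* environment variables, and checks that the
resource-server and authorization-server groups trust the same issuers.
"""
from typing import Optional


def parse_issuer_list(raw: Optional[str]) -> Optional[frozenset]:
    """Parse a comma-separated env var value; None or blank means 'unset'.
    Stripping whitespace around each entry is this helper's assumption."""
    if raw is None or not raw.strip():
        return None
    return frozenset(item.strip() for item in raw.split(",") if item.strip())


def issuer_accepted(issuer: str, allow_list: Optional[str], deny_list: Optional[str]) -> bool:
    """Apply the page's rules (issuer strings are compared exactly):
    - the deny list always wins, even for an issuer that is also allowed;
    - if an allow list is set, only listed issuers are accepted;
    - if neither list is set, every issuer is accepted."""
    allow = parse_issuer_list(allow_list)
    deny = parse_issuer_list(deny_list)
    if deny is not None and issuer in deny:
        return False
    if allow is not None:
        return issuer in allow
    return True


def allow_lists_consistent(resource_server_value: Optional[str],
                           authorization_server_value: Optional[str]) -> bool:
    """The page's warning: both oauth-component groups must trust the same issuers."""
    return parse_issuer_list(resource_server_value) == parse_issuer_list(authorization_server_value)


# Constructed sample values, copied from the page's kustomization examples.
RESOURCE_SERVER_ALLOW = "https://openid.myESS.com,https://openid.example.com"
AUTHORIZATION_SERVER_ALLOW = "https://openid.myESS.com,https://trustedopenid.example.com"
DENY = "https://openid.notMyESS.com,https://openid.example.com"

if __name__ == "__main__":
    for iss in ("https://openid.myESS.com", "https://openid.example.com", "https://openid.other.com"):
        print(iss, "accepted" if issuer_accepted(iss, RESOURCE_SERVER_ALLOW, DENY) else "rejected")
    print("allow lists consistent:", allow_lists_consistent(RESOURCE_SERVER_ALLOW, AUTHORIZATION_SERVER_ALLOW))
```

Note that the two allow lists taken from the page's own examples are reported as inconsistent, which is exactly the situation the **Important** hints warn against.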

{% tabs %}
{% tab title="resource-server" %}
The following services have an **`oauth-component`** value of **`resource-server`**:

* [Access Grant Service](https://docs.inrupt.com/ess/2.5/services/service-access-grant)
* [Pod Services](https://docs.inrupt.com/ess/2.5/services/service-pod-management)
* [Query Service](https://docs.inrupt.com/ess/2.5/services/service-query)
* [WebID Service](https://docs.inrupt.com/ess/2.5/services/service-webid)
* [WebSocket Notification Service](https://docs.inrupt.com/ess/2.5/services/service-notification/service-websocket)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_DENY_LIST`** option across all services with the **`resource-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=resource-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**\
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
{% endtab %}

{% tab title="authorization-server" %}
The following services have an **`oauth-component`** value of **`authorization-server`**:

* [Authorization Service](https://docs.inrupt.com/ess/2.5/administration/logging)
* [UMA Service](https://github.com/inrupt/docs-gitbook/blob/main/enterprise-solid-server/2.5/services/service-uma/README.md)

You can use the **`oauth-component`** value to update the **`INRUPT_JWT_ISSUER_DENY_LIST`** option across all services with the **`authorization-server`** value. For example:

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       labelSelector: oauth-component=authorization-server
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://openid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>

{% hint style="info" %}
**Tip**\
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.
{% endhint %}

3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
{% endtab %}

{% tab title="Individual Service" %}
To update just a single service, you can target the service deployment by **`name`** instead of by the **`labelSelector`**.

{% hint style="info" %}
**Tip**\
To ensure consistency across ESS services, you can target the services by **`labelSelector`** instead.
{% endhint %}

The following example updates ESS’ [Query Service](https://docs.inrupt.com/ess/2.5/services/service-query) **`INRUPT_JWT_ISSUER_DENY_LIST`** configuration value only.

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure).\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    patches:
   <strong>   - target:
   </strong><strong>       kind: Deployment
   </strong><strong>       name: ess-fragments-query
   </strong><strong>     patch: |
   </strong><strong>       - op: add
   </strong><strong>         path: /spec/template/spec/containers/0/env/-
   </strong><strong>         value:
   </strong><strong>           name: INRUPT_JWT_ISSUER_DENY_LIST
   </strong><strong>           value: "https://openid.notMyESS.com,https://blockedopenid.example.com"
   </strong><strong> 
   </strong> 
   </code></pre>
3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
{% endtab %}
{% endtabs %}
