Application Center appsettings

This page lists all the appsettings.json settings available for the Application Center (Core).

The appsettings.json file is located in the folder <AMT Environment>\AmtTools\ApplicationCenterCore\

The appsettings file is (sub-)divided into the following sections.

Section	Description
AMT	The main section where most settings are located.
ApplicationCenter	A sub section under AMT where settings unique to the Application Center are located.
Logging	Section for the logging settings for the Web Application.
Blazor	Section for settings related to the Blazor Web Clients.
AllowedHosts	Solo settings which restricts the hosts which may access the Web Application.

{

"Amt": {

"ApplicationCenter": {

"LogOnKind": false,

"HideMenu": false,

"ShowLogOff": true,

"LogOffBehavior": "AllSessions",

"Theme": "Default",

"Culture": "ENGLISH",

"KeepAliveInterval": 5,

"AmtCookieEncryptionKey": "eN5lwyldYKKCLzjwYGfY2rpRa791JMFSke5PDTRL0lA=",

"BusinessLogic": {

"Address": "https://<domain>[:port]/<path>",

"RequestTimeout": 1.67

"Authentication": {

"AuthenticationType": "OIDC",

"AmtOIDC": {

"OIDC": {

"ClientId": "",

"Authority": "",

"Scope": [ "" ],

"ClientSecret": "",

"TokenValidationParameters": {

"NameClaimType": "preferred_username"

"RequireHttpsMetadata": true

"CookieAuthenticationOptions": {

"Cookie": {

"Name": ".Amt.AC.Auth",

"Domain": "",

"Path": "/",

"SameSite": "None"

}

"DisableRefreshTokens": false,

"RefreshThreshold": 60,

"EnableClientAssertion": false,

"ClientAssertionAlgorithm": "RS256",

"CertificateConfig": {

"AllowInvalid": true,

"Subject": "",

"StoreName": "MY",

"StoreLocation": "CurrentUser",

"Path": "certificate.pfx",

"Password": ""

}

"DataProtection": {

"ApplicationName": "",

"KeyRingFolder": "D:\\keyringfolder\\"

"WebSessionState": {

"IdleTimeout": 10,

"IOTimeout": 1,

"Cookie": {

"Domain": "",

"Path": "/",

"Name": ".Amt.AC.WebSession"

}

"HSTS": {

"MaxAge": 31536000,

"IncludeSubDomains": false

}

"Logging": {

"LogLevel": {

"Default": "Information",

"Microsoft": "Warning",

"Microsoft.Hosting.Lifetime": "Information",

"System.Net.Http": "Warning"

}

"AllowedHosts": "*"

}

HideMenu

With this setting set to true, the Application Center will start with the left menu hidden. The default value is false.

"HideMenu": false,

ShowLogOff

When this setting is added and set to false, the Log off link in the Application Center will not be shown. The default value is true.

"ShowLogOff": true,

LogOffBehavior

This setting is explained in Session Logout Behaviour.

Theme

This setting is explained in AMT Web Themes.

Culture

The language of the Application Center, used for localization. See Localization.

"Culture": "ENGLISH",

KeepAliveInterval

The number of minutes between keepalive calls originating from a JavaScript script in the browser. It is important that this interval is shorter or equal to the lifetime of the authentication tokens and the web session timeout.

"KeepAliveInterval": 5,

AmtCookieEncryptionKey

This setting is explained in Generating Keys.

BusinessLogic

Settings needed to communicate with the Application Center WebAPI.

Address - The URL of the ApplicationCenterBL website should be set as the value of this key.
RequestTimeout - The timeout (in minutes) for requests to the business logic address. This default value is approximately 1 minute and 40 seconds (1.67 minutes).

"BusinessLogic": {
"Address": "https://<domain>[:port]/<path>",
"RequestTimeout": 1.67
},

AuthenticationType

The authentication type used to log into the Application Center, the only valid option is "OIDC" (OpenID Connect).

"AuthenticationType": "OIDC",

OIDC

This section holds the settings for OpenID Connect authentication.

ClientId - The client ID of the application.
Authority - The OIDC authority URL.
Scope - The scopes to request from the authorization server to allow access tokens to be used to call other resource servers (e.g. CC, AC or Blazor APIs).
ClientSecret - The client secret of the application, not applicable if client assertion is enabled.
TokenValidationParameters:
- NameClaimType - The claim type that will be used to identify the user. Commonly preferred_username is used as claim type.
  The claim type must be identical to the claim type set in the ApplicationCenterBL appsettings.
RequireHttpsMetadata - If true then HTTPS is required for the authority. The default is true. This should be disabled only in development environments.

"AmtOIDC": {
"OIDC": {
"ClientId": "amt-applicationcenter",
"Authority": "https://login.example.org/amt-applications/v2/auth",
"Scope": [ "openid profile amt-applicationcenter-api-scope" ],
"ClientSecret": "c8A6L7j5E3N0n9Y",
"TokenValidationParameters": {
"NameClaimType": "preferred_username"
},
"RequireHttpsMetadata": true
},
...

CookieAuthenticationOptions

The 'CookieAuthenticationOptions' section holds settings for the cookie used for user authentication.

Name - Name of the authentication cookie that will be used to store the identity token.
Domain - The domain of the authentication cookie.
Path - The path of the authentication cookie.
SameSite - SameSite policy of the authentication cookie. Should be set to None if the application is used in an iframe.
Allowed values are: Undefined the default value which does not set a SameSite field, None to disable SameSite restrictions, Lax to send the cookie with "same-site" requests and with "cross-site" top-level navigations, and Strict to only send the cookie with "same-site" requests.

"CookieAuthenticationOptions": {
"Cookie": {
"Name": ".Amt.AC.Auth",
"Domain": "",
"Path": "/",
"SameSite": "None"
}
},

AmtOIDC

This section holds the remaining OpenID Connect options.

DisableRefreshTokens - Set to true to disable the refresh of tokens. Defaults to false.
RefreshThreshold - The refresh threshold in seconds if enabled. If tokens expire within the configured threshold, the tokens will be refreshed. Defaults to 60 seconds.
EnableClientAssertion - Set to true to enable client assertion. Defaults to false. If true, a signed token will be used to authenticate users instead of a client secret.
ClientAssertionAlgorithm - The algorithm used to sign the token to be used as client assertion. Defaults to RS256.
CertificateConfig - This section must be set if client assertion is enabled. See CertificateConfig.

"AmtOIDC": {
...
"DisableRefreshTokens": false,
"RefreshThreshold": 60,
"EnableClientAssertion": false,
"ClientAssertionAlgorithm": "RS256",
"CertificateConfig": {
...

CertificateConfig

Configuration options for the certificate used to sign the client assertion. This section can be left out if client assertion is disabled.

AllowInvalid - Set to true if invalid certificates should be allowed. Defaults to false.
Subject - The subject of the certificate.
StoreName - The name of the store where the certificate is located. Defaults to 'MY'.
StoreLocation - The location of the store where the certificate is located. Defaults to 'CurrentUser'.
Path - The path to the certificate file.
Password - The password for the certificate. Only necessary when loading the certificate from base64 or file.

"CertificateConfig": {
"AllowInvalid": true,
"Subject": "amt-application-cert",
"StoreName": "MY",
"StoreLocation": "LocalMachine",
"Path": "certificate.pfx"
"Password": ""
}

DataProtection

The DataProtection setting contains settings for ASP.NET Core data protection, which is used to encrypt the session state and authentication cookie, amongst other things. This section is optional and allows the keys to be saved to a specified folder, where they will be encrypted with DPAPI (Data Protection Application Programming Interface), allowing only accounts from the same system to access them. This is a replacement for the ASP.NET MachineKey.
When this section is not included in the appsettings file, keys are saved to the registry which is the default.

ApplicationName - The application name used for data protection. Setting the same application name in multiple web applications will result in the sharing of their keys.
KeyRingFolder - The local directory where data protection keys will be stored.

"DataProtection": {
"ApplicationName": "",
"KeyRingFolder": "D:\\keyringfolder\\"
},

WebSessionState

The 'WebSessionState' section contains optional settings for the ASP.NET Core web sessions used by the Application Center Core web application.

IdleTimeout - The time in minutes that a session remains active on the server before it is discarded, default is 10 minutes.
IOTimeout - The timeout (in minutes) for loading data from the session store. The default value of 1 is the ASP.NET Core default and usually should not have to be changed.
The Cookie section holds settings for the cookie used for the web session.
- Domain - The domain of the web session cookie.
- Path - The path of the web session cookie.
- Name - The name of the web session cookie.

"WebSessionState": {
"IdleTimeout": 10,
"IOTimeout": 1,
"Cookie": {
"Domain": "",
"Path": "/",
"Name": ".Amt.AC.WebSession"
}
}

Logging

Sets the logging levels for the various ASP.NET Core components of the web application. These settings do not need be adjusted in a normal situation.
The allowed log levels are, from most to least detailed: Trace, Debug, Information, Warning, Error, Critical and None.

"Logging" {
  "LogLevel": {
  "Default": "Information",
  "Microsoft": "Warning",
  "Microsoft.Hosting.Lifetime": "Information",
  "System.Net.Http": "Warning"
}
},

AllowedHosts

In the AllowedHosts section, access to the web application can be restricted to specific hostnames.
The value is a semicolon-delimited list of host names without port numbers.
By default all hostnames are allowed by the asterisk (*) wildcard.
Disallowed users will get a HTTP 400 error code (Bad Request).

"AllowedHosts": "*"