Client (List)#
Path: /profiles/profile/settings/authorization-server/client-store/config-backed/client
Keys: id
Parameters#
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| id | string (length: 1..9223372036854775807) | required | - | The client identifier, i.e. the OAuth `client_id` that the client presents in requests |
| client-name | string (length: 1..9223372036854775807) | optional | - | A human-readable name of the client |
| description | string | optional | - | A human-readable description of the client |
| logo | string | optional | - | A logo of the client that can be shown in user-interface templates |
| redirect-uris | multi-value string | optional | - | The whitelist of redirect URIs allowed for the client. Requests are only redirected to URIs in this list. If the code or implicit flow is used, at least one redirect URI is required |
| application-url | string | optional | - | This URL is used if a request is made to the OAuth server without the parameters necessary to initiate authentication. In such a case the user is redirected to this URL so that a new, properly formed request can be made to bootstrap a new authentication transaction |
| enabled | boolean | optional | true | Whether the client is enabled. Allows disabled clients to be kept in the configuration without being usable |
| created-at | string | optional | - | An operational value, kept for history purposes |
| created-by | string | optional | - | Describes which user created the client |
| access-token-ttl | uint32 | optional | 300 | The number of seconds an access token will be valid |
| refresh-token-ttl | union (uint32 | enumeration (disabled)) | optional | 3600 | The number of seconds a refresh token will be valid. If set to ‘disabled’, no refresh tokens will be issued |
| refresh-token-max-rolling-lifetime | union (uint32 | enumeration (disabled)) | optional | - | When set, each new refresh token still expires after refresh-token-ttl seconds, but the total (rolling) lifetime of the chain of refresh tokens is capped at this many seconds; once the cap is reached, no later expiry is granted |
| id-token-ttl | uint32 | optional | - | The number of seconds an id token will be valid. If not set, the profile-setting is used. |
| audience | multi-value string | optional | - | The intended audiences for the token. The first element is the default. If none is set, the ID of the client is used as the audience |
| scope | multi-value leafref → ../../../../scopes/scope/id | optional | - | The subset of the scopes defined in the profile that this client is allowed to request. If no subset is defined here, the client may request all scopes of the profile |
| claims-mapper | leafref → ../../../../claims/claims-mappers/claims-mapper/id | optional | - | The mapper to use when adding claims to tokens. The mapper decides which claims end up in which token or response; the claims themselves are defined in the scope. If not set, the default-mapper is used |
| allowed-origins | multi-value string (length: 1..9223372036854775807) | optional | - | An optional list of URIs or URI patterns that are allowed to embed the rendered pages inside an iframe, to act as a trusted source, or to be used as CORS origins |
| require-secured-authorization-response | empty | optional | - | If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification |
| privacy-policy-url | string | optional | - | An absolute URL that refers to the privacy policy for the client |
| terms-of-service-url | string | optional | - | An absolute URL that refers to the terms of service of the client |
| validate-port-on-loopback-interfaces | boolean | optional | true | Whether the port is validated when a client is configured to redirect to the loopback interface. Defaults to true for backwards compatibility. Future versions may default to false, because RFC 8252 (sec. 3) says the port should not be validated for loopback redirects and ignoring it does not generally reduce the security of local redirects. This option cannot be set when the profile enables redirect-URI validation policies. This setting is deprecated in favour of redirect-uri-validation-policy |
| redirect-uri-validation-policy | leafref → ../../../../redirect-uri-validation-policies/redirect-uri-validation-policy/id | optional | - | The redirect-URI validation policy to use for this client. This value overrides the profile's default redirect-URI validation policy |
| reuse-refresh-tokens | boolean | optional | - | Whether the same refresh token is kept across refreshes (true) or a new refresh token is issued on every refresh (false). When set, this takes precedence over the profile setting reuse-refresh-tokens; when not set, the profile setting applies |
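The table above defines several constraints that an authorization server must enforce at runtime rather than merely store: redirect URIs must match the whitelist exactly (with the RFC 8252 loopback-port exception when `validate-port-on-loopback-interfaces` is false), the code and implicit flows require at least one redirect URI, and the refresh-token lifetime is the per-token `refresh-token-ttl` capped by `refresh-token-max-rolling-lifetime`. The following is an added, stand-alone Python example written for this page; it is not Curity code and does not read Curity configuration. The `ClientConfig` fields, the capability names `code` and `implicit`, and the interpretation that the rolling-lifetime cap is measured from the first refresh token of a delegation are assumptions made for the illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union
from urllib.parse import urlsplit

DISABLED = "disabled"
UINT32_MAX = 2**32 - 1


@dataclass
class ClientConfig:
    """Subset of the client parameters documented above (names are illustrative)."""
    id: str
    redirect_uris: list[str] = field(default_factory=list)
    capabilities: set[str] = field(default_factory=set)  # assumed names: "code", "implicit", ...
    access_token_ttl: int = 300
    refresh_token_ttl: Union[int, str] = 3600                       # uint32 or "disabled"
    refresh_token_max_rolling_lifetime: Optional[Union[int, str]] = None
    validate_port_on_loopback_interfaces: bool = True


def validate_client(cfg: ClientConfig) -> list[str]:
    """Static checks that mirror the documented constraints; returns a list of problems."""
    errors = []
    if len(cfg.id) < 1:
        errors.append("id must be at least 1 character")
    if cfg.capabilities & {"code", "implicit"} and not cfg.redirect_uris:
        errors.append("redirect-uris needs at least 1 entry for code/implicit flow")
    for name, value in (("refresh-token-ttl", cfg.refresh_token_ttl),
                        ("refresh-token-max-rolling-lifetime", cfg.refresh_token_max_rolling_lifetime)):
        if value is None or value == DISABLED:
            continue
        if not isinstance(value, int) or not 0 <= value <= UINT32_MAX:
            errors.append(f"{name} must be a uint32 or 'disabled'")
    return errors


def _is_loopback_literal(host: Optional[str]) -> bool:
    """True only for IP literals such as 127.0.0.1 or [::1]; 'localhost' is not an IP literal."""
    try:
        return host is not None and ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(cfg: ClientConfig, requested: str) -> bool:
    """Exact-match whitelist check; only loopback IP redirects may vary the port (RFC 8252 sec. 7.3)."""
    req = urlsplit(requested)
    for allowed in cfg.redirect_uris:
        if requested == allowed:            # strict string equality, no prefix or pattern matching
            return True
        if cfg.validate_port_on_loopback_interfaces:
            continue                        # legacy behaviour: port is part of the exact match
        reg = urlsplit(allowed)
        if not (_is_loopback_literal(req.hostname) and _is_loopback_literal(reg.hostname)):
            continue
        # Same scheme, host, path and query; the port is the only part allowed to differ.
        if (req.scheme, req.hostname, req.path, req.query) == (reg.scheme, reg.hostname, reg.path, reg.query):
            return True
    return False


def next_refresh_token_expiry(cfg: ClientConfig, now: int, first_issued_at: int) -> Optional[int]:
    """Absolute expiry (epoch seconds) of a refresh token issued at `now`, or None if none is issued.

    Assumption for this example: the rolling cap counts from the first refresh token of the
    delegation, and a token whose capped expiry would not lie in the future is not issued.
    """
    if cfg.refresh_token_ttl == DISABLED:
        return None
    expiry = now + cfg.refresh_token_ttl
    cap = cfg.refresh_token_max_rolling_lifetime
    if cap is not None and cap != DISABLED:
        expiry = min(expiry, first_issued_at + cap)
    return expiry if expiry > now else None


if __name__ == "__main__":
    # Constructed sample client: a web app plus a native-app style loopback redirect.
    cfg = ClientConfig(id="web-app",
                       redirect_uris=["https://app.example.com/cb", "http://127.0.0.1/cb"],
                       capabilities={"code"},
                       refresh_token_ttl=3600,
                       refresh_token_max_rolling_lifetime=86400,
                       validate_port_on_loopback_interfaces=False)
    print(validate_client(cfg))
    print(redirect_uri_allowed(cfg, "http://127.0.0.1:49152/cb"))
    print(next_refresh_token_expiry(cfg, now=1_000_000 + 85_000, first_issued_at=1_000_000))
```

Note that the loopback exception applies only to IP literals: `http://localhost:49152/cb` is rejected even with port validation off, because `localhost` can resolve to something other than the loopback interface, which is exactly why RFC 8252 discourages it.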
Subsections#
| Name | Type | Description |
|---|---|---|
| verifier | OneOf | Describes how the client is authenticated |
| assertion-jwt-validation | Section | Validate the assertion JWT used for client authentication according to RFC-7523 (e.g. optional jti; iss and sub don’t have to be equal) instead of OpenID Connect Core (which is done by default). |
| secondary-authentication-method | Section | |
| request-object | Section | Enable request-object support, where the client can send a JWT carrying the request parameters. If enabled, a request object JWT MUST be provided by the client. |
| user-consent | Section | When set, the user is asked to accept the delegation via a consent screen. This applies to all interactive flows (i.e. code, implicit, assisted token and device authorization flow) |
| proof-key | Section | Proof Key for Code Exchange (RFC 7636 - PKCE) is a measure for preventing authorization code interception. This is an attack on client systems that allow a malicious application to register itself as a handler for the custom scheme utilized by the legitimate app in the Authorization Code Grant flow. |
| user-authentication | Section | |
| capabilities | Section | OAuth capabilities that this client is allowed to perform |
| dynamic-client-registration-template | Section | Enable client as template for Dynamic Client Registration |
| use-pairwise-subject-identifiers | Section | Enable this when the client must always be issued pairwise pseudonymous subject identifiers instead of public identifiers. |
| signed-userinfo | Section | Enable support for returning userinfo as signed JWT |
| id-token-encryption | Section | Enable Id token encryption as per JWE specification |
| attestation | Section | |
| properties | Section | List of properties that can be configured on a client. These properties can be used from procedures to retrieve properties of the configured client. |
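The proof-key subsection above describes what PKCE (RFC 7636) defends against: an attacker who intercepts the authorization code (for example by registering for the same custom URL scheme as the legitimate app) but who never saw the `code_verifier`. The following is an added Python example written for this page, not Curity code, showing both halves of the exchange: the client derives an S256 `code_challenge` from a random verifier, and a minimal authorization server binds that challenge to the issued code and refuses to redeem the code without the matching verifier. The `AuthorizationServer` class and its method names are illustrative.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 sec. 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to exactly 43 base64url characters."""
    return _b64url(secrets.token_bytes(nbytes))


def challenge_for(verifier: str, method: str = "S256") -> str:
    """Client side: S256 is BASE64URL(SHA256(ASCII(verifier))) without padding."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Toy server (assumed API) that binds a PKCE challenge to each authorization code."""

    def __init__(self, allow_plain: bool = False):
        self._codes: dict[str, tuple[str, str, str]] = {}
        self.allow_plain = allow_plain   # "plain" offers no protection against interception

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method == "plain" and not self.allow_plain:
            raise ValueError("plain code_challenge_method is not allowed for this client")
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str]) -> Optional[dict]:
        # Codes are single use: a failed attempt burns the code, so an interceptor
        # cannot keep guessing, and a replay after a successful redemption fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id:
            return None
        if code_verifier is None or not VERIFIER_RE.match(code_verifier):
            return None
        expected = challenge_for(code_verifier, method)
        if not hmac.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange() -> tuple[bool, bool, bool]:
    """Constructed scenario: legitimate redemption, replay, and an interceptor without the verifier."""
    server = AuthorizationServer()
    verifier = generate_verifier()
    code = server.authorize("native-app", challenge_for(verifier), "S256")
    legitimate = server.token("native-app", code, verifier) is not None
    replay = server.token("native-app", code, verifier) is not None
    stolen_code = server.authorize("native-app", challenge_for(generate_verifier()), "S256")
    interceptor = server.token("native-app", stolen_code, generate_verifier()) is not None
    return legitimate, replay, interceptor


if __name__ == "__main__":
    print(run_exchange())  # expected: (True, False, False)
```

The `hmac.compare_digest` call keeps the challenge comparison constant-time, and the regular-expression check rejects malformed verifiers before hashing, which is the same order of checks a production token endpoint should apply.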