| id | non-empty-string | required | | The client ID corresponding to the spec |
| client-name | non-empty-string | optional | | A human readable name of the client |
| description | string | optional | | A human readable description of the client |
| logo | string | optional | | A logo of the client that can be shown in user interface templates. |
| redirect-uris | multi-value, uri | optional | | The whitelist of Redirect URIs allowed for the client. If the code or implicit flow is used, at least 1 item is required. |
| application-url | uri | optional | | This URL is used if a request is made to the OAuth server without the parameters necessary to initiate authentication. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction. |
| enabled | boolean | optional | true | A settable state of the client, to be able to host disabled clients |
| created-at | date-and-time | optional | | An operational state, kept for history purposes |
| created-by | string | optional | | Describes which user created the client. |
| access-token-ttl | token-time-to-live | optional | 300 | The number of seconds an access token will be valid |
| refresh-token-ttl | disablable-token-time-to-live | optional | 3600 | The number of seconds a refresh token will be valid. If set to ‘disabled’, no refresh tokens will be issued |
| refresh-token-max-rolling-lifetime | disablable-token-time-to-live | optional | | When set, the refresh-token-ttl is used to set the expiration of new refresh tokens, until this max value is reached. |
| id-token-ttl | token-time-to-live | optional | | The number of seconds an id token will be valid. If not set, the profile-setting is used. |
| audience | multi-value, string | optional | | The intended audiences for the token. The first element is the default. If none are stipulated, the ID of the client will be used as the audience |
| scope | multi-value, leafref | optional | | A subset of the scopes defined in the profile that this client is allowed to request, or all of them if no subset is defined here |
| claims-mapper | leafref | optional | | The mapper to use when adding claims to tokens. The mapper decides what claims end up in which token or response. The claims themselves are defined in the scope. If not set, the default-mapper is used |
| allowed-origins | multi-value, non-empty-string | optional | | The optional list of URIs or URI-patterns that are allowed to embed the rendered pages inside an iframe, be a trusted source or be used for CORS. |
| require-secured-authorization-response | empty | optional | | If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification |
| privacy-policy-url | uri | optional | | An absolute URL that refers to the privacy policy for the client |
| terms-of-service-url | uri | optional | | An absolute URL that refers to the terms of service of the client |
| validate-port-on-loopback-interfaces | boolean | optional | true | Whether the port should be validated when a client is configured to redirect to the loopback interface. Defaults to true for backwards compatibility. Future versions may default to false because RFC-8252 (sec. 3) says the port should not be validated, and doing so does not generally reduce the security of local redirects. This option cannot be set when the profile enables redirect-uri validation policies. This setting is deprecated in favour of redirect-uri-validation-policies. |
| redirect-uri-validation-policy | leafref | optional | | The redirect URI validation policy to use for this client. This value overrides the profile’s setting for the default redirect URI validation policy. |
| reuse-refresh-tokens | boolean | optional | | Defines whether refresh tokens are created on every refresh or kept. When set, this takes precedence over the profile setting (reuse-refresh-tokens); when not set, the profile setting applies. |
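As an added illustration of the redirect-uris whitelist together with the validate-port-on-loopback-interfaces setting above (example code written for this page, not the product's own implementation), the check below matches a requested redirect_uri exactly and relaxes only the port comparison, only for loopback IP literals, and only when the option is turned off, as RFC 8252 sec. 3 describes. The function name, the loopback host set and the exclusion of the hostname "localhost" are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Loopback IP literals named in RFC 8252 (sections 7.3 and 8.3). The hostname
# "localhost" is deliberately left out (an assumption made here): it may resolve
# to a non-loopback address, so it only ever gets ordinary exact matching.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _is_loopback_http(parts) -> bool:
    """True for http://127.0.0.1... and http://[::1]... (any port, any path)."""
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def _without_port(parts) -> str:
    """Re-assemble the URI with the port removed, so two loopback URIs that
    differ only in port compare equal."""
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal must be re-bracketed
        host = f"[{host}]"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def redirect_uri_allowed(requested: str, redirect_uris: list[str],
                         validate_port_on_loopback: bool = True) -> bool:
    """Decide whether `requested` is one of the client's whitelisted redirect-uris.

    Everything is compared by exact string match (no prefix, wildcard or case
    folding), which is what keeps the redirect_uri parameter from being turned
    into an open redirect. The single relaxation is the RFC 8252 sec. 3 loopback
    case: when validate_port_on_loopback is False, a requested
    http://127.0.0.1:<any port>/path matches a registered http://127.0.0.1/path.
    """
    # RFC 6749 sec. 3.1.2: a redirection endpoint URI must not carry a fragment.
    if "#" in requested:
        return False
    if requested in redirect_uris:
        return True
    if validate_port_on_loopback:
        return False  # documented default: the port is part of the match
    req = urlsplit(requested)
    if not _is_loopback_http(req):
        return False  # the relaxation never applies to non-loopback hosts
    req_key = _without_port(req)
    return any(_is_loopback_http(ent) and _without_port(ent) == req_key
               for ent in map(urlsplit, redirect_uris))
```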