Last updated June 17, 2026

User-authentication (Section)#

Path: /profiles/profile/settings/authorization-server/client-store/config-backed/client/user-authentication

Parameters#

Name	Type	Required	Default	Description
allowed-authenticators	`multi-value` leafref → `/base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:authenticator/auth:id`	optional	-	The list of allowed authenticators for this client
authenticator-filters	`multi-value` leafref → `/base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticator-filters/auth:authenticator-filter/auth:id`	optional	-	The list of authenticator-filters for this client
required-claims	`multi-value` string	optional	-	A list of named claims that must be required by the authenticator when authenticating the user.
context-info	string	optional	“	Information that will be displayed to the user when authenticating the client
template-area	string (length: 1..9223372036854775807)	optional	-	Select an optional Template Area or Theme to apply to this Client. If they have the same name, both will be applied.
force-authn	boolean	optional	-	Optional default setting whether user authentication is forced at all times.
freshness	uint32	optional	-	Optional maximum age in seconds after which re-authentication must take place.
locale	string (length: 1..9223372036854775807)	optional	-	Optional override for default locale.
frontchannel-logout-uri	string	optional	-	Optional uri of the client that is called upon user logout when attempting front channel logout. Requires OpenId Connect to be enabled.
backchannel-logout-uri	string	optional	-	Optional uri of the client that is called upon user logout when attempting back channel logout. Requires OpenId Connect to be enabled.
http-client	leafref → `/base:facilities/base:http/base:client/base:id`	optional	-	The HTTP client that will be used when delivering the logout token to the backchannel logout uri
allowed-post-logout-redirect-uris	`multi-value` string	optional	-	The optional list of URIs that is allowed for the client to use as post logout redirect uri. Requires OpenId Connect to be enabled.

Subsections#

Name	Type	Description
ui-experience	Section	(experimental) Configure which UI experience to use. Defaults to the UI experience configured for the system. This can be overridden for specific client applications in the related profiles.

Was this helpful?