Ephemeral-client (Section)
Path: /profiles/profile{id, type}/settings/authorization-server/ephemeral-client
Enables the Ephemeral clients feature.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| require-secured-authorization-response | empty | optional | | If set, all authorization responses must be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification |
| require-request-object | empty | optional | | If set, all authorization requests made by ephemeral clients must include a request object |
| require-id-token-encryption | empty | optional | | If set, ephemeral clients must register with ID token encryption settings. Requires OpenID Connect to be enabled for the profile and the openid scope to be allowed for ephemeral clients. |
| access-token-ttl | token-time-to-live | optional | 300 | The number of seconds an access token will be valid |
| refresh-token-ttl | disablable-token-time-to-live | optional | 3600 | The number of seconds a refresh token will be valid. If set to ‘disabled’, no refresh tokens will be issued |
| refresh-token-max-rolling-lifetime | disablable-token-time-to-live | optional | | When set, refresh-token-ttl sets the expiration of each new refresh token until this maximum lifetime is reached. |
| reuse-refresh-tokens | boolean | optional | | Defines whether a new refresh token is created on every refresh or the existing one is kept. When set, this takes precedence over the profile setting (reuse-refresh-tokens); when not set, the profile setting applies. |
| id-token-ttl | token-time-to-live | optional | | The number of seconds an ID token will be valid. If not set, the profile setting is used. |
| require-pushed-authorization-requests | empty | optional | | Clients must use pushed authorization requests (PAR); if this is not enabled here, the profile setting for require-pushed-authorization-requests is followed. |
| localhost-allowed | empty | optional | | If enabled, allows ephemeral client IDs to be localhost or loopback addresses. |
| http-client | leafref | optional | | The HTTP client used to fetch client ID metadata documents and possibly other resources (e.g. the JWKS used for client authentication). If not set, the default HTTP client is used. |
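The refresh-token lifetime rules and the cross-setting constraints in the table above are easy to misread, so the following added example (written for this page; it is not the product's own code or configuration format) models them in Python. Field names mirror the parameter names; the profile-level context it needs (whether OpenID Connect is enabled, which scopes are allowed) and the exact way `refresh-token-max-rolling-lifetime` caps a rotated refresh-token chain are assumptions made for illustration.

```python
"""Added worked example for the ephemeral-client parameter table.
Not part of the product documentation; the profile-level context and the
rolling-lifetime interpretation are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

DISABLED = "disabled"  # the 'disabled' value of a disablable-token-time-to-live
Ttl = Union[int, str]


@dataclass
class EphemeralClientSettings:
    # Values from the parameter table (defaults as documented).
    access_token_ttl: int = 300
    refresh_token_ttl: Ttl = 3600
    refresh_token_max_rolling_lifetime: Optional[int] = None
    require_id_token_encryption: bool = False
    localhost_allowed: bool = False
    # Assumed profile-level context needed to evaluate the documented constraints.
    profile_openid_connect_enabled: bool = False
    allowed_scopes: List[str] = field(default_factory=list)


def refresh_token_expiry(first_issued_at: int, now: int,
                         settings: EphemeralClientSettings) -> Optional[int]:
    """Expiry (epoch seconds) of a refresh token issued at `now` in a rotation
    chain that started at `first_issued_at`. Returns None when refresh tokens
    are disabled. Assumed interpretation of the table: every new token gets
    refresh-token-ttl, capped so the chain as a whole never outlives
    refresh-token-max-rolling-lifetime measured from the first issuance."""
    if settings.refresh_token_ttl == DISABLED:
        return None
    expiry = now + int(settings.refresh_token_ttl)
    if settings.refresh_token_max_rolling_lifetime is not None:
        expiry = min(expiry, first_issued_at + settings.refresh_token_max_rolling_lifetime)
    return expiry


def validate(settings: EphemeralClientSettings) -> List[str]:
    """Return violations of the documented constraints plus settings a reviewer
    would want flagged. An empty list means the configuration is consistent."""
    findings: List[str] = []
    if settings.require_id_token_encryption:
        if not settings.profile_openid_connect_enabled:
            findings.append("require-id-token-encryption needs OpenID Connect enabled on the profile")
        if "openid" not in settings.allowed_scopes:
            findings.append("require-id-token-encryption needs the openid scope allowed for ephemeral clients")
    if settings.refresh_token_ttl == DISABLED and settings.refresh_token_max_rolling_lifetime is not None:
        findings.append("refresh-token-max-rolling-lifetime has no effect: refresh tokens are disabled")
    if settings.refresh_token_ttl != DISABLED and settings.refresh_token_max_rolling_lifetime is None:
        findings.append("no refresh-token-max-rolling-lifetime: nothing bounds the total lifetime of a rotated refresh-token chain")
    if settings.localhost_allowed:
        findings.append("localhost-allowed is set: loopback client IDs are accepted (development setting)")
    return findings


if __name__ == "__main__":
    # Constructed sample: one-hour refresh tokens, one-day rolling cap.
    cfg = EphemeralClientSettings(refresh_token_ttl=3600,
                                  refresh_token_max_rolling_lifetime=86400,
                                  profile_openid_connect_enabled=True,
                                  allowed_scopes=["openid"])
    for t in (0, 3000, 84000):
        print(f"refresh at t={t:>5}: new token expires at {refresh_token_expiry(0, t, cfg)}")
    for finding in validate(EphemeralClientSettings(require_id_token_encryption=True,
                                                    localhost_allowed=True)):
        print("finding:", finding)
```

Running it shows the third refresh being capped at 86400 rather than 87600, which is the behaviour the table describes for `refresh-token-max-rolling-lifetime`; the validation pass flags the dependency of `require-id-token-encryption` on OpenID Connect and the `openid` scope before the server would.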
Subsections
| Name | Type | Description |
|---|---|---|
| capabilities | Section | None |
| client-authentication-method | Section | Configures how ephemeral clients can authenticate to the token, introspection and other endpoints. |
| scopes | Section | The scopes that ephemeral clients may request. |
| authenticators | Section | The authenticators that ephemeral clients may authenticate with. |
| cache | Section | Enables caching of client ID metadata documents. |
| client-id-restrictions | Section | Rules restricting which client IDs the server accepts for ephemeral clients. |
| user-consent | Section | When set, the user is asked to accept the delegation via a consent screen. |