Ephemeral-client (Section)#
Path: /profiles/profile/settings/authorization-server/ephemeral-client
Enables the Ephemeral clients feature.
Parameters#
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| require-secured-authorization-response | empty | optional | - | If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification |
| require-request-object | empty | optional | - | If set, all authorization requests made by ephemeral clients must include a request object |
| require-id-token-encryption | empty | optional | - | If set, ephemeral clients must register with ID token encryption settings. Requires OpenId Connect to be enabled for the profile and the openid scope to be allowed by ephemeral clients. |
| jwks-uri-same-origin | boolean | optional | true | When enabled, the jwks_uri in the Client ID Metadata Document must have the same origin (scheme/host/port) as the client_id. Defaults to true. |
| informational-uris-same-origin | boolean | optional | true | When enabled, the informational URIs in the Client ID Metadata Document (logo_uri, policy_uri, tos_uri) must have the same origin (scheme/host/port) as the client_id. Defaults to true. Disable to allow these URIs to be served from a different origin, e.g. a CDN. |
| access-token-ttl | uint32 | optional | 300 | The number of seconds an access token will be valid |
| refresh-token-ttl | union (uint32 | enumeration (disabled)) | optional | 3600 | The number of seconds a refresh token will be valid. If set to ‘disabled’, no refresh tokens will be issued |
| refresh-token-max-rolling-lifetime | union (uint32 | enumeration (disabled)) | optional | - | When set, the refresh-token-ttl is used to set the expiration of new refresh tokens, until this max value is reached. |
| reuse-refresh-tokens | boolean | optional | - | Defines if refresh tokens are created on every refresh or if they are kept, when set this takes precedence over profile setting (reuse-refresh-tokens), when not set profile setting applies |
| id-token-ttl | uint32 | optional | - | The number of seconds an id token will be valid. If not set, the profile-setting is used. |
| require-pushed-authorization-requests | empty | optional | - | Clients must use PARs; if this is not enabled here, the profile settings for require-pushed-authorization-requests are followed. |
| database-scopes | empty | optional | - | Enable if database scopes can be used with ephemeral clients. Enabling it does not mean that all database scopes can be used with ephemeral clients. Enabling it only allows the database scopes that are explicitly set to be usable with ephemeral clients |
| localhost-allowed | empty | optional | - | If enabled, allows ephemeral client IDs (and their redirect_uris) to be localhost or loopback addresses. |
| http-client | leafref → /base:facilities/base:http/base:client/base:id | optional | - | The client that will be used to fetch the client ID metadata documents and possibly other resources (i.e. JWKS for client authentication). If not set, the default HTTP client will be used |
Subsections#
| Name | Type | Description |
|---|---|---|
| capabilities | Section | |
| client-authentication-method | Section | Configures how ephemeral clients can authenticate to token, introspect, etc. endpoints. |
| scopes | Section | The config scopes that ephemeral clients may request. |
| authenticators | Section | The authenticators that ephemeral clients may authenticate with |
| redirect-uri-validation | Section | Controls which redirect_uris an ephemeral client may register in its Client ID Metadata Document. Only applies when the code capability is enabled. |
| cache | Section | Enable caching of Client ID metadata documents |
| client-id-restrictions | Section | Rules to restrict what client IDs for ephemeral clients will the server accept. |
| user-consent | Section | When set, the user is asked to accept the delegation via a consent screen. |