Client Configuration Settings#
OAuth Clients can have a large number of different configuration settings depending on their Client Capabilities and purpose.
This page explains which settings are available and how to use them.
General Settings#
Client ID#
A Client is identified by a client_id. This value is used throughout internal and external systems and hence cannot be
changed.
When choosing a value for client_id, whitespace characters are prohibited.
Other than that, all printable ASCII characters are allowed, and there is no technical limit on the length of the client_id value.
While the Admin UI treats some special characters differently, a client_id value can always be set through
the CLI or through RESTCONF.
Client Name#
Human readable name for the client.
This name is for client management purposes only and is not used by the system otherwise.
Client Description#
Human readable description for the client.
This description is for client management purposes only and is not used by the system otherwise.
Logo#
A logo (image) of the client that can be shown in user interface templates.
Redirect URIs#
The URIs that can be used by the client once it’s finished performing an authorization flow and wants to redirect back to the application.
Required by Capabilities:
- Authorization Code
- Implicit
Client Capabilities#
The Client Capabilities enable features for the Client. At least one Capability must be chosen.
See Client Capabilities.
Client Authentication Method#
The authentication method the Client will use to authenticate against the Curity Identity Server.
Public clients can use the no-authentication method.
See Client Authentication Methods.
Scopes and Claims#
The scopes that may be used by the client.
Only scopes defined in the Token Profile may be selected.
Claims can also be configured using the Token Designer, but only the scopes are part of the Client Configuration.
A Claims Mapper can be selected for use when adding claims to tokens. The mapper decides what claims end up in which token or response. The claims themselves are defined in the scopes. If not set, a default mapper is used.
User Authentication#
OAuth clients that require user authentication may be configured with the following properties:
| Parameter Name | Mandatory | Description |
|---|---|---|
| allowed-authenticators | No | The authenticators to be used by this client (referenced by ID). If not set, all authenticators are allowed. |
| authenticator-filters | No | Any authenticator filters to be used by this client. |
| template-area | No | Allows specifying template area overrides to override some (or all) of the templates being used. |
| required-claim | No | A mandatory claim. |
| context-info | No | A message that can be shown to users during authentication. |
| force-authn | No | Whether user authentication is forced at all times. |
| freshness | No | Maximum age in seconds after which re-authentication must take place. |
| allowed-origins | No | List of URIs or URI patterns that are allowed to embed the rendered pages inside an iframe or be a trusted source. See Service Providers framability for details. |
Security#
Credential Manager#
The optional Credential Manager to use when authenticating the user via Resource Owner Password Credentials.
Only available with Capabilities:
- Resource Owner Password Credentials
Allowed Origins#
The optional list of URIs or URI-patterns that are allowed to embed the rendered pages inside an iframe, be a trusted source or be used for CORS.
Only available with Capabilities:
- Authorization Code
- Implicit
- Assisted Token
- Device Authorization
Redirect URI Validation Policy#
The redirect URI validation policy to use for this client.
Setting this value overrides the Token Profile’s default redirect URI Validation Policy.
User Consent#
When enabled, the user is asked to accept the Authorization Grant via a consent screen.
Only available with Capabilities:
- Authorization Code
- Implicit
- Assisted Token
- Device Authorization
Request Object JWT Support#
Enables Request Object support, where the client sends the request parameters in a JWT.
If enabled, a request object JWT MUST be provided by the client.
See OpenID Request Parameters.
Require Proof Key#
Proof Key for Code Exchange, RFC 7636 (PKCE), is a measure for preventing authorization code interception.
That attack targets client platforms that allow a malicious application to register itself as a handler for the custom URI scheme used by the legitimate app, so that it receives the authorization code returned in the Authorization Code Grant flow.
Only available with Capabilities:
- Authorization Code
Disallowed Proof Key Challenge Methods#
A list of proof key challenge methods the client is not allowed to use. Useful when one of the methods provided by the server is deemed insecure for the intended client.
This setting is merged with the Profile-level setting.
For example, if the Token Profile disallows plain and the client disallows S256, then both methods are disallowed for the client.
Only available with Capabilities:
- Authorization Code
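To make the Require Proof Key and Disallowed Proof Key Challenge Methods settings concrete, here is an added example (not code from Curity or this documentation) of the checks an authorization server performs: merging the profile-level and client-level disallowed lists, accepting or rejecting an authorization request according to them, and recomputing the S256 challenge at the token endpoint so that an intercepted code alone cannot be redeemed. Function and parameter names are this example's own.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def effective_disallowed_methods(profile_disallowed, client_disallowed) -> frozenset:
    # The client-level list is merged with the Token Profile's list: a method
    # disallowed at either level is disallowed for this client.
    return frozenset(profile_disallowed) | frozenset(client_disallowed)


def new_code_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes
    # encode to exactly 43 base64url characters.
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def check_authorization_request(challenge, method, require_proof_key, disallowed):
    """Authorization endpoint policy check. Returns (accepted, reason)."""
    if challenge is None:
        if require_proof_key:
            return False, "Require Proof Key is enabled but no code_challenge was sent"
        return True, "no proof key sent; not required for this client"
    if method in disallowed:
        return False, f"code_challenge_method {method} is disallowed for this client"
    return True, f"proof key accepted with {method}"


def check_token_request(stored_challenge, stored_method, verifier) -> bool:
    """Token endpoint: recompute the challenge from the presented code_verifier."""
    if stored_challenge is None:
        return True  # the authorization request carried no proof key
    if verifier is None:
        return False  # an interceptor holding only the code cannot redeem it
    expected = code_challenge(verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)
```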
Require Pushed Authorization Requests#
Enables Pushed Authorization Requests, RFC 9126 (PAR), which requires the client to use Pushed Authorization Requests when starting a code flow.
Only available with Capabilities:
- Authorization Code
Require Secured Authorization Response#
If enabled, all authorization responses need to be protected according to the JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) specification.
Only available with Capabilities:
- Authorization Code
- Implicit
User Authentication#
Freshness#
Optional maximum age in seconds after which re-authentication must take place.
Force Re-authentication#
If enabled, user authentication is forced at all times.
Front Channel Logout URI#
Optional URI of the client that is called upon user logout when attempting front channel logout.
Requires OpenID Connect to be enabled.
Back Channel Logout URI#
Optional URI of the client that is called upon user logout when attempting back channel logout.
Requires OpenID Connect to be enabled.
Allowed Post Logout Redirect URIs#
Optional list of URIs that are allowed for the client to use as post-logout redirect URI.
All URIs must be absolute and contain no fragments.
Requires OpenID Connect to be enabled.
HTTP Client (Logout)#
The HTTP client that will be used when delivering the logout token to the Back Channel Logout URI.
Authenticator Filters#
Optional list of Authenticator Filters for this client.
Required Claims#
Optional list of named claims that the authenticator must require when authenticating the user.
Template Area and Themes#
An optional Template Area or Theme to apply to this Client. If they have the same name, both will be applied.
Contextual Authentication Information#
Information that is displayed to the user when authenticating on behalf of this client.
Locale#
Determines the OAuth client’s default Locale.
Token Settings#
Audience#
The intended audiences for tokens obtained by the client.
The first element is the default. If none are stipulated, the ID of the client will be used as the audience.
Access Token Time to Live#
The number of seconds an access token issued for this client will be valid.
ID Token Time to Live#
The number of seconds an ID token issued for this client will be valid.
If not set, the Token Profile setting is used.
Refresh Token#
Enable Refresh Tokens.
Refresh Token Time to Live#
The number of seconds a Refresh token issued for this client will be valid.
Rolling Refresh Token#
When enabled, the Refresh Token TTL is used to set the expiration of new refresh tokens, until the Refresh Token Maximum Rolling Lifetime value is reached.
Reuse Refresh Token#
When enabled, refresh tokens are not re-issued so that the client can keep its initial refresh token.
An option is provided to use the Token Profile’s setting.
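As an added illustration of the Rolling Refresh Token and Reuse Refresh Token settings above (example code, not Curity's implementation), the function below decides what a refresh grant hands back: the same token when reuse is enabled, a new token whose expiry is the TTL from now but never later than the chain's maximum rolling lifetime when rolling is enabled, and nothing once the current token has expired. The dataclass names are this example's own, and the non-rolling branch (a re-issued token keeping the remaining lifetime) is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass(frozen=True)
class RefreshToken:
    value: str
    issued_at: int          # epoch seconds
    expires_at: int         # epoch seconds
    chain_started_at: int   # issue time of the first token in this rolling chain


@dataclass(frozen=True)
class RefreshPolicy:
    ttl: int                              # Refresh Token Time to Live (seconds)
    rolling: bool                         # Rolling Refresh Token
    max_rolling_lifetime: Optional[int]   # Refresh Token Maximum Rolling Lifetime, None = uncapped
    reuse: bool                           # Reuse Refresh Token


def issue_initial(policy: RefreshPolicy, now: int) -> RefreshToken:
    """First refresh token of a chain, issued together with the initial access token."""
    return RefreshToken(secrets.token_urlsafe(32), now, now + policy.ttl, now)


def on_refresh(policy: RefreshPolicy, current: RefreshToken, now: int) -> Optional[RefreshToken]:
    """Refresh token returned to the client after a refresh grant, or None when rejected."""
    if now >= current.expires_at:
        return None  # expired tokens are never extended
    if policy.reuse:
        # Not re-issued: the client keeps its initial refresh token and its expiry.
        return current
    if policy.rolling:
        expires_at = now + policy.ttl
        if policy.max_rolling_lifetime is not None:
            # The new expiry never passes the end of the chain's maximum rolling lifetime.
            expires_at = min(expires_at, current.chain_started_at + policy.max_rolling_lifetime)
    else:
        # Assumption for this example: a non-rolling re-issued token keeps the remaining lifetime.
        expires_at = current.expires_at
    return RefreshToken(secrets.token_urlsafe(32), now, expires_at, current.chain_started_at)
```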
ID Token Encryption#
Enable ID Token encryption.
Key Management Algorithm#
The encryption algorithm for encrypting the content encryption key. Only asymmetric algorithms are supported.
Content Encryption Algorithm#
The encryption algorithm used to encrypt the payload of the JWE token.
Encryption Key#
A key to be used for encrypting ID Tokens.
Signed Userinfo#
Enable support for returning userinfo as a signed JWT.
Userinfo Token Issuer#
A Token Issuer with a purpose of userinfo.
Use Pairwise Subject Identifiers#
Enable this when the client must always be issued Pairwise Pseudonymous Subject Identifiers instead of public identifiers.
See Pairwise Pseudonymous Identifiers (PPID).
Sector Identifier#
The sector identifier from which the pairwise pseudonym is derived, i.e. the pairwise pseudonym is defined for the pair of sector identifier and subject: two clients sharing a sector identifier receive the same pseudonym for a given user, while clients with different sector identifiers receive different ones.
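An added example (not Curity's code) of how the Use Pairwise Subject Identifiers and Sector Identifier settings interact: the effective sector is the configured Sector Identifier or, failing that, the single host shared by the client's Redirect URIs, and the subject handed to the client is then derived from that sector and the user's subject. The derivation itself (HMAC-SHA256 keyed with a server-side salt) is an assumption in the spirit of OIDC Core 8.1, and the sample clients are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def sector_identifier(client: dict) -> str:
    """Effective sector: the configured Sector Identifier wins; otherwise the one
    host all Redirect URIs share (several hosts require an explicit Sector Identifier)."""
    if client.get("sector_identifier"):
        return client["sector_identifier"]
    hosts = {urlparse(u).hostname for u in client["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("redirect URIs span several hosts; set a Sector Identifier")
    return hosts.pop()


def subject_for(client: dict, subject: str, salt: bytes) -> str:
    """Public subject unless Use Pairwise Subject Identifiers is enabled for the client."""
    if not client.get("use_pairwise_subject_identifiers", False):
        return subject
    # Assumption for this example: HMAC-SHA256 over sector || subject, keyed with a
    # server-side salt (the construction OIDC Core 8.1 suggests, not Curity's actual one).
    msg = f"{sector_identifier(client)}\x00{subject}".encode("utf-8")
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


# Constructed sample clients, not real configuration. APP_A and APP_B share a sector
# although their Redirect URIs differ; APP_C is a separate sector; PUBLIC_APP is not pairwise.
APP_A = {"redirect_uris": ["https://app.example.com/cb"], "use_pairwise_subject_identifiers": True}
APP_B = {"redirect_uris": ["https://other.example.net/cb"], "sector_identifier": "app.example.com",
         "use_pairwise_subject_identifiers": True}
APP_C = {"redirect_uris": ["https://third.example.org/cb"], "use_pairwise_subject_identifiers": True}
PUBLIC_APP = {"redirect_uris": ["https://app.example.com/cb"]}
```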
Application#
Application URL#
This URL is used if a request is made to the OAuth server without the parameters necessary to initiate authentication. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction.
Privacy Policy URL#
An absolute URL that refers to the privacy policy for the client.
Terms of Service URL#
An absolute URL that refers to the terms of service of the client.
Client Properties#
List of properties that can be configured on a client.
These properties can be used from procedures to retrieve properties of the configured client.