Client Capabilities
Client Capabilities define what kinds of actions should be allowed for a given client.
The capabilities can be broadly divided into two types:
- grant types: enable particular authorization flows (for example the Authorization Code Grant).
- token types: define what a client is allowed to do with tokens it has obtained, such as introspecting or exchanging them.
The table below describes each client capability:
| Capability | Type | Description |
|---|---|---|
| authorization-code | Grant type | Allows Authorization Code Grant |
| implicit | Grant type | Allows Implicit Grant |
| resource-owner-password-credentials | Grant type | Allows Resource Owner Password Credentials Grant |
| client_credentials | Grant type | Allows Client Credentials Grant |
| assisted-token | Grant type | Allows Assisted Token Grant |
| ciba | Grant type | Allows Backchannel Authentication Grant |
| introspection | Token | Allows Token Introspection |
| token-exchange | Token | Allows Token Exchange |
| device-flow | Token | Allows Device Flow |
Configuring Client Capabilities
Before being added to a Client, a Capability must be configured in the Token Profile:
Admin UI → Profiles → Oauth → Oauth Dev → Client Settings
Configure Client Capabilities in the Token Profile.
The screenshot below shows how to enable the Code Flow capability:

Many Client Capabilities don't require any further configuration; switching them on is enough.
Only Client Capabilities that have been enabled in the Token Profile are available to configure on individual OAuth Clients.
Adding Capabilities to Clients
Once the Profile has been configured, individual clients may be configured with one or more of the enabled Capabilities.
Admin UI → Profiles → Oauth → Oauth Dev → Clients → Client
Configure Client Capabilities in the Token Profile.

A client with the Capabilities shown above would be able to perform the Client Credentials OAuth flow, for example, but not the Device Flow, since it has no such Capability.
For Dynamic Clients, the `grant_types` values are mapped to the equivalent Client Capability.
Hybrid Capabilities
OpenID Connect defines a set of flows referred to as hybrid flows. These are not entirely new flows but rather, as the name suggests, combinations of available flows such as authorization code and implicit.
These are not defined as separate capabilities in the Curity Identity Server, but will automatically be allowed if OpenID Connect is enabled and the capabilities involved are allowed separately.
To continue with the example: if both the `authorization-code` and `implicit` capabilities are allowed for a client, OpenID Connect is allowed on the profile, and the client is granted the `openid` scope, then hybrid flows such as the `token code id_token` response type are allowed automatically.
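The checks described in the two sections above (a client may only use capabilities that are both enabled in the profile and added to the client, `grant_types` of a dynamic client mapping onto capabilities, and hybrid response types being allowed only when both underlying capabilities, OpenID Connect and the `openid` scope are present) as a small policy model. This is an added example, not Curity Identity Server code; the `GRANT_TYPE_TO_CAPABILITY` mapping and the fail-closed behaviour for unknown grant types are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping from standard grant_types values (RFC 7591, CIBA, device flow,
# token exchange) to the capability names in the table above; illustrative only.
GRANT_TYPE_TO_CAPABILITY = {
    "authorization_code": "authorization-code",
    "implicit": "implicit",
    "password": "resource-owner-password-credentials",
    "client_credentials": "client_credentials",
    "urn:openid:params:grant-type:ciba": "ciba",
    "urn:ietf:params:oauth:grant-type:device_code": "device-flow",
    "urn:ietf:params:oauth:grant-type:token-exchange": "token-exchange",
}

@dataclass
class Profile:
    enabled_capabilities: set      # capabilities switched on in the Token Profile
    openid_connect: bool = False   # OpenID Connect allowed on the profile

@dataclass
class Client:
    capabilities: set              # capabilities added to this client
    scopes: set = field(default_factory=set)

def grant_allowed(profile, client, capability):
    """A client may use a capability only if the profile enables it AND the client has it."""
    return capability in profile.enabled_capabilities and capability in client.capabilities

def capabilities_for_dynamic_client(profile, grant_types):
    """Map a dynamic client's grant_types to capabilities, failing closed on any
    value that is unknown or not enabled in the profile (assumed behaviour)."""
    caps = set()
    for grant_type in grant_types:
        cap = GRANT_TYPE_TO_CAPABILITY.get(grant_type)
        if cap is None or cap not in profile.enabled_capabilities:
            raise ValueError(f"grant_type {grant_type!r} is not available in this profile")
        caps.add(cap)
    return caps

def response_type_allowed(profile, client, response_type):
    """Authorization-endpoint check: a hybrid response_type is not a capability of its
    own but needs authorization-code AND implicit, OIDC on the profile and the openid scope."""
    parts = set(response_type.split())
    if parts == {"code"}:
        return grant_allowed(profile, client, "authorization-code")
    if parts and parts <= {"token", "id_token"}:
        return grant_allowed(profile, client, "implicit")
    if "code" in parts and parts <= {"code", "token", "id_token"}:
        return (grant_allowed(profile, client, "authorization-code")
                and grant_allowed(profile, client, "implicit")
                and profile.openid_connect and "openid" in client.scopes)
    return False  # unknown or malformed response_type: fail closed
```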