Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
OAuth 1.0 requires that the protected resources endpoints have access to the client credentials in order to validate the request. This breaks the typical architecture of most large providers in which a centralized authorization server is used for issuing credentials, and a separate server is used for handling API calls. Because OAuth 1.0 requires the use of the client credentials to verify the signatures, it makes this separation very hard.
OAuth 2.0 addresses this by using the client credentials only when the application obtains authorization from the user. After the credentials are used in the authorization step, only the resulting access token is used when making API calls. This means the API servers do not need to know about the client credentials since they can validate access tokens themselves.
Authority is an authentication solution built with the Crystal programming language. It offers robust authentication features, including OAuth grants and customizable authentication logic. The following documentation will guide you through the installation, configuration, and usage of the Authority project.
A OAuth2 Server, sometimes also referred to as an OAuth 2.0 Server, OAuth Server, Authorization Server, is a software system that implements network protocol flows that allow a client software applica
Authority is an OAuth 2 Server, sometimes also referred to as an OAuth 2.0 Server, OAuth Server, Authorization Server, is a software system that implements network protocol flows that allow a client software application to act on behalf of a user.
Authority is an OpenID OAuth 2.0 Server and OpenID Connect Provider written in Crystal optimized for low-latency, high throughput, and low resource consumption. Authority has a built in identity provider user login.
Authority is an open source API security for your infrastructure.
Authority follows architecture principles that work best on container orchestration systems such as Kubernetes, CloudFoundry, OpenShift, and similar projects. While it is possible to run the Authority stack on a RaspberryPI, the integration with the Docker and Container ecosystem is best documented and supported.
Authority's architecture is designed along several guiding principles:
Minimal dependencies (no system dependencies; might need a database backend)
Runs everywhere (Linux, macOS, FreeBSD, Windows; AMD64, i386, ARMv5, ...)
Scales without effort (no memcached, etcd, required, ...)
Minimize room for human and network errors
Implementing and using OAuth2 without understanding the whole specification is challenging and prone to errors, even when SDKs are being used. The primary goal of Authority is to make OAuth 2.0 and OpenID Connect 1.0 better accessible.
The Authority implements five grants for acquiring an access token:
Authorization code Grant
Implicit Grant
Resource owner credentials grant
Client credentials grant
Refresh token Grant
Device Token Grant
The following RFCs are implemented:
Authority differentiates itself in the following key areas:
Everything is developed and licensed under Open Source Principles, allowing you to participate, collaborate, and understand the inner workings of Authority.
You can bring your own UI, in the programming language of your choosing, with the user experience that you like.
From designing Identity Schemas, to webhooks, to advanced configuration options - Authority is fully customizable.
Authority spans the whole authentication and authorization real with well-designed APIs:
Identity Management
Session management
Flows for login
Registration
Account recovery & verification
Mfa, and many more.
Security is a critical aspect of the Authority authentication system. Below are some key considerations:
Token Management: Ensure that OAuth tokens are stored securely and are not exposed to unauthorized users.
Access Control: Implement proper access control mechanisms to ensure that only authorized users can access sensitive data.
Encryption: Always use HTTPS to encrypt communication between the client and the server.
Authority provides a simple yet flexible authentication system using OAuth.
Register your application with the desired OAuth provider.
Obtain the client ID and client secret.
Set these in the environment variables OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET.
Users will be redirected to the OAuth provider for authentication.
Once authenticated, the provider will return an authorization code.
This code can be exchanged for an access token, which can be used for further API requests.
Invalid OAuth Token: Ensure the token has not expired and is correctly included in the Authorization header.
Database Connection Failed: Check that the DATABASE_URL environment variable is set correctly.
Check the logs for detailed error messages and follow standard Crystal debugging practices to resolve issues.
Authority exposes several API endpoints for authentication. Below are some key endpoints:
POST /auth/login: Authenticate a user and obtain a token.
GET /auth/user: Retrieve authenticated user details.
POST /auth/logout: Log out a user.
Each endpoint accepts and returns JSON data. Ensure that you include the correct OAuth token in the Authorization header for protected routes.
You can modify the default behavior of the Authority authentication system by extending the authentication logic.
To add a custom OAuth provider, modify the OAuth::Client configuration in the src/auth.cr file:
This allows you to connect to other OAuth providers or implement custom authentication logic.
The Authority project includes several important configuration files located in the src/config directory. These files define settings for key components of the application, including sessions, authentication, and the overall system behavior.
The session.cr file handles session management for the application. Sessions are crucial for maintaining user state between requests, especially in authentication systems.
Key settings:
Session duration: Define how long a session should remain active before expiring.
Storage options: Configure where session data is stored (e.g., in-memory or database-backed).
You can adjust session behavior based on your requirements by modifying this file.
The authly.cr file is responsible for authentication-related settings. This includes OAuth configuration and other authentication logic.
Key settings:
OAuth client configuration: Define client IDs, secrets, and other OAuth-specific settings.
Authentication flows: Customize how the system handles different types of authentication (e.g., token-based or session-based).
The clear.cr file likely manages caching and clearing of session data or other temporary data. This file ensures that outdated session data or cache entries are purged efficiently.
Key settings:
Cache expiration: Define when cached data should be invalidated.
Manual clearing options: Set up specific points where data is cleared to optimize performance.
The authority.cr file contains the main configurations for the Authority authentication system. This file ties together various authentication and authorization components.
Key settings:
General system settings: Configure global behavior for the Authority system.
Custom provider options: Define how different authentication providers are integrated with the system.
To customize any of these settings, simply open the corresponding configuration file in the src/config directory and adjust the necessary parameters. Be sure to restart the application after making changes to ensure that the new configurations are applied.
Client providers are responsible for managing OAuth clients in the Authority authentication system. They represent applications that request access to user resources on behalf of the users.
To set up a client provider, you'll need to configure Authly config/authly.cr settings for your application. This is typically done by defining a Client Provider class that has access to the registered client data.
Example:
Once configured, your application can initiate the OAuth flow by redirecting users to the provider's authorization page. Here's an example of how the flow works:
The user is redirected to the OAuth provider.
After authentication, the user is redirected back to your application with an authorization code.
Use this code to request an access token.
In your CLIENT application, you must use the client_id and client_secret generated by the provider
Client providers allow your application to securely interact with OAuth providers on behalf of users.
Performing HTTP client requests with OAuth2 authentication https://crystal-lang.org/api/1.13.3/OAuth2.html
This project requires
Crystal Language - find the installation instructions here https://crystal-lang.org/install/
Docker and Docker-Compose - https://docs.docker.com/engine/install/
Geckodriver - Needed for specs https://www.softwaretestinghelp.com/geckodriver-selenium-tutorial/
Owner providers in the Authority system represent the resource owners—typically the users who own the data or resources being accessed. They play a crucial role in controlling access to their resources.
To configure an owner provider, you need to establish ownership models in your application. This usually involves mapping user records to resources that they own.
In your database schema, make sure that resources have an owner_id field that corresponds to the user who owns the resource.
Once the ownership structure is in place, you can enforce access control rules by checking whether the currently authenticated user is the owner of the resource they are trying to access.
Example in Crystal:
Owner providers help implement fine-grained access control mechanisms, ensuring that users can only access the resources they own.
This document describes the syntax and semantics of the template engine and will be most useful as a reference to those modifying the Authority templates. As the template engine is very flexible.
The Managed UI implements screens such as login, registration, account recovery, account setting, and account verification. This allows for fast adoption of Authority.
Contrary to other vendors, Authority allows you to implement your own UI by offering simple HTML templates. You can change the look of Authority signin and authorize HTML pages.
The public directory contains all the front-end CSS and HTML-related files that compose the user interface for Authority. These are small easy to understand files that are clearly named for easy adoption.
Just edit the ./public/templates/signin.html and ./public/templates/authorize.html
HTML (jinja) TemplatesA template contains variables and/or expressions, which get replaced with values when a template is rendered; and tags, which control the logic of the template.
Below is a minimal template that illustrates a few basics using the default Jinja configuration. We will cover the details later in this document:
Learn more about the template syntax and capabilities at https://jinja.palletsprojects.com/en/3.0.x/templates/ and https://shards.info/github/straight-shoota/crinja
This section documents all the available API endpoints in the Authority project. Each endpoint serves a specific purpose, such as managing OAuth clients, handling user sessions, or authorizing users.
The clients endpoints manage OAuth clients that represent applications interacting with the Authority system.
POST /clients: Create a new OAuth client.
Example Request:
Example Response:
GET /clients: Retrieve a list of registered OAuth clients.
Example Response:
The owner endpoints manage resource owners, allowing the Authority system to verify and manage access to resources owned by users.
GET /owner: Retrieve information about the authenticated resource owner.
Example Response:
The sessions endpoints manage user sessions, including login and logout functionality.
POST /sessions/login: Authenticate a user and create a session.
Example Request:
Example Response:
POST /sessions/logout: Log out the authenticated user and invalidate the session.
Example Response:
The authorize endpoints manage the OAuth authorization flow.
GET /authorize: Redirect users to the OAuth provider for authorization.
Example Response: Redirects the user to the OAuth provider's login page.
POST /authorize: Handle the authorization code returned by the OAuth provider and exchange it for an access token.
Example Request:
Example Response:
The device endpoints manage device-specific interactions, such as registering or authenticating devices.
POST /device/register: Register a new device.
Example Request:
Example Response:
The access_token endpoints handle the management of access tokens, including issuing, refreshing, and revoking tokens.
POST /access_token: Exchange an authorization code for an access token.
Example Request:
Example Response:
POST /access_token/revoke: Revoke an access token.
Example Request:
Example Response:
The health_check.cr endpoint is used to check the health of the Authority service.
GET /health_check: Returns the status of the service.
Example Response:
As a refresher here is a quick glossary of OAuth terms (taken from the core spec):
Resource owner (a.k.a. the User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource server (a.k.a. the API server) - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client - An application making protected resource requests on behalf of the resource owner and with its authorization. The term client does not imply any particular implementation characteristics (e.g. whether the application executes on a server, a desktop, or other devices).
Authorization server - The server issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
An access token represents permission granted to a client to access some protected resources.
If you authorize a machine to access resources and don’t require user permission to access said resources, you should implement the client credentials grant.
Whether or not the client is capable of keeping a secret will depend on which grant the client should use.
If the client is a web application with a server-side component, you should implement the authorization code grant.
If the client is a web application that has runs entirely on the front end (e.g., a single page web application), you should implement the password grant for first -arty clients and the implicit grant for a third party clients.
If the client is a native application such as a mobile app, you should implement the password grant.
A first-party client is a client that you trust enough to handle the end user’s authorization credentials. For example, Spotify’s iPhone app is owned and developed by Spotify; therefore, they implicitly trust it.
A third-party client is a client that you don’t trust.
The project specifications can be found in the specs directory. Use the directory to get an idea of the project capabilities and configuration.
Running Specs
If you have all the requirements installed, running the specs should be fairly simple. Run the following commands to run the specs locally
Ensure you have a Postgres database process running with the correct credentials
Headless Mode
Specs run using the Flux shard, this allows for browser testing. Currently, the configuration is set to run headless by default, which means that you will not see the browser interactions, if you wish to change this behavior simply remove the `-headless` parameter for the spec/flows files
This tutorial walks you through a quick setup of Authority, a PostgreSQL instance, and a simple User Login & Consent App based on Docker Compose. You need to have the latest and version installed.
Authority project contains a simple Dockerfile that compiles and builds a simple docker image with little to no dependencies.
To start using Authority run the following command
To change the Authority server configuration change the local.env file
A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end-user will be using, and the experience you want for your users.
Dive into the specifics of each OAuth 2 Flow implementation
The OAuth 2.0 “Device Flow” extension enables OAuth on devices that have an Internet connection but don’t have a browser or an easy way to enter text.
This flow is seen on devices such as smart TVs, media consoles, picture frames, printers, or hardware video encoders. In this flow, the device instructs the user to open a URL on a secondary device such as a smartphone or computer in order to complete the authorization. There is no communication channel required between the user’s two devices.
First, the client makes a request to the authorization server to request the device code.
POST http://app.com/device/code
The client makes a request to the authorization server to request the device code.
| Name | Type | Description |
|---|
Note that some authorization servers will allow the device to specify a scope in this request, which will be shown to the user later on the authorization interface.
After validating the client ID and scopes, the authorization server returns the response with the verification URL, device code, and user code. There are a few optional parameters that the authorization server can return in addition to the example given above.
device_code – Required, the verification code generated by the authorization server.
user_code – Required, the code the user will enter on the device screen should be relatively short. Typically 6-8 numbers and letters are used.
verification_uri – Required, the URL on the authorization server that the user should visit to begin authorization. The user is expected to hand-enter this URL on their computer or mobile phone.
expires_in – Optional, the lifetime in seconds of the device code and user code.
interval – Optional, the minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
The device shows the verification_uri and user_code to the user on its display, directing the user to enter the code at that URL.
Visiting that URL after you’ve signed in to your account shows an interface that prompts you to enter the code that’s displayed on the device.
Meanwhile, the client should attempt to acquire an access token every few seconds (at a rate specified by interval) by POSTing to the access token endpoint on the authorization server.
While the device is waiting for the user to complete the authorization flow on their own computer or phone, the device meanwhile begins polling the token endpoint to request an access token.
POST https://app.com/device/token
The device makes a POST request with the device_code at the rate specified by interval. The device should continue requesting an access token until a response other than authorization_pending is returned, either the user grants or denies the request or the device code expires.
All server settings are defined using environment variables
| Name | Type | Description |
|---|
grant_type* | String | The Device Code grant type value is |
client_id* | String | The client id for which the device code was created |
code* | String | The value of |
client_id* | String | the client identifier |
scope | String | Define the scopes the application has access to |
The implicit grant is similar to the authorization code grant with two distinct differences.
It is intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret because all of the application code and storage are easily accessible.
Secondly, instead of the authorization server returning an authorization code that is exchanged for an access token, the authorization server returns an access token.
The client will redirect the user to the authorization server with the following parameters in the query string:
response_type with the value token
client_id with the client identifier
redirect_uri with the client redirect URI. This parameter is optional, but if not sent the user will be redirected to a pre-registered redirect URI.
scope a space delimited list of scopes
state with a CSRF token. This parameter is optional but highly recommended. You should store the value of the CSRF token in the user’s session to be validated when they return.
All of these parameters will be validated by the authorization server.
The user will then be asked to sign in to the authorization server and approve the client.
If the user approves the client they will be redirected back to the authorization server with the following parameters in the query string
Self-encoded tokens provide a way to avoid storing tokens in a database by encoding all of the necessary information in the token string itself. The main benefit of this is that API servers are able to verify access tokens without doing a database lookup on every API request, making the API much more easily scalable.
The benefit of OAuth 2.0 Bearer Tokens is that applications don’t need to be aware of how you’ve decided to implement access tokens in your service. This means it’s possible to change your implementation later without affecting clients.
A common technique for this is using the JSON Web Signature (JWS) standard to handle encoding, decoding and verification of tokens. The JSON Web Token (JWT) specification defines some terms you can use in the JWS, as well as defines some timestamp terms to determine whether a token is valid. We’ll use a JWT library in this example, since it provides built-in handling of expiration.
Environment Variable | Default Value | Description |
CRYSTAL_ENV | Development |
CRYSTAL_LOG_SOURCES | "*" |
CRYSTAL_LOG_LEVEL | debug |
CRYSTAL_WORKERS | 4 | the number of CPU cores to use |
PORT | 4000 |
PORT_REUSE | true |
HOST | 0.0;0.0 | Binds the server to a particular ip address on the host machine |
DATABASE_URL | postgres://auth_user:auth_pass@db:5432/authority_db?initial_pool_size=10&checkout_timeout=3P | PostgreSQL database connection URL |
SECRET_KEY | secret_key | The encryption key to use signed JWTs |
CODE_TTL | 5 | Duration in seconds |
ACCESS_TOKEN_TTL | 60 | Duration in seconds |
TEMPLATES_PATH | ./public/templates |
SESSION_KEY | session_id |
BASE_URL |
DEVICE_CODE_TTL | 300 | Duration in seconds |
SSL_CERT | "" |
SSL_KEY | "" |
SSL_CA | "" |
SSL_MODE | "" |
Access tokens eventually expire; however some grants respond with a refresh token which enables the client to get a new access token without requiring the user to be redirected.
eWhen you initially received the access token, it may have included a refresh token as well as an expiration time like in the example below.
The presence of the refresh token means that the access token will expire and you’ll be able to get a new one without the user’s interaction.
The “expires” value is the number of seconds that the access token will be valid. It’s up to the service you’re using to decide how long access tokens will be valid, and may depend on the application or the organization’s own policies. You can use this to preemptively refresh your access tokens instead of waiting for a request with an expired token to fail.
If you make an API request and the token has expired already, you’ll get back a response indicating as such. You can check for this specific error message, and then refresh the token and try the request again.
If you’re using a JSON-based API, then it will likely return a JSON error response with the invalid_token error. In any case, the WWW-Authenticate header will also have the invalid_token error.
When your code recognizes this specific error, it can then make a request to the token endpoint using the refresh token it previously received, and will get back a new access token it can use to retry the original request.
To use the refresh token, make a POST request to the service’s token endpoint with grant_type=refresh_token, and include the refresh token as well as the client credentials.
POST https::/app.com/token
The refresh token, make a POST request to the service’s token endpoint with grant_type=refresh_token, and include the refresh token as well as the client credentials.
If the request for an access token is valid, the authorization server needs to generate an access token (and optional refresh token) and return these to the client, typically along with some additional properties about the authorization.
For example, a successful token response may look like the following:
The format for OAuth 2.0 Bearer tokens is actually described in a separate spec, RFC 6750. There is no defined structure for the token required by the spec, so you can generate a string and implement tokens however you want. The valid characters in a bearer token are alphanumeric, and the following punctuation characters:
The simplest of all of the OAuth 2.0 grants, this grant is suitable for machine-to-machine authentication where a specific user’s permission to access data is not required.
The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. This is typically used by clients to access resources about themselves rather than to access a user's resources.
The following is an example authorization code grant the service would receive.
POST https://app.com/token
In some cases, applications may need an access token to act on behalf of themselves rather than a user. For example, the service may provide a way for the application to update their own information such as their website URL or icon, or they may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client_credentials grant type for this purpose.
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
The authorization code grant should be very familiar if you’ve ever signed into an application using your Facebook or Google account.
The authorization code grant is used when an application exchanges an authorization code for an access token. After the user returns to the application via the redirect URL, the application will get the authorization code from the URL and use it to request an access token. This request will be made to the token endpoint.
The client will redirect the user to the authorization server with the following parameters in the query string:
GET https://authorization-server.com/authorize
The client will redirect the user to the authorization server with the following parameters in the query string:
| Name | Type | Description |
|---|---|---|
You should first compare this state value to ensure it matches the one you started with. You can typically store the state value in a cookie or session, and compare it when the user comes back. This helps ensure your redirection endpoint isn't able to be tricked into attempting to exchange arbitrary authorization codes.
The parameters will be validated by the authorization server.
The user will then be asked to sign in to the authorization server and approve the client.
The user sees the authorization prompt
If the user approves the client they will be redirected from the authorization server back to the client (specifically to the redirect URI) with the following parameters in the query string:
code with the authorization code
state with the state parameter sent in the original request. You should compare this value with the value stored in the user’s session to ensure the authorization code obtained is in response to requests made by this client rather than another client application.
The Proof Key for Code Exchange (PKCE, pronounced pixie) extension describes a technique for public clients to mitigate the threat of having the authorization code intercepted. The technique involves the client first creating a secret, and then using that secret again when exchanging the authorization code for an access token. This way if the code is intercepted, it will not be useful since the token request relies on the initial secret.
Once the app has generated the code verifier, it uses that to create the code challenge. For devices that can perform a SHA256 hash, the code challenge is a BASE64-URL-encoded string of the SHA256 hash of the code verifier. Clients that do not have the ability to perform a SHA256 hash are permitted to use the plain code verifier string as the challenge.
Now that the client has a code challenge string, it includes that and a parameter that indicates which method was used to generate the challenge (plain or S256) along with the standard parameters of the authorization request. This means a complete authorization request will include the following parameters.
The PKCE extension does not add any new responses, so clients can always use the PKCE extension even if an authorization server does not support it.
Exchange the authorization code for an access token
To exchange the authorization code for an access token, the app makes a POST request to the service’s token endpoint. The request will have the following parameters.
POST https://my-auth-server.com/token
The server exchanges the authorization code for an access token by making a POST request to the token endpoint.
OAuth Security
Up until 2019, the OAuth 2.0 spec only recommended using the PKCE extension for mobile and JavaScript apps. The latest OAuth Security BCP now recommends using PKCE also for server-side apps, as it provides some additional benefits there as well. It is likely to take some time before common OAuth services adapt to this new recommendation, but if you’re building a server from scratch you should definitely support PKCE for all types of clients.
OpenID Connect provides user identity and authentication on top of the OAuth 2.0 framework. You can use OpenID Connect to establish a login session, and use OAuth to access protected resources.
You can request both an ID token and access token in the same flow in order to both authenticate the user as well as obtain authorization to access a protected resource.
OpenID Connect is maintained by the . The core OpenID Connect spec, as well as many extensions, can be read in full on .
The is a fantastic resource to help you build OpenID Connect requests and walk through the flows. Additionally, the provides a walkthrough of the OpenID Connect flow against a live server.
The Password grant is used when the application exchanges the user’s username and password for an access token.
This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.
A common use for this grant type is to enable password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application using their username and password, but third-party apps should never be allowed to ask the user for their password.
The following is an example password grant the service would receive.
See for details on the parameters to return when generating an access token or responding to errors.
When a developer comes to your website, they will need a way to create a new application and obtain credentials. Typically you will have them create a developer account, or create an account on behalf of their organization, before they can create an application.
While the OAuth 2.0 spec doesn’t require you to collect any application information in particular before granting credentials, most services collect basic information about an app, such as the app name and an icon, before issuing the client_id and client_secret. It is, however, important that you require the developer to register one or more redirect URLs for the application for security purposes. This is explained in more detail in .
Typically services collect information about an application such as:
Application name
An icon for the application
URL to the application’s home page
A short description of the application
A link to the application’s privacy policy
A list of redirect URLs
Client ID
The client_id is a public identifier for apps. Even though it’s public, it’s best that it isn’t guessable by third parties, so many implementations use something like a 32-character hex string. It must also be unique across all clients that the authorization server handles. If the client ID is guessable, it makes it slightly easier to craft phishing attacks against arbitrary applications.
Client Secret
The client_secret is a secret known only to the application and the authorization server. It must be sufficiently random to not be guessable, which means you should avoid using common UUID libraries which often take into account the timestamp or MAC address of the server generating it. A great way to generate a secure secret is to use a cryptographically-secure library to generate a 256-bit value and convert it to a hexadecimal representation.
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
-._~+/
Authorization
String
The client needs to authenticate themselves for this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.
grant_type*
String
A Parameter must be set to clienst_credentials.
scope
String
The service supports different scopes for the client credentials grant. In practice, not many services actually support this.
Authorization*
String
The client needs to authenticate themselves for this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.
grant_type*
String
Must be set to refresh_token
refresh_token*
String
The curent refresh token
response_type*
String
Indicates that your server expects to receive an authorization code. Must be code
client_id*
String
The client ID you received when you first registered the application
redirect_uri*
String
Indicates the URI to return the user to after authorization is complete
scope*
String
One or more scope values indicating which parts of the user's account you wish to access
state
String
with a CSRF token. This parameter is optional but highly recommended.
Authorization*
String
Contains the word Basic, followed by a space and a base64-encoded(non-encrypted) string with the client id and client secret
grant_type*
String
The grant type for this flow is authorization_code
redirect_uri*
String
Must be identical to the redirect URI provided in the original link
code*
String
The authorization code from the query string
code_verifier
String
PCKE Extension - the code verifier for the PKCE request, that the app originally generated before the authorization request.
Delete a registred client.
ID of the client
Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
Client deleted
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
Renew the client secret of a registred client.
ID of the client
Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
Claims about the updated client.
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
JWKS endpoint containing the public keys used by OpenID Connect Relying Party to verify any JWT issued by the authorization server.
A JSON object that represents a set of JWKs
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The Dynamic Client Registration (dcr) Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested.
Bearer token obtained through client crendentials flow with as mandatory scope "dcr_admin". Token required unless open dynamic client registration is enabled.
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
Claims about the registred client
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.
To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication
Claims about the authenticated End-User
Subject - Identifier for the End-User at the Issuer
End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences
Given name(s) or first name(s) of the End-User
Surname(s) or last name(s) of the End-User
Middle name(s) of the End-User
Casual name of the End-User that may or may not be the same as the given_name
Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe
URL of the End-User's profile page
URL of the End-User's profile picture
URL of the End-User's Web page or blog
End-User's preferred e-mail address
User at the time the verification was performed
End-User's gender
End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format
String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone
End-User's locale, represented as a BCP47 [RFC5646] language tag
End-User's preferred telephone number
User at the time the verification was performed
End-User's preferred postal address
Time the End-User's information was last updated
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.
To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication
Claims about the authenticated End-User
Subject - Identifier for the End-User at the Issuer
End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences
Given name(s) or first name(s) of the End-User
Surname(s) or last name(s) of the End-User
Middle name(s) of the End-User
Casual name of the End-User that may or may not be the same as the given_name
Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe
URL of the End-User's profile page
URL of the End-User's profile picture
URL of the End-User's Web page or blog
End-User's preferred e-mail address
User at the time the verification was performed
End-User's gender
End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format
String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone
End-User's locale, represented as a BCP47 [RFC5646] language tag
End-User's preferred telephone number
User at the time the verification was performed
End-User's preferred postal address
Time the End-User's information was last updated
Update information about a registred client.
ID of the client
Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
Claims about the updated client.
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
See information about a registred client.
ID of the client
Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
Claims about the registred client.
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
Kind of the application. The default, if omitted, is web. The defined values are native or web.
Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
Name of the Client to be presented to the End-User.
URL that references a logo for the Client application.
URL of the home page of the Client. The value of this field MUST point to a valid Web page.
URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
URL for the Client's JSON Web Key Set [JWK] document.
The value of the "keys" parameter is an array of JWK values
The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
The "use" (public key use) parameter identifies the intended use of the public key
The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
The "kid" (key ID) parameter is used to match a specific key
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
WS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
JWE [JWE] alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256. The value none MUST NOT be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true.
Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.
URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0 [OpenID.Core].
Array of request_uri values that are pre-registered by the RP for use at the OP.
String containing a space-separated list of scope values
A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id".
A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
