Client settings¶
Rules: Default(x) => in all mappings when value is null or empty (string) then force this value for storing it at the persistent layer.
Basics¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| Enabled | Basics | Default(true) | boolean | Specifies if client is enabled. Defaults to true. |
| ClientIdentifier | Basics | REQUIRED,UNIQUE | string | Unique ID of the client |
| ClientName | Basics | REQUIRED | string | Client display name (used for logging and consent screen) |
| Description | Basics | OPTIONAL | string | General description of the client, for helping administrators |
| ProtocolType | Basics | Default(oidc), Range(oidc) | string | Authentication protocol. Always oidc. |
| RequireClientSecret | Basics | Default(true) | boolean | Specifies whether this client needs a secret to request tokens from the token endpoint (defaults to true) |
| ClientSecrets | Basics/Secrets | ListOf(ClientSecret) | List of client secrets - credentials to access the token endpoint. Ignored by put/patch operations | |
| ClientSecret.Description | Basics/Secrets | OPTIONAL | string | Description for management purposes of the secret |
| ClientSecret.Type | Basics/Secrets | Default(SharedSecret), Range(SharedSecret) | string | Type of secret. Default: SharedSecret |
| ClientSecret.Value | Basics/Secrets | Default(SharedSecret), Range(SharedSecret) | string | Secrets cannot be edited. If you need to change the secret, please create a new secret. |
| AllowedGrantTypes | Basics/GrantTypes | Range(authorization_code, client_credentials, hybrid, implicit) | ListOf(string) | Specifies the grant types the client is allowed to use. Use the GrantTypes class for common combinations. |
| RequirePkce | Basics/GrantTypes | Default(true) | boolean | Specifies whether clients using an authorization code based grant type must send a proof key (defaults to true). |
| AllowPlainTextPkce | Basics/GrantTypes | Default(false), R/O, No UI | boolean | Specifies whether clients using PKCE can use a plain text code challenge (not recommended - and default to false). Not included in the UI and forced to false for new clients. |
| AllowAccessTokensViaBrowser | Basics/GrantTypes | Default(true) | boolean | Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser. |
| RedirectUris | Basics\RedirectUri | ListOf(string) | Specifies the allowed URIs to return tokens or authorization codes to | |
| AllowedScopes | Basics\Scope | Range(Scopes) | ListOf(string) | By default a client has no access to any resources - specify the allowed resources by adding the corresponding scopes names (list of strings). List comes from existing scopes in ApiScopes table; however this information is just used as a typeahead, we will allow to add scopes that has not been yet defined in ApiScopes. |
| AllowOfflineAccess | Basics/Scope | Default(true) | boolean | Specifies whether this client can request refresh tokens (be requesting the offline_access scope) |
Authorization and logout¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| PostLogoutRedirectUris | AuthLogout | ListOf(string) | Specifies allowed URIs to redirect to after logout. See the OIDC Connect Session Management spec for more details. | |
| BackChannelLogoutUri | AuthLogout | string | Specifies logout URI at client for HTTP based back-channel logout. See the OIDC Back-Channel spec for more details. | |
| BackChannelLogoutSessionRequired | AuthLogout | Default(true) | boolean | Specifies if the user’s session id should be sent in the request to the BackChannelLogoutUri. Defaults to true. |
| FrontChannelLogoutUri | AuthLogout | string | Specifies logout URI at client for HTTP based front-channel logout. See the OIDC Front-Channel spec for more details. | |
| FrontChannelLogoutSessionRequired | AuthLogout | Default(true) | boolean | Specifies if the user’s session id should be sent to the FrontChannelLogoutUri. Defaults to true. |
| EnableLocalLogin | AuthLogout | Default(true) | boolean | Specifies if this client can use local accounts, or external IdPs only. Defaults to true. |
| IdentityProviderRestrictions | AuthLogout | ListOf(string) | Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty. |
Token¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| IdentityTokenLifetime | Token | Default(300) | int | Lifetime to identity token in seconds (defaults to 300 seconds / 5 minutes) |
| AccessTokenLifetime | Token | Default(3600) | int | Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour) |
| AuthorizationCodeLifetime | Token | Default(300) | int | Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes) |
| AccessTokenType | Token | Default(Jwt), R/O, NoUI | enum | Specifies whether the access token is a reference token or a self contained JWT token (defaults to Jwt). |
| IncludeJwtId | Token | Default(true), R/O, NoUI | boolean | Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim). Forced to true always. |
| PairWiseSubjectSalt | Token | NULL, R/O, NoUI | string | Salt value used in pair-wise subjectId generation for users of this client. NULL by |
Refresh Token¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| RefreshTokenUsage | Token\Refresh | Default(1) | enum | ReUse the refresh token handle will stay the same when refreshing tokens (value=0). OneTime the refresh token handle will be updated when refreshing tokens (value=1). This is the default. |
| RefreshTokenExpiration | Token\Refresh | Default(1) | enum | Absolute the refresh token will expire on a fixed point in time (specified by the AbsoluteRefreshTokenLifetime). Sliding when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime. |
| AbsoluteRefreshTokenLifetime | Token\Refresh | Default(2592000) | int | Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days. (int, not null) |
| SlidingRefreshTokenLifetime | Token\Refresh | Default(1296000) | int | Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days |
| UpdateAccessTokenClaimsOnRefresh | Token\Refresh | Default(0) | boolean | Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request. |
CORS¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| AllowedCorsOrigins | Token\CORS | ListOf(string) | If specified, will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. |
Claims¶
| Property | Category | Rules | Type | Description |
|---|---|---|---|---|
| Claims | Token\Claims | ListOf(Claim[Type+Value]) | Allows settings claims for the client (will be included in the access token). | |
| AlwaysSendClientClaims | Token\Claims | Default(false) | boolean | If set, the client claims will be sent for every flow. If not, only for client credentials flow (default is false) |
| AlwaysIncludeUserClaimsInIdToken | Token\Claims | Default(false) | boolean | When requesting both an id token and access token, should the user claims always be added to the id token instead of requiring the client to use the userinfo endpoint. Default is false. |
| ClientClaimsPrefix | Token\Claims | Default(client_) | string | If set, the prefix client claim types will be prefixed with. Defaults to client_. The intent is to make sure they don’t accidentally collide with user claims. |