Client configuration
The tables below describe the mandatory and common parameters of the client model used in the Web API (and cmdlets).
Client properties
Parameter name | Parameter type | Description |
---|---|---|
ClientId | String | Unique identifier of the client. Required |
ClientName | String | User-friendly display name of the client (used for logging and the consent screen). Required |
ClientUri | String | Uri to further information about client. |
ClientSecrets | List\<Secret> | Client secrets; only relevant for flows that require a secret. Note: when registering a client with secret(s), leave the Value and Type of each secret unset; IDS generates them automatically. See more about secret registration. |
Flow | enum Flows | One of the following values (defaults to Implicit): AuthorizationCode (0), Implicit (1), Hybrid (2), ClientCredentials (3), Custom (5), AuthorizationCodeWithProofKey (6), HybridWithProofKey (7). Note: when the ClientCredentials flow is used, IDS-Admin generates a ClientSecret even if none is provided in the request; in that case a secret of type "SharedSecret" without an expiration date is generated. |
Claims | List\<Claims> | Allows setting claims for the client (they are included in the access token) |
AccessTokenType | AccessTokenType | Specifies whether the access token is a reference token or a self-contained JWT (defaults to Jwt) |
AccessTokenLifetime | int | Lifetime of the access token, in seconds. Should be set within 3 600 to 5 400 seconds (60 to 90 minutes); the default is 4 500 seconds (75 minutes) |
AllowedScopes | List\<string> | Specifies the scopes that the client is allowed to request. If empty, the client can't access any scope |
Enabled | boolean | default = true |
RequireConsent | boolean | Specifies whether a consent screen is required. Defaults to true. If there is anything to consent to, the consent screen is shown after login. Only valid for the implicit, hybrid and authorization code flows. |
RedirectUris | List\<string> | Specifies allowed URIs to return tokens or authorization codes to |
PostLogoutRedirectUris | List\<string> | Specifies allowed URIs to redirect to after logout |
IdentityTokenLifetime | int | Lifetime of the identity token, in seconds. Should be set within 3 600 to 5 400 seconds (60 to 90 minutes); the default is 4 500 seconds (75 minutes) |
RefreshTokenExpiration | enum | Allowed values: Absolute (0): the refresh token expires at a fixed point in time (specified by AbsoluteRefreshTokenLifetime); Sliding (1): each time the token is refreshed, the refresh token lifetime is renewed by the amount specified in SlidingRefreshTokenLifetime, but never beyond AbsoluteRefreshTokenLifetime. |
AbsoluteRefreshTokenLifetime | int | Should be set within 86 400 to 604 800 seconds (24 hours to 7 days); the default is 604 800 seconds |
SlidingRefreshTokenLifetime | int | Should be set within 86 400 to 604 800 seconds (24 hours to 7 days); the default is 604 800 seconds |
RefreshTokenUsage | enum | ReUse (0): the refresh token handle stays the same when tokens are refreshed; OneTime (1): the refresh token handle is replaced when tokens are refreshed |
UserId | string | Used internally for auditing |
UserName | string | Used internally for auditing |
AuthorizationCodeLifetime | int | Authorization codes should be used within a specified timeframe of 30 to 600 seconds, with the default set at 300 seconds |
AllowAccessToAllScopes | boolean | By default a client has no access to any scopes; either set this to true or list the allowed scopes explicitly via the AllowedScopes property. |
AlwaysSendClientClaims | boolean | If set, the client claims are sent for every flow; otherwise only for the client credentials flow. Default is false. |
PrefixClientClaims | boolean | If set, all client claims are prefixed with client_ to make sure they don't accidentally collide with user claims. Default is false. |
IncludeJwtId | boolean | Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim) |
See also client registration.
ClientSecret properties
Parameter name | Parameter type | Description |
---|---|---|
Description | string | Description of the secret |
Expiration | DateTimeOffset | Expiration time of the secret; null if it never expires |
Type | string | Secret type |
Value | string | Secret value. Note: the value must not be provided by the user in the request; it is always generated on the IDS-Admin side. See secret registration. |
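As an added example (not IDS-Admin code), the following Python pre-flight check validates a client registration payload against the rules stated in the client and ClientSecret tables above: required fields, the documented Flow values, the rule that a secret's Value and Type are left unset, the AllowedScopes/AllowAccessToAllScopes rule, and the documented lifetime ranges. The field names are those of the tables; the sample payload, the set of flows treated as redirect-based, and the string keys used for the enum values are assumptions.

```python
# Added example, not part of IDS-Admin: pre-flight checks on a client payload
# against the ranges and rules documented in the tables above.
FLOWS = {"AuthorizationCode": 0, "Implicit": 1, "Hybrid": 2, "ClientCredentials": 3,
         "Custom": 5, "AuthorizationCodeWithProofKey": 6, "HybridWithProofKey": 7}
# Assumption: these flows hand tokens or codes back to the client via a RedirectUri
REDIRECT_FLOWS = {0, 1, 2, 6, 7}
# Documented (min, max) in seconds for each lifetime parameter
LIFETIME_RANGES = {
    "AccessTokenLifetime": (3600, 5400),
    "IdentityTokenLifetime": (3600, 5400),
    "AuthorizationCodeLifetime": (30, 600),
    "AbsoluteRefreshTokenLifetime": (86400, 604800),
    "SlidingRefreshTokenLifetime": (86400, 604800),
}

def validate_client(client: dict) -> list[str]:
    """Return the problems found; an empty list means the payload matches the tables."""
    problems = []
    for field in ("ClientId", "ClientName"):
        if not client.get(field):
            problems.append(f"{field} is required")
    flow = client.get("Flow", FLOWS["Implicit"])  # table: Flow defaults to Implicit
    if flow not in FLOWS.values():
        problems.append(f"Flow={flow} is not a documented value")
    for secret in client.get("ClientSecrets", []):
        if secret.get("Value") or secret.get("Type"):  # IDS-Admin generates both
            problems.append("ClientSecrets: leave Value and Type unset")
    if flow in REDIRECT_FLOWS and not client.get("RedirectUris"):
        problems.append("RedirectUris is empty for a redirect-based flow")
    if not client.get("AllowedScopes") and not client.get("AllowAccessToAllScopes", False):
        problems.append("AllowedScopes is empty and AllowAccessToAllScopes is false")
    for field, (lo, hi) in LIFETIME_RANGES.items():
        if field in client and not lo <= client[field] <= hi:
            problems.append(f"{field}={client[field]} is outside the documented {lo}-{hi} s range")
    sliding = client.get("SlidingRefreshTokenLifetime", 604800)  # documented defaults
    absolute = client.get("AbsoluteRefreshTokenLifetime", 604800)
    if client.get("RefreshTokenExpiration") == 1 and sliding > absolute:  # 1 = Sliding
        problems.append("SlidingRefreshTokenLifetime exceeds AbsoluteRefreshTokenLifetime and is capped")
    return problems

# Constructed sample payload: a browser client on the AuthorizationCodeWithProofKey flow
SAMPLE_CLIENT = {
    "ClientId": "portal-spa", "ClientName": "Customer portal",
    "Flow": FLOWS["AuthorizationCodeWithProofKey"],
    "RedirectUris": ["https://portal.example.com/callback"], "AllowedScopes": ["openid", "profile"],
    "AccessTokenLifetime": 3600, "IdentityTokenLifetime": 3600,
    "RefreshTokenExpiration": 1, "RefreshTokenUsage": 1,  # Sliding, OneTime
    "SlidingRefreshTokenLifetime": 86400, "AbsoluteRefreshTokenLifetime": 604800,
}
```

Run `validate_client(SAMPLE_CLIENT)` before submitting the payload; a non-empty list names each field that contradicts the tables.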
Claim properties
Parameter name | Parameter type | Description |
---|---|---|
Issuer | string | Issuer of the claim |
OriginalIssuer | string | Original issuer of the claim |
Type | string | Claim type |
Value | string | Claim value |