import { Client } from "https://deno.land/x/authlete_deno@v1.2.3/mod.ts";
Information about a client application.
Some properties correspond to the ones listed in Client Metadata in OpenID Connect Dynamic Client Registration 1.0.
Properties
The application type. The value of this property affects the
validation steps for a redirect URI. See the description about
redirectUris
property above.
This property corresponds to application_type
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The data types that this client may use as values of the type
field in authorization_details
.
This property corresponds to the authorization_data_types
metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR)
for details.
The JWE alg
algorithm for encrypting authorization responses.
When authorizationEncryptionEnc
is set, this property also must
be set.
This property corresponds to authorization_encrypted_response_alg
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
The JWE enc
algorithm for encrypting authorization responses.
This property corresponds to authorization_encrypted_response_enc
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
The JWS alg
algorithm for signing authorization responses.
This property corresponds to authorization_signed_response_alg
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
true
if the client application requires the auth_time
claim
to be in an ID token. Regardless of the value of this property,
Authlete embeds the auth_time
claim when authTime
parameter
in the /auth/authorization/issue
request is not 0 and does not
do it when authTime
is 0.
This property corresponds to require_auth_time
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The backchannel token delivery mode.
This property corresponds to the backchannel_token_delivery_mode
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The backchannel client notification endpoint.
This property corresponds to the backchannel_client_notification_endpoint
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The signature algorithm of the request to the backchannel authentication endpoint.
This property corresponds to the backchannel_authentication_request_signing_alg
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request.
This property corresponds to the backchannel_user_code_parameter metadata
.
Client ID. The value of this property is assigned by Authlete.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The alias of the client ID. Note that the client ID alias feature
works only when this client's clientIdAliasEnabled
property
is true
AND the service's clientIdAliasEnabled
property is
also true
.
The flag to indicate whether the client ID alias is enabled or
not. Service
object also has clientIdAliasEnabled
property.
If the service's clientIdAliasEnabled
property is false
, the
client ID alias feature does not work even if this client's
clientIdAliasEnabled
property is true
.
The name of the client application. This property corresponds to
client_name
in OpenID Connect Dynamic Client Registration 1.0,
2. Client Metadata.
If clientName
in a request to Authlete /client/create
API or
/client/update
API is not set, this property is set to the value
of clientId
.
Client names with language tags. If the client application has different names for different languages, this property can be used to register the names.
The client secret. A random 512-bit value encoded by base64url (86 letters). The
value of this property is assigned by Authlete. Even if the property
has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
Note that Authlete issues a client secret even to a public
client
application, but the client application should not use the client
secret unless it changes its client type to confidential
. That
is, a public client application should behave as if it had not
been issued a client secret. To be specific, a token request from
a public client of Authlete should not come along with a client
secret although RFC 6749, 3.2.1. Client Authentication says as follows.
Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
The client type. See RFC 6749, 2.1. Client Types for details.
If clientType
is not set in a request to Authlete /client/create
API or /client/update
API, it is set to ClientType.PUBLIC
.
The URL pointing to the home page of the client application.
This property corresponds to client_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
Home page URLs with language tags. If the client application has different home pages for different languages, this property can be used to register the URLs.
An array of email addresses of people responsible for the client application.
This property corresponds to contacts
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
The default ACRs (Authentication Context Class References). This
value is used when an authorization request from the client application
has neither acr_values
request parameter nor acr
claim in
claims
request parameter.
The default maximum authentication age in seconds. This value is
used when an authorization request from the client application
does not have max_age
request parameter.
This property corresponds to default_max_age
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The sector identifier host component as derived from either the
sector_identifier_uri
or the registered redirect_uri
. If no
sector_identifier_uri
is registered and multiple redirect_uri
s
are also registered, the property is not set.
A string array of grant types which the client application declares that it will restrict itself to using.
This property corresponds to grant_types
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
If grantTypes
in a request to Authlete /client/create
API
or /client/update
API is not set, it is set to an array containing
just GrantType.AUTHORIZATION_CODE
.
The value of alg
header parameter of JWE that the client application
requires the service to use for encrypting an ID token.
This property corresponds to id_token_encrypted_response_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
requires the service to use for encrypting an ID token.
This property corresponds to id_token_encrypted_response_enc
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS that the client application
requires the service to use for signing an ID token.
When JWSAlg.NONE
may be specified, the client application cannot
obtain an ID token from the service.
This property corresponds to id_token_signed_response_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
JSON Web Key Set. The content of the JWK Set of the client application. The format is described in 'JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format'.
OpenID Connect Dynamic Client Registration 1.0 says that jwks
must not be used when the client can use jwks_uri
, but Authlete
allows both properties to be registered at the same time. However,
Authlete does not use the content of jwks
when jwksUri
is
registered.
This property corresponds to jwks
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The URL pointing to the JWK Set of the client application. The format of the content pointed to by the URL is described in 'JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format'.
If the client application requests encryption for ID tokens (from
the authorization/token/userinfo
endpoints) and/or signs request
objects, it must make available its JWK Set containing public keys
for the encryption and/or the signature at the URL of jwksUri
.
The service (Authlete) fetches the JWK Set from the URL as necessary.
OpenID Connect Dynamic Client Registration 1.0 says that jwks
must not be used when the client can use jwks_uri
, but Authlete
allows both properties to be registered at the same time. However,
Authlete does not use the content of jwks
when jwksUri
is registered.
This property corresponds to jwks_uri
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The URL which a third party can use to initiate a login by the
client application. The URL must start with https
and consist
of ASCII letters only. Its length must not exceed 200.
This property corresponds to initiate_login_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The URL pointing to the logo image of the client application.
This property corresponds to logo_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
Logo image URLs with language tags. If the client application has different logo images for different languages, this property can be used to register URLs of the images.
The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
Client number. The sequential number of the client application.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The URL pointing to the page which describes the policy as to how end-users' profile data are used. The URL must consist of printable ASCII letters only and its length must not exceed 200.
This property corresponds to policy_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
URLs of policy pages with language tags. If the client application has different policy pages for different languages, this property can be used to register the URLs.
Redirect URIs that the client application uses to receive a response from the authorization endpoint. Requirements for a redirect URI are as follows.
Requirements by RFC 6749
(From RFC 6749, 3.1.2. Redirection Endpoint)
- Must be an absolute URI.
- Must not have a fragment component.
Requirements by OpenID Connect
(From OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, application_type)
-
The scheme of the redirect URI used for Implicit Grant by a client application whose application type is "web" must be
https
. This is checked at runtime by Authlete. -
The hostname of the redirect URI used for Implicit Grant by a client application whose application type is "web" must not be
localhost
. This is checked at runtime by Authlete. -
The scheme of the redirect URI used by a client application whose application type is "native" must be either (1) a custom scheme or (2) http, which is allowed only when the hostname part is
localhost
. This is checked at runtime by Authlete.
Requirements by Authlete
- Must consist of printable ASCII letters only.
- Must not exceed 200 letters.
Note that Authlete allows the application type not to be set.
In other words, a client application does not have to choose
ApplicationType.WEB
or ApplicationType.NATIVE
as its applicationType
.
If the applicationType
is not set, the requirements by OpenID
Connect are not checked at runtime.
An authorization request from a client application which has not registered any redirect URI fails unless at least all the following conditions are satisfied.
- The
clientType
of the client application isClientType.CONFIDENTIAL
. - The value of response_type request parameter is
code
. - The authorization request has the
redirect_uri
request parameter. - The value of
scope
request parameter does not containopenid
.
RFC 6749 allows partial match of redirect URI under some conditions (see RFC 6749, 3.1.2.2. Registration Requirements for details), but OpenID Connect requires exact match.
The value of alg
header parameter of JWE that the client application
uses for encrypting a request object.
Regardless of whether this property is set or not, the client application may and may not encrypt a request object. Furthermore, the client application may use other supported encryption algorithms.
This property corresponds to request_object_encryption_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
uses for encrypting a request object.
This property corresponds to request_object_encryption_enc
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS that the client application
uses for signing a request object.
If this property is set, request objects sent from the client
application must be signed using the algorithm. Request objects
signed by other algorithms are rejected. Note that "not setting
this property" and "setting this property to JWSAlg.NONE
" are
different.
If the value of this property indicates an asymmetric signing
algorithm, the client application must make available its JWK Set
which contains a public key for the service to verify the signature
of the request object at the URL referred to by its jwksUri
configuration property.
This property corresponds to request_object_signing_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
An array of URLs each of which points to a request object.
Authlete requires that URLs used as values for request_uri
request
parameter be pre-registered. This requestUris
property is used
for the pre-registration. See OpenID Connect Core 1.0, 6.2. Passing
a Request Object by Reference for details.
A string array of response types which the client application declares that it will restrict itself to using.
This property corresponds to response_types
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
If responseTypes
in a request to Authlete /client/create
API
or /client/update
API is not set, it is set to an array containing
just ResponseType.CODE
.
The sector identifier which is a URL starting with https. This URL is used by the service to calculate pairwise subject values. See OpenID Connect Core 1.0, 8.1. Pairwise Identifier Algorithm.
This property corresponds to sector_identifier_uri
in OpenID
Connect Dynamic Client Registration 1.0, 2. Client Metadata.
The sequential number of the service of the client application.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
This property corresponds to the software_id
metadata defined
in 2. Client Metadata
of RFC 7591 (OAuth 2.0
Dynamic Client Registration Protocol).
The version identifier string for the client software identified by the software ID.
This property corresponds to the software_version
metadata
defined in 2. Client Metadata
of RFC 7591 (OAuth 2.0
Dynamic Client Registration Protocol).
The subject type that the client application requests. Details about the subject type are described in OpenID Connect Core 1.0 , 8. Subject Identifier Types.
This property corresponds to subject_type
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_dns
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_email
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_ip
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_uri
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_subject_dn
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The client authentication method that the client application declares that it uses at the token endpoint.
This property corresponds to token_endpoint_auth_method
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS which is used for
client authentication at the token endpoint. If this property
is set, the client application must use the algorithm.
This property is used only for the two JWT-based client authentication,
namely, ClientAuthMethod.PRIVATE_KEY_JWT
and ClientAuthMethod.CLIENT_SECRET_JWT
(see the description of the tokenAuthMethod
property).
This property corresponds to token_endpoint_auth_signing_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The URL pointing to the 'Terms Of Service' page.
This property corresponds to tos_uri
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.s
URLs of 'Terms Of Service' pages with language tags. If the client application has different 'Terms Of Service' pages for different languages, this property can be used to register the URLs.
The value of alg
header parameter of JWE that the client application
requires the service to use for encrypting the JWT returned
from the user info endpoint.
If the value of this property indicates an asymmetric encryption
algorithm, the client application must make available its JWK Set
which contains a public key for encryption at the URL referred
to by its jwksUri
configuration property.
If both userInfoSignAlg
and userInfoEncryptionAlg
are set,
the format of the response from the user info endpoint is a plain
JSON (not JWT).
This property corresponds to userinfo_encrypted_response_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
requires the service to use for encrypting the JWT returned
from the user info endpoint.
This property corresponds to userinfo_encrypted_response_enc
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS that the client application
requires the service to use for signing the JWT returned
from the user info endpoint.
If both userInfoSignAlg
and userInfoEncryptionAlg
are not set,
the format of the response from the user info endpoint is a plain
JSON (not JWT). Note that "not setting this property" and "setting
this property to JWSAlg.NONE
" are different.
This property corresponds to userinfo_signed_response_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.