import { Client } from "https://deno.land/x/authlete_deno@v1.2.7/mod.ts";
Information about a client application.
Some properties correspond to the ones listed in Client Metadata in OpenID Connect Dynamic Client Registration 1.0.
Properties
The application type. The value of this property affects the
validation steps for a redirect URI. See the description about
redirectUris
property above.
This property corresponds to application_type
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
Attributes.
Authorization details types that this client may use as values
of the type
field in authorization_details
.
This property corresponds to the authorization_details_types
metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for
details.
Note that the property name was renamed from authorizationDataTypes
to authorizationDetailsTypes
to align with the change made by
the 5th draft of the RAR specification. The data types that this
client may use as values of the type
field in authorization_details
.
The JWE alg
algorithm for encrypting authorization responses.
When authorizationEncryptionEnc
is set, this property also must
be set.
This property corresponds to authorization_encrypted_response_alg
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
The JWE enc
algorithm for encrypting authorization responses.
This property corresponds to authorization_encrypted_response_enc
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
The JWS alg
algorithm for signing authorization responses.
This property corresponds to authorization_signed_response_alg
in 5. Client Metadata
of Financial-grade API: JWT Secured Authorization Response Mode
for OAuth 2.0 (JARM).
true
if the client application requires the auth_time
claim
to be in an ID token. Regardless of the value of this property,
Authlete embeds the auth_time
claim when authTime
parameter
in the /auth/authorization/issue
request is not 0 and does not
do it when authTime
is 0.
This property corresponds to require_auth_time
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The backchannel token delivery mode.
This property corresponds to the backchannel_token_delivery_mode
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The backchannel client notification endpoint.
This property corresponds to the backchannel_client_notification_endpoint
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The signature algorithm of the request to the backchannel authentication endpoint.
This property corresponds to the backchannel_authentication_request_signing_alg
metadata. The backchannel token delivery mode is defined in the
specification of the CIBA (Client Initiated Backchannel Authentication).
The boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request.
This property corresponds to the backchannel_user_code_parameter metadata
.
Client ID. The value of this property is assigned by Authlete.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The alias of the client ID. Note that the client ID alias feature
works only when this client's clientIdAliasEnabled
property
is true
AND the service's clientIdAliasEnabled
property is
also true
.
The flag to indicate whether the client ID alias is enabled or
not. Service
object also has clientIdAliasEnabled
property.
If the service's clientIdAliasEnabled
property is false
, the
client ID alias feature does not work even if this client's
clientIdAliasEnabled
property is true
.
The name of the client application. This property corresponds to
client_name
in OpenID Connect Dynamic Client Registration 1.0,
2. Client Metadata.
If clientName
in a request to Authlete /client/create
API or
/client/update
API is not set, this property is set to the value
of clientId
.
Client names with language tags. If the client application has different names for different languages, this property can be used to register the names.
The client secret. A random 512-bit value encoded by base64url (86 letters). The
value of this property is assigned by Authlete. Even if the property
has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
Note that Authlete issues a client secret even to a public
client
application, but the client application should not use the client
secret unless it changes its client type to confidential
. That
is, a public client application should behave as if it had not
been issued a client secret. To be specific, a token request from
a public client of Authlete should not come along with a client
secret although RFC 6749, 3.2.1. Client Authentication says as follows.
Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
The client type. See RFC 6749, 2.1. Client Types for details.
If clientType
is not set in a request to Authlete /client/create
API or /client/update
API, it is set to ClientType.PUBLIC
.
The URL pointing to the home page of the client application.
This property corresponds to client_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
Home page URLs with language tags. If the client application has different home pages for different languages, this property can be used to register the URLs.
An array of email addresses of people responsible for the client application.
This property corresponds to contacts
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
The custom client metadata in JSON format.
Standard specifications define client metadata as necessary. The following are such examples.
- OpenID Connect Dynamic Client Registration 1.0
- RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol
- RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
- OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0<
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
- OAuth 2.0 Pushed Authorization Requests (PAR)
- OAuth 2.0 Rich Authorization Requests (RAR)
Standard client metadata included in Client Registration Request
and Client Update Request (cf. OIDC DynReg,
RFC 7591 and RFC
7592) are, if supported
by Authlete, set to corresponding properties of the client application.
For example, the value of the client_name
client metadata in
Client Registration/Update Request is set to the clientName
property.
On the other hand, unrecognized client metadata are discarded.
By listing up custom client metadata in advance by using the
supportedCustomClientMetadata
property of Service
, Authlete
can recognize them and stores their values into the database.
The stored custom client metadata values can be referenced by this
method.
The default ACRs (Authentication Context Class References). This
value is used when an authorization request from the client application
has neither acr_values
request parameter nor acr
claim in
claims
request parameter.
The default maximum authentication age in seconds. This value is
used when an authorization request from the client application
does not have max_age
request parameter.
This property corresponds to default_max_age
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The sector identifier host component as derived from either the
sector_identifier_uri
or the registered redirect_uri
. If no
sector_identifier_uri
is registered and multiple redirect_uri
s
are also registered, the property is not set.
Descriptions about the client application with language tags.
The developer of the client application. It consists of at most 100 ASCII letters.
The digest algorithm that this client requests the server to use
when it computes digest values of external attachments,
which may be referenced from within ID tokens or userinfo responses
(or any place that can have the verified_claims
claim).
Possible values are listed in the Hash Algorithm Registry
of IANA (Internet Assigned Numbers Authority), but the server does
not necessarily support all the values there. When this property
is omitted, sha-256
is used as the default algorithm.
This property corresponds to the digest_algorithm
client metadata
which was defined by the third implementer's draft of OpenID Connect
for Identity Assurance 1.0".
This property is recognized by Authlete 2.3 and newer versions.
The flag which indicates whether this client has been registered dynamically.
The extended information about this client.
The flag indicating whether encryption of request object is required when the request object is passed through the front channel.
This flag does not affect the processing of request objects at the
Pushed Authorization Request Endpoint, which is defined in OAuth
2.0 Pushed Authorization Requests.
Unecrypted request objects are accepted at the endpoint even if
this flag is true
.
This flag does not indicate whether a request object is always
required. There is a different flag, requestObjectRequired
, for
the purpose. See the description of isRequestObjectRequired
for
details.
Even if this flag is false
, encryption of request object is
required if the Service.frontChannelRequestObjectEncryptionRequired
flag is true
.
A string array of grant types which the client application declares that it will restrict itself to using.
This property corresponds to grant_types
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
If grantTypes
in a request to Authlete /client/create
API
or /client/update
API is not set, it is set to an array containing
just GrantType.AUTHORIZATION_CODE
.
The value of alg
header parameter of JWE that the client application
requires the service to use for encrypting an ID token.
This property corresponds to id_token_encrypted_response_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
requires the service to use for encrypting an ID token.
This property corresponds to id_token_encrypted_response_enc
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS that the client application
requires the service to use for signing an ID token.
When JWSAlg.NONE
may be specified, the client application cannot
obtain an ID token from the service.
This property corresponds to id_token_signed_response_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
JSON Web Key Set. The content of the JWK Set of the client application. The format is described in 'JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format'.
OpenID Connect Dynamic Client Registration 1.0 says that jwks
must not be used when the client can use jwks_uri
, but Authlete
allows both properties to be registered at the same time. However,
Authlete does not use the content of jwks
when jwksUri
is
registered.
This property corresponds to jwks
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The URL pointing to the JWK Set of the client application. The format of the content pointed to by the URL is described in 'JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format'.
If the client application requests encryption for ID tokens (from
the authorization/token/userinfo
endpoints) and/or signs request
objects, it must make available its JWK Set containing public keys
for the encryption and/or the signature at the URL of jwksUri
.
The service (Authlete) fetches the JWK Set from the URL as necessary.
OpenID Connect Dynamic Client Registration 1.0 says that jwks
must not be used when the client can use jwks_uri
, but Authlete
allows both properties to be registered at the same time. However,
Authlete does not use the content of jwks
when jwksUri
is registered.
This property corresponds to jwks_uri
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.
The URL which a third party can use to initiate a login by the
client application. The URL must start with https
and consist
of ASCII letters only. Its length must not exceed 200.
This property corresponds to initiate_login_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The URL pointing to the logo image of the client application.
This property corresponds to logo_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
Logo image URLs with language tags. If the client application has different logo images for different languages, this property can be used to register URLs of the images.
The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
Client number. The sequential number of the client application.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The flag indicating whether this client is required to use the pushed authorization request endpoint.
This property corresponds to the require_pushed_authorization_requests
client metadata defined in "OAuth 2.0 Pushed Authorization Requests".
The URL pointing to the page which describes the policy as to how end-users' profile data are used. The URL must consist of printable ASCII letters only and its length must not exceed 200.
This property corresponds to policy_uri
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
URLs of policy pages with language tags. If the client application has different policy pages for different languages, this property can be used to register the URLs.
Redirect URIs that the client application uses to receive a response from the authorization endpoint. Requirements for a redirect URI are as follows.
Requirements by RFC 6749
(From RFC 6749, 3.1.2. Redirection Endpoint)
- Must be an absolute URI.
- Must not have a fragment component.
Requirements by OpenID Connect
(From OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, application_type)
-
The scheme of the redirect URI used for Implicit Grant by a client application whose application type is "web" must be
https
. This is checked at runtime by Authlete. -
The hostname of the redirect URI used for Implicit Grant by a client application whose application type is "web" must not be
localhost
. This is checked at runtime by Authlete. -
The scheme of the redirect URI used by a client application whose application type is "native" must be either (1) a custom scheme or (2) http, which is allowed only when the hostname part is
localhost
. This is checked at runtime by Authlete.
Requirements by Authlete
- Must consist of printable ASCII letters only.
- Must not exceed 200 letters.
Note that Authlete allows the application type not to be set.
In other words, a client application does not have to choose
ApplicationType.WEB
or ApplicationType.NATIVE
as its applicationType
.
If the applicationType
is not set, the requirements by OpenID
Connect are not checked at runtime.
An authorization request from a client application which has not registered any redirect URI fails unless at least all the following conditions are satisfied.
- The
clientType
of the client application isClientType.CONFIDENTIAL
. - The value of response_type request parameter is
code
. - The authorization request has the
redirect_uri
request parameter. - The value of
scope
request parameter does not containopenid
.
RFC 6749 allows partial match of redirect URI under some conditions (see RFC 6749, 3.1.2.2. Registration Requirements for details), but OpenID Connect requires exact match.
The hash of the registration access token for this client.
The value of alg
header parameter of JWE that the client application
uses for encrypting a request object.
Regardless of whether this property is set or not, the client application may and may not encrypt a request object. Furthermore, the client application may use other supported encryption algorithms.
This property corresponds to request_object_encryption_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
uses for encrypting a request object.
This property corresponds to request_object_encryption_enc
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The flag indicating whether the JWE alg
of encrypted request
object must match the request_object_encryption_alg
client metadata.
The request_object_encryption_alg
client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0
as follows.
request_object_encryption_alg
OPTIONAL. JWE [JWE]
alg
algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that aclient_secret
value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."
The property that represents the client metadata is requestEncryptionAlg
.
See the description of requestEncryptionAlg
for details.
Even if this flag is false
, the match is required if the
Service.requestObjectEncryptionAlgMatchRequired
flag is true
.
The flag indicating whether the JWE enc
of encrypted request
object must match the request_object_encryption_enc
client metadata.
The request_object_encryption_enc
client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0
as follows.
request_object_encryption_enc
OPTIONAL. JWE
enc
algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. Ifrequest_object_encryption_alg
is specified, the default for this value isA128CBC-HS256
. Whenrequest_object_encryption_enc
is included,request_object_encryption_alg
MUST also be provided.
The property that represents the client metadata is requestEncryptionEnc
.
See the description of requestEncryptionEnc
for details.
Even if this flag is false
, the match is required if the Service.requestObjectEncryptionEncMatchRequired
flag is true
.
The flag indicating whether authorization requests from this client
are always required to utilize a request object by using either
request
or request_uri
request parameter.
If this flag is true
and the service's isTraditionalRequestObjectProcessingApplied
is false
, authorization requests from this client are processed
as if require_signed_request_object
client metadata of this client
is true
. The metadata is defined in JAR (JWT Secured Authorization
Request).
The value of alg
header parameter of JWS that the client application
uses for signing a request object.
If this property is set, request objects sent from the client
application must be signed using the algorithm. Request objects
signed by other algorithms are rejected. Note that "not setting
this property" and "setting this property to JWSAlg.NONE
" are
different.
If the value of this property indicates an asymmetric signing
algorithm, the client application must make available its JWK Set
which contains a public key for the service to verify the signature
of the request object at the URL referred to by its jwksUri
configuration property.
This property corresponds to request_object_signing_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
An array of URLs each of which points to a request object.
Authlete requires that URLs used as values for request_uri
request
parameter be pre-registered. This requestUris
property is used
for the pre-registration. See OpenID Connect Core 1.0, 6.2. Passing
a Request Object by Reference for details.
A string array of response types which the client application declares that it will restrict itself to using.
This property corresponds to response_types
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
If responseTypes
in a request to Authlete /client/create
API
or /client/update
API is not set, it is set to an array containing
just ResponseType.CODE
.
The sector identifier which is a URL starting with https. This URL is used by the service to calculate pairwise subject values. See OpenID Connect Core 1.0, 8.1. Pairwise Identifier Algorithm.
This property corresponds to sector_identifier_uri
in OpenID
Connect Dynamic Client Registration 1.0, 2. Client Metadata.
The key ID of a JWK containing a self-signed certificate of this client.
The sequential number of the service of the client application.
The value of this property is assigned by Authlete. Even if the
property has a value in a request to Authlete /client/create
API or /client/update
API, it is ignored.
The unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
This property corresponds to the software_id
metadata defined
in 2. Client Metadata
of RFC 7591 (OAuth 2.0
Dynamic Client Registration Protocol).
The version identifier string for the client software identified by the software ID.
This property corresponds to the software_version
metadata
defined in 2. Client Metadata
of RFC 7591 (OAuth 2.0
Dynamic Client Registration Protocol).
The subject type that the client application requests. Details about the subject type are described in OpenID Connect Core 1.0 , 8. Subject Identifier Types.
This property corresponds to subject_type
in OpenID Connect
Dynamic Client Registration 1.0, 2. Client Metadata.
The string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_dns
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_email
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_ip
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_san_uri
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.
See tls_client_auth_subject_dn
in "2.3. Dynamic Client Registration"
in "Mutual TLS Profiles for OAuth Clients" for details.
The flag which indicates whether this client use TLS client certificate bound access tokens.
The client authentication method that the client application declares that it uses at the token endpoint.
This property corresponds to token_endpoint_auth_method
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS which is used for
client authentication at the token endpoint. If this property
is set, the client application must use the algorithm.
This property is used only for the two JWT-based client authentication,
namely, ClientAuthMethod.PRIVATE_KEY_JWT
and ClientAuthMethod.CLIENT_SECRET_JWT
(see the description of the tokenAuthMethod
property).
This property corresponds to token_endpoint_auth_signing_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The URL pointing to the 'Terms Of Service' page.
This property corresponds to tos_uri
in OpenID Connect Dynamic
Client Registration 1.0, 2. Client Metadata.s
URLs of 'Terms Of Service' pages with language tags. If the client application has different 'Terms Of Service' pages for different languages, this property can be used to register the URLs.
The value of alg
header parameter of JWE that the client application
requires the service to use for encrypting the JWT returned
from the user info endpoint.
If the value of this property indicates an asymmetric encryption
algorithm, the client application must make available its JWK Set
which contains a public key for encryption at the URL referred
to by its jwksUri
configuration property.
If both userInfoSignAlg
and userInfoEncryptionAlg
are set,
the format of the response from the user info endpoint is a plain
JSON (not JWT).
This property corresponds to userinfo_encrypted_response_alg
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of enc
header parameter of JWE that the client application
requires the service to use for encrypting the JWT returned
from the user info endpoint.
This property corresponds to userinfo_encrypted_response_enc
in OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.
The value of alg
header parameter of JWS that the client application
requires the service to use for signing the JWT returned
from the user info endpoint.
If both userInfoSignAlg
and userInfoEncryptionAlg
are not set,
the format of the response from the user info endpoint is a plain
JSON (not JWT). Note that "not setting this property" and "setting
this property to JWSAlg.NONE
" are different.
This property corresponds to userinfo_signed_response_alg
in
OpenID Connect Dynamic Client Registration 1.0, 2. Client
Metadata.