Authlete
Service class
Information about a service which represents an authorization server / OpenID provider.
Properties

string ServiceName [get, set]
    The service name.
long ApiKey [get, set]
    The API key of this service.
string ApiSecret [get, set]
    The API secret of this service.
Uri Issuer [get, set]
    The issuer identifier of this OpenID provider. This property corresponds to the "issuer" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri AuthorizationEndpoint [get, set]
    The URI of the authorization endpoint (3.1. Authorization Endpoint of RFC 6749). This property corresponds to the "authorization_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri TokenEndpoint [get, set]
    The URI of the token endpoint (3.2. Token Endpoint of RFC 6749). This property corresponds to the "token_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri RevocationEndpoint [get, set]
    The URI of the revocation endpoint (RFC 7009). This property corresponds to the "revocation_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
ClientAuthMethod[] SupportedRevocationAuthMethods [get, set]
    Client authentication methods at the revocation endpoint supported by this service.
Uri UserInfoEndpoint [get, set]
    The URI of the UserInfo endpoint (5.3. UserInfo Endpoint of OpenID Connect Core 1.0). This property corresponds to the "userinfo_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri JwksUri [get, set]
    The URI of the JWK Set of this service. This property corresponds to the "jwks_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
string Jwks [get, set]
    The JWK Set of this service.
Uri RegistrationEndpoint [get, set]
    The URI of the registration endpoint (3. Client Registration Endpoint of OpenID Connect Dynamic Client Registration 1.0). This property corresponds to the "registration_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri RegistrationManagementEndpoint [get, set]
    The URI of the registration management endpoint. If dynamic client registration is supported and this property is set, the URI will be used as the basis of the client's management endpoint by appending /clientID/ to it as a path element. If this property is unset, the value of the RegistrationEndpoint property will be used as the URI base instead.
Scope[] SupportedScopes [get, set]
    Scopes supported by this service (3.3. Access Token Scope of RFC 6749). This property corresponds to the "scopes_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
ResponseType[] SupportedResponseTypes [get, set]
    Response types supported by this service (OAuth 2.0 Multiple Response Type Encoding Practices). This property corresponds to the "response_types_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
GrantType[] SupportedGrantTypes [get, set]
    Grant types supported by this service. This property corresponds to the "grant_types_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
string[] SupportedAcrs [get, set]
    ACR (Authentication Context Class Reference) values supported by this service. This property corresponds to the "acr_values_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
ClientAuthMethod[] SupportedTokenAuthMethods [get, set]
    Client authentication methods at the token endpoint supported by this service. This property corresponds to the "token_endpoint_auth_methods_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Display[] SupportedDisplays [get, set]
    Values of the "display" request parameter supported by this service. This property corresponds to the "display_values_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
ClaimType[] SupportedClaimTypes [get, set]
    Claim types supported by this service (5.6. Claim Types in OpenID Connect Core 1.0). This property corresponds to the "claim_types_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
string[] SupportedClaims [get, set]
    Claims supported by this service. This property corresponds to the "claims_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri ServiceDocumentation [get, set]
    The URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider. This property corresponds to the "service_documentation" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
string[] SupportedClaimLocales [get, set]
    Languages and scripts for claim values supported by this service. This property corresponds to the "claims_locales_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
string[] SupportedUiLocales [get, set]
    Languages and scripts for the user interface supported by this service. This property corresponds to the "ui_locales_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri PolicyUri [get, set]
    The URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. This property corresponds to the "op_policy_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri TosUri [get, set]
    The URI that this OpenID Provider provides to the person registering the client to read about the OP's terms of service. This property corresponds to the "op_tos_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
Uri AuthenticationCallbackEndpoint [get, set]
    The URI of the authentication callback endpoint.
string AuthenticationCallbackApiKey [get, set]
    The API key to access the authentication callback endpoint.
string AuthenticationCallbackApiSecret [get, set]
    The API secret to access the authentication callback endpoint.
Sns[] SupportedSnses [get, set]
    The list of supported SNSes for social login at the direct authorization endpoint.
SnsCredentials[] SnsCredentials [get, set]
    The list of SNS credentials that Authlete uses to support social login.
long CreatedAt [get, set]
    The time at which this service was created. The value is milliseconds since the Unix epoch (1970-Jan-1).
long ModifiedAt [get, set]
    The time at which this service was last modified. The value is milliseconds since the Unix epoch (1970-Jan-1).
Uri DeveloperAuthenticationCallbackEndpoint [get, set]
    The URI of the developer authentication callback endpoint.
string DeveloperAuthenticationCallbackApiKey [get, set]
    The API key to access the developer authentication callback endpoint.
string DeveloperAuthenticationCallbackApiSecret [get, set]
    The API secret to access the developer authentication callback endpoint.
Sns[] SupportedDeveloperSnses [get, set]
    The list of supported SNSes for social login at the developer console. However, this feature is not implemented yet.
SnsCredentials[] DeveloperSnsCredentials [get, set]
    The list of SNS credentials that Authlete uses to support social login at the developer console.
int ClientsPerDeveloper [get, set]
    The number of client applications that one developer can have. 0 means that developers can have as many client applications as they want.
bool IsDirectAuthorizationEndpointEnabled [get, set]
    The flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}. The default value is true, but it is recommended to disable the endpoint for production use.
bool IsDirectTokenEndpointEnabled [get, set]
    The flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}. The default value is true, but it is recommended to disable the endpoint for production use.
bool IsDirectRevocationEndpointEnabled [get, set]
    The flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}.
bool IsDirectUserInfoEndpointEnabled [get, set]
    The flag which indicates whether the direct userinfo endpoint is enabled or not. However, this feature has not been implemented yet.
bool IsDirectJwksEndpointEnabled [get, set]
    The flag which indicates whether the direct JWK Set endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}.
bool IsDirectIntrospectionEndpointEnabled [get, set]
    The flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/standard/direct. The API is protected by the service's pair of API key and API secret.
bool IsSingleAccessTokenPerSubject [get, set]
    The flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more. If this flag is true, an attempt to issue a new access token invalidates existing access tokens which are associated with the same subject and the same client application.
bool IsPkceRequired [get, set]
    The flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests using the Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details.
bool IsRefreshTokenKept [get, set]
    The flag which indicates whether a refresh token remains valid or gets renewed after its use.
bool IsRefreshTokenDurationKept [get, set]
    The flag which indicates whether the remaining duration of the used refresh token is taken over by the newly issued one.
bool IsErrorDescriptionOmitted [get, set]
    The flag which indicates whether the error_description response parameter is omitted.
bool IsErrorUriOmitted [get, set]
    The flag which indicates whether the error_uri response parameter is omitted.
bool IsClientIdAliasEnabled [get, set]
    The flag which indicates whether the "Client ID Alias" feature is enabled or not.
ServiceProfile[] SupportedServiceProfiles [get, set]
    Service profiles supported by this service.
bool IsTlsClientCertificateBoundAccessTokens [get, set]
    The flag which indicates whether this service supports "client certificate bound access tokens".
Uri IntrospectionEndpoint [get, set]
    The URI of the introspection endpoint (RFC 7662: OAuth 2.0 Token Introspection).
ClientAuthMethod[] SupportedIntrospectionAuthMethods [get, set]
    Client authentication methods at the introspection endpoint supported by this service.
bool IsMutualTlsValidatePkiCertChain [get, set]
    The flag which indicates whether this service validates certificate chains during PKI-based client mutual TLS authentication.
string[] TrustedRootCertificates [get, set]
    The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
bool IsDynamicRegistrationSupported [get, set]
    The flag which indicates whether dynamic client registration is supported.
Uri EndSessionEndpoint [get, set]
    The end session endpoint for the service. This endpoint is used by clients to signal to the IdP that the user's session should be terminated. See OpenID Connect Session Management 1.0 for details.
string Description [get, set]
    The description of this service.
string AccessTokenType [get, set]
    The token type of access tokens issued by this authorization server. It is the value of the "token_type" parameter in access token responses (5.1. Successful Response of RFC 6749). "Bearer" is recommended (RFC 6750).
JWSAlg AccessTokenSignAlg [get, set]
    The signature algorithm of access tokens.
long AccessTokenDuration [get, set]
    The duration of access tokens in seconds. It is the value of the "expires_in" parameter in access token responses (5.1. Successful Response of RFC 6749).
long RefreshTokenDuration [get, set]
    The duration of refresh tokens in seconds.
long IdTokenDuration [get, set]
    The duration of ID tokens in seconds.
long AuthorizationResponseDuration [get, set]
    The duration of authorization response JWTs in seconds.
long PushedAuthReqDuration [get, set]
    The duration of pushed authorization requests.
string AccessTokenSignatureKeyId [get, set]
    The key ID to identify a JWK used for signing access tokens.
string AuthorizationSignatureKeyId [get, set]
    The key ID to identify a JWK used for signing authorization responses using an asymmetric key.
string IdTokenSignatureKeyId [get, set]
    The key ID to identify a JWK used for ID token signature using an asymmetric key.
string UserInfoSignatureKeyId [get, set]
    The key ID to identify a JWK used for user info signature using an asymmetric key.
DeliveryMode[] SupportedBackchannelTokenDeliveryModes [get, set]
    The supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.
Uri BackchannelAuthenticationEndpoint [get, set]
    The URI of the backchannel authentication endpoint. This property corresponds to the backchannel_authentication_endpoint metadata.
bool IsBackchannelUserCodeParameterSupported [get, set]
    The boolean flag which indicates whether the user_code request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
int BackchannelAuthReqIdDuration [get, set]
    The duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.
int BackchannelPollingInterval [get, set]
    The minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.
bool IsBackchannelBindingMessageRequiredInFapi [get, set]
    The boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
int AllowableClockSkew [get, set]
    The allowable clock skew between the server and clients in seconds. Must be between 0 and 65,535.
Uri DeviceAuthorizationEndpoint [get, set]
    The URI of the device authorization endpoint.
Uri DeviceVerificationUri [get, set]
    The verification URI for Device Flow (RFC 8628). This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.
Uri DeviceVerificationUriComplete [get, set]
    The verification URI for Device Flow (RFC 8628) with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.
int DeviceFlowCodeDuration [get, set]
    The duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.
int DeviceFlowPollingInterval [get, set]
    The minimum interval between polling requests to the token endpoint from client applications in seconds in Device Flow (RFC 8628). This is used as the value of the interval property in responses from the device authorization endpoint.
UserCodeCharset UserCodeCharset [get, set]
    The character set for end-user verification codes (user_code) for Device Flow (RFC 8628).
int UserCodeLength [get, set]
    The length of end-user verification codes (user_code) for Device Flow (RFC 8628).
Uri PushedAuthReqEndpoint [get, set]
    The URI of the pushed authorization request endpoint.
NamedUri[] MtlsEndpointAliases [get, set]
    The MTLS endpoint aliases.
string[] SupportedAuthorizationDataTypes [get, set]
    The supported data types that can be used as values of the type field in authorization_details.
string[] SupportedTrustFrameworks [get, set]
    Trust frameworks supported by this service.
string[] SupportedEvidence [get, set]
    Evidence supported by this service.
string[] SupportedIdentityDocuments [get, set]
    Identity documents supported by this service.
string[] SupportedVerificationMethods [get, set]
    Verification methods supported by this service.
string[] SupportedVerifiedClaims [get, set]
    Verified claims supported by this service.
bool IsMissingClientIdAllowed [get, set]
    The flag which indicates whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
bool IsParRequired [get, set]
    The flag which indicates whether this service requires that clients use PAR (Pushed Authorization Request).
bool IsRequestObjectRequired [get, set]
    The flag which indicates whether this service requires that authorization requests always use a request object, via either the request or the request_uri request parameter.
bool IsTraditionalRequestObjectProcessingApplied [get, set]
    The flag which indicates whether a request object is processed based on the rules defined in OpenID Connect Core 1.0 or in JAR (JWT Secured Authorization Request).
bool IsClaimShortcutRestrictive [get, set]
    The flag which indicates whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.
bool IsScopeRequired [get, set]
    The flag which indicates whether requests that request no scope are rejected or not.
Detailed Description

Information about a service which represents an authorization server / OpenID provider.
Some properties correspond to the ones listed in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

JWT-based access token

When the AccessTokenSignAlg property holds a non-null value, access tokens issued by this service become JWTs. The value held by the property is used as the signature algorithm of the JWTs. When the property holds null, access tokens issued by this service are random strings as before.

A JWT-based access token has the following claims.

scope (string): Space-delimited scope names.
client_id (string): Client ID.
exp (integer): Time at which this access token will expire. Seconds since the Unix epoch.
iat (integer): Time at which this access token was issued. Seconds since the Unix epoch.
sub (string): The subject (unique identifier) of the resource owner who approved issuance of this access token. This claim does not exist or its value is null if this access token was issued by the resource owner password credentials flow.
iss (string): The issuer identifier of this service.
jti (string): The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token.
cnf (object): If this access token is bound to a client certificate, this claim is included. The type of its value is object and the sub-object contains an x5t#S256 claim. The value of the x5t#S256 claim is the X.509 Certificate SHA-256 thumbprint of the client certificate. See "3.1. X.509 Certificate Thumbprint Confirmation Method for JWT" of OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens for details.

Visible (= not hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.

This feature of JWT-based access tokens is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.
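As an added illustration (not code from Authlete or this library), the checks a resource server would run on the claims listed above once a JOSE library has verified the JWS signature against the service's JWK Set: the AllowableClockSkew tolerance on exp, iat and nbf, the scope check, and the cnf.x5t#S256 certificate-binding check. The issuer, the certificate bytes and the claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

# Constructed sample values (not from Authlete): a stand-in for the DER bytes of the
# client certificate presented on the mutual-TLS connection, and an assumed issuer.
SAMPLE_CLIENT_CERT_DER = b"constructed DER bytes of the client certificate"
SAMPLE_ISSUER = "https://op.example.com"


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 thumbprint: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sample_claims(now: int, bound: bool = True) -> dict:
    """Constructed payload of a JWT-based access token carrying the claims listed above."""
    claims = {
        "iss": SAMPLE_ISSUER,
        "sub": "user-12345",            # absent for the password credentials flow
        "client_id": "26478901234567",
        "scope": "openid profile read:accounts",
        "iat": now,
        "exp": now + 3600,              # AccessTokenDuration of 3600 seconds
        "jti": "constructed-random-string-form-of-the-token",
    }
    if bound:
        claims["cnf"] = {"x5t#S256": x5t_s256(SAMPLE_CLIENT_CERT_DER)}
    return claims


def validate_access_token_claims(claims: dict, expected_issuer: str,
                                 required_scopes: set, allowable_clock_skew: int,
                                 now: int, client_cert_der: Optional[bytes]) -> List[str]:
    """Check the claims of a JWT-based access token at a resource server.

    Returns a list of problems; an empty list means the token is acceptable.
    `claims` is the payload a JOSE library returned AFTER verifying the JWS signature
    against the service's JWK Set (signature verification is out of scope here).
    `allowable_clock_skew` plays the role of the service's AllowableClockSkew and is
    applied to exp, iat and nbf. `client_cert_der` is the certificate the client
    presented over mutual TLS, or None if the connection was not mutually authenticated.
    """
    problems: List[str] = []

    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + allowable_clock_skew:
        problems.append("expired (exp)")

    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + allowable_clock_skew:
        problems.append("issued in the future (iat)")

    nbf = claims.get("nbf")  # not among the listed claims, but honoured if present
    if nbf is not None and nbf > now + allowable_clock_skew:
        problems.append("not yet valid (nbf)")

    granted = set(claims.get("scope", "").split())
    missing = required_scopes - granted
    if missing:
        problems.append("missing scope: " + " ".join(sorted(missing)))

    if not claims.get("client_id") or not claims.get("jti"):
        problems.append("client_id or jti absent")

    # Certificate binding: a token carrying cnf.x5t#S256 may only be used over a
    # mutual-TLS connection whose client certificate has exactly that thumbprint.
    cnf = claims.get("cnf")
    if cnf is not None:
        expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
        if client_cert_der is None:
            problems.append("certificate-bound token presented without a client certificate")
        elif not isinstance(expected, str) or not hmac.compare_digest(
                expected.encode("utf-8"), x5t_s256(client_cert_der).encode("utf-8")):
            problems.append("client certificate does not match cnf.x5t#S256")

    return problems


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(validate_access_token_claims(sample_claims(now), SAMPLE_ISSUER, {"openid"},
                                       60, now, SAMPLE_CLIENT_CERT_DER))
    print(validate_access_token_claims(sample_claims(now), SAMPLE_ISSUER, {"openid"},
                                       60, now, b"some other certificate"))
```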

AccessTokenDuration [get, set]
The duration of access tokens in seconds. It is the value of the "expires_in" parameter in access token responses (5.1. Successful Response of RFC 6749).

AccessTokenSignAlg [get, set]
The signature algorithm of access tokens.
When the value of this property is null, access tokens issued by this service are just random strings. On the other hand, when this property holds a non-null value, access tokens issued by this service are JWTs and the value of this property represents the signature algorithm of the JWTs. Regarding the format, see the description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.
Note that symmetric algorithms (HS256, HS384 and HS512) are not supported.
Since version 1.3.0.

AccessTokenSignatureKeyId [get, set]
The key ID to identify a JWK used for signing access tokens.
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick one JWK for signing from the JWK Set when it generates a JWT-based access token (see the description of AccessTokenSignAlg for details about JWT-based access tokens). Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for access token signature. If exactly one JWK candidate satisfies the conditions, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick one JWK from among the candidates.
This property exists for the purpose described above.
Since version 1.3.0.

AccessTokenType [get, set]
The token type of access tokens issued by this authorization server. It is the value of the "token_type" parameter in access token responses (5.1. Successful Response of RFC 6749). "Bearer" is recommended (RFC 6750).

AllowableClockSkew [get, set]
The allowable clock skew between the server and clients in seconds. Must be between 0 and 65,535.
The clock skew is taken into consideration when time-related claims in a JWT (e.g. exp, iat, nbf) are verified.
Since version 1.3.0.

ApiKey [get, set]
The API key of this service.

ApiSecret [get, set]
The API secret of this service.

AuthenticationCallbackApiKey [get, set]
The API key to access the authentication callback endpoint.

AuthenticationCallbackApiSecret [get, set]
The API secret to access the authentication callback endpoint.

AuthenticationCallbackEndpoint [get, set]
The URI of the authentication callback endpoint.

AuthorizationEndpoint [get, set]
The URI of the authorization endpoint (3.1. Authorization Endpoint of RFC 6749). This property corresponds to the "authorization_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

AuthorizationResponseDuration [get, set]
The duration of authorization response JWTs in seconds.
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.
Since version 1.2.0.

AuthorizationSignatureKeyId [get, set]
The key ID to identify a JWK used for signing authorization responses using an asymmetric key.
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) has added new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is used, response parameters returned from the authorization endpoint will be packed into a JWT. The JWT is always signed. For the signature of the JWT, Authlete Server has to pick one JWK from the service's JWK Set.
Authlete Server searches the JWK Set for a JWK which satisfies the conditions for authorization response signature. If exactly one JWK candidate satisfies the conditions, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick one JWK from among the candidates. This property exists to specify that key ID.
Since version 1.2.0.

BackchannelAuthenticationEndpoint [get, set]
The URI of the backchannel authentication endpoint. This property corresponds to the backchannel_authentication_endpoint metadata.
The backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Since version 1.3.0.

BackchannelAuthReqIdDuration [get, set]
The duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.
Since version 1.3.0.

BackchannelPollingInterval [get, set]
The minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.
Since version 1.3.0.

ClientsPerDeveloper [get, set]
The number of client applications that one developer can have. 0 means that developers can have as many client applications as they want.

CreatedAt [get, set]
The time at which this service was created. The value is milliseconds since the Unix epoch (1970-Jan-1).

Description [get, set]
The description of this service.

DeveloperAuthenticationCallbackApiKey [get, set]
The API key to access the developer authentication callback endpoint.

DeveloperAuthenticationCallbackApiSecret [get, set]
The API secret to access the developer authentication callback endpoint.

DeveloperAuthenticationCallbackEndpoint [get, set]
The URI of the developer authentication callback endpoint.

DeveloperSnsCredentials [get, set]
The list of SNS credentials that Authlete uses to support social login at the developer console.

DeviceAuthorizationEndpoint [get, set]
The URI of the device authorization endpoint.
This property corresponds to the device_authorization_endpoint server metadata defined in RFC 8628 (OAuth 2.0 Device Authorization Grant).
Since version 1.4.0.

DeviceFlowCodeDuration [get, set]
The duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.
Since version 1.4.0.

DeviceFlowPollingInterval [get, set]
The minimum interval between polling requests to the token endpoint from client applications in seconds in Device Flow (RFC 8628). This is used as the value of the interval property in responses from the device authorization endpoint.
The value must be between 0 and 65535.
Since version 1.4.0.

DeviceVerificationUri [get, set]
The verification URI for Device Flow (RFC 8628). This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.
Since version 1.4.0.

DeviceVerificationUriComplete [get, set]
The verification URI for Device Flow (RFC 8628) with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.
It is expected that the URI contains the fixed string USER_CODE somewhere as a placeholder for a user code. For example, like the following.
The fixed string is replaced with an actual user code when Authlete builds a verification URI with a user code for the verification_uri_complete parameter.
If this URI is not set, the verification_uri_complete parameter won't appear in device authorization responses.
Since version 1.4.0.

EndSessionEndpoint [get, set]
The end session endpoint for the service. This endpoint is used by clients to signal to the IdP that the user's session should be terminated. See OpenID Connect Session Management 1.0 for details.
Since version 1.4.0.

IdTokenDuration [get, set]
The duration of ID tokens in seconds.

IdTokenSignatureKeyId [get, set]
The key ID to identify a JWK used for ID token signature using an asymmetric key.
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick one JWK for signing from the JWK Set when it generates an ID token and signs it using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for ID token signature. If exactly one JWK candidate satisfies the conditions, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick one JWK from among the candidates.
This property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.
Since version 1.2.0.
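The key-selection rule shared by AccessTokenSignatureKeyId, AuthorizationSignatureKeyId and IdTokenSignatureKeyId, written out as an added example (not Authlete's own code): filter the JWK Set down to keys whose kty, crv, use and alg fit the requested signature algorithm, accept a single candidate, and otherwise require a kid to disambiguate. The JWK Set below is constructed with placeholder key members; ALG_KEY_REQUIREMENTS follows the key types RFC 7518 assigns to each algorithm.

```python
import json
from typing import Optional

# Constructed JWK Set (public members only, placeholder values; not from Authlete).
# It deliberately holds two RS256 signing keys so that RS256 is ambiguous without a kid,
# the situation the *SignatureKeyId properties exist to resolve (e.g. during key rotation).
SAMPLE_JWK_SET = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rsa-2023", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rsa-2024", "n": "placeholder", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "crv": "P-256", "kid": "ec-1", "x": "placeholder", "y": "placeholder"},
    {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-1", "n": "placeholder", "e": "AQAB"},
]})

# Key type (and EC curve) each asymmetric JWS algorithm requires (RFC 7518).
ALG_KEY_REQUIREMENTS = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}


class KeySelectionError(Exception):
    """Raised when no single JWK can be chosen for the requested signature."""


def signing_candidates(jwk_set: dict, alg: str) -> list:
    """JWKs usable for `alg`: matching kty/crv and not restricted to another use or alg."""
    if alg in ("HS256", "HS384", "HS512"):
        raise KeySelectionError("symmetric algorithms are not supported for these signatures")
    try:
        kty, crv = ALG_KEY_REQUIREMENTS[alg]
    except KeyError:
        raise KeySelectionError(f"unknown signature algorithm {alg!r}") from None
    out = []
    for jwk in jwk_set.get("keys", []):
        if jwk.get("kty") != kty:
            continue
        if crv is not None and jwk.get("crv") != crv:
            continue
        if jwk.get("use", "sig") != "sig":          # an absent "use" means unrestricted
            continue
        if "alg" in jwk and jwk["alg"] != alg:      # an absent "alg" means unrestricted
            continue
        out.append(jwk)
    return out


def select_signing_jwk(jwk_set_json: str, alg: str, key_id: Optional[str] = None) -> dict:
    """Pick the JWK to sign with, the way the key ID properties disambiguate.

    Exactly one candidate: use it. Several candidates: `key_id` must name one of them.
    `key_id` plays the role of AccessTokenSignatureKeyId, AuthorizationSignatureKeyId
    or IdTokenSignatureKeyId, depending on which artifact is being signed.
    """
    cands = signing_candidates(json.loads(jwk_set_json), alg)
    if not cands:
        raise KeySelectionError(f"no JWK in the set can sign with {alg}")
    if key_id is not None:
        matches = [k for k in cands if k.get("kid") == key_id]
        if len(matches) != 1:
            raise KeySelectionError(f"kid {key_id!r} does not identify exactly one {alg} signing key")
        return matches[0]
    if len(cands) == 1:
        return cands[0]
    kids = [k.get("kid") for k in cands]
    raise KeySelectionError(f"multiple JWKs can sign with {alg} ({kids}); set the key ID property")


if __name__ == "__main__":
    print(select_signing_jwk(SAMPLE_JWK_SET, "ES256")["kid"])             # unique candidate
    print(select_signing_jwk(SAMPLE_JWK_SET, "RS256", "rsa-2024")["kid"])  # kid resolves it
    try:
        select_signing_jwk(SAMPLE_JWK_SET, "RS256")                       # ambiguous
    except KeySelectionError as err:
        print(err)
```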

IntrospectionEndpoint [get, set]
The URI of the introspection endpoint (RFC 7662: OAuth 2.0 Token Introspection).
Since version 1.0.9.

IsBackchannelBindingMessageRequiredInFapi [get, set]
The boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
Since version 1.4.0.

IsBackchannelUserCodeParameterSupported [get, set]
The boolean flag which indicates whether the user_code request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
Since version 1.3.0.

IsClaimShortcutRestrictive [get, set]
The flag which indicates whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.
To strictly conform to the description below, excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
Since version 1.5.0.

IsClientIdAliasEnabled [get, set]
The flag which indicates whether the "Client ID Alias" feature is enabled or not.
When a new client is created, Authlete generates a numeric value and assigns it as a client ID to the newly created client. In addition to the client ID, each client can have a client ID alias. The client ID alias is, however, recognized only when this property is true.
Since version 1.2.0.

IsDirectAuthorizationEndpointEnabled [get, set]
The flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}. The default value is true, but it is recommended to disable the endpoint for production use.
Authlete provides APIs for developers to implement an authorization endpoint (3.1. Authorization Endpoint) such as /api/auth/authorization, /api/auth/authorization/issue and /api/auth/authorization/fail. On the other hand, the direct authorization endpoint is an implementation that directly works as an authorization endpoint. However, the endpoint exists mainly for development / experiment purposes, so it is recommended to disable it in a production environment.
|
getset |
The flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/standard/direct
. The API is protected by pairs of API key and API secret of services.
Authlete provides an API (/api/auth/introspection/standard
) for developers to implement an introspection endpoint (RFC 7662). On the other hand, the direct introspection endpoint is an implementation that directly works as an introspection endpoint.
Note that Authlete provides another different introspection API (/api/auth/introspection
). It does not comply with RFC 7662 but is much more useful for developers who implement protected resource endpoints.
|
getset |
The flag which indicates whether the direct JWK Set endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}
.
Authlete provides an API (/api/service/jwks/get
) for developers to implement a JWK Set endpoint which exposes the JWK Set (RFC 7517) of the service. On the other hand, the direct JWK Set endpoint is an implementation that directly works as a JWK Set endpoint.
|
getset |
The flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}
.
Authlete provides an API (/api/auth/revocation
) for developers to implement a revocation endpoint (RFC 7009). On the other hand, the direct revocation endpoint is an implementation that directly works as a revocation endpoint.
|
getset |
The flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}
. The default value is true
, but it is recommended to disable the endpoint for production use.
Authlete provides APIs for developers to implement a token endpoint (3.2. Token Endpoint) such as /api/auth/token
, /api/auth/token/issue
and /api/auth/token/fail
. On the other hand, the direct token endpoint is an implementation that directly works as a token endpoint. However, the endpoint exists mainly for development / experiment purposes, so it is recommended to disable it in a production environment.

[get, set]
The flag which indicates whether the direct userinfo endpoint is enabled or not. However, this feature has not been implemented yet.
Authlete provides APIs for developers to implement a userinfo endpoint (5.3. UserInfo Endpoint) such as /api/auth/userinfo and /api/auth/userinfo/issue.

[get, set]
The flag which indicates whether dynamic client registration is supported.
Since version 1.4.0.

[get, set]
The flag which indicates whether the error_description response parameter is omitted.
According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this property is true, Authlete does not embed the error_description response parameter in error responses.
Since version 1.2.0.

[get, set]
The flag which indicates whether the error_uri response parameter is omitted.
According to RFC 6749, authorization servers may include the error_uri response parameter in error responses. When this property is true, Authlete does not embed the error_uri response parameter in error responses.
Since version 1.2.0.

[get, set]
The flag which indicates whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from the authorization_code or refresh_token.
This property should not be set to true unless you have special reasons.
Since version 1.4.0.

[get, set]
The flag which indicates whether this service validates certificate chains during PKI-based client mutual TLS authentication.
Since version 1.1.0.

[get, set]
The flag which indicates whether this service requires that clients use PAR (Pushed Authorization Request).
This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".
Since version 1.4.0.

[get, set]
The flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests using the Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details.
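Several of the flags above (the two direct endpoints that default to enabled, the missing-client_id allowance, PKCE enforcement, PKI chain validation) are the ones worth re-checking before a service goes live. The following production-readiness check is an added example, not Authlete tooling: it runs over a constructed service configuration and reports each setting still in its weak state, then shows the corrected copy. The JSON field names it uses are assumed to mirror the flag descriptions above; verify them against the Service schema of the Authlete version you run before relying on this.

```python
# Added example of a production-readiness check over a service configuration.
# Not Authlete tooling. The JSON field names are ASSUMED for the illustration
# (they mirror the flag descriptions above); verify them against the Service
# schema of the Authlete version you run before relying on this.
import json

# (field, default when the field is absent, value that is a finding, message)
CHECKS = [
    ("directAuthorizationEndpointEnabled", True, True,
     "direct authorization endpoint enabled: it exists for development/experiments, disable it in production"),
    ("directTokenEndpointEnabled", True, True,
     "direct token endpoint enabled: it exists for development/experiments, disable it in production"),
    ("missingClientIdAllowed", False, True,
     "token requests without client_id are accepted: keep this false unless you have a special reason"),
    ("pkceRequired", False, False,
     "PKCE (RFC 7636) is not required for the authorization code flow"),
    ("mutualTlsValidatePkiCertChain", False, False,
     "certificate chains are not validated for PKI-based mutual TLS client authentication"),
]


def audit_service(service: dict) -> list:
    """Return one finding per weak setting; an empty list means every check passed.

    Absent fields are evaluated at their documented default, so a freshly
    created service with the direct endpoints left enabled is reported.
    """
    findings = []
    for field, default, bad_value, message in CHECKS:
        if service.get(field, default) == bad_value:
            findings.append(f"{field}: {message}")
    return findings


def hardened(service: dict) -> dict:
    """Return a copy of the configuration with every checked setting in its safe state."""
    fixed = dict(service)
    for field, _default, bad_value, _message in CHECKS:
        fixed[field] = not bad_value
    return fixed


# Constructed sample: a development service whose defaults were left untouched.
SAMPLE_SERVICE_JSON = json.dumps({
    "serviceName": "example-dev",
    "directAuthorizationEndpointEnabled": True,
    "directTokenEndpointEnabled": True,
    "pkceRequired": False,
})


def sample_service() -> dict:
    """Parse the constructed sample configuration."""
    return json.loads(SAMPLE_SERVICE_JSON)


if __name__ == "__main__":
    svc = sample_service()
    for finding in audit_service(svc):
        print("WARN", finding)
    print("findings after hardening:", audit_service(hardened(svc)))
```

Running it on the sample reports four findings (the two direct endpoints, PKCE not required, and chain validation off by default); the hardened copy reports none.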

[get, set]
The flag which indicates whether the remaining duration of the used refresh token is taken over to the newly issued one.
Since version 1.4.0.

[get, set]
The flag which indicates whether a refresh token remains valid or gets renewed after its use.
Since version 1.2.0.

[get, set]
The flag which indicates whether this service requires that authorization requests always utilize a request object by using either the request or the request_uri request parameter.
If this flag is true and the IsTraditionalRequestObjectProcessingApplied property is false, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.
Since version 1.5.0.

[get, set]
The flag which indicates whether requests that request no scope are rejected or not.
When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request as requesting no scope. When this flag is true, requests that request no scope are rejected.
The requirement below, excerpted from RFC 6749 Section 3.3, does not explicitly mention the case where the default scope set is empty.
"If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."
However, if you interpret the state "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
Since version 1.5.0.

[get, set]
The flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more. If this flag is true, an attempt to issue a new access token invalidates existing access tokens which are associated with the same subject and the same client application.
Note, however, that attempts by the Client Credentials Flow do not invalidate existing access tokens because access tokens issued by the Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by the Refresh Token Flow invalidates the coupled access token only, and this invalidation is always performed regardless of whether this flag is true or false.
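The three rules just stated (a new issue retires existing tokens of the same subject and client, Client Credentials tokens are exempt because they carry no subject, and a refresh always retires only the coupled token) are easy to get wrong in a home-grown token store. The toy in-memory store below is an added illustration of them, not Authlete code; the class and method names are mine, and it always rotates the refresh token, which the refresh-token-kept flag described above would otherwise control.

```python
# Added illustration of the single-access-token-per-subject rules; not Authlete code.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessToken:
    value: str
    client_id: int
    subject: Optional[str]          # None for tokens issued by the Client Credentials Flow
    refresh_token: Optional[str]    # refresh token coupled with this access token
    active: bool = True


class TokenStore:
    """Toy in-memory token store modelling the invalidation rules described above."""

    def __init__(self, single_access_token_per_subject: bool) -> None:
        self.single = single_access_token_per_subject
        self.tokens: dict = {}

    def _mint(self, client_id: int, subject: Optional[str], with_refresh: bool) -> AccessToken:
        tok = AccessToken(secrets.token_urlsafe(24), client_id, subject,
                          secrets.token_urlsafe(24) if with_refresh else None)
        self.tokens[tok.value] = tok
        return tok

    def issue(self, client_id: int, subject: Optional[str], with_refresh: bool = True) -> AccessToken:
        """Issue a token for a grant such as Authorization Code (subject known) or
        Client Credentials (subject None, so nothing is invalidated)."""
        if self.single and subject is not None:
            for t in self.tokens.values():
                if t.active and t.subject == subject and t.client_id == client_id:
                    t.active = False
        return self._mint(client_id, subject, with_refresh)

    def refresh(self, refresh_token: str) -> AccessToken:
        """Refresh Token Flow: retire the coupled access token only, whatever the flag.

        Assumption of this toy: the refresh token is rotated on every use.
        """
        old = next((t for t in self.tokens.values()
                    if t.active and t.refresh_token == refresh_token), None)
        if old is None:
            raise ValueError("unknown or already used refresh token")
        old.active = False
        return self._mint(old.client_id, old.subject, True)

    def active_values(self, client_id: int, subject: Optional[str]) -> list:
        """Sorted values of the active tokens for one subject/client pair."""
        return sorted(t.value for t in self.tokens.values()
                      if t.active and t.client_id == client_id and t.subject == subject)
```

With the flag on, a second login of the same user with the same client leaves exactly one active token, while two Client Credentials tokens for that client coexist and a refresh swaps only its own token.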

[get, set]
The issuer identifier of this OpenID provider. This property corresponds to the "issuer" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The flag which indicates whether this service supports "client certificate bound access tokens".
If this property is true, client applications whose IsClientCertificateBoundAccessTokens property is true are required to present a client certificate on token requests to the authorization server and on API calls to the resource server.
Since version 1.1.0.

[get, set]
The flag which indicates whether a request object is processed based on the rules defined in OpenID Connect Core 1.0 or those defined in JAR (JWT Secured Authorization Request).
The rules in OpenID Connect Core 1.0 differ from those in JAR in the following points:
- The response_type request parameter must exist outside a request object even if the request object includes the request parameter.
- The scope request parameter must exist outside a request object if the authorization request is an OIDC request, even if the request object includes the request parameter.
If this flag is false and the IsRequestObjectRequired property is true, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.
Since version 1.5.0.
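How the two flags combine into the require_signed_request_object metadata value, and what each rule set checks on an incoming request, is shown by the added example below. It is not Authlete code: the function names and error strings are mine, the request object is passed in already decoded, and the merge rule for JAR (only the request object's parameters are used, RFC 9101 Section 6.3) and for OpenID Connect Core 1.0 (request object values take precedence, Section 6.1) are quoted from those specifications rather than from this page.

```python
# Added illustration of the two request-object rule sets and of how the
# require_signed_request_object metadata value is derived from the two flags.
# Not Authlete code; function names and error strings are my own.
from typing import Optional


def require_signed_request_object(request_object_required: bool,
                                  traditional_processing_applied: bool) -> bool:
    """Value reported as require_signed_request_object in the discovery document:
    true only when request objects are mandatory AND JAR rules (not OIDC Core
    rules) are applied to them."""
    return request_object_required and not traditional_processing_applied


def validate_authorization_request(query: dict,
                                   request_object: Optional[dict],
                                   request_object_alg: Optional[str],
                                   request_object_required: bool,
                                   traditional_processing_applied: bool) -> list:
    """Return a list of policy violations (empty list = accepted).

    query              -> parameters sent outside the request object
    request_object     -> decoded payload of the request/request_uri JWT, or None
    request_object_alg -> its JWS "alg" header ("none" = unsigned)
    """
    errors = []
    if request_object is None:
        if request_object_required:
            errors.append("request object required: use the request or request_uri parameter")
        return errors

    if require_signed_request_object(request_object_required, traditional_processing_applied) \
            and request_object_alg in (None, "none"):
        errors.append("require_signed_request_object: unsigned request object rejected")

    if traditional_processing_applied:
        # OpenID Connect Core 1.0 rules: response_type must also be present outside
        # the request object (and agree with it); scope containing openid must also
        # be present outside for an OIDC request.
        if "response_type" not in query:
            errors.append("OIDC Core: response_type missing outside the request object")
        elif request_object.get("response_type", query["response_type"]) != query["response_type"]:
            errors.append("OIDC Core: response_type inside and outside the request object differ")
        all_scopes = (request_object.get("scope", "") + " " + query.get("scope", "")).split()
        if "openid" in all_scopes and "openid" not in query.get("scope", "").split():
            errors.append("OIDC Core: scope containing openid missing outside the request object")
    return errors


def effective_parameters(query: dict, request_object: Optional[dict],
                         traditional_processing_applied: bool) -> dict:
    """Parameters the authorization server acts on after merging.

    JAR (RFC 9101, Section 6.3): only the request object's parameters are used.
    OIDC Core 1.0 (Section 6.1): request object values take precedence over
    parameters passed outside it.
    """
    if request_object is None:
        return dict(query)
    if not traditional_processing_applied:
        return dict(request_object)
    merged = dict(query)
    merged.update(request_object)
    return merged
```

A request carrying only client_id outside a signed request object passes under JAR rules but collects two OIDC Core violations; the same request object sent unsigned is rejected only once require_signed_request_object is true.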

[get, set]
The JWK Set of this service.

[get, set]
The URI of the JWK Set of this service. This property corresponds to the "jwks_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The time at which this service was last modified. The value is milliseconds since the Unix epoch (1970-Jan-1).

[get, set]
The MTLS endpoint aliases.
This property corresponds to the mtls_endpoint_aliases server metadata defined in RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens).
The aliases will be embedded in the response from the discovery endpoint like the following.
Since version 1.4.0.

[get, set]
The URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. This property corresponds to the "op_policy_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The duration of pushed authorization requests.
"OAuth 2.0 Pushed Authorization Requests" (PAR) defines an endpoint (called the "pushed authorization request endpoint") into which client applications register authorization requests and from which they receive corresponding URIs (called "request URIs"). The issued request URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.
The value held by this property represents the duration in seconds of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.
Since version 1.4.0.
getset |
The URI of the pushed authorization request endpoint.
This property corresponds to the pushed_authorization_request_endpoint
server metadata defined in "OAuth 2.0 Pushed Authorization Requests" (PAR).
Since version 1.4.0.
|
getset |
The duration of refresh tokens in seconds.
|
getset |
The URI of the registration endpoint (3. Client Registration Endpoint) of OpenID Connect Dynamic Client Registration 1.0). This property corresponds to the "registration_endpoint"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
The URI of the registration management endpoint. If dynamic client registration is supported and this property is set, the URI will be used as the basis of the client's management endpoint by appending /clientID/
to it as a path element. If this property is unset, the value of the RegistrationEndpoint
property will be used as the URI base instead.
Since version 1.4.0.
|
getset |
The URI of the revocation endpoint (RFC 7009). This property corresponds to the "revocation_endpoint"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
The URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider. This property corresponds to the "service_documentation"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
The service name.
|
getset |
The list of SNS credentials that Authlete uses to support social login.
|
getset |
ACR (Authentication Context Class Reference) values supported by this service. This property corresponds to the "acr_values_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
The supported data types that can be used as values of the type
field in authorization_details
.
This property corresponds to the authorization_data_types_supported
server metadata defined in "OAuth 2.0 Rich Authorization Requests" (RAR).
Since version 1.4.0.
|
getset |
The supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported
metadata.
Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Since version 1.3.0.
|
getset |
Language and scripts for claim values supported by this service. This property corresponds to the "claims_locales_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Claims supported by this service. This property corresponds to the "claims_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Claim types supported by this service (5.6. Claim Types in OpenID Connect Core 1.0). This property corresponds to the "claim_types_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
The list of supported SNSes for social login at the developer console. However, this feature is not implemented yet.
|
getset |
Values of the "display"
request parameter supported by this service. This property corresponds to the "display_values_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Evidence supported by this service.
This corresponds to the evidence_supported
server metadata defined in OpenID Connect for Identity Assurance 1.0.
Since version 1.4.0.
|
getset |
Grant types supported by this service. This property corresponds to the "grant_types_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Identity documents supported by this service.
This corresponds to the id_documents_supported
server metadata defined in OpenID Connect for Identity Assurance 1.0.
Since version 1.4.0.
|
getset |
Client authentication methods at the introspection endpoint supported by this service.
This property corresponds to the "introspection_endpoint_auth_methods_supported"
metadata defined in "OAuth 2.0 Authorization Server
Metadata".
Since version 1.0.9.
|
getset |
Response types supported by this service (OAuth 2.0 Multiple Response Type Encoding Practices). This property corresponds to the "response_types_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Client authentication methods at the revocation endpoint supported by this service.
This property corresponds to the "revocation_endpoint_auth_methods_supported"
metadata defined in "OAuth 2.0 Authorization Server
Metadata".
Since version 1.0.9.
|
getset |
Scopes supported by this service (3.3. Access Token Scope of RFC 6749). This property corresponds to the "scopes_supported"
metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.
|
getset |
Service profiles supported by this service.
Since version 1.0.8.
|
getset |
The list of supported SNSes for social login at the direct authorization endpoint.

[get, set]
Client authentication methods at the token endpoint supported by this service. This property corresponds to the "token_endpoint_auth_methods_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
Trust frameworks supported by this service.
This property corresponds to the trust_frameworks_supported server metadata defined in OpenID Connect for Identity Assurance 1.0.
Since version 1.4.0.

[get, set]
Languages and scripts for the user interface supported by this service. This property corresponds to the "ui_locales_supported" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
Verification methods supported by this service.
This property corresponds to the id_documents_verification_methods_supported server metadata defined in OpenID Connect for Identity Assurance 1.0.
Since version 1.4.0.

[get, set]
Verified claims supported by this service.
This property corresponds to the claims_in_verified_claims_supported server metadata defined in OpenID Connect for Identity Assurance 1.0.
Since version 1.4.0.

[get, set]
The URI of the token endpoint (3.2. Token Endpoint of RFC 6749). This property corresponds to the "token_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The URI that this OpenID Provider provides to the person registering the client to read about the OP's terms of service. This property corresponds to the "op_tos_uri" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
Since version 1.1.0.

[get, set]
The character set for end-user verification codes (user_code) for Device Flow (RFC 8628).
Since version 1.4.0.

[get, set]
The length of end-user verification codes (user_code) for Device Flow (RFC 8628).
The value must not be negative and must not be greater than 255.
Since version 1.4.0.
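The two settings above together decide how hard a user_code is to guess, which matters because the device flow's verification page is reachable by anyone who can type. The following added example (not Authlete code; the generator, the checks and the sample character set are mine) enforces the documented 0..255 length range, draws the code from a CSPRNG, groups it for display, normalizes what the user types back, and computes the resulting entropy so the two settings can be sized together.

```python
# Added illustration for the user_code character set and length settings.
# Not Authlete code: the generator, the checks and the sample charset are mine.
import math
import secrets

# Constructed sample charset: the 20 upper-case consonants. Leaving out vowels
# avoids accidental words and the set has no visually confusable pairs; RFC 8628,
# Section 6.1 uses an alphabet of this style in its example.
SAMPLE_USER_CODE_CHARSET = "BCDFGHJKLMNPQRSTVWXZ"


def is_valid_user_code_length(length: int) -> bool:
    """The documented range: not negative and not greater than 255."""
    return 0 <= length <= 255


def generate_user_code(charset: str, length: int, group: int = 4, sep: str = "-") -> str:
    """Draw `length` characters from `charset` with a CSPRNG and group them for display."""
    if not is_valid_user_code_length(length):
        raise ValueError(f"user_code length must be in 0..255, got {length}")
    if not charset:
        raise ValueError("charset must not be empty")
    if len(set(charset)) != len(charset):
        raise ValueError("charset must not contain duplicate characters")
    raw = "".join(secrets.choice(charset) for _ in range(length))
    if group <= 0:
        return raw
    return sep.join(raw[i:i + group] for i in range(0, length, group))


def normalize_user_code(typed: str, charset: str) -> str:
    """Canonical form for lookup: RFC 8628, Section 6.1 suggests being lenient
    with case and separators when the user types the code back.
    Assumes an upper-case charset, as in the sample above."""
    return "".join(ch for ch in typed.upper() if ch in charset)


def user_code_entropy_bits(charset: str, length: int) -> float:
    """Guessing resistance of a code: log2(|charset| ** length)."""
    if not is_valid_user_code_length(length):
        raise ValueError(f"user_code length must be in 0..255, got {length}")
    return length * math.log2(len(charset))
```

Eight characters from the 20-letter sample set give about 34.6 bits, which is only adequate because the verification endpoint also rate-limits attempts; shortening the code or the character set lowers that figure quickly, so size the two settings together.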

[get, set]
The URI of the UserInfo endpoint (5.3. UserInfo Endpoint of OpenID Connect Core 1.0). This property corresponds to the "userinfo_endpoint" metadata defined in 3. OpenID Provider Metadata of OpenID Connect Discovery 1.0.

[get, set]
The key ID to identify a JWK used for user info signature using an asymmetric key.
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from the UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This property exists for the purpose described above. This mechanism is needed for key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys).
Since version 1.2.0.
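The selection procedure described above is shown in the added example below; it is not Authlete's implementation, and the JWK Set it runs on is constructed with placeholder key material. The candidate conditions it applies (key type and curve required by the algorithm, "use" not set to "enc", "alg" not bound to a different algorithm) are the ones RFC 7517 and RFC 7518 make available; which conditions Authlete Server applies exactly is not stated on this page. The rotation case is the one that matters: the moment a second RSA key is published, selection without a key ID fails.

```python
# Added illustration of picking the user-info signing key from a JWK Set and of
# why a key ID becomes necessary once several keys qualify. Not Authlete code;
# the JWK Set below is constructed (placeholder key material) and the functions are mine.
import json

# Key type / curve a JWS algorithm needs (RFC 7518).
ALG_REQUIREMENTS = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}


def signing_candidates(jwk_set: dict, alg: str) -> list:
    """All JWKs in the set that could sign with `alg`: matching kty (and crv for EC),
    not marked for encryption, and not bound to a different alg."""
    kty, crv = ALG_REQUIREMENTS[alg]
    out = []
    for jwk in jwk_set.get("keys", []):
        if jwk.get("kty") != kty:
            continue
        if crv is not None and jwk.get("crv") != crv:
            continue
        if jwk.get("use", "sig") != "sig":
            continue
        if jwk.get("alg", alg) != alg:
            continue
        out.append(jwk)
    return out


def select_signing_jwk(jwk_set: dict, alg: str, kid=None) -> dict:
    """Mirror the selection rule described above.

    Exactly one candidate -> use it (a given kid must still match it).
    Several candidates    -> a kid is required to disambiguate.
    """
    candidates = signing_candidates(jwk_set, alg)
    if not candidates:
        raise LookupError(f"no JWK in the set can sign with {alg}")
    if kid is not None:
        matches = [k for k in candidates if k.get("kid") == kid]
        if len(matches) != 1:
            raise LookupError(f"kid {kid!r} does not identify exactly one {alg} key")
        return matches[0]
    if len(candidates) > 1:
        raise LookupError(f"{len(candidates)} JWKs can sign with {alg}; set a key ID to choose one")
    return candidates[0]


def selected_kid(jwk_set: dict, alg: str, kid=None):
    """Convenience: kid of the selected key, or None when selection fails."""
    try:
        return select_signing_jwk(jwk_set, alg, kid).get("kid")
    except LookupError:
        return None


# Constructed JWK Set: two RSA keys (the state during key rotation), one EC key,
# and an encryption key. The "n"/"x"/"y" values are placeholders, not real keys.
SAMPLE_JWK_SET = json.loads("""{
  "keys": [
    {"kty": "RSA", "kid": "rsa-2023", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER_N_1", "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-2024", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER_N_2", "e": "AQAB"},
    {"kty": "EC",  "kid": "ec-1", "use": "sig", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "n": "PLACEHOLDER_N_3", "e": "AQAB"}
  ]
}""")
```

On the sample set, ES256 selects the single EC key without help, RS256 fails until the key ID names rsa-2023 or rsa-2024, and the encryption-only key is never chosen even when its kid is named.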