Client class models an OpenID Connect or OAuth 2.0 client -
e.g. a native application, a web application or a JS-based application.
- Specifies if client is enabled. Defaults to true.
- Unique ID of the client
- List of client secrets - credentials to access the token endpoint.
- Specifies whether this client needs a secret to request tokens from the token endpoint (defaults to
- Specifies the grant types the client is allowed to use. Use the
GrantTypesclass for common combinations.
- Specifies whether clients using an authorization code based grant type must send a proof key
- Specifies whether clients using PKCE can use a plain text code challenge (not recommended - and default to
- Specifies the allowed URIs to return tokens or authorization codes to
- By default a client has no access to any resources - specify the allowed resources by adding the corresponding scopes names
- Specifies whether this client can request refresh tokens (be requesting the
- Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser.
- Specifies allowed URIs to redirect to after logout
- Specifies logout URI at client for HTTP based logout
- Specifies if the user’s session id should be sent to the LogoutUri. Defaults to true.
- Specifies if this client can use local accounts, or external IdPs only. Defaults to true.
- Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty.
- Lifetime to identity token in seconds (defaults to 300 seconds / 5 minutes)
- Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour)
- Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes)
- Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days
- Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days
ReUsethe refresh token handle will stay the same when refreshing tokens
OneTimethe refresh token handle will be updated when refreshing tokens
Absolutethe refresh token will expire on a fixed point in time (specified by the AbsoluteRefreshTokenLifetime)
Slidingwhen refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime.
- Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request.
Specifies whether the access token is a reference token or a self contained JWT token (defaults to Jwt).
note production usage of reference tokens requires and implementation of
- Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim).
- Allows settings claims for the client (will be included in the access token).
- If set, the client claims will be sent for every flow. If not, only for client credentials flow (default is false)
- If set, all client claims will be prefixed with client_ to make sure they don’t accidentally collide with user claims. Default is true.
- Specifies whether a consent screen is required. Defaults to true.
Specifies whether user can choose to store consent decisions. Defaults to true.
note production usage of that features requires an implementation of
- Client display name (used for logging and consent screen)
- URI to further information about client (used on consent screen)
- URI to client logo (used on consent screen)