Clients
clients
Statically Configured Clients
An array of client metadata objects representing statically configured OAuth 2.0 and OpenID Connect clients. These clients are persistent, do not expire, and remain available throughout the authorization server’s lifetime. For dynamic client resolution, the authorization server will invoke the adapter’s find method when encountering unregistered client identifiers.
To restrict the authorization server to only statically configured clients and disable dynamic registration, configure the adapter to return falsy values for client lookup operations (e.g., return Promise.resolve()).
Each client’s metadata shall be validated according to the specifications in which the respective properties are defined.
default value:
[]

Example: Available Metadata.

application_type, client_id, client_name, client_secret, client_uri, contacts, default_acr_values, default_max_age, grant_types, id_token_signed_response_alg, initiate_login_uri, jwks, jwks_uri, logo_uri, policy_uri, redirect_uris, require_auth_time, response_types, response_modes, scope, sector_identifier_uri, subject_type, token_endpoint_auth_method, tos_uri

The following metadata is available but may not be recognized depending on this authorization server’s configuration:

authorization_details_types, authorization_encrypted_response_alg, authorization_encrypted_response_enc, authorization_signed_response_alg, backchannel_authentication_request_signing_alg, backchannel_client_notification_endpoint, backchannel_logout_session_required, backchannel_logout_uri, backchannel_token_delivery_mode, backchannel_user_code_parameter, dpop_bound_access_tokens, id_token_encrypted_response_alg, id_token_encrypted_response_enc, introspection_encrypted_response_alg, introspection_encrypted_response_enc, introspection_signed_response_alg, post_logout_redirect_uris, request_object_encryption_alg, request_object_encryption_enc, request_object_signing_alg, require_pushed_authorization_requests, require_signed_request_object, tls_client_auth_san_dns, tls_client_auth_san_email, tls_client_auth_san_ip, tls_client_auth_san_uri, tls_client_auth_subject_dn, tls_client_certificate_bound_access_tokens, token_endpoint_auth_signing_alg, use_mtls_endpoint_aliases, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc, userinfo_signed_response_alg
clientBasedCORS
Cross-Origin Resource Sharing (CORS)
Specifies a function that determines whether Cross-Origin Resource Sharing (CORS) requests shall be permitted based on the requesting client. This function is invoked for each actual CORS request to evaluate the client’s authorization to access the authorization server from the specified origin. The function receives three arguments: ctx (the Koa request context), origin (the requesting origin string), and client (the resolved Client instance). It must return a boolean (or a Promise resolving to one).
See Configuring Client Metadata-based CORS Origin allow list
default value:
function clientBasedCORS(ctx, origin, client) {
  // public clients and the userinfo endpoint are commonly called from the browser,
  // so allow only origins that match one of the client's registered redirect URIs
  if (ctx.oidc.route === 'userinfo' || client.clientAuthMethod === 'none') {
    return client.redirectUris.some((uri) => URL.parse(uri)?.origin === origin);
  }
  return false;
}

clientDefaults
Default Client Metadata
Specifies default client metadata values that shall be applied when properties are not explicitly provided during Dynamic Client Registration or for statically configured clients. This configuration allows override of the authorization server’s built-in default values for any supported client metadata property.
default value:
{
  grant_types: [ 'authorization_code' ],
  id_token_signed_response_alg: 'RS256',
  response_types: [ 'code' ],
  token_endpoint_auth_method: 'client_secret_basic'
}

Example: Changing the default client token_endpoint_auth_method.
To change the default client token_endpoint_auth_method, configure clientDefaults to be an object like so:
{
  token_endpoint_auth_method: 'client_secret_post'
}

Example: Changing the default client response type to `code id_token`.
To change the default client response_types, configure clientDefaults to be an object like so:
{
  response_types: ['code id_token'],
  grant_types: ['authorization_code', 'implicit'],
}

clientAuthMethods
Supported Client Authentication Methods
Specifies the client authentication methods that this authorization server shall support for authenticating clients at the token endpoint and other authenticated endpoints.
default value:
[
  'client_secret_basic',
  'client_secret_jwt',
  'client_secret_post',
  'private_key_jwt',
  'none'
]

Example: Supported values list.

[
  'none',
  'client_secret_basic',
  'client_secret_post',
  'client_secret_jwt',
  'private_key_jwt',
  'tls_client_auth', // these methods are only available when features.mTLS is configured
  'self_signed_tls_client_auth',
]

extraClientMetadata
Custom Client Metadata Properties
Specifies the configuration for custom client metadata properties that shall be supported by the authorization server for client registration and metadata validation purposes. This configuration enables extension of standard OAuth 2.0 and OpenID Connect client metadata with deployment-specific properties. Existing standards-defined properties are camelCased on a Client instance (e.g. client.redirectUris), while new properties defined by this configuration shall be available with their names verbatim (e.g. client['urn:example:client:my-property']).
extraClientMetadata.properties
Specifies an array of property names that clients shall be allowed to have defined within their client metadata during registration and management operations. Each property name listed here extends the standard client metadata schema according to authorization server policy.
default value:
[]

extraClientMetadata.validator
Specifies a validator function that shall be executed in order once for every property defined in extraClientMetadata.properties, regardless of its value or presence in the client metadata passed during registration or update operations. The function MUST be synchronous; async validators or functions returning Promise shall be rejected during runtime. To modify the current client metadata values (for the current key or any other) simply modify the passed in metadata argument within the validator function.
default value:
function extraClientMetadataValidator(ctx, key, value, metadata) {
  // @param ctx - koa request context (only provided when a client is being constructed during
  //   Client Registration Request or Client Update Request)
  // @param key - the client metadata property name
  // @param value - the property value
  // @param metadata - the current accumulated client metadata
}
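As an added example (not code from the oidc-provider documentation or project), the following ties together the clientBasedCORS and extraClientMetadata sections above: a custom client metadata property holding a CORS origin allow-list, normalized and checked by a synchronous extraClientMetadata.validator at registration time, and a clientBasedCORS function that permits a cross-origin request only from an origin the client registered. The property name urn:example:client:allowed-origins and the toOrigin helper are assumptions; a deployment would throw the provider's own client-metadata error type instead of a plain Error.

```javascript
// Assumed custom property name; extra properties are exposed verbatim on a Client
// instance (client['urn:example:client:allowed-origins']).
const ALLOWED_ORIGINS = 'urn:example:client:allowed-origins';

// Return the normalized origin of value, or null unless it is an absolute
// http(s) URL that is *only* an origin (no credentials, path, query or fragment).
function toOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // "https://app.example.com/callback" is a redirect URI, not an origin: reject it
  if (url.href !== `${url.origin}/`) return null;
  return url.origin; // lowercased host, default port dropped
}

// Synchronous validator, as extraClientMetadata.validator requires. It is called
// once per configured property even when the property is absent, so do nothing
// for other keys or a missing value; otherwise reject malformed entries and
// write the normalized, de-duplicated list back into the accumulated metadata.
function extraClientMetadataValidator(ctx, key, value, metadata) {
  if (key !== ALLOWED_ORIGINS || value === undefined) return;
  if (!Array.isArray(value)) {
    throw new Error(`${key} must be an array of origins`);
  }
  const origins = value.map((entry) => {
    const origin = toOrigin(entry);
    if (origin === null) throw new Error(`${key} contains an invalid origin: ${entry}`);
    return origin;
  });
  metadata[key] = [...new Set(origins)];
}

// Allow a CORS request only when the exact origin is in the client's allow-list;
// clients that registered no list get no cross-origin access at all.
function clientBasedCORS(ctx, origin, client) {
  const allowed = client[ALLOWED_ORIGINS];
  return Array.isArray(allowed) && allowed.includes(origin);
}

// Configuration fragment wiring both pieces together (assumed deployment).
const extraClientMetadata = {
  properties: [ALLOWED_ORIGINS],
  validator: extraClientMetadataValidator,
};
```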