OAuth2.Client.Metadata
persistent class OAuth2.Client.Metadata extends %Library.Persistent, OAuth2.Metadata
SQL Table Name: OAuth2_Client.Metadata
OAuth 2.0 client metadata as specified by OpenID Connect Dynamic Client Registration. Note that this class also includes the response data which is returned for dynamic client registration. OPTIONAL and REQUIRED in the property descriptions below refer to optional/required by the OpenID Connect specifications.
Property Inventory
- access_token_encrypted_response_alg
- access_token_encrypted_response_enc
- access_token_signed_response_alg
- application_type
- client_id
- client_id_issued_at
- client_name
- client_secret
- client_secret_expires_at
- client_uri
- contacts
- default_acr_values
- default_max_age
- frontchannel_logout_session_required
- frontchannel_logout_uri
- grant_types
- id_token_encrypted_response_alg
- id_token_encrypted_response_enc
- id_token_signed_response_alg
- initiate_login_uri
- jwks
- jwks_uri
- logo_uri
- policy_uri
- post_logout_redirect_uris
- redirect_uris
- registration_access_token
- registration_client_uri
- request_object_encryption_alg
- request_object_encryption_enc
- request_object_signing_alg
- request_uris
- require_auth_time
- response_types
- sector_identifier_uri
- subject_type
- token_endpoint_auth_method
- token_endpoint_auth_signing_alg
- tos_uri
- userinfo_encrypted_response_alg
- userinfo_encrypted_response_enc
- userinfo_signed_response_alg
Method Inventory
Properties
property access_token_encrypted_response_alg as %String (VALUELIST = ",none,RSA1_5,RSA-OAEP,A128KW,A192KW,A256KW,dir");
ADDITIONAL. JWE alg algorithm REQUIRED for encrypting a JWT access token.
If both signing and encryption are requested, the
response will be signed then encrypted, with the result being a Nested JWT.
The default, if omitted, is that no encryption is performed.
Property methods: access_token_encrypted_response_algDisplayToLogical(), access_token_encrypted_response_algGet(), access_token_encrypted_response_algGetStored(), access_token_encrypted_response_algIsValid(), access_token_encrypted_response_algLogicalToDisplay(), access_token_encrypted_response_algLogicalToOdbc(), access_token_encrypted_response_algNormalize(), access_token_encrypted_response_algSet()
property access_token_encrypted_response_enc as %String (VALUELIST = ",none,A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
ADDITIONAL. JWE enc algorithm REQUIRED for encrypting a JWT access token.
If access_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256.
When access_token_encrypted_response_alg is included, access_token_encrypted_response_enc MUST also be provided.
Property methods: access_token_encrypted_response_encDisplayToLogical(), access_token_encrypted_response_encGet(), access_token_encrypted_response_encGetStored(), access_token_encrypted_response_encIsValid(), access_token_encrypted_response_encLogicalToDisplay(), access_token_encrypted_response_encLogicalToOdbc(), access_token_encrypted_response_encNormalize(), access_token_encrypted_response_encSet()
property access_token_signed_response_alg as %String (VALUELIST = ",none,RS256,RS384,RS512,HS256,HS384,HS512,ES256,ES384,ES512");
ADDITIONAL. JWS alg algorithm REQUIRED for signing a JWT access token.
The default, if omitted, is for the introspection endpoint Response to not be signed.
Property methods: access_token_signed_response_algDisplayToLogical(), access_token_signed_response_algGet(), access_token_signed_response_algGetStored(), access_token_signed_response_algIsValid(), access_token_signed_response_algLogicalToDisplay(), access_token_signed_response_algLogicalToOdbc(), access_token_signed_response_algNormalize(), access_token_signed_response_algSet()
property application_type as %String;
OPTIONAL. Kind of the application. The default, if omitted, is web. The
defined values are native or web. Web Clients using the OAuth Implicit
Grant Type MUST only register URLs using the https scheme as
redirect_uris; they MUST NOT use localhost as the hostname. Native
Clients MUST only register redirect_uris using custom URI schemes or
URLs using the http: scheme with localhost as the hostname.
Authorization Servers MAY place additional constraints on Native Clients.
Authorization Servers MAY reject Redirection URI values using the http
scheme, other than the localhost case for Native Clients. The Authorization
Server MUST verify that all the registered redirect_uris conform to these
constraints. This prevents sharing a Client ID across different types of
Clients.
Property methods: application_typeDisplayToLogical(), application_typeGet(), application_typeGetStored(), application_typeIsValid(), application_typeLogicalToDisplay(), application_typeLogicalToOdbc(), application_typeNormalize(), application_typeSet()
property client_id as %String;
Used only for OpenID Connect Dynamic Registration Response.
REQUIRED. Unique Client Identifier. It MUST NOT be currently valid for any other registered Client.
Property methods: client_idDisplayToLogical(), client_idGet(), client_idGetStored(), client_idIsValid(), client_idLogicalToDisplay(), client_idLogicalToOdbc(), client_idNormalize(), client_idSet()
property client_id_issued_at as %Integer;
Used only for OpenID Connect Dynamic Registration Response.
OPTIONAL. Time at which the Client Identifier was issued. Its value is a JSON number representing the number of seconds from 19700101T0:0:0Z as measured in UTC until the date/time.
Property methods: client_id_issued_atDisplayToLogical(), client_id_issued_atGet(), client_id_issued_atGetStored(), client_id_issued_atIsValid(), client_id_issued_atLogicalToDisplay(), client_id_issued_atNormalize(), client_id_issued_atSet()
property client_name as %String (MAXLEN = 128);
OPTIONAL. Name of the Client to be presented to the EndUser.
Property methods: client_nameDisplayToLogical(), client_nameGet(), client_nameGetStored(), client_nameIsValid(), client_nameLogicalToDisplay(), client_nameLogicalToOdbc(), client_nameNormalize(), client_nameSet()
property client_secret as %String;
Used only for OpenID Connect Dynamic Registration Response.
OPTIONAL. Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. This value is used by Confidential Clients to authenticate to the Token Endpoint, as described in Section 2.3.1 of OAuth 2.0, and for the derivation of symmetric encryption key values, as described in Section 10.2 of OpenID Connect Core. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt unless symmetric encryption will be used.
Property methods: client_secretDisplayToLogical(), client_secretGet(), client_secretGetStored(), client_secretIsValid(), client_secretLogicalToDisplay(), client_secretLogicalToOdbc(), client_secretNormalize(), client_secretSet()
property client_secret_expires_at as %Integer;
Used only for OpenID Connect Dynamic Registration Response.
REQUIRED if client_secret is issued. Time at which the client_secret will expire or 0 if it will not expire. Its value is a JSON number representing the number of seconds from 19700101T0:0:0Z as measured in UTC until the date/time.
Property methods: client_secret_expires_atDisplayToLogical(), client_secret_expires_atGet(), client_secret_expires_atGetStored(), client_secret_expires_atIsValid(), client_secret_expires_atLogicalToDisplay(), client_secret_expires_atNormalize(), client_secret_expires_atSet()
property client_uri as %OAuth2.uri;
OPTIONAL. URL of the home page of the Client. The value of this field MUST
point to a valid Web page. If present, the server SHOULD display this URL to
the EndUser in a followable fashion.
Property methods: client_uriDisplayToLogical(), client_uriGet(), client_uriGetStored(), client_uriIsValid(), client_uriLogicalToDisplay(), client_uriLogicalToOdbc(), client_uriNormalize(), client_uriSet()
property contacts as %List;
OPTIONAL. An array, which is represented as a $list, of email addresses of people responsible for this Client.
This might be used by some providers to enable a Web user interface to modify the Client information.
Property methods: contactsGet(), contactsGetStored(), contactsIsValid(), contactsLogicalToOdbc(), contactsOdbcToLogical(), contactsSet()
property default_acr_values as %List;
OPTIONAL. Default requested Authentication Context Class Reference values.
Array of strings that specifies the default acr values that the OP is being
requested to use for processing requests from this Client, with the values
appearing in order of preference. The Authentication Context Class satisfied
by the authentication performed is returned as the acr Claim Value in the
issued ID Token. The acr Claim is requested as a Voluntary Claim by this
parameter. The acr_values_supported discovery element contains a list of
the acr values supported by this server. Values specified in the
acr_values request parameter or an individual acr Claim request override
these default values.
This property is currently not supported and is ignored during registration.
Property methods: default_acr_valuesGet(), default_acr_valuesGetStored(), default_acr_valuesIsValid(), default_acr_valuesLogicalToOdbc(), default_acr_valuesOdbcToLogical(), default_acr_valuesSet()
property default_max_age as %Integer;
OPTIONAL. Default Maximum Authentication Age.
Specifies that the EndUser MUST be actively authenticated if the EndUser
was authenticated longer ago than the specified number of seconds.
The max_age request parameter overrides this default value.
If omitted, no default Maximum Authentication Age is specified.
Property methods: default_max_ageDisplayToLogical(), default_max_ageGet(), default_max_ageGetStored(), default_max_ageIsValid(), default_max_ageLogicalToDisplay(), default_max_ageNormalize(), default_max_ageSet()
property frontchannel_logout_session_required as %Boolean;
OPTIONAL. Boolean value specifying whether the client requires that iss (issuer) and sid (session ID)
query parameters be included to identify the client session with the OpenID Provider
when the frontchannel_logout_uri is used. If omitted, the default value is false.
Property methods: frontchannel_logout_session_requiredDisplayToLogical(), frontchannel_logout_session_requiredGet(), frontchannel_logout_session_requiredGetStored(), frontchannel_logout_session_requiredIsValid(), frontchannel_logout_session_requiredLogicalToDisplay(), frontchannel_logout_session_requiredNormalize(), frontchannel_logout_session_requiredSet()
property frontchannel_logout_uri as %OAuth2.uri;
OPTIONAL. URL that will cause the client to log itself out when rendered in an iframe by the OpenID Provider.
This URL SHOULD use the https scheme and MAY contain port, path, and query parameter components; however,
it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of
OAuth 2.0 [RFC6749], and provided the OP allows the use of http client URIs. An iss (issuer) query parameter and a
sid (session ID) query parameter MAY be included by the OP to enable the client to validate the request and
to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.
Property methods: frontchannel_logout_uriDisplayToLogical(), frontchannel_logout_uriGet(), frontchannel_logout_uriGetStored(), frontchannel_logout_uriIsValid(), frontchannel_logout_uriLogicalToDisplay(), frontchannel_logout_uriLogicalToOdbc(), frontchannel_logout_uriNormalize(), frontchannel_logout_uriSet()
property grant_types as %List;
OPTIONAL. An array, which is represented as a $list, containing a list of the OAuth 2.0 Grant Types that
the Client is declaring that it will restrict itself to using.
The Grant Type values used by OpenID Connect are:
authorization_code: The Authorization Code Grant Type described in OAuth 2.0 Section 4.1.
implicit: The Implicit Grant Type described in OAuth 2.0 [RFC3986] Section 4.2.
refresh_token: The Refresh Token Grant Type described in OAuth 2.0 Section 6.
The following table lists the correspondence between response_type values that the Client will use and grant_type values that MUST be included in the registered grant_types list:
code: authorization_code
id_token: implicit
token id_token: implicit
code id_token: authorization_code, implicit
code token: authorization_code, implicit
code token id_token: authorization_code, implicit
The grant_types property is optional during client registration and defaults to code. However, the grant_types property is required when configuring using the SMP.
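The correspondence table above is easy to get wrong in a registration handler because response_type values are space-separated sets whose token order is not significant ("id_token token" and "token id_token" name the same response type). The following is an added example, not code from the OAuth2.Client.Metadata class: it canonicalises each registered response_type, derives the grant_types the table says MUST be present, and reports which ones a registration request is missing. The function names and the sample registration request are this example's own; omitted response_types and grant_types are treated as the code defaults the descriptions above give.

```python
"""Derive required grant_types from response_types (added example, not part
of the OAuth2.Client.Metadata class)."""

# response_type value -> grant_type values that MUST appear in grant_types
# (the table from the grant_types property description)
RESPONSE_TO_GRANT = {
    "code": {"authorization_code"},
    "id_token": {"implicit"},
    "token id_token": {"implicit"},
    "code id_token": {"authorization_code", "implicit"},
    "code token": {"authorization_code", "implicit"},
    "code token id_token": {"authorization_code", "implicit"},
}

# canonical token order used for the table keys above
_TOKEN_ORDER = {"code": 0, "token": 1, "id_token": 2}


def normalize_response_type(value: str) -> str:
    """A response_type is a space-separated set of tokens; order does not
    matter, so sort the tokens into the order the table uses."""
    parts = value.split()
    if not parts or len(set(parts)) != len(parts):
        raise ValueError(f"invalid response_type: {value!r}")
    if any(p not in _TOKEN_ORDER for p in parts):
        raise ValueError(f"unknown response_type token in {value!r}")
    return " ".join(sorted(parts, key=_TOKEN_ORDER.__getitem__))


def required_grant_types(response_types):
    """Union of the grant types implied by the registered response_types.
    If response_types is omitted the client uses only the code response type."""
    if not response_types:
        response_types = ["code"]
    needed = set()
    for rt in response_types:
        canonical = normalize_response_type(rt)
        if canonical not in RESPONSE_TO_GRANT:
            raise ValueError(f"response_type {rt!r} has no grant_types mapping")
        needed |= RESPONSE_TO_GRANT[canonical]
    return needed


def check_grant_types(metadata: dict) -> set:
    """Return the grant types the registration is missing (empty set = OK).
    An omitted grant_types list means the authorization code grant only,
    which is what the description's 'default to code' refers to."""
    registered = set(metadata.get("grant_types") or ["authorization_code"])
    return required_grant_types(metadata.get("response_types")) - registered


if __name__ == "__main__":
    # constructed registration request: hybrid flow declared, implicit missing
    request = {
        "client_name": "Example RP",
        "response_types": ["code id_token"],
        "grant_types": ["authorization_code", "refresh_token"],
    }
    print("missing grant_types:", check_grant_types(request))
```

Rejecting the request (or, where policy allows, adding the missing grant types and echoing the amended list in the registration response) is what keeps the later authorization-endpoint checks consistent with what the client registered.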
Property methods: grant_typesGet(), grant_typesGetStored(), grant_typesIsValid(), grant_typesLogicalToOdbc(), grant_typesOdbcToLogical(), grant_typesSet()
property id_token_encrypted_response_alg as %String (VALUELIST = ",none,RSA1_5,RSA-OAEP,A128KW,A192KW,A256KW,dir");
OPTIONAL. JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client.
If this is requested, the response will be signed then encrypted, with the result being a Nested JWT.
The default, if omitted, is that no encryption is performed.
Property methods: id_token_encrypted_response_algDisplayToLogical(), id_token_encrypted_response_algGet(), id_token_encrypted_response_algGetStored(), id_token_encrypted_response_algIsValid(), id_token_encrypted_response_algLogicalToDisplay(), id_token_encrypted_response_algLogicalToOdbc(), id_token_encrypted_response_algNormalize(), id_token_encrypted_response_algSet()
property id_token_encrypted_response_enc as %String (VALUELIST = ",none,A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
OPTIONAL. JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client.
If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256.
When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
Property methods: id_token_encrypted_response_encDisplayToLogical(), id_token_encrypted_response_encGet(), id_token_encrypted_response_encGetStored(), id_token_encrypted_response_encIsValid(), id_token_encrypted_response_encLogicalToDisplay(), id_token_encrypted_response_encLogicalToOdbc(), id_token_encrypted_response_encNormalize(), id_token_encrypted_response_encSet()
property id_token_signed_response_alg as %String (VALUELIST = ",RS256,RS384,RS512,HS256,HS384,HS512,ES256,ES384,ES512") [ InitialExpression = "RS256" ];
OPTIONAL. JWS alg algorithm REQUIRED for signing the ID Token issued to this Client.
The value none MUST NOT be used as the ID Token alg
value unless the Client uses only Response Types that return no ID Token
from the Authorization Endpoint (such as when only using the Authorization Code Flow).
The default, if omitted, is RS256. The public key for validating
the signature is provided by retrieving the JWK Set referenced by the
jwks_uri element from OpenID Connect Discovery.
Property methods: id_token_signed_response_algDisplayToLogical(), id_token_signed_response_algGet(), id_token_signed_response_algGetStored(), id_token_signed_response_algIsValid(), id_token_signed_response_algLogicalToDisplay(), id_token_signed_response_algLogicalToOdbc(), id_token_signed_response_algNormalize(), id_token_signed_response_algSet()
property initiate_login_uri as %OAuth2.uri;
OPTIONAL. URI using the https scheme that a third party can use to initiate
a login by the RP, as specified in Section 4 of OpenID Connect Core.
The URI MUST accept requests via both GET and POST.
The Client MUST understand the login_hint and iss parameters and SHOULD
support the target_link_uri parameter.
This property is currently not supported and is ignored during registration.
Property methods: initiate_login_uriDisplayToLogical(), initiate_login_uriGet(), initiate_login_uriGetStored(), initiate_login_uriIsValid(), initiate_login_uriLogicalToDisplay(), initiate_login_uriLogicalToOdbc(), initiate_login_uriNormalize(), initiate_login_uriSet()
property jwks as %OAuth2.JSONString;
OPTIONAL. Client's JSON Web Key Set document, passed by value.
The semantics of the jwks parameter are the same as the jwks_uri
parameter, other than that the JWK Set is passed by value, rather than by
reference. This parameter is intended only to be used by Clients that, for
some reason, are unable to use the jwks_uri parameter, for instance, by
native applications that might not have a location to host the contents of the
JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One
significant downside of jwks is that it does not enable key rotation (which
jwks_uri does, as described in Section 10 of [OpenID.Core]).
The jwks_uri and jwks parameters MUST NOT be used together.
Property methods: jwksDisplayToLogical(), jwksGet(), jwksGetStored(), jwksIsValid(), jwksLogicalToDisplay(), jwksLogicalToOdbc(), jwksNormalize(), jwksSet()
property jwks_uri as %OAuth2.uri;
OPTIONAL. URL for the Client's JSON Web Key Set document. If the
Client signs requests to the Server, it contains the signing key(s) the Server
uses to validate signatures from the Client. The JWK Set MAY also contain
the Client's encryption key(s), which are used by the Server to encrypt
responses to the Client. When both signing and encryption keys are made
available, a use (Key Use) parameter value is REQUIRED for all keys in the
referenced JWK Set to indicate each key's intended usage. Although some
algorithms allow the same key to be used for both signatures and
encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK
x5c parameter MAY be used to provide X.509 representations of keys
provided. When used, the bare key values MUST still be present and MUST
match those in the certificate.
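The jwks and jwks_uri descriptions above give a server several checks to run on a client's key material: the two parameters must not be used together, every key needs a use parameter once the set mixes signing and encryption keys, the same key should not serve both purposes, and a key carrying x5c must still carry its bare parameters. The following is an added example and not code from the OAuth2.Client.Metadata class; the function names and the sample JWK Set are this example's own, and the key values in it are constructed placeholders, not real keys. Agreement between the x5c certificate and the bare key is not checked here, since that needs an X.509 parser.

```python
"""Checks on a client's JWK Set as described for jwks / jwks_uri
(added example, not part of the OAuth2.Client.Metadata class)."""

# bare public parameters that must be present per key type
BARE_PARAMS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "oct": ("k",)}


def check_jwks_source(metadata: dict) -> list:
    """(severity, message) findings about where the key set comes from."""
    findings = []
    has_uri = bool(metadata.get("jwks_uri"))
    has_value = bool(metadata.get("jwks"))
    if has_uri and has_value:
        findings.append(("error", "jwks and jwks_uri MUST NOT be used together"))
    elif has_value and metadata.get("application_type", "web") == "web":
        # heuristic: jwks by value is meant for clients that cannot host a
        # jwks_uri (typically native apps); it also gives up key rotation
        findings.append(("warn", "web client registered jwks by value; jwks_uri allows key rotation"))
    return findings


def public_fingerprint(key: dict):
    """Tuple identifying the key material, or None if bare params are missing."""
    params = BARE_PARAMS.get(key.get("kty"))
    if params is None or any(p not in key for p in params):
        return None
    return (key["kty"],) + tuple(key[p] for p in params)


def check_jwk_set(jwk_set: dict) -> list:
    """(severity, message) findings for a parsed JWK Set document."""
    findings = []
    keys = jwk_set.get("keys", [])
    uses = {k.get("use") for k in keys}
    mixed = "sig" in uses and "enc" in uses
    by_material = {}
    for i, key in enumerate(keys):
        label = f"key {i} (kid={key.get('kid')!r})"
        if mixed and key.get("use") not in ("sig", "enc"):
            findings.append(("error", f"{label}: 'use' is REQUIRED when the set mixes sig and enc keys"))
        fp = public_fingerprint(key)
        if fp is None:
            # applies whether or not x5c is present: bare values MUST be there
            findings.append(("error", f"{label}: bare key parameters missing for kty {key.get('kty')!r}"))
            continue
        by_material.setdefault(fp, set()).add(key.get("use"))
    for use_set in by_material.values():
        if {"sig", "enc"} <= use_set:
            findings.append(("warn", "same key material used for both sig and enc (NOT RECOMMENDED)"))
    return findings


if __name__ == "__main__":
    # constructed JWK Set: placeholder values, not real key material
    sample = {"keys": [
        {"kty": "RSA", "kid": "k1", "use": "sig", "n": "n-placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "k2", "use": "enc", "n": "n-placeholder", "e": "AQAB"},
        {"kty": "EC", "kid": "k3", "crv": "P-256", "x": "x-placeholder", "y": "y-placeholder"},
    ]}
    for severity, message in check_jwk_set(sample):
        print(severity, message)
```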
Property methods: jwks_uriDisplayToLogical(), jwks_uriGet(), jwks_uriGetStored(), jwks_uriIsValid(), jwks_uriLogicalToDisplay(), jwks_uriLogicalToOdbc(), jwks_uriNormalize(), jwks_uriSet()
property logo_uri as %OAuth2.uri;
OPTIONAL. URL that references a logo for the Client application.
If present, the server SHOULD display this image to the EndUser during approval.
The value of this field MUST point to a valid image file.
Property methods: logo_uriDisplayToLogical(), logo_uriGet(), logo_uriGetStored(), logo_uriIsValid(), logo_uriLogicalToDisplay(), logo_uriLogicalToOdbc(), logo_uriNormalize(), logo_uriSet()
property policy_uri as %OAuth2.uri;
OPTIONAL. URL that the Relying Party Client provides to the EndUser to
read about how the profile data will be used. The value of this field
MUST point to a valid web page. The OpenID Provider SHOULD display this
URL to the EndUser if it is given.
Property methods: policy_uriDisplayToLogical(), policy_uriGet(), policy_uriGetStored(), policy_uriIsValid(), policy_uriLogicalToDisplay(), policy_uriLogicalToOdbc(), policy_uriNormalize(), policy_uriSet()
property post_logout_redirect_uris as %List;
Array of URLs supplied by the client to which it MAY request that the End-User's User Agent be redirected
after a logout has been performed.
Property methods: post_logout_redirect_urisGet(), post_logout_redirect_urisGetStored(), post_logout_redirect_urisIsValid(), post_logout_redirect_urisLogicalToOdbc(), post_logout_redirect_urisOdbcToLogical(), post_logout_redirect_urisSet()
property redirect_uris as %List;
REQUIRED. An array, which is represented as a $list, of Redirection URI values used by the Client.
One of these registered Redirection URI values MUST exactly match the redirect_uri
parameter value used in each Authorization Request, with the matching
performed as described in Section 6.2.1 (Simple String Comparison).
Property methods: redirect_urisGet(), redirect_urisGetStored(), redirect_urisIsValid(), redirect_urisLogicalToOdbc(), redirect_urisOdbcToLogical(), redirect_urisSet()
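The application_type and redirect_uris descriptions above together define what an authorization server must verify at registration time (https-only, non-localhost URLs for web clients using the implicit grant; custom schemes or http://localhost for native clients) and at authorization time (the redirect_uri parameter must exactly match a registered value under Simple String Comparison). The following is an added example serving both passages and is not code from the OAuth2.Client.Metadata class. It rejects http URLs for all web clients, which the descriptions permit as a server policy ("MAY reject") rather than require; the function names and sample registrations are this example's own.

```python
"""redirect_uris checks at registration and at authorization time
(added example, not part of the OAuth2.Client.Metadata class)."""
from urllib.parse import urlsplit


def check_redirect_uris(metadata: dict) -> list:
    """Return a list of problems with the registered redirect_uris (empty = OK)."""
    uris = metadata.get("redirect_uris") or []
    if not uris:
        return ["redirect_uris is REQUIRED"]
    app_type = metadata.get("application_type", "web")  # default is web
    if app_type not in ("web", "native"):
        return [f"application_type must be web or native, got {app_type!r}"]
    uses_implicit = "implicit" in (metadata.get("grant_types") or [])
    problems = []
    for uri in uris:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if app_type == "native":
            custom_scheme = parts.scheme not in ("http", "https", "")
            if not (custom_scheme or (parts.scheme == "http" and host == "localhost")):
                problems.append(f"{uri}: native clients may only register custom schemes or http://localhost URLs")
        elif parts.scheme != "https":
            # implicit web clients MUST use https; for other web clients this
            # is the policy the description allows with "MAY reject ... http"
            problems.append(f"{uri}: web clients must register https redirect URIs")
        elif uses_implicit and host == "localhost":
            problems.append(f"{uri}: web clients using the implicit grant MUST NOT use localhost")
    return problems


def match_redirect_uri(registered, requested: str) -> bool:
    """Simple String Comparison: the redirect_uri in an authorization request
    must be character-for-character equal to one registered value. There is
    no normalisation, prefix match or host-only match, so a trailing slash
    or an extra query parameter is a mismatch."""
    return any(requested == value for value in registered)


if __name__ == "__main__":
    # constructed registrations
    native = {"application_type": "native",
              "redirect_uris": ["com.example.app:/cb", "http://localhost:8080/cb"]}
    web = {"redirect_uris": ["https://app.example/cb", "http://app.example/cb"],
           "grant_types": ["authorization_code", "implicit"]}
    print(check_redirect_uris(native))
    print(check_redirect_uris(web))
    print(match_redirect_uri(web["redirect_uris"], "https://app.example/cb/"))
```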
property registration_access_token as %String;
Used only for OpenID Connect Dynamic Registration Response.
OPTIONAL. Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration.
Property methods: registration_access_tokenDisplayToLogical(), registration_access_tokenGet(), registration_access_tokenGetStored(), registration_access_tokenIsValid(), registration_access_tokenLogicalToDisplay(), registration_access_tokenLogicalToOdbc(), registration_access_tokenNormalize(), registration_access_tokenSet()
property registration_client_uri as %OAuth2.uri;
Used only for OpenID Connect Dynamic Registration Response.
OPTIONAL. Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration. Implementations MUST either return both a Client Configuration Endpoint and a Registration Access Token or neither of them.
Property methods: registration_client_uriDisplayToLogical(), registration_client_uriGet(), registration_client_uriGetStored(), registration_client_uriIsValid(), registration_client_uriLogicalToDisplay(), registration_client_uriLogicalToOdbc(), registration_client_uriNormalize(), registration_client_uriSet()
property request_object_encryption_alg as %String (VALUELIST = ",none,RSA1_5,RSA-OAEP,A128KW,A192KW,A256KW,dir");
OPTIONAL. JWE alg algorithm the RP is declaring that it may
use for encrypting Request Objects sent to the OP.
This parameter SHOULD be included when symmetric encryption will be used, since this signals to the
OP that a client_secret value needs to be returned from which the
symmetric key will be derived, that might not otherwise be returned.
The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present.
If both signing and encryption are requested, the Request Object will be signed then encrypted,
with the result being a Nested JWT.
The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
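The client_secret description says the secret is needed for the client_secret_* token endpoint authentication methods and for deriving symmetric keys, but not for private_key_jwt unless symmetric encryption is used; the request_object_encryption_alg description explains that declaring a symmetric algorithm is what signals the server to return a secret. The following is an added example, not code from the OAuth2.Client.Metadata class, that turns those rules into the decision a registration endpoint has to make and builds the response fields client_id_issued_at, client_secret and client_secret_expires_at accordingly. The function names and the sample request are this example's own; treating the HS* signing algorithms as secret-dependent follows OpenID Connect Core Section 10.1, where the client_secret is the MAC key.

```python
"""Decide whether a registration needs a client_secret and build the
response fields (added example, not part of the OAuth2.Client.Metadata class)."""

# JWE algorithms whose key is derived from the client_secret
SYMMETRIC_JWE_ALGS = {"dir", "A128KW", "A192KW", "A256KW"}
# JWS algorithms whose MAC key is the client_secret (OpenID Connect Core 10.1)
SYMMETRIC_JWS_ALGS = {"HS256", "HS384", "HS512"}
# token endpoint methods that authenticate with the client_secret
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}


def symmetric_algorithms(metadata: dict) -> list:
    """Names of the registered *_alg parameters whose value needs a
    client_secret-derived key."""
    hits = []
    for name, value in metadata.items():
        # list-valued parameters (grant_types, ...) are never algorithm names
        if not isinstance(value, str) or not name.endswith("_alg"):
            continue
        if value in SYMMETRIC_JWE_ALGS or value in SYMMETRIC_JWS_ALGS:
            hits.append(name)
    return sorted(hits)


def client_secret_required(metadata: dict) -> bool:
    """True when the server must issue a client_secret for this registration."""
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method in SECRET_AUTH_METHODS:
        return True
    # private_key_jwt / none: only symmetric algorithms still need a secret
    return bool(symmetric_algorithms(metadata))


def registration_response(metadata: dict, client_id: str, issued_at: int,
                          secret: str = None, secret_lifetime: int = None) -> dict:
    """Registration response: the registered metadata plus the issued values.
    client_secret_expires_at is 0 when the secret does not expire."""
    response = dict(metadata)
    response["client_id"] = client_id
    response["client_id_issued_at"] = issued_at
    if client_secret_required(metadata):
        if secret is None:
            raise ValueError("this registration needs a client_secret")
        response["client_secret"] = secret
        response["client_secret_expires_at"] = issued_at + secret_lifetime if secret_lifetime else 0
    return response


if __name__ == "__main__":
    import secrets, time
    # constructed request: private_key_jwt, but request objects will use A128KW
    request = {"token_endpoint_auth_method": "private_key_jwt",
               "jwks_uri": "https://rp.example/jwks.json",
               "request_object_encryption_alg": "A128KW"}
    print("secret needed:", client_secret_required(request), symmetric_algorithms(request))
    print(registration_response(request, "client-placeholder", int(time.time()),
                                secret=secrets.token_urlsafe(32), secret_lifetime=86400))
```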
Property methods: request_object_encryption_algDisplayToLogical(), request_object_encryption_algGet(), request_object_encryption_algGetStored(), request_object_encryption_algIsValid(), request_object_encryption_algLogicalToDisplay(), request_object_encryption_algLogicalToOdbc(), request_object_encryption_algNormalize(), request_object_encryption_algSet()
property request_object_encryption_enc as %String (VALUELIST = ",none,A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
OPTIONAL. JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP.
If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256.
When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
Property methods: request_object_encryption_encDisplayToLogical(), request_object_encryption_encGet(), request_object_encryption_encGetStored(), request_object_encryption_encIsValid(), request_object_encryption_encLogicalToDisplay(), request_object_encryption_encLogicalToOdbc(), request_object_encryption_encNormalize(), request_object_encryption_encSet()
property request_object_signing_alg as %String (VALUELIST = ",none,RS256,RS384,RS512,HS256,HS384,HS512,ES256,ES384,ES512");
OPTIONAL. JWS alg algorithm that MUST be used for signing Request Objects sent to the OP.
All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
Request Objects are described in Section 6.1 of OpenID Connect Core.
This algorithm MUST be used both when the Request Object is passed by value (using the
request parameter) and when it is passed by reference (using the request_uri parameter).
Servers SHOULD support RS256. The value none MAY be used.
The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Property methods: request_object_signing_algDisplayToLogical(), request_object_signing_algGet(), request_object_signing_algGetStored(), request_object_signing_algIsValid(), request_object_signing_algLogicalToDisplay(), request_object_signing_algLogicalToOdbc(), request_object_signing_algNormalize(), request_object_signing_algSet()
property request_uris as %List;
OPTIONAL. Array of request_uri values that are preregistered by the RP for use at the OP.
Servers MAY cache the contents of the files referenced by
these URIs and not retrieve them at the time they are used in a request.
OPs can require that request_uri values used be preregistered
with the require_request_uri_registration discovery parameter.
If the contents of the request file could ever change, these URI values
SHOULD include the base64url encoded SHA256 hash value of the file
contents referenced by the URI as the value of the URI fragment.
If the fragment value used for a URI changes, that signals the server that its
cached value for that URI with the old fragment value is no longer valid.
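The fragment convention described above lets the OP cache a preregistered request_uri safely: the RP appends the base64url-encoded SHA-256 of the file contents as the fragment, and a changed fragment tells the OP its cached copy is stale. The following is an added example of both sides of that convention and is not code from the OAuth2.Client.Metadata class; the RequestUriCache class, the function names and the sample request-object contents are this example's own.

```python
"""request_uri content-hash fragments and an OP-side cache keyed on them
(added example, not part of the OAuth2.Client.Metadata class)."""
import base64
import hashlib


def content_hash_fragment(content: bytes) -> str:
    """base64url-encoded SHA-256 of the request object file, without padding."""
    digest = hashlib.sha256(content).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def request_uri_for(base_uri: str, content: bytes) -> str:
    """RP side: the request_uri value to use (and to preregister) for content."""
    return f"{base_uri}#{content_hash_fragment(content)}"


class RequestUriCache:
    """OP side. Entries are keyed by the URI without its fragment; the fragment
    stored with the entry decides whether the cached copy is still valid."""

    def __init__(self):
        self._entries = {}  # base uri -> (fragment, content)

    def lookup(self, request_uri: str):
        """Cached content for request_uri, or None if absent or stale
        (the fragment no longer matches the one cached)."""
        base, _, fragment = request_uri.partition("#")
        entry = self._entries.get(base)
        if entry is None or entry[0] != fragment:
            return None
        return entry[1]

    def store(self, request_uri: str, content: bytes) -> None:
        """Cache freshly fetched content. If the URI carries a hash fragment,
        refuse content that does not match it: a mismatch means the file
        changed without the RP updating its request_uri."""
        base, _, fragment = request_uri.partition("#")
        if fragment and fragment != content_hash_fragment(content):
            raise ValueError("fetched content does not match the request_uri fragment")
        self._entries[base] = (fragment, content)


if __name__ == "__main__":
    # constructed request-object contents; a real file would hold a signed JWT
    v1 = b'{"client_id":"rp-1","scope":"openid"}'
    v2 = b'{"client_id":"rp-1","scope":"openid email"}'
    uri_v1 = request_uri_for("https://rp.example/req/login.jwt", v1)
    cache = RequestUriCache()
    cache.store(uri_v1, v1)
    print(cache.lookup(uri_v1))                       # cached copy
    uri_v2 = request_uri_for("https://rp.example/req/login.jwt", v2)
    print(cache.lookup(uri_v2))                       # None: fragment changed
```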
Property methods: request_urisGet(), request_urisGetStored(), request_urisIsValid(), request_urisLogicalToOdbc(), request_urisOdbcToLogical(), request_urisSet()
property require_auth_time as %Boolean;
OPTIONAL. Boolean value specifying whether the auth_time Claim in the IDToken is REQUIRED.
It is REQUIRED when the value is true.
If this is false, the auth_time Claim can still be dynamically requested as an individual Claim for the IDToken
using the claims request parameter described in Section 5.5.1 of OpenID Connect Core.
If omitted, the default value is false.
Property methods: require_auth_timeDisplayToLogical(), require_auth_timeGet(), require_auth_timeGetStored(), require_auth_timeIsValid(), require_auth_timeLogicalToDisplay(), require_auth_timeNormalize(), require_auth_timeSet()
property response_types as %List;
OPTIONAL. An array, which is represented as a $list, containing a list of the OAuth 2.0 response_type
values that the Client is declaring that it will restrict itself to using.
If omitted, the default is that the Client will use only the code Response Type.
Property methods: response_typesGet(), response_typesGetStored(), response_typesIsValid(), response_typesLogicalToOdbc(), response_typesOdbcToLogical(), response_typesSet()
property sector_identifier_uri as %OAuth2.uri;
OPTIONAL. URL using the https scheme to be used in calculating
Pseudonymous Identifiers by the OP. The URL references a file with a single
JSON array of redirect_uri values. Please see . Providers that
use pairwise sub (subject) values SHOULD utilize the
sector_identifier_uri value provided in the Subject Identifier calculation
for pairwise identifiers.
Property methods: sector_identifier_uriDisplayToLogical(), sector_identifier_uriGet(), sector_identifier_uriGetStored(), sector_identifier_uriIsValid(), sector_identifier_uriLogicalToDisplay(), sector_identifier_uriLogicalToOdbc(), sector_identifier_uriNormalize(), sector_identifier_uriSet()
property subject_type as %String;
OPTIONAL. subject_type requested for responses to this Client. The
subject_types_supported Discovery parameter contains a list of the
supported subject_type values for this server. Valid types include pairwise and public.
Property methods: subject_typeDisplayToLogical(), subject_typeGet(), subject_typeGetStored(), subject_typeIsValid(), subject_typeLogicalToDisplay(), subject_typeLogicalToOdbc(), subject_typeNormalize(), subject_typeSet()
property token_endpoint_auth_method as %String;
OPTIONAL. Requested Client Authentication method for the Token Endpoint.
The options are client_secret_post, client_secret_basic,
client_secret_jwt, private_key_jwt, and none, as described in Section 9 of OpenID Connect Core.
Other authentication methods MAY be defined by extensions.
If omitted, the default is client_secret_basic, the HTTP Basic Authentication Scheme specified in
Section 2.3.1 of RFC6749.
Property methods: token_endpoint_auth_methodDisplayToLogical(), token_endpoint_auth_methodGet(), token_endpoint_auth_methodGetStored(), token_endpoint_auth_methodIsValid(), token_endpoint_auth_methodLogicalToDisplay(), token_endpoint_auth_methodLogicalToOdbc(), token_endpoint_auth_methodNormalize(), token_endpoint_auth_methodSet()
property token_endpoint_auth_signing_alg as %String (VALUELIST = ",RS256,RS384,RS512,HS256,HS384,HS512,ES256,ES384,ES512");
OPTIONAL. JWS algorithm that MUST be used for signing
the JWT used to authenticate the Client at the Token Endpoint for the
private_key_jwt and client_secret_jwt authentication methods.
This JWS algorithm is also used to sign the JWT used for the JWT Authorization grant.
All Token Requests using these authentication methods from this Client MUST be
rejected, if the JWT is not signed with this algorithm. Servers SHOULD support RS256.
The value none MUST NOT be used. The default, if omitted, is
that any algorithm supported by the OP and the RP MAY be used.
Property methods: token_endpoint_auth_signing_algDisplayToLogical(), token_endpoint_auth_signing_algGet(), token_endpoint_auth_signing_algGetStored(), token_endpoint_auth_signing_algIsValid(), token_endpoint_auth_signing_algLogicalToDisplay(), token_endpoint_auth_signing_algLogicalToOdbc(), token_endpoint_auth_signing_algNormalize(), token_endpoint_auth_signing_algSet()
property tos_uri as %OAuth2.uri;
OPTIONAL. URL that the Relying Party Client provides to the EndUser to
read about the Relying Party's terms of service. The value of this field MUST
point to a valid web page. The OpenID Provider SHOULD display this URL to
the EndUser if it is given.
Property methods: tos_uriDisplayToLogical(), tos_uriGet(), tos_uriGetStored(), tos_uriIsValid(), tos_uriLogicalToDisplay(), tos_uriLogicalToOdbc(), tos_uriNormalize(), tos_uriSet()
property userinfo_encrypted_response_alg as %String (VALUELIST = ",none,RSA1_5,RSA-OAEP,A128KW,A192KW,A256KW,dir");
OPTIONAL. JWE alg algorithm REQUIRED for encrypting UserInfo Responses.
If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT.
The default, if omitted, is that no encryption is performed.
Property methods: userinfo_encrypted_response_algDisplayToLogical(), userinfo_encrypted_response_algGet(), userinfo_encrypted_response_algGetStored(), userinfo_encrypted_response_algIsValid(), userinfo_encrypted_response_algLogicalToDisplay(), userinfo_encrypted_response_algLogicalToOdbc(), userinfo_encrypted_response_algNormalize(), userinfo_encrypted_response_algSet()
property userinfo_encrypted_response_enc as %String (VALUELIST = ",none,A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
OPTIONAL. JWE enc algorithm REQUIRED for encrypting UserInfo Responses.
If userinfo_encrypted_response_alg is specified, the default for this value is A128CBC-HS256.
When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
Property methods: userinfo_encrypted_response_encDisplayToLogical(), userinfo_encrypted_response_encGet(), userinfo_encrypted_response_encGetStored(), userinfo_encrypted_response_encIsValid(), userinfo_encrypted_response_encLogicalToDisplay(), userinfo_encrypted_response_encLogicalToOdbc(), userinfo_encrypted_response_encNormalize(), userinfo_encrypted_response_encSet()
property userinfo_signed_response_alg as %String (VALUELIST = ",none,RS256,RS384,RS512,HS256,HS384,HS512,ES256,ES384,ES512");
OPTIONAL. JWS alg algorithm REQUIRED for signing UserInfo Responses.
If this is specified, the response will be JWT serialized, and signed using JWS.
The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded
JSON object using the application/json content type.
Property methods: userinfo_signed_response_algDisplayToLogical(), userinfo_signed_response_algGet(), userinfo_signed_response_algGetStored(), userinfo_signed_response_algIsValid(), userinfo_signed_response_algLogicalToDisplay(), userinfo_signed_response_algLogicalToOdbc(), userinfo_signed_response_algNormalize(), userinfo_signed_response_algSet()
Methods
method CheckAlgorithm(property As %String, supportedAlgs As %List) as %OAuth2.Error
Check that the algorithm sent to the server is one the server supports
method CheckEncAlgorithm(propertyBase As %String) as %OAuth2.Error
Check that the encryption and key algorithms are consistent
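The two method descriptions above say what is checked but not how; the following added example (not InterSystems' OAuth2.Client.Metadata code) shows one way a registration endpoint can apply the rules stated on this page to incoming client metadata: the permitted value lists, the rule that token_endpoint_auth_signing_alg MUST NOT be none, the rule that userinfo_encrypted_response_enc requires userinfo_encrypted_response_alg, and the A128CBC-HS256 default for enc when alg is given. The function names, the server_supported dictionary and the sample registration are assumptions of this example.

```python
"""Validate a subset of OpenID Connect client registration metadata.

Added example; the rules are taken from the property descriptions on this
page, the function names and data shapes are this example's own.
"""
from typing import Dict, List, Optional, Tuple

# Value lists copied from the property definitions on this page.
JWE_ALGS = ["none", "RSA1_5", "RSA-OAEP", "A128KW", "A192KW", "A256KW", "dir"]
JWE_ENCS = ["none", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"]
JWS_ALGS = ["none", "RS256", "RS384", "RS512", "HS256", "HS384", "HS512",
            "ES256", "ES384", "ES512"]

VALUE_LISTS: Dict[str, List[str]] = {
    "userinfo_signed_response_alg": JWS_ALGS,
    "userinfo_encrypted_response_alg": JWE_ALGS,
    "userinfo_encrypted_response_enc": JWE_ENCS,
    # "none" is deliberately absent: the page says it MUST NOT be used here.
    "token_endpoint_auth_signing_alg": [a for a in JWS_ALGS if a != "none"],
}


def check_algorithm(metadata: Dict[str, str], prop: str,
                    supported_algs: List[str]) -> Optional[str]:
    """Return an error string, or None if `prop` is absent or acceptable.

    Mirrors the role of CheckAlgorithm: the value must be in the property's
    value list and must be an algorithm this server actually supports.
    """
    value = metadata.get(prop)
    if value is None:
        return None
    if value not in VALUE_LISTS[prop]:
        return f"{prop}: '{value}' is not a permitted value"
    if value not in supported_algs:
        return f"{prop}: '{value}' is not supported by this server"
    return None


def check_enc_algorithm(metadata: Dict[str, str],
                        property_base: str) -> Optional[str]:
    """Check the JWE alg/enc pair named by `property_base` and apply the default.

    Mirrors the role of CheckEncAlgorithm. Applies the page's rules:
    enc without alg is an error; alg without enc defaults enc to A128CBC-HS256.
    The metadata dictionary is updated in place when the default is applied.
    """
    alg_key = property_base + "_alg"
    enc_key = property_base + "_enc"
    alg = metadata.get(alg_key)
    enc = metadata.get(enc_key)
    if enc is not None and alg is None:
        return f"{enc_key} given without {alg_key}"
    if alg is not None and alg != "none" and enc is None:
        metadata[enc_key] = "A128CBC-HS256"
    # Assumption beyond the page text: a real enc with alg "none" is treated
    # as an inconsistent pair rather than silently accepted.
    if alg == "none" and enc not in (None, "none"):
        return f"{enc_key} '{enc}' is inconsistent with {alg_key} 'none'"
    return None


def validate_client_metadata(metadata: Dict[str, str],
                             server_supported: Dict[str, List[str]]
                             ) -> Tuple[Dict[str, str], List[str]]:
    """Run the checks and return (normalized copy, list of error strings).

    `server_supported` maps a property name to the algorithms this server
    supports for it; a property not listed falls back to its full value list.
    """
    normalized = dict(metadata)  # never mutate the caller's request
    errors: List[str] = []
    for prop, allowed in VALUE_LISTS.items():
        err = check_algorithm(normalized, prop,
                              server_supported.get(prop, allowed))
        if err:
            errors.append(err)
    for base in ("userinfo_encrypted_response",):
        err = check_enc_algorithm(normalized, base)
        if err:
            errors.append(err)
    return normalized, errors


# Constructed sample registration request (not real client data).
SAMPLE_REGISTRATION = {
    "client_name": "Example RP",
    "userinfo_encrypted_response_alg": "RSA-OAEP",
    "token_endpoint_auth_signing_alg": "RS256",
}

if __name__ == "__main__":
    result, problems = validate_client_metadata(SAMPLE_REGISTRATION, {})
    print(result, problems)
```

Running the block on the sample registration returns no errors and a normalized copy in which userinfo_encrypted_response_enc has been set to A128CBC-HS256, while a request carrying token_endpoint_auth_signing_alg of none, or an enc value without its alg, is rejected with a descriptive error instead of being stored.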
Indexes
index (IDKEY on ) [IdKey, Type = key];
Index methods: IDKEYCheck(), IDKEYDelete(), IDKEYExists(), IDKEYOpen(), IDKEYSQLCheckUnique(), IDKEYSQLExists(), IDKEYSQLFindPKeyByConstraint(), IDKEYSQLFindRowIDByConstraint()
Inherited Members
Inherited Methods
- %%CLASSNAMELogicalToStorage()
- %%CLASSNAMEStorageToLogical()
- %AddToSaveSet()
- %AddToSyncSet()
- %BMEBuilt()
- %BuildIndicesAsync()
- %BuildIndicesAsyncResponse()
- %CheckConstraints()
- %CheckConstraintsForExtent()
- %ClassIsLatestVersion()
- %ClassName()
- %ComposeOid()
- %ConstructClone()
- %Delete()
- %DeleteExtent()
- %DeleteId()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Exists()
- %ExistsId()
- %Extends()
- %GUID()
- %GUIDSet()
- %GetLock()
- %GetParameter()
- %GetSwizzleObject()
- %Id()
- %InsertBatch()
- %IsA()
- %IsModified()
- %IsNull()
- %KillExtent()
- %KillExtentData()
- %LoadFromMemory()
- %LockExtent()
- %LockId()
- %New()
- %NormalizeObject()
- %ObjectIsNull()
- %ObjectModified()
- %Oid()
- %OnBeforeAddToSync()
- %OnDeleteFinally()
- %OnDetermineClass()
- %OnOpenFinally()
- %OnSaveFinally()
- %Open()
- %OpenId()
- %OriginalNamespace()
- %PackageName()
- %PhysicalAddress()
- %PurgeIndices()
- %Reload()
- %RemoveFromSaveSet()
- %ResolveConcurrencyConflict()
- %RollBack()
- %Save()
- %SaveDirect()
- %SaveIndices()
- %SerializeObject()
- %SetModified()
- %SortBegin()
- %SortEnd()
- %SyncObjectIn()
- %SyncTransport()
- %UnlockExtent()
- %UnlockId()
- %ValidateIndices()
- %ValidateObject()
- %ValidateTable()
Storage
Storage Model: Storage (OAuth2.Client.Metadata)
^OAuth2.Client.MetadataD(ID) holds, in slot order:
- %%CLASSNAME
- client_id
- client_secret
- registration_access_token
- registration_client_uri
- client_id_issued_at
- client_secret_expires_at
- redirect_uris
- response_types
- grant_types
- application_type
- contacts
- client_name
- logo_uri
- client_uri
- policy_uri
- tos_uri
- jwks_uri
- jwks
- sector_identifier_uri
- subject_type
- id_token_signed_response_alg
- id_token_encrypted_response_alg
- id_token_encrypted_response_enc
- userinfo_signed_response_alg
- userinfo_encrypted_response_alg
- userinfo_encrypted_response_enc
- access_token_signed_response_alg
- access_token_encrypted_response_alg
- access_token_encrypted_response_enc
- request_object_signing_alg
- request_object_encryption_alg
- request_object_encryption_enc
- token_endpoint_auth_method
- token_endpoint_auth_signing_alg
- default_max_age
- default_acr_values
- initiate_login_uri
- request_uris
- require_auth_time
- frontchannel_logout_uri
- frontchannel_logout_session_required
- post_logout_redirect_uris