Version: 8.2411.x.x RR

Format

IDs

snapshotId

Format: XXXXXXXXXXXXXXXXXXXXXXXXX

Example: 3b1d1fd97f0b6255356dacf130bb997a

setupId

Format: XXXXXXXXXXXXXXXXXXXXXXXXX

Example: 3b1d1fd97f0b6255356dacf130bb9976

clientId

Format: XXXXXXXXXXXXXXXXXXXXXXXXX

Example: 3b1d1fd97f0b6255356dacf130bb997e

resourceServerId

Format: XXXXXXXXXXXXXXXXXXXXXXXXX

Example: 3b1d1fd97f0b6255356dacf130bb997f

oAuthClientId

Format: Characters from the following list:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Example: %21%22%23%24%25%26%27%28%29%2A%2B%2C

Value should be in URL-Encoded format.

Setup resource

| Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
| --- | --- | --- | --- | --- | --- |
| name | string | | Not blank | X | Pretty name of setup |
| owner | string | <current user> | | | UserId of owner/creator |
| valid_from | date (ISO-8601) | <now> | Not in the past | | Activation date/time, set to current date and time if not set. |
| comment | string | | | | Individual comment |
| client_defaults | see table below | | | X | |
| resource_defaults | see table below | | | X | |
| metadata | metadataData, structure: name, value, locale (all string) | | | | Default Metadata |

client_defaults

| Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
| --- | --- | --- | --- | --- | --- |
| grant_types | list of strings | | authorization_code, client_credentials, implicit, refresh_token, jwt_bearer | X | OAuth2 flows |
| force_reauthentication | boolean | false | | X | Default setting if client forces re-authentication |
| access_token_ttl | number | 3600 | positive or zero | X | Default TTL access token, in seconds |
| refresh_token_ttl | number | 15552000 | positive or zero | X | Default TTL refresh token (offline access), in seconds |
| id_token_ttl | number | 3600 | positive or zero | X | Default TTL ID token, in seconds |
| persisted_consent_ttl | number | 31104000 | positive or zero | X | Default TTL persisted consent, in seconds |

resource_defaults

| Attribute (V2) | Data type | Example | Possible values/constraints | Remark |
| --- | --- | --- | --- | --- |
| scope_policy_implicit_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during implicit flow |
| scope_policy_authorization_code_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during authorization code flow |
| scope_policy_refresh_token | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for refresh token |
| scope_policy_jwt_bearer | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for jwt bearer |
| scope_policy_force_reauthentication | boolean | false | | Default setting if scope requests should force reauthentication |

Client resource

name

Data type: string

Possible values and constraints: Not blank.

Required.

Pretty name of client.

owner

Data type: string

Example: <current user>

UserId of owner/creator.

contacts

Data type: list of strings

Contact information.

valid_from

Data type: date (ISO-8601)

Example: <now>

Possible values and constraints: Not in the past.

Activation date/time, set to current date and time if not set.

comment

Data type: string

Individual comment.

client_id

Data type: string

Possible values and constraints: empty (= regenerate)

If not empty:

When editing an existing client, the client_id must match the client_id of the existing client.

When creating a new client, the client_id must be unique (within the relevant setup) and contain characters from the following list:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

OAuth2 client ID.

client_secret

Data type: string

Possible values and constraints: empty (= regenerate)

If not empty, the client_secret must contain characters from the following list:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

OAuth2 client secret.

redirect_uris

Data type: list of strings

OAuth2 redirect URLs.

grant_types

Data type: list of strings

Possible values and constraints: authorization_code, client_credentials, implicit, jwt_bearer

OAuth2 flows.

authorization_code: If you select this value, set the attribute response_types to code.

implicit: If you select this value, set the attribute response_types to token or id_token.

scopes

Data type: list of strings

Possible values and constraints: all defined scopes of the resource servers in the corresponding setup

OAuth2 scopes.

force_reauthentication

Data type: boolean

Example: false

Default setting.

confidentiality_type

Data type: string

Example: public

Possible values and constraints: public, confidential

Required.

response_types

Data type: list of strings

Possible values and constraints: code, token, id_token

code: If you select this value, set the attribute grant_types to authorization_code.

token, id_token: If you select one of these values, set the attribute grant_types to implicit.

pkce_mode

Data type: string

Example: required

Possible values and constraints: allowed, required, s256-required

Defines whether the client requires the use of PKCE in the authorization flow. The following types of PKCE modes are supported:

allowed (default): If the client sends PKCE information in the form of a code challenge in the authorization request, the code challenge will be validated. If the code challenge is not valid, the authorization will fail. But if no code challenge is included in the authorization request, the authorization will not fail.

required: The client must send valid PKCE information. If no code challenge is included in the authorization request, the authorization will fail.

s256-required: The client must send valid PKCE information using the S256 code challenge method. The authorization will fail if no code challenge is included in the authorization request, or if the code challenge does not use the S256 code challenge method.
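
The three modes can be modelled as a decision over the authorization request. This is an added example, not the product's code: it assumes that "valid" means the RFC 7636 syntax for code_challenge and that an omitted code_challenge_method means plain. The function name and the sample requests are constructed for illustration.

```python
import re

# RFC 7636 section 4.2: a code_challenge is 43-128 characters from the unreserved set.
CHALLENGE_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
KNOWN_METHODS = {"plain", "S256"}
PKCE_MODES = {"allowed", "required", "s256-required"}


def authorize_pkce(pkce_mode, params):
    """Return (proceed, reason) for one authorization request.

    pkce_mode is the client's configured value, params the request parameters.
    """
    if pkce_mode not in PKCE_MODES:
        raise ValueError(f"unknown pkce_mode: {pkce_mode!r}")
    challenge = params.get("code_challenge")
    # Assumption (RFC 7636): the method defaults to "plain" when omitted.
    method = params.get("code_challenge_method", "plain")

    if challenge is None:
        if pkce_mode == "allowed":
            return True, "no code challenge, PKCE optional"
        return False, "code challenge missing"
    # A code challenge that is present is validated in every mode.
    if method not in KNOWN_METHODS or not CHALLENGE_RE.fullmatch(challenge):
        return False, "code challenge not valid"
    if pkce_mode == "s256-required" and method != "S256":
        return False, "S256 code challenge method required"
    return True, "code challenge accepted"


# Constructed sample requests (not captured traffic).
S256_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"  # RFC 7636 appendix B
REQUESTS = {
    "no_pkce": {"response_type": "code"},
    "plain": {"code_challenge": "a" * 43},
    "s256": {"code_challenge": S256_CHALLENGE, "code_challenge_method": "S256"},
    "too_short": {"code_challenge": "abc", "code_challenge_method": "S256"},
}


def decision_table():
    """Map (mode, request name) to True when the authorization proceeds."""
    return {(m, n): authorize_pkce(m, r)[0]
            for m in sorted(PKCE_MODES) for n, r in REQUESTS.items()}


if __name__ == "__main__":
    for (mode, name), ok in decision_table().items():
        print(f"{mode:14} {name:10} {'proceed' if ok else 'fail'}")
```

With allowed, a request that carries no code challenge proceeds without PKCE protection, so the guarantee comes only from required or s256-required.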

access_token_ttl

Data type: number

Example: 3600

In seconds.

refresh_token_ttl

Data type: number

Example: 15552000

In seconds.

id_token_ttl

Data type: number

Example: 3600

In seconds.

persisted_consent_ttl

Data type: number

Example: 31104000

In seconds.

metadata

Data type: metadataData, structure: name, value, locale (all string).
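
A pre-flight check for a client resource payload, as an added example (not part of the product or its documentation): it applies the constraints listed in this section and URL-encodes a client ID for use as an oAuthClientId. The function names and the sample payload are assumptions made for the illustration, as is the reading that oAuthClientId carries the client_id value.

```python
from urllib.parse import quote

# Printable ASCII 0x21-0x7E: the character list given for client_id and client_secret.
ALLOWED_CHARS = frozenset(chr(c) for c in range(0x21, 0x7F))
ENUMS = {
    "grant_types": {"authorization_code", "client_credentials", "implicit", "jwt_bearer"},
    "response_types": {"code", "token", "id_token"},
    "confidentiality_type": {"public", "confidential"},
    "pkce_mode": {"allowed", "required", "s256-required"},
}
# Coupling described between grant_types and response_types.
GRANT_TO_RESPONSE = {"authorization_code": {"code"}, "implicit": {"token", "id_token"}}


def validate_client(client):
    """Return the documented constraints that a client payload (dict) violates."""
    errors = []
    if not str(client.get("name") or "").strip():
        errors.append("name: required, must not be blank")
    if "confidentiality_type" not in client:
        errors.append("confidentiality_type: required")
    for field, allowed in ENUMS.items():
        value = client.get(field, [])
        bad = [v for v in (value if isinstance(value, list) else [value]) if v not in allowed]
        if bad:
            errors.append(f"{field}: unsupported value(s) {bad}")
    for field in ("client_id", "client_secret"):
        bad = sorted(set(client.get(field) or "") - ALLOWED_CHARS)  # empty = regenerate
        if bad:
            errors.append(f"{field}: characters outside the allowed list {bad}")
    grants = set(client.get("grant_types", []))
    responses = set(client.get("response_types", []))
    for grant, needed in GRANT_TO_RESPONSE.items():
        if grant in grants and not responses & needed:
            errors.append(f"grant_types has {grant}: response_types needs one of {sorted(needed)}")
        if grant not in grants and responses & needed:
            errors.append(f"response_types has {sorted(responses & needed)}: grant_types needs {grant}")
    return errors


def encode_oauth_client_id(client_id):
    """URL-encode a client_id for use as an oAuthClientId value."""
    return quote(client_id, safe="")


# Constructed sample payload: blank name, space in client_id, mismatched flow settings.
BAD_CLIENT = {"name": " ", "client_id": "my client",
              "grant_types": ["implicit"], "response_types": ["code"]}

if __name__ == "__main__":
    print("\n".join(validate_client(BAD_CLIENT)))
    print(encode_oauth_client_id("!\"#$%&'()*+,"))
```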

Resource server resource

| Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
| --- | --- | --- | --- | --- | --- |
| name | string | | Not blank | X | Pretty name of client |
| owner | string | <current user> | | | UserId of owner/creator |
| uri | string | | | | Resource (Server) URL |
| valid_from | date (ISO-8601) | <now> | Not in the past | | Activation date/time, set to current date/time if not set |
| comment | string | | | | Individual comment |
| scopes | see table below | | Must contain one or more elements | X | OAuth2 scopes of the corresponding resource (server) |
| metadata | metadataData, structure: name, value, locale (all string) | | | | |

scopes

| Attribute (V2) | Data type | Example value | Possible values | Remark |
| --- | --- | --- | --- | --- |
| policy_implicit_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during implicit flow |
| policy_authorization_code_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during authorization code flow |
| policy_refresh_token | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for refresh token |
| policy_jwt_bearer | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for jwt bearer |
| policy_force_reauthentication | boolean | false | | Default setting if scope requests should force reauthentication |
| metadata | metadataData, structure: name, value, locale (all string) | | | |
| custom_claims | Mapping between custom scope and custom openid/oauth2 claim configured in nevisAuth | test_claim | | Default OAuth 2.0/OpenID Connect scopes cannot set custom claims |