Format
IDs
snapshotId
Format: XXXXXXXXXXXXXXXXXXXXXXXXX
Example: 3b1d1fd97f0b6255356dacf130bb997a
setupId
Format: XXXXXXXXXXXXXXXXXXXXXXXXX
Example: 3b1d1fd97f0b6255356dacf130bb9976
clientId
Format: XXXXXXXXXXXXXXXXXXXXXXXXX
Example: 3b1d1fd97f0b6255356dacf130bb997e
resourceServerId
Format: XXXXXXXXXXXXXXXXXXXXXXXXX
Example: 3b1d1fd97f0b6255356dacf130bb997f
oAuthClientId
Format: Characters from the following list:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Example: %21%22%23%24%25%26%27%28%29%2A%2B%2C
Value should be in URL-Encoded format.
Setup resource
Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
---|---|---|---|---|---|
name | string | Not blank | X | Pretty name of setup | |
owner | string | <current user> | UserId of owner/creator | ||
valid_from | date (ISO-8601) | <now> | Not in the past | Activation date/time, set to current date and time if not set. | |
comment | string | Individual comment | |||
client_defaults | see table below | X | |||
resource_defaults | see table below | X | |||
metadata | metadatadata structure:name, value, locale (all string) | Default Metadata |
client_defaults
Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
---|---|---|---|---|---|
grant_types | list of strings | authorization_code, client_credentials, implicit, refresh_token, jwt_bearer | X | OAuth2 flows | |
force_reauthentication | boolean | false | X | Default setting if client forces re-authentication | |
access_token_ttl | number | 3600 | positive or zero | X | Default TTL access token, in seconds |
refresh_token_ttl | number | 15552000 | positive or zero | X | Default TTL refresh token (offline access), in seconds |
id_token_ttl | number | 3600 | positive or zero | X | Default TTL ID token, in seconds |
persisted_consent_ttl | number | 31104000 | positive or zero | X | Default TTL persisted consent, in seconds |
resource_defaults
Attribute (V2) | Data type | Example | Possible values/constraints | Remark |
---|---|---|---|---|
scope_policy_implicit_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during implicit flow |
scope_policy_authorization_code_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during authorization code flow |
scope_policy_refresh_token | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for refresh token |
scope_policy_jwt_bearer | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for jwt bearer |
scope_policy_force_reauthentication | boolean | false | Default setting if scope requests should force reauthentication |
Client resource
name
Data type: string
Possible values and constraints: Not blank.
Required.
Pretty name of client.
owner
Data type: string
<current user>
UserId of owner/creator.
contacts
Data type: list of strings
Contact information.
valid_from
Data type: date (ISO-8601)
Example: <now>
Possible values and constraints: Not in the past.
Activation date/time, set to current date and time if not set.
comment
Data type: string
Individual comment.
client_id
Data type: string
Possible values and constraints: empty (= regenerate)
If not empty:
When editing an existing client, the client_id must match the client_id of the existing client.
When creating a new client, the client_id must be unique (within the relevant setup) and contain characters from the following list:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
OAuth2 client ID.
client_secret
Data type: string
Possible values and constraints: empty (= regenerate)
If not empty, the client_secret must contain characters from the following list:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
OAuth2 client secret.
redirect_uris
Data type: list of strings
OAuth2 redirect URLs.
grant_types
Data type: list of strings
Possible values and constraints: authorization_code
, client_credentials
, implicit
, jwt_bearer
OAuth2 flows.
authorization_code
: If you select this value, set the attribute response_types
to code
.
implicit
: If you select this value, set the attribute response_types
to token
or id_token
.
scopes
Data type: list of strings
Possible values and constraints: all defined scopes of resource servers in the according setup
OAuth2 scopes.
force_reauthentication
Data type: boolean
Example: false
Default setting.
confidentiality_type
Data type: string
Example: public
Possible values and constraints: public
, confidential
Required.
response_types
Data type: list of strings
Possible values and constraints: code
, token
, id_token
code
: If you select this value, set the attribute grant_types to authorization_code
.
token
, id_token
: If you select one of these values, set the attribute grant_types to implicit
.
pkce_mode
Data type: string
Example: required
Possible values and constraints: allowed
, required
, s256-required
Defines whether the client requires the use of PKCE in the authorization flow. The following types of PKCE modes are supported:
allowed
(default): If the client sends PKCE information in the form of a code challenge in the authorization request, the code challenge will be validated. If the code challenge is not valid, the authorization will fail. But if no code challenge is included in the authorization request, the authorization will not fail.
required
: The client must send valid PKCE information. If no code challenge is included in the authorization request, the authorization will fail.
s256-required
: The client must send valid PKCE information using the S256 code challenge method. The authorization will fail if no code challenge is included in the authorization request, or if the code challenge does not use the S256 code challenge method.
access_token_ttl
Data type: number
Example: 3600
In seconds.
refresh_token_ttl
Data type: number
Example: 15552000
In seconds.
id_token_ttl
Data type: number
Example: 3600
In seconds.
persisted_consent_ttl
Data type: number
Example: 31104000
In seconds.
metadata
Data type: metadataData, structure:name, value, locale (all string).
Resource server resource
Attribute (V2) | Data type | Example value | Possible values/constraints | Required | Remark |
---|---|---|---|---|---|
name | string | Not blank | X | Pretty name of client | |
owner | string | <current user> | UserId of owner/creator | ||
uri | string | Resource (Server) URL | |||
valid_from | date (ISO-8601) | <now> | Not in the past | Activation date/time, set to current date/time if not set | |
comment | string | Individual comment | |||
scopes | see table below | Must contain one or more elements | X | OAuth2 scopes of the according resource (server) | |
metadata | metadataData structure:name, value, locale (all string) |
scopes
Attribute (V2) | Data type | Example value | Possible values | Remark |
---|---|---|---|---|
policy_implicit_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during implicit flow |
policy_authorization_code_flow | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for scopes during authorization code flow |
policy_refresh_token | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for refresh token |
policy_jwt_bearer | string | consent | consent_required, consent_persisted, no_consent_required, disallowed | Default consent policy for jwt bearer |
policy_force_reauthentication | boolean | false | Default setting if scope requests should force reauthentication | |
metadata | metadataData structure:name, value, locale (all string) | |||
custom_claims | Mapping between custom scope and custom openid/oauth2 claim configurated in neivsAuth | test_claim | Default OAuth 2.0/OpenId Connect scopes cannot set custom claims |