OAuth2Clients

Realm Operations

Agents handler that is responsible for managing agents

Resource path: /realm-config/agents/OAuth2Client

Resource version: 1.0

create

Usage:

am> create OAuth2Clients --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "coreOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26000,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "agentgroup" : {
          "title" : "Group",
          "description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
          "propertyOrder" : 100,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientName" : {
          "title" : "Client Name",
          "description" : "This value is a readable name for this client.",
          "propertyOrder" : 25300,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "userpassword" : {
          "title" : "Client secret",
          "description" : "Client secret. Used when the client authenticates to AM.",
          "propertyOrder" : 23000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authorizationCodeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 25800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "loopbackInterfaceRedirection" : {
          "title" : "Allow wildcard ports in redirect URIs",
          "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>",
          "propertyOrder" : 23150,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : false
            }
          }
        },
        "status" : {
          "title" : "Status",
          "description" : "Status of the agent configuration.",
          "propertyOrder" : 200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "clientType" : {
          "title" : "Client type",
          "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
          "propertyOrder" : 23100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
          "propertyOrder" : 25900,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "scopes" : {
          "title" : "Scope(s)",
          "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23300,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "redirectionUris" : {
          "title" : "Redirection URIs",
          "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultScopes" : {
          "title" : "Default Scope(s)",
          "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23700,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    },
    "advancedOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "isConsentImplied" : {
          "title" : "Implied consent",
          "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
          "propertyOrder" : 26200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "subjectType" : {
          "title" : "Subject Type",
          "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2Provider service setting.",
          "propertyOrder" : 24400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "contacts" : {
          "title" : "Contacts",
          "description" : "Email addresses of users who can administrate this client.",
          "propertyOrder" : 23900,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
          "propertyOrder" : 26300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "policyUri" : {
          "title" : "Privacy Policy URI",
          "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.",
          "propertyOrder" : 25375,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "name" : {
          "title" : "Display name",
          "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
          "propertyOrder" : 23500,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.",
          "propertyOrder" : 23800,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : true
            }
          }
        },
        "updateAccessToken" : {
          "title" : "Access Token",
          "description" : "The access token used to update the client.",
          "propertyOrder" : 25100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "descriptions" : {
          "title" : "Display description",
          "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
          "propertyOrder" : 23600,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "tokenEndpointAuthMethod" : {
          "title" : "Token Endpoint Authentication Method",
          "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
          "propertyOrder" : 24000,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "responseTypes" : {
          "title" : "Response Types",
          "description" : "Response types this client will support and use.",
          "propertyOrder" : 23800,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : true
            }
          }
        },
        "javascriptOrigins" : {
          "title" : "JavaScript Origins",
          "description" : "",
          "propertyOrder" : 23650,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "clientUri" : {
          "title" : "Client URI",
          "description" : "The URI for finding further information about the client from user-facing UIs.",
          "propertyOrder" : 25325,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "sectorIdentifierUri" : {
          "title" : "Sector Identifier URI",
          "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
          "propertyOrder" : 24300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "requestUris" : {
          "title" : "Request uris",
          "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.",
          "propertyOrder" : 23700,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "logoUri" : {
          "title" : "Logo URI",
          "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.",
          "propertyOrder" : 25350,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    },
    "signEncOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Signing and Encryption",
      "propertyOrder" : 3,
      "properties" : {
        "publicKeyLocation" : {
          "title" : "Public key selector",
          "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
          "propertyOrder" : 25700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterEncryptedEncryptionAlgorithm" : {
          "title" : "Request parameter encryption method",
          "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "idTokenEncryptionMethod" : {
          "title" : "ID Token Encryption Method",
          "description" : "Encryption method the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "idTokenPublicEncryptionKey" : {
          "title" : "Client ID Token Public Encryption Key",
          "description" : "A Base64 encoded public key for encrypting ID Tokens.",
          "propertyOrder" : 24900,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "clientJwtPublicKey" : {
          "title" : "Client JWT Bearer Public Key",
          "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
          "propertyOrder" : 25400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwksCacheTimeout" : {
          "title" : "JWKs URI content cache timeout in ms",
          "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
          "propertyOrder" : 24110,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "userinfoEncryptedResponseAlg" : {
          "title" : "User info encrypted response algorithm",
          "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
          "propertyOrder" : 27300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "userinfoEncryptedResponseEncryptionAlgorithm" : {
          "title" : "User info encrypted response encryption algorithm",
          "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterEncryptedAlg" : {
          "title" : "Request parameter encryption algorithm",
          "description" : "JWE algorithm for encrypting the request parameter.",
          "propertyOrder" : 27600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwksUri" : {
          "title" : "Json Web Key URI",
          "description" : "The uri that contains the client's public keys in Json Web Key format.",
          "propertyOrder" : 24100,
          "type" : "object",
          "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "idTokenEncryptionAlgorithm" : {
          "title" : "ID Token Encryption Algorithm",
          "description" : "Algorithm the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenIntrospectionResponseFormat" : {
          "title" : "Token introspection response format",
          "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03",
          "propertyOrder" : 27800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : {
          "title" : "Token introspection encrypted response encryption algorithm",
          "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27830,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "mTLSCertificateBoundAccessTokens" : {
          "title" : "Use Certificate-Bound Access Tokens",
          "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.",
          "propertyOrder" : 25507,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "idTokenEncryptionEnabled" : {
          "title" : "Enable ID Token Encryption",
          "description" : "Select to enable ID token encryption.",
          "propertyOrder" : 24600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "idTokenSignedResponseAlg" : {
          "title" : "ID Token Signing Algorithm",
          "description" : "Algorithm the ID Token for this client must be signed with.",
          "propertyOrder" : 24500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterSignedAlg" : {
          "title" : "Request parameter signing algorithm",
          "description" : "JWS algorithm for signing the request parameter.",
          "propertyOrder" : 27500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwkStoreCacheMissCacheTime" : {
          "title" : "JWKs URI content cache miss cache time",
          "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
          "propertyOrder" : 24120,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "mTLSSubjectDN" : {
          "title" : "mTLS Subject DN",
          "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=&lt;client_id&gt;. Only applicable when using CA-signed certificates.",
          "propertyOrder" : 25406,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "tokenIntrospectionEncryptedResponseAlg" : {
          "title" : "Token introspection response encryption algorithm",
          "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27820,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "mTLSTrustedCert" : {
          "title" : "mTLS Self-Signed Certificate",
          "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.",
          "propertyOrder" : 25405,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwkSet" : {
          "title" : "Json Web Key",
          "description" : "Raw JSON Web Key value containing the client's public keys.",
          "propertyOrder" : 24200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "tokenIntrospectionSignedResponseAlg" : {
          "title" : "Token introspection response signing algorithm",
          "description" : "Algorithm used for signing the introspection JWT response.",
          "propertyOrder" : 27810,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "userinfoResponseFormat" : {
          "title" : "User info response format.",
          "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
          "propertyOrder" : 27100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenEndpointAuthSigningAlgorithm" : {
          "title" : "Token Endpoint Authentication Signing Algorithm",
          "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
          "propertyOrder" : 24130,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "userinfoSignedResponseAlg" : {
          "title" : "User info signed response algorithm",
          "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
          "propertyOrder" : 27200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        }
      }
    },
    "coreOpenIDClientConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 2,
      "properties" : {
        "postLogoutRedirectUri" : {
          "title" : "Post Logout Redirect URIs",
          "description" : "URIs that can be redirected to after the client logout process.",
          "propertyOrder" : 25000,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultMaxAgeEnabled" : {
          "title" : "Default Max Age Enabled",
          "description" : "Whether or not the default max age is enforced.",
          "propertyOrder" : 25600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "claims" : {
          "title" : "Claim(s)",
          "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
          "propertyOrder" : 23400,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "clientSessionUri" : {
          "title" : "Client Session URI",
          "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
          "propertyOrder" : 25200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "defaultAcrValues" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 25650,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultMaxAge" : {
          "title" : "Default Max Age",
          "description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
          "propertyOrder" : 25500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        }
      }
    },
    "coreUmaClientConfig" : {
      "type" : "object",
      "title" : "UMA",
      "propertyOrder" : 4,
      "properties" : {
        "claimsRedirectionUris" : {
          "title" : "Claims Redirection URIs",
          "description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    }
  }
}

delete

Usage:

am> delete OAuth2Clients --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action OAuth2Clients --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action OAuth2Clients --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action OAuth2Clients --realm Realm --actionName nextdescendents

query

Querying the agents of a specific type

Usage:

am> query OAuth2Clients --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage:

am> read OAuth2Clients --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

update

Usage:

am> update OAuth2Clients --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "coreOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : 0,
      "properties" : {
        "accessTokenLifetime" : {
          "title" : "Access Token Lifetime (seconds)",
          "description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26000,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "agentgroup" : {
          "title" : "Group",
          "description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
          "propertyOrder" : 100,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientName" : {
          "title" : "Client Name",
          "description" : "This value is a readable name for this client.",
          "propertyOrder" : 25300,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "userpassword" : {
          "title" : "Client secret",
          "description" : "Client secret. Used when the client authenticates to AM.",
          "propertyOrder" : 23000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authorizationCodeLifetime" : {
          "title" : "Authorization Code Lifetime (seconds)",
          "description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 25800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "loopbackInterfaceRedirection" : {
          "title" : "Allow wildcard ports in redirect URIs",
          "description" : "This flag indicates whether wildcards can be used for port numbers in redirect URIs. When this toggle is set to true and a wildcard is used the only allowed combinations of protocols and hosts are: http://127.0.0.1, https://127.0.0.1, http://[::1], https://[::1], http://localhost, https://localhost The wild cards are permitted only for the port values. For example - <code>http://localhost:80*</code>, <code>http://localhost:80?0/{path}</code>, <code>http://localhost:80[8-9]0/{path}</code>",
          "propertyOrder" : 23150,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : false
            }
          }
        },
        "status" : {
          "title" : "Status",
          "description" : "Status of the agent configuration.",
          "propertyOrder" : 200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "clientType" : {
          "title" : "Client type",
          "description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
          "propertyOrder" : 23100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "refreshTokenLifetime" : {
          "title" : "Refresh Token Lifetime (seconds)",
          "description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
          "propertyOrder" : 25900,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "scopes" : {
          "title" : "Scope(s)",
          "description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23300,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "redirectionUris" : {
          "title" : "Redirection URIs",
          "description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultScopes" : {
          "title" : "Default Scope(s)",
          "description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
          "propertyOrder" : 23700,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    },
    "advancedOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Advanced",
      "propertyOrder" : 1,
      "properties" : {
        "isConsentImplied" : {
          "title" : "Implied consent",
          "description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
          "propertyOrder" : 26200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "subjectType" : {
          "title" : "Subject Type",
          "description" : "The subject type added to responses for this client. This value must be included in \"Subject Type Supported\" in OAuth2Provider service setting.",
          "propertyOrder" : 24400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "contacts" : {
          "title" : "Contacts",
          "description" : "Email addresses of users who can administrate this client.",
          "propertyOrder" : 23900,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "mixUpMitigation" : {
          "title" : "OAuth 2.0 Mix-Up Mitigation enabled",
          "description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
          "propertyOrder" : 26300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "policyUri" : {
          "title" : "Privacy Policy URI",
          "description" : "The URI for the client's privacy policy, for use in user-facing consent pages.",
          "propertyOrder" : 25375,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "name" : {
          "title" : "Display name",
          "description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
          "propertyOrder" : 23500,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "grantTypes" : {
          "title" : "Grant Types",
          "description" : "The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.<br><br>If no Grant Types (OAuth2 Flows) are configured then AUTHORIZATION_CODE flow would be permitted by default.",
          "propertyOrder" : 23800,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : true
            }
          }
        },
        "updateAccessToken" : {
          "title" : "Access Token",
          "description" : "The access token used to update the client.",
          "propertyOrder" : 25100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "descriptions" : {
          "title" : "Display description",
          "description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
          "propertyOrder" : 23600,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "tokenEndpointAuthMethod" : {
          "title" : "Token Endpoint Authentication Method",
          "description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
          "propertyOrder" : 24000,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "responseTypes" : {
          "title" : "Response Types",
          "description" : "Response types this client will support and use.",
          "propertyOrder" : 23800,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : true
            }
          }
        },
        "javascriptOrigins" : {
          "title" : "JavaScript Origins",
          "description" : "",
          "propertyOrder" : 23650,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "clientUri" : {
          "title" : "Client URI",
          "description" : "The URI for finding further information about the client from user-facing UIs.",
          "propertyOrder" : 25325,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "sectorIdentifierUri" : {
          "title" : "Sector Identifier URI",
          "description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
          "propertyOrder" : 24300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "requestUris" : {
          "title" : "Request uris",
          "description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters and MUST use either HTTP or HTTPS. Otherwise the value will be ignored.",
          "propertyOrder" : 23700,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "logoUri" : {
          "title" : "Logo URI",
          "description" : "The URI for the client's logo, for use in user-facing UIs such as consent pages and application pages.",
          "propertyOrder" : 25350,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    },
    "signEncOAuth2ClientConfig" : {
      "type" : "object",
      "title" : "Signing and Encryption",
      "propertyOrder" : 3,
      "properties" : {
        "publicKeyLocation" : {
          "title" : "Public key selector",
          "description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
          "propertyOrder" : 25700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterEncryptedEncryptionAlgorithm" : {
          "title" : "Request parameter encryption method",
          "description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "idTokenEncryptionMethod" : {
          "title" : "ID Token Encryption Method",
          "description" : "Encryption method the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "idTokenPublicEncryptionKey" : {
          "title" : "Client ID Token Public Encryption Key",
          "description" : "A Base64 encoded public key for encrypting ID Tokens.",
          "propertyOrder" : 24900,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "clientJwtPublicKey" : {
          "title" : "Client JWT Bearer Public Key",
          "description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
          "propertyOrder" : 25400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwksCacheTimeout" : {
          "title" : "JWKs URI content cache timeout in ms",
          "description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
          "propertyOrder" : 24110,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "userinfoEncryptedResponseAlg" : {
          "title" : "User info encrypted response algorithm",
          "description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
          "propertyOrder" : 27300,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "userinfoEncryptedResponseEncryptionAlgorithm" : {
          "title" : "User info encrypted response encryption algorithm",
          "description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
          "propertyOrder" : 27400,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterEncryptedAlg" : {
          "title" : "Request parameter encryption algorithm",
          "description" : "JWE algorithm for encrypting the request parameter.",
          "propertyOrder" : 27600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwksUri" : {
          "title" : "Json Web Key URI",
          "description" : "The uri that contains the client's public keys in Json Web Key format.",
          "propertyOrder" : 24100,
          "type" : "object",
          "exampleValue" : "https://{{jwks-www}}/oauth2/{{realm}}/connect/jwk_uri",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "idTokenEncryptionAlgorithm" : {
          "title" : "ID Token Encryption Algorithm",
          "description" : "Algorithm the ID Token for this client must be encrypted with.",
          "propertyOrder" : 24700,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenIntrospectionResponseFormat" : {
          "title" : "Token introspection response format",
          "description" : "The token introspection endpoint offers different output format. see https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03",
          "propertyOrder" : 27800,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenIntrospectionEncryptedResponseEncryptionAlgorithm" : {
          "title" : "Token introspection encrypted response encryption algorithm",
          "description" : "JWE 'enc' algorithm REQUIRED for encrypting token introspection responses. Sets the algorithm that will be used to encrypt the Plaintext of a JWE when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27830,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "mTLSCertificateBoundAccessTokens" : {
          "title" : "Use Certificate-Bound Access Tokens",
          "description" : "Whether access tokens issued to this client should be bound to the X.509 certificate it uses to authenticate to the token endpoint. If enabled (and the provider supports it) then an x5t#S256 confirmation key will be added to all access tokens with the SHA-256 hash of the client's certificate.",
          "propertyOrder" : 25507,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "idTokenEncryptionEnabled" : {
          "title" : "Enable ID Token Encryption",
          "description" : "Select to enable ID token encryption.",
          "propertyOrder" : 24600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "idTokenSignedResponseAlg" : {
          "title" : "ID Token Signing Algorithm",
          "description" : "Algorithm the ID Token for this client must be signed with.",
          "propertyOrder" : 24500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "requestParameterSignedAlg" : {
          "title" : "Request parameter signing algorithm",
          "description" : "JWS algorithm for signing the request parameter.",
          "propertyOrder" : 27500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwkStoreCacheMissCacheTime" : {
          "title" : "JWKs URI content cache miss cache time",
          "description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
          "propertyOrder" : 24120,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "mTLSSubjectDN" : {
          "title" : "mTLS Subject DN",
          "description" : "Expected Subject DN of certificate used for mTLS client certificate authentication. Defaults to CN=&lt;client_id&gt;. Only applicable when using CA-signed certificates.",
          "propertyOrder" : 25406,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "tokenIntrospectionEncryptedResponseAlg" : {
          "title" : "Token introspection response encryption algorithm",
          "description" : "JWE \"alg\" algorithm REQUIRED for encrypting introspection responses. Sets the algorithm that will be used to encrypt the Content Encryption Key when the chosen introspection response format is 'signed then encrypted'.",
          "propertyOrder" : 27820,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "mTLSTrustedCert" : {
          "title" : "mTLS Self-Signed Certificate",
          "description" : "Self-signed PEM-encoded X.509 certificate for mTLS client certificate authentication.",
          "propertyOrder" : 25405,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "jwkSet" : {
          "title" : "Json Web Key",
          "description" : "Raw JSON Web Key value containing the client's public keys.",
          "propertyOrder" : 24200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "tokenIntrospectionSignedResponseAlg" : {
          "title" : "Token introspection response signing algorithm",
          "description" : "Algorithm used for signing the introspection JWT response.",
          "propertyOrder" : 27810,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "userinfoResponseFormat" : {
          "title" : "User info response format.",
          "description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
          "propertyOrder" : 27100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "tokenEndpointAuthSigningAlgorithm" : {
          "title" : "Token Endpoint Authentication Signing Algorithm",
          "description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
          "propertyOrder" : 24130,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : true
            }
          }
        },
        "userinfoSignedResponseAlg" : {
          "title" : "User info signed response algorithm",
          "description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
          "propertyOrder" : 27200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        }
      }
    },
    "coreOpenIDClientConfig" : {
      "type" : "object",
      "title" : "OpenID Connect",
      "propertyOrder" : 2,
      "properties" : {
        "postLogoutRedirectUri" : {
          "title" : "Post Logout Redirect URIs",
          "description" : "URIs that can be redirected to after the client logout process.",
          "propertyOrder" : 25000,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultMaxAgeEnabled" : {
          "title" : "Default Max Age Enabled",
          "description" : "Whether or not the default max age is enforced.",
          "propertyOrder" : 25600,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "jwtTokenLifetime" : {
          "title" : "OpenID Connect JWT Token Lifetime (seconds)",
          "description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
          "propertyOrder" : 26100,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        },
        "claims" : {
          "title" : "Claim(s)",
          "description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
          "propertyOrder" : 23400,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "clientSessionUri" : {
          "title" : "Client Session URI",
          "description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
          "propertyOrder" : 25200,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "string",
              "required" : false
            }
          }
        },
        "defaultAcrValues" : {
          "title" : "Default ACR values",
          "description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
          "propertyOrder" : 25650,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        },
        "defaultMaxAge" : {
          "title" : "Default Max Age",
          "description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
          "propertyOrder" : 25500,
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "integer",
              "required" : true
            }
          }
        }
      }
    },
    "coreUmaClientConfig" : {
      "type" : "object",
      "title" : "UMA",
      "propertyOrder" : 4,
      "properties" : {
        "claimsRedirectionUris" : {
          "title" : "Claims Redirection URIs",
          "description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
          "propertyOrder" : 23200,
          "items" : {
            "type" : "string"
          },
          "type" : "object",
          "exampleValue" : "",
          "properties" : {
            "inherited" : {
              "type" : "boolean",
              "required" : true
            },
            "value" : {
              "type" : "array",
              "required" : false
            }
          }
        }
      }
    }
  }
}
Read a different version of :