Skip to content

Latest commit

 

History

History
160 lines (99 loc) · 4.5 KB

ClientMetadata.md

File metadata and controls

160 lines (99 loc) · 4.5 KB
Raw

Interface: ClientMetadata

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.

A subset of the IANA OAuth Client Metadata registry that has an effect on how the Client functions

Properties

client_id

client_id: string

Client identifier.

[clockSkew]?

optional [clockSkew]: number

See clockSkew.

[clockTolerance]?

optional [clockTolerance]: number

See clockTolerance.

authorization_signed_response_alg?

optional authorization_signed_response_alg: string

JWS alg algorithm required for signing authorization responses. When not configured the default is to allow only algorithms listed in as.authorization_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.

client_secret?

optional client_secret: string

Client secret.

default_max_age?

optional default_max_age: number

Default Maximum Authentication Age.

id_token_signed_response_alg?

optional id_token_signed_response_alg: string

JWS alg algorithm required for signing the ID Token issued to this Client. When not configured the default is to allow only algorithms listed in as.id_token_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.

introspection_signed_response_alg?

optional introspection_signed_response_alg: string

JWS alg algorithm REQUIRED for signed introspection responses. When not configured the default is to allow only algorithms listed in as.introspection_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.

require_auth_time?

optional require_auth_time: boolean

Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. Default is false.

use_mtls_endpoint_aliases?

optional use_mtls_endpoint_aliases: boolean

Indicates the requirement for a client to use mutual TLS endpoint aliases indicated by the Authorization Server Metadata. Default is false.

When combined with customFetch (to use a Fetch API implementation that supports client certificates) this can be used to target security profiles that utilize Mutual-TLS for either client authentication or sender constraining.

Examples

(Node.js) Using nodejs/undici for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

import * as undici from 'undici'

let config!: client.Configuration
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

let agent = new undici.Agent({ connect: { key, cert } })

config[client.customFetch] = (...args) =>
  // @ts-expect-error
  undici.fetch(args[0], { ...args[1], dispatcher: agent })

(Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

let config!: client.Configuration
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

// @ts-expect-error
let agent = Deno.createHttpClient({ key, cert })

config[client.customFetch] = (...args) =>
  // @ts-expect-error
  fetch(args[0], { ...args[1], client: agent })

See

RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

userinfo_signed_response_alg?

optional userinfo_signed_response_alg: string

JWS alg algorithm REQUIRED for signing UserInfo Responses. When not configured the default is to allow only algorithms listed in as.userinfo_signing_alg_values_supported and fail otherwise.