Signicat OIDC Config API (v1)

Client identifier (Globally unique).

If not provided a new ID will be generated.

Client name.

Client account id.

Salt value used in pair-wise subjectId generation for users of this client.

URI to further information about client (used on consent screen).

URI to client logo (used on consent screen).

Must be an absolute URI and Https.

Enable/Disable IDTokens encryption.

If enabled requires public keys allowed to encrypt.

Specifies whether this client needs a secret to request tokens from the token endpoint.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce). When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'true'.

Specifies whether clients using an authorization code based grant type must send a proof key.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce).

Specifies whether this client needs to wrap the authorize request parameters in a JWT.

When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'.

Specifies whether should use reference tokens or not.

Specifies the allowed URIs to return tokens or authorization codes to.

Must have at least one redirect URI in case of PrimaryGrantType attribute is DeviceFlow. Must be an absolute URI and Https. Http URIs are only allowed if pointing at localhost.

Specifies the allowed resources that client as access.

Specifies whether this client can request refresh tokens.

Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser).

Specifies allowed URIs to redirect to after logout. See the OIDC Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details.

Specifies logout URI at client for HTTP based front-channel logout. See the OIDC Front-Channel spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details.

The URIs must be an absolute URI and Https. Http uris are only allowed if pointing at localhost.

Specifies if the user’s session id should be sent to the FrontChannelLogoutUri.

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed).

Defaults to empty.

The maximum duration (in seconds) since the last time the user authenticated.

You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds.

Lifetime to identity token in seconds.

The default value is 600 seconds.

Lifetime of access token in seconds.

The default value is 600 seconds.

Lifetime of authorization code in seconds.

The default value is 15 seconds.

Maximum lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on.

Sliding lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry and AllowOfflineAccess is on.

Allow reuse refresh token. The refresh token handle will stay the same when refreshing tokens.

If set to false (default value) then the refresh token handle will be updated when refreshing tokens.

Specifies whether refresh token should expire or not.

Currently don´t have any default value and fail if not set. When set to 'true' and AllowOfflineAccess is on then SlidingRefreshTokenLifetime attribute must be greater then 0. When set to 'false' and AllowOfflineAccess is on then AbsoluteRefreshTokenLifetime attribute must be greater then 0.

Lifetime to device code in seconds.

The default value is 300 seconds. Must be greater then 0 when PrimaryGrantType attribute is DeviceFlow grant type.

Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.

Specifies the primary grant type the client is allowed to use.

Content encryption algorithm for ID tokens and the UserInfo response.

Defaults to A256CBC-HS512.

Defines the IdToken user data level.

User info response type.

Defaults to 'Json'.

Internal version of the client (Read only).

Specifies whether a consent screen is required.

Defines when the client was created (Read only).

Defines the last change on the client (Read only).

Indicates if after a logout, the client should be redirected automatically.

Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed.

External reference for transaction provided by the customer.

Used to group transactions together for the customer.orderid:121232

Enables the Enterprise Subject Lookup migration feature.

Note: You need admin permissions to enable this feature.

Enables the Client to not use cookies.

Note: You need admin permissions to enable this feature.

Enables the Client to require pushed authorization requests.

Specifies whether the client is a workload client.

Client identifier (Globally unique).

If not provided a new ID will be generated.

Client name.

Client account id.

Salt value used in pair-wise subjectId generation for users of this client.

URI to further information about client (used on consent screen).

URI to client logo (used on consent screen).

Must be an absolute URI and Https.

Enable/Disable IDTokens encryption.

If enabled requires public keys allowed to encrypt.

Specifies whether this client needs a secret to request tokens from the token endpoint.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce). When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'true'.

Specifies whether clients using an authorization code based grant type must send a proof key.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce).

Specifies whether this client needs to wrap the authorize request parameters in a JWT.

When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'.

Specifies whether should use reference tokens or not.

Specifies the allowed URIs to return tokens or authorization codes to.

Must have at least one redirect URI in case of PrimaryGrantType attribute is DeviceFlow. Must be an absolute URI and Https. Http URIs are only allowed if pointing at localhost.

Specifies the allowed resources that client as access.

Specifies whether this client can request refresh tokens.

Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser).

Specifies allowed URIs to redirect to after logout. See the OIDC Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details.

Specifies logout URI at client for HTTP based front-channel logout. See the OIDC Front-Channel spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details.

The URIs must be an absolute URI and Https. Http uris are only allowed if pointing at localhost.

Specifies if the user’s session id should be sent to the FrontChannelLogoutUri.

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed).

Defaults to empty.

The maximum duration (in seconds) since the last time the user authenticated.

You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds.

Lifetime to identity token in seconds.

The default value is 600 seconds.

Lifetime of access token in seconds.

The default value is 600 seconds.

Lifetime of authorization code in seconds.

The default value is 15 seconds.

Maximum lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on.

Sliding lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry and AllowOfflineAccess is on.

Allow reuse refresh token. The refresh token handle will stay the same when refreshing tokens.

If set to false (default value) then the refresh token handle will be updated when refreshing tokens.

Specifies whether refresh token should expire or not.

Currently don´t have any default value and fail if not set. When set to 'true' and AllowOfflineAccess is on then SlidingRefreshTokenLifetime attribute must be greater then 0. When set to 'false' and AllowOfflineAccess is on then AbsoluteRefreshTokenLifetime attribute must be greater then 0.

Lifetime to device code in seconds.

The default value is 300 seconds. Must be greater then 0 when PrimaryGrantType attribute is DeviceFlow grant type.

Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.

Specifies the primary grant type the client is allowed to use.

Content encryption algorithm for ID tokens and the UserInfo response.

Defaults to A256CBC-HS512.

Defines the IdToken user data level.

User info response type.

Defaults to 'Json'.

Internal version of the client (Read only).

Specifies whether a consent screen is required.

Defines when the client was created (Read only).

Defines the last change on the client (Read only).

Indicates if after a logout, the client should be redirected automatically.

Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed.

External reference for transaction provided by the customer.

Used to group transactions together for the customer.orderid:121232

Enables the Enterprise Subject Lookup migration feature.

Note: You need admin permissions to enable this feature.

Enables the Client to not use cookies.

Note: You need admin permissions to enable this feature.

Enables the Client to require pushed authorization requests.

Specifies whether the client is a workload client.

Client name.

Salt value used in pair-wise subjectId generation for users of this client.

URI to further information about client (used on consent screen).

URI to client logo (used on consent screen).

Must be an absolute URI and Https.

Enable/Disable IDTokens encryption.

If enabled requires public keys allowed to encrypt.

Specifies whether this client needs a secret to request tokens from the token endpoint.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce). When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'true'.

Specifies whether clients using an authorization code based grant type must send a proof key.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce).

Specifies whether this client needs to wrap the authorize request parameters in a JWT.

When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'.

Specifies whether should use reference tokens or not.

Specifies the allowed URIs to return tokens or authorization codes to.

Must have at least one redirect URI in case of PrimaryGrantType attribute is DeviceFlow. Must be an absolute URI and Https. Http URIs are only allowed if pointing at localhost.

Specifies the allowed resources that client as access.

Specifies whether this client can request refresh tokens.

Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser).

Specifies allowed URIs to redirect to after logout. See the OIDC Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details.

Specifies logout URI at client for HTTP based front-channel logout. See the OIDC Front-Channel spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details.

The URIs must be an absolute URI and Https. Http uris are only allowed if pointing at localhost.

Specifies if the user’s session id should be sent to the FrontChannelLogoutUri.

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed).

Defaults to empty.

The maximum duration (in seconds) since the last time the user authenticated.

You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds.

Lifetime to identity token in seconds.

The default value is 600 seconds.

Lifetime of access token in seconds.

The default value is 600 seconds.

Lifetime of authorization code in seconds.

The default value is 15 seconds.

Maximum lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on.

Sliding lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater then 1 when attribute SlidingRefreshTokenExpiry and AllowOfflineAccess is on.

Allow reuse refresh token. The refresh token handle will stay the same when refreshing tokens.

If set to false (default value) then the refresh token handle will be updated when refreshing tokens.

Specifies whether refresh token should expire or not.

Currently don´t have any default value and fail if not set. When set to 'true' and AllowOfflineAccess is on then SlidingRefreshTokenLifetime attribute must be greater then 0. When set to 'false' and AllowOfflineAccess is on then AbsoluteRefreshTokenLifetime attribute must be greater then 0.

Lifetime to device code in seconds.

The default value is 300 seconds. Must be greater then 0 when PrimaryGrantType attribute is DeviceFlow grant type.

Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.

Specifies the primary grant type the client is allowed to use.

Content encryption algorithm for ID tokens and the UserInfo response.

Defaults to A256CBC-HS512.

Defines the IdToken user data level.

User info response type.

Defaults to 'Json'.

Internal version of the client (Read only).

Specifies whether a consent screen is required.

Defines the last change on the client (Read only).

Indicates if after a logout, the client should be redirected automatically.

Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed.

External reference for transaction provided by the customer.

Used to group transactions together for the customer.orderid:121232

Enables the Enterprise Subject Lookup migration feature.

Note: You need admin permissions to enable this feature.

Enables the Client to not use cookies.

Note: You need admin permissions to enable this feature.

Enables the Client to require pushed authorization requests.

The custom claim identifier

The claim to set an alias to

The alias to the claim