OPProfileConfiguration-ClientAuthentication
Options common to OP profiles that support client authentication:
Name | Type | Default | Description |
---|---|---|---|
tokenEndpointAuthMethods | Collection<String> | client_secret_basic, | Enabled endpoint client authentication methods |
unregisteredClientPolicy 4.0 | Map<String, UnregisteredClientPolicy> | See wiki page | The policy used to verify unverified clients when this profile is enabled in the unverified RP config |
For convenience, this is also controllable globally via the idp.oidc.tokenEndpointAuthMethods property.
Since OP v3.4, the JWT-based client authentication methods (client_secret_jwt and private_key_jwt) accept any of the following three audiences:
- OP issuer value (profile responder ID)
- The token flow endpoint URL value (even for introspection and revocation endpoints)
- The flow endpoint URL value
Prior to v3.4, only the flow endpoint URL value could be used. A custom bean for validating the audience can be set via the idp.oauth2.jwtAuth.audienceValidator property.
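The audience rule above, written out as a small diagnostic for checking the aud claim of a client assertion when JWT client authentication is rejected. This is an added example, not the OP's own code: the URLs and function names are constructed, and exact string comparison with any-value matching for array audiences is an assumption.

```python
import base64
import json

# Constructed deployment values (assumptions, not taken from the page).
ISSUER = "https://op.example.org"
TOKEN_ENDPOINT = "https://op.example.org/token"
INTROSPECT_ENDPOINT = "https://op.example.org/introspect"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT for this demo only."""
    header = json.dumps({"alg": "none"}).encode()
    return ".".join([_b64url(header), _b64url(json.dumps(claims).encode()), ""])


def assertion_audiences(jwt: str) -> list:
    """Return aud as a list of strings (RFC 7519 allows a string or an array)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list):
        return [a for a in aud if isinstance(a, str)]
    return []  # missing or malformed aud matches nothing


def accepted_audiences(flow_endpoint: str, since_v3_4: bool = True) -> set:
    """Audiences the page lists for a request to flow_endpoint."""
    if not since_v3_4:
        return {flow_endpoint}  # pre-3.4: only the endpoint being called
    return {ISSUER, TOKEN_ENDPOINT, flow_endpoint}


def audience_ok(jwt: str, flow_endpoint: str, since_v3_4: bool = True) -> bool:
    """True if any aud value exactly equals an accepted audience.

    Signature and expiry checks are deliberately out of scope here;
    this only inspects the audience of an assertion.
    """
    allowed = accepted_audiences(flow_endpoint, since_v3_4)
    return any(a in allowed for a in assertion_audiences(jwt))
```

A client that always sets aud to the token endpoint URL passes at the introspection endpoint only under the v3.4 rule, which is the case the second list item describes.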