OPProfileConfiguration-ClientAuthentication

Options common to OP profiles that support client authentication:

| Name | Type | Default | Description |
|---|---|---|---|
| tokenEndpointAuthMethods | Collection<String> | client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt | Enabled endpoint client authentication methods |
| unregisteredClientPolicy (4.0) | Map<String, UnregisteredClientPolicy> | See wiki page | The policy used to verify unverified clients when this profile is enabled in the unverified RP config |

For convenience, this is also controllable globally via the idp.oidc.tokenEndpointAuthMethods property.

Since OP v3.4, the JWT-based client authentication methods (client_secret_jwt and private_key_jwt) accept any of the following three audiences:

  1. OP issuer value (profile responder ID)

  2. The token flow endpoint URL value (even for introspection and revocation endpoints)

  3. The flow endpoint URL value

Prior to v3.4, only the flow endpoint URL value could be used. A custom bean for validating the audience can be set via the idp.oauth2.jwtAuth.audienceValidator property.
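The audience rule above, shown as an added example that is not the OP plugin's own code: an RP builds a client_secret_jwt assertion (HS256, stdlib only) and the OP side verifies the signature, expiry and that `aud` names one of the three accepted values (issuer, token endpoint, current flow endpoint), or only the flow endpoint when the pre-3.4 behaviour is selected. The issuer, endpoint URLs and secret are constructed values, not configuration from this page.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only (not the plugin's configuration).
ISSUER = "https://op.example.org"
TOKEN_ENDPOINT = "https://op.example.org/idp/profile/oidc/token"
CLIENT_SECRET = b"constructed-shared-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(client_id, aud, secret=CLIENT_SECRET):
    """RP side: build a client_secret_jwt assertion (HS256) for the given audience."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "jti": "constructed-jti", "exp": int(time.time()) + 60}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def accepted_audiences(flow_endpoint, since_v34=True):
    """Audiences the OP accepts: v3.4+ allows all three, earlier only the flow endpoint."""
    if not since_v34:
        return {flow_endpoint}
    return {ISSUER, TOKEN_ENDPOINT, flow_endpoint}


def verify_client_assertion(assertion, secret, flow_endpoint, since_v34=True):
    """OP side: reject unless alg is HS256, the MAC and expiry check out,
    and at least one 'aud' value is an accepted audience."""
    header, payload, sig = assertion.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False  # refuse algorithm substitution
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return False
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)
    return bool(aud & accepted_audiences(flow_endpoint, since_v34))
```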