Client

The Client class models an OpenID Connect or OAuth 2.0 client - e.g. a native application, a web application or a JS-based application.

Basics

Enabled
Specifies if the client is enabled. Defaults to true.
ClientId
Unique ID of the client
ClientSecrets
List of client secrets - credentials to access the token endpoint.
RequireClientSecret
Specifies whether this client needs a secret to request tokens from the token endpoint (defaults to true)
AllowedGrantTypes
Specifies the grant types the client is allowed to use. Use the GrantTypes class for common combinations.
RequirePkce
Specifies whether clients using an authorization code based grant type must send a proof key
AllowPlainTextPkce
Specifies whether clients using PKCE can use a plain text code challenge (not recommended - defaults to false)
RedirectUris
Specifies the allowed URIs to return tokens or authorization codes to
AllowedScopes
By default a client has no access to any resources - specify the allowed resources by adding the corresponding scope names
AllowOfflineAccess
Specifies whether this client can request refresh tokens (by requesting the offline_access scope)
AllowAccessTokensViaBrowser
Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leak the token to the browser).
Properties
Dictionary to hold any custom client-specific values as needed.
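The "Basics" settings above decide how much of the authorization flow is exposed to the browser. The following is an added example, not code from this page or from the project it documents; it assumes the Client class is IdentityServer4's IdentityServer4.Models.Client (which the GrantTypes class and the In-Memory/EF references suggest), and every client id, URI, scope name and secret value is a constructed placeholder. It places a weakly configured browser client next to a hardened one, and adds a confidential server-side client for contrast.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Added example: client definitions for the "Basics" settings.
// Client ids, URIs, scope names and the secret are constructed placeholders.
public static class BasicClientConfig
{
    // Weak settings for a browser-based (JS) client: the implicit flow hands
    // the access token to the browser in the URL fragment, and offline access
    // gives a public client a long-lived refresh token it cannot protect.
    public static Client WeakSpaClient() => new Client
    {
        ClientId = "spa.weak",
        AllowedGrantTypes = GrantTypes.Implicit,
        RequireClientSecret = false,
        AllowAccessTokensViaBrowser = true,   // needed for the implicit "token" response type
        AllowOfflineAccess = true,            // refresh tokens for a public client
        RedirectUris = { "https://spa.example.test/callback" },
        AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" },
    };

    // Hardened equivalent: authorization code + PKCE (S256 only), tokens only
    // through the back channel, exact redirect URIs, minimal scopes.
    public static Client HardenedSpaClient() => new Client
    {
        ClientId = "spa.hardened",
        Enabled = true,
        AllowedGrantTypes = GrantTypes.Code,
        RequireClientSecret = false,          // public client: nowhere safe to keep a secret
        RequirePkce = true,                   // the proof key binds the code to the party that started the flow
        AllowPlainTextPkce = false,           // reject "plain" code challenges
        AllowAccessTokensViaBrowser = false,  // an access token never appears in a front-channel response
        AllowOfflineAccess = false,
        RedirectUris = { "https://spa.example.test/callback" },   // exact match, no wildcards
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1",
        },
    };

    // Confidential server-side web application: same code + PKCE flow, but it
    // can hold a secret, so the token endpoint demands one.
    public static Client ConfidentialWebClient() => new Client
    {
        ClientId = "web.confidential",
        AllowedGrantTypes = GrantTypes.Code,
        RequireClientSecret = true,
        // Only the SHA-256 hash is stored; the plaintext is a constructed placeholder.
        ClientSecrets = { new Secret("replace-with-a-random-secret".Sha256()) },
        RequirePkce = true,
        AllowPlainTextPkce = false,
        AllowAccessTokensViaBrowser = false,
        AllowOfflineAccess = true,            // refresh tokens are acceptable for a confidential client
        RedirectUris = { "https://web.example.test/signin-oidc" },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1",
        },
        Properties = { ["owner"] = "platform-team" },   // free-form custom metadata
    };

    public static IEnumerable<Client> All() => new[]
    {
        WeakSpaClient(), HardenedSpaClient(), ConfidentialWebClient(),
    };
}
```

The collection initializers work because the Client class initializes its collection properties, so `RedirectUris = { ... }` adds to the existing collection rather than replacing it. The two SPA definitions differ only in the handful of properties that control where tokens travel; comparing them side by side is a quick way to review an existing client store for the same weaknesses.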

Authentication/Logout

PostLogoutRedirectUris
Specifies allowed URIs to redirect to after logout. See the OpenID Connect Session Management spec for more details.
FrontChannelLogoutUri
Specifies logout URI at client for HTTP based front-channel logout. See the OIDC Front-Channel spec for more details.
FrontChannelLogoutSessionRequired
Specifies if the user's session id should be sent to the FrontChannelLogoutUri. Defaults to true.
BackChannelLogoutUri
Specifies logout URI at client for HTTP based back-channel logout. See the OIDC Back-Channel spec for more details.
BackChannelLogoutSessionRequired
Specifies if the user's session id should be sent in the request to the BackChannelLogoutUri. Defaults to true.
EnableLocalLogin
Specifies if this client can use local accounts, or external IdPs only. Defaults to true.
IdentityProviderRestrictions
Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty.
UserSsoLifetime (added in 2.3)
The maximum duration (in seconds) since the last time the user authenticated. Defaults to null.
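The Authentication/Logout settings are easiest to read together on one client, since the logout URIs, the IdP restrictions and the SSO lifetime all shape what a session for that client may look like. The block below is an added example rather than code from this page or the project; it assumes IdentityServer4's Client class, and the client id, URIs and external IdP scheme names are constructed placeholders.

```csharp
using IdentityServer4;
using IdentityServer4.Models;

// Added example: Authentication/Logout settings for a server-side web client.
// The client id, every URI and the IdP scheme names are constructed placeholders.
public static class LogoutClientConfig
{
    public static Client WebClientWithLogout() => new Client
    {
        ClientId = "web.logout-aware",
        AllowedGrantTypes = GrantTypes.Code,
        ClientSecrets = { new Secret("replace-with-a-random-secret".Sha256()) },
        RequirePkce = true,
        RedirectUris = { "https://web.example.test/signin-oidc" },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
        },

        // Only these exact URIs are accepted as post_logout_redirect_uri, so
        // the end-session endpoint cannot be used as an open redirector.
        PostLogoutRedirectUris = { "https://web.example.test/signout-callback-oidc" },

        // Front-channel logout: the end-session page loads this URI so the
        // client can clear its own cookie. With FrontChannelLogoutSessionRequired
        // the session id is appended, letting the client verify it matches the
        // session it actually holds before acting on the request.
        FrontChannelLogoutUri = "https://web.example.test/signout-oidc",
        FrontChannelLogoutSessionRequired = true,

        // Back-channel logout: a server-to-server request that still reaches
        // the client when the user's browser is no longer available.
        BackChannelLogoutUri = "https://web.example.test/backchannel-logout",
        BackChannelLogoutSessionRequired = true,

        // Users of this client must authenticate at one of the listed external
        // IdPs; local username/password login is disabled for this client only.
        EnableLocalLogin = false,
        IdentityProviderRestrictions = { "corp-oidc", "corp-saml" },

        // Require a fresh authentication if the user's last login is older than
        // 8 hours, independent of the IdentityServer session cookie's lifetime.
        UserSsoLifetime = 8 * 60 * 60,
    };
}
```

Both logout channels are configured here on purpose: the front-channel iframe is best effort (blocked third-party cookies or a closed tab can defeat it), while the back-channel request does not depend on the browser at all, so a client that supports it gets the more reliable signal.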

Token

IdentityTokenLifetime
Lifetime of identity token in seconds (defaults to 300 seconds / 5 minutes)
AccessTokenLifetime
Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour)
AuthorizationCodeLifetime
Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes)
AbsoluteRefreshTokenLifetime
Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days
SlidingRefreshTokenLifetime
Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days
RefreshTokenUsage

ReUse - the refresh token handle will stay the same when refreshing tokens

OneTime - the refresh token handle will be updated when refreshing tokens. This is the default.

RefreshTokenExpiration

Absolute - the refresh token will expire on a fixed point in time (specified by the AbsoluteRefreshTokenLifetime)

Sliding - when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime.

UpdateAccessTokenClaimsOnRefresh
Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request.
AccessTokenType
Specifies whether the access token is a reference token or a self contained JWT token (defaults to Jwt).
IncludeJwtId
Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim).
AllowedCorsOrigins
If specified, will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.
Claims
Allows settings claims for the client (will be included in the access token).
AlwaysSendClientClaims
If set, the client claims will be sent for every flow. If not, only for client credentials flow (default is false)
AlwaysIncludeUserClaimsInIdToken
When requesting both an id token and access token, should the user claims always be added to the id token instead of requiring the client to use the userinfo endpoint. Default is false.
ClientClaimsPrefix
The prefix that client claim types will be prefixed with. Defaults to client_. The intent is to make sure they don't accidentally collide with user claims.
PairWiseSubjectSalt
Salt value used in pair-wise subjectId generation for users of this client.
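The Token settings interact: RefreshTokenUsage, RefreshTokenExpiration and the two refresh-token lifetimes together determine how long a leaked refresh token stays usable, and AccessTokenType decides whether an access token can be revoked at all. The following is an added example, not code from this page or the project it documents. It assumes IdentityServer4's Client class on a 2.x/3.x release (where Claims holds System.Security.Claims.Claim objects); the client id, origin, claim values and salt are constructed placeholders, and the ExpiryAfterRefresh helper is an illustration of the documented Absolute/Sliding rules written for this example, not the server's own implementation.

```csharp
using System;
using System.Security.Claims;
using IdentityServer4;
using IdentityServer4.Models;

// Added example: token settings for a web client that calls an API, plus a
// helper showing how the documented refresh-token expiration rules combine.
// Client id, origin, claim values and salt are constructed placeholders.
public static class TokenClientConfig
{
    public static Client ApiConsumerClient() => new Client
    {
        ClientId = "web.api-consumer",
        AllowedGrantTypes = GrantTypes.Code,
        ClientSecrets = { new Secret("replace-with-a-random-secret".Sha256()) },
        RequirePkce = true,
        RedirectUris = { "https://web.example.test/signin-oidc" },
        AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" },
        AllowOfflineAccess = true,

        // Short-lived primary tokens ...
        IdentityTokenLifetime = 300,
        AccessTokenLifetime = 600,            // 10 minutes, tighter than the 1 hour default
        AuthorizationCodeLifetime = 60,       // a code should be redeemed immediately

        // ... and rotating refresh tokens: every refresh issues a new handle, so
        // a copied handle replayed after the legitimate refresh is rejected.
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = 24 * 60 * 60,        // 1 day of inactivity ends the session
        AbsoluteRefreshTokenLifetime = 14 * 24 * 60 * 60,  // never beyond 14 days from issuance
        UpdateAccessTokenClaimsOnRefresh = true,           // pick up claim changes on each refresh

        // Reference tokens are looked up at the introspection endpoint, so they
        // can be revoked server-side and carry nothing readable themselves.
        AccessTokenType = AccessTokenType.Reference,
        IncludeJwtId = true,                  // only matters if AccessTokenType is switched back to Jwt

        // Browser origins allowed by the default CORS policy service.
        AllowedCorsOrigins = { "https://web.example.test" },

        // Client claims are prefixed, so "tenant" is issued as "client_tenant"
        // and cannot shadow a user claim of the same name.
        Claims = { new Claim("tenant", "acme") },
        AlwaysSendClientClaims = true,
        ClientClaimsPrefix = "client_",
        AlwaysIncludeUserClaimsInIdToken = false,   // keep the id token small; use userinfo

        // Per-client salt: the pairwise "sub" this client sees differs from
        // the one any other client sees for the same user.
        PairWiseSubjectSalt = "constructed-random-salt-value",
    };

    // Illustration of the documented rules (not the server's code):
    // Absolute  -> expires at creation + AbsoluteRefreshTokenLifetime.
    // Sliding   -> each refresh extends by SlidingRefreshTokenLifetime from now,
    //              but never past the absolute limit. All times are UTC.
    public static DateTime ExpiryAfterRefresh(Client client, DateTime createdUtc, DateTime refreshedUtc)
    {
        var absoluteEnd = createdUtc.AddSeconds(client.AbsoluteRefreshTokenLifetime);
        if (client.RefreshTokenExpiration == TokenExpiration.Absolute)
            return absoluteEnd;

        var slidingEnd = refreshedUtc.AddSeconds(client.SlidingRefreshTokenLifetime);
        return slidingEnd < absoluteEnd ? slidingEnd : absoluteEnd;
    }
}
```

With the values above, a refresh on day 13 of a session extends the token to day 14 (the absolute cap), not day 14 plus one; a refresh on day 5 extends it to day 6. Pairing Sliding expiration with OneTimeOnly usage is what makes an old handle useless after rotation, whereas ReUse would keep every previously issued handle valid until expiry.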

Device flow

UserCodeType
Specifies the type of user code to use for the client. If not set, falls back to the default.
DeviceCodeLifetime
Lifetime of device code in seconds (defaults to 300 seconds / 5 minutes)
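A device-flow client differs from the clients above: it has no redirect URIs, usually cannot keep a secret, and relies on the two Device flow settings to bound how long a pending authorization can be polled. The block below is an added example, not code from this page or the project; it assumes IdentityServer4's Client class, the client id is a constructed placeholder, and the user code type is assumed to be the built-in numeric type exposed as IdentityServerConstants.UserCodeTypes.Numeric.

```csharp
using IdentityServer4;
using IdentityServer4.Models;

// Added example: a device-flow client (TV or CLI tool) using the Device flow settings.
// The client id is a constructed placeholder; the user code type constant is assumed.
public static class DeviceClientConfig
{
    public static Client DeviceClient() => new Client
    {
        ClientId = "tv.device",
        AllowedGrantTypes = GrantTypes.DeviceFlow,
        RequireClientSecret = false,          // a shipped device image cannot protect a secret
        AllowOfflineAccess = true,            // long-lived device sessions rely on refresh tokens
        RefreshTokenUsage = TokenUsage.OneTimeOnly,   // rotate the handle on every refresh
        AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" },

        // Numeric user codes are easier to enter on a remote control (assumed constant name).
        UserCodeType = IdentityServerConstants.UserCodeTypes.Numeric,

        // The device code, and with it the user code shown on screen, is valid for
        // 10 minutes; afterwards the device must start a new request rather than
        // keep polling a code that an attacker could still be trying to guess.
        DeviceCodeLifetime = 600,
    };
}
```

Keeping DeviceCodeLifetime short limits the window in which the user code is guessable, and rotating refresh tokens means a device that is later reset or resold does not leave a permanently valid handle behind.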