class Duende.​IdentityServer.​Models.​Client
Assembly: Duende.IdentityServer.Storage
Inheritance: object → Client
Models an OpenID Connect or OAuth2 client
Properties
public
bool
Enabled
Specifies if client is enabled (defaults to true)
public
string
ClientId
Unique ID of the client
public
string
ProtocolType
Gets or sets the protocol type.
public
System.​Collections.​Generic.​ICollection<​Secret>
ClientSecrets
Client secrets - only relevant for flows that require a secret
public
bool
RequireClientSecret
If set to false, no client secret is needed to request tokens at the token endpoint (defaults to true)
public
string
ClientName
Client display name (used for logging and consent screen)
public
string
Description
Description of the client.
public
string
ClientUri
URI to further information about client (used on consent screen)
public
string
LogoUri
URI to client logo (used on consent screen)
public
bool
RequireConsent
Specifies whether a consent screen is required (defaults to false)
public
bool
AllowRememberConsent
Specifies whether user can choose to store consent decisions (defaults to true)
public
System.​Collections.​Generic.​ICollection<​string>
AllowedGrantTypes
Specifies the allowed grant types (legal combinations of AuthorizationCode, Implicit, Hybrid, ResourceOwner, ClientCredentials).
public
bool
RequirePkce
Specifies whether a proof key is required for authorization code based token requests (defaults to true).
public
bool
AllowPlainTextPkce
Specifies whether a proof key can be sent using plain method (not recommended; defaults to false).
public
bool
RequireRequestObject
Specifies whether the client must use a request object on authorize requests (defaults to false).
public
bool
AllowAccessTokensViaBrowser
Controls whether access tokens are transmitted via the browser for this client (defaults to false).
This can prevent accidental leakage of access tokens when multiple response types are allowed.
public
bool
RequireDPoP
Specifies whether a DPoP (Demonstrating Proof-of-Possession) token is required to be used by this client (defaults to false).
DPoPValidationMode
Enum setting to control validation for the DPoP proof token expiration.
This supports both the client generated 'iat' value and/or the server generated 'nonce' value.
Defaults to only using the 'iat' value.
DPoPClockSkew
Clock skew used in validating the client's DPoP proof token 'iat' claim value. Defaults to 5 minutes.
public
System.​Collections.​Generic.​ICollection<​string>
RedirectUris
Specifies allowed URIs to return tokens or authorization codes to
public
System.​Collections.​Generic.​ICollection<​string>
PostLogoutRedirectUris
Specifies allowed URIs to redirect to after logout
public
string
FrontChannelLogoutUri
Specifies logout URI at client for HTTP front-channel based logout.
public
bool
FrontChannelLogoutSessionRequired
Specifies if the user's session id should be sent to the FrontChannelLogoutUri. Defaults to true.
public
string
BackChannelLogoutUri
Specifies logout URI at client for HTTP back-channel based logout.
public
bool
BackChannelLogoutSessionRequired
Specifies if the user's session id should be sent to the BackChannelLogoutUri. Defaults to true.
public
bool
AllowOfflineAccess
Gets or sets a value indicating whether offline access is allowed. Defaults to false.
public
System.​Collections.​Generic.​ICollection<​string>
AllowedScopes
Specifies the API scopes that the client is allowed to request. If empty, the client can't access any scope.
public
bool
AlwaysIncludeUserClaimsInIdToken
When requesting both an id token and access token, specifies whether the user claims should always be added to the id token instead of requiring the client to use the userinfo endpoint.
Defaults to false.
public
int
IdentityTokenLifetime
Lifetime of identity token in seconds (defaults to 300 seconds / 5 minutes)
public
System.​Collections.​Generic.​ICollection<​string>
AllowedIdentityTokenSigningAlgorithms
Signing algorithm for identity token. If empty, will use the server default signing algorithm.
public
int
AccessTokenLifetime
Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour)
public
int
AuthorizationCodeLifetime
Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes)
public
int
AbsoluteRefreshTokenLifetime
Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days
public
int
SlidingRefreshTokenLifetime
Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days
public
int?
ConsentLifetime
Lifetime of a user consent in seconds. Defaults to null (no expiration)
public
int?
PushedAuthorizationLifetime
Lifetime of pushed authorization requests for this client. If this lifetime is set, it takes precedence over
the global configuration in PushedAuthorizationOptions. Defaults to null, which means the global
configuration will be used.
public
bool
RequirePushedAuthorization
Specifies whether pushed authorization requests are required for this client. There is also a global
configuration flag to require pushed authorization in PushedAuthorizationOptions. Pushed authorization is
required for a client if either the global configuration flag is enabled or if this flag is set for that client.
public
TokenUsage
RefreshTokenUsage
Specifies if tokens should be rotated when they are used. Defaults to reusable tokens.
ReUse: the refresh token handle will stay the same when refreshing tokens
OneTime: the refresh token handle will be updated when refreshing tokens
public
bool
UpdateAccessTokenClaimsOnRefresh
Specifies whether the access token (and its claims) should be updated on a refresh token request.
Defaults to false.
public
TokenExpiration
RefreshTokenExpiration
Absolute: the refresh token will expire on a fixed point in time (specified by the AbsoluteRefreshTokenLifetime)
Sliding: when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime.
public
AccessTokenType
AccessTokenType
Specifies whether the access token is a reference token or a self contained JWT token (defaults to Jwt).
public
bool
EnableLocalLogin
Gets or sets a value indicating whether the local login is allowed for this client. Defaults to true.
public
System.​Collections.​Generic.​ICollection<​string>
IdentityProviderRestrictions
Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty.
public
bool
IncludeJwtId
Gets or sets a value indicating whether JWT access tokens should include an identifier. Defaults to true.
public
System.​Collections.​Generic.​ICollection<​ClientClaim>
Claims
Allows setting claims for the client (will be included in the access token).
public
bool
AlwaysSendClientClaims
Gets or sets a value indicating whether client claims should always be included in the access tokens, or only for client credentials flow.
Defaults to false.
public
string
ClientClaimsPrefix
Gets or sets a value used as a prefix on client claim types. Defaults to client_.
public
string
PairWiseSubjectSalt
Gets or sets a salt value used in pair-wise subjectId generation for users of this client.
public
int?
UserSsoLifetime
The maximum duration (in seconds) since the last time the user authenticated.
public
string
UserCodeType
Gets or sets the type of the device flow user code.
public
int
DeviceCodeLifetime
Gets or sets the device code lifetime.
public
int?
CibaLifetime
Gets or sets the backchannel authentication request lifetime in seconds.
public
int?
PollingInterval
Gets or sets the maximum polling interval for this client in the CIBA
and Device Code flows. If this client polls more frequently than the
polling interval during those flows, it will receive a slow_down error
response.
public
bool?
CoordinateLifetimeWithUserSession
When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime.
This means when the user logs out, any revokable tokens will be removed.
If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be triggered.
This client's setting overrides the global CoordinateClientLifetimesWithUserSession configuration setting.
public
System.​Collections.​Generic.​ICollection<​string>
AllowedCorsOrigins
Gets or sets the allowed CORS origins for JavaScript clients.
public
string
InitiateLoginUri
Gets or sets a URI that can be used to initiate login from the
IdentityServer host or a third party. See
https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
public
System.​Collections.​Generic.​IDictionary<​string, string>
Properties
Gets or sets the custom properties for the client.
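The property descriptions above state several defaults and recommendations (PKCE required, plain PKCE not recommended, access tokens kept out of the browser, empty AllowedScopes granting nothing). The following is an added example, not code from Duende or this reference page, that checks a Client against them; ClientConfigReview, Review and WeakSample are hypothetical names and the sample client's values are constructed.

```csharp
using System.Collections.Generic;
using Duende.IdentityServer.Models;

// Added example: ClientConfigReview, Review and WeakSample are hypothetical names.
public static class ClientConfigReview
{
    // Returns one finding per setting that deviates from the defaults or
    // recommendations given in the property descriptions on this page.
    public static IReadOnlyList<string> Review(Client client)
    {
        var findings = new List<string>();
        string id = client.ClientId ?? "(no ClientId)";

        // RequirePkce applies to authorization code based token requests.
        bool usesCode = client.AllowedGrantTypes.Contains(GrantType.AuthorizationCode)
                     || client.AllowedGrantTypes.Contains(GrantType.Hybrid);

        if (usesCode && !client.RequirePkce)
            findings.Add($"{id}: RequirePkce is false (the default is true).");

        if (client.AllowPlainTextPkce)
            findings.Add($"{id}: AllowPlainTextPkce is true (plain method is not recommended).");

        if (client.AllowAccessTokensViaBrowser)
            findings.Add($"{id}: AllowAccessTokensViaBrowser is true (access tokens may leak via the browser).");

        if (client.Enabled && client.AllowedScopes.Count == 0)
            findings.Add($"{id}: AllowedScopes is empty, so the client cannot access any scope.");

        return findings;
    }

    // Constructed sample client; every value here is made up for illustration.
    public static Client WeakSample() => new Client
    {
        ClientId = "sample-spa",
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = false,
        AllowPlainTextPkce = true,
        AllowAccessTokensViaBrowser = true,
        RedirectUris = { "https://app.example.test/callback" }
    };
}
```

Calling ClientConfigReview.Review on each client loaded from the configuration store at startup, and logging the findings, surfaces these deviations before the client is used.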
Methods
public static
void
ValidateGrantTypes​(System.​Collections.​Generic.​IEnumerable<​string> grantTypes)
Validates the grant types.
grantTypes
The grant types.
public
bool
Equals​(object obj)
Inherited from object
protected
void
Finalize​()
Inherited from object
public
int
GetHashCode​()
Inherited from object
protected
object
MemberwiseClone​()
Inherited from object
public
string
ToString​()
Inherited from object