Configuring OIDC dynamic client registration settings

Configure OpenID Connect dynamic client registration settings.

Procedure

  1. Navigate to Applications > Application settings > Dynamic client registration .
  2. Provide Verify with basic information about the general settings.
    Table 1. Settings for dynamic client registration
    Grant types: A list of default grant types. The valid values are:
    • Authorization code
    • Implicit
    • Password
    • Device code
    • JWT bearer
    • Refresh token
    • Client credentials
    Note: For more information, see Grant types.
    ID token claims: A list of default claims for the ID token and user information.
    Token claims: A list of default claims for introspection and the JWT access token.
    Access token type: The type of access token to be generated. Verify supports the following access token types:
    • Default
    • JWT
    ID token signing algorithm: The algorithm used to sign ID tokens. Verify supports the following signing algorithms:
    • RS256
    • HS256
    • PS256
    • ES256
    • RS384
    • HS384
    • PS384
    • ES384
    • RS512
    • HS512
    • PS512
    • ES512
    User consent: Select whether to ask for user consent. Verify provides the following options:
    • Ask for consent
    • Do not ask for consent
    Access token lifetime: The access token lifetime in seconds. The default is 7200 seconds; minimum 1, maximum 2147483647.
    Refresh token lifetime: The refresh token lifetime in seconds. The default is 64800 seconds; minimum 1, maximum 2147483647.
    Enforce PKCE verification: Proof Key for Code Exchange (PKCE) mitigates authorization code interception attacks. When enforced, a code challenge is required before the authorization code flow can proceed.
    Entitle to all users: Determines whether all users are entitled to use this client. If it is not provided, the value is set to false.
    Request object validity period: The request object validity period in seconds; minimum 1, maximum 2147483647.
    Require "exp" for request object: Determines whether the "exp" claim is required in the request object.
    Allow custom client credentials: Determines whether custom client credentials are allowed. If it is not provided, the value is set to false.
    Allowed request object signing algorithms: A list of allowed signing algorithms for the signed request JWT.
    Request transform rule: The rule that modifies the dynamic client registration request.
    Open Banking recipe: The Open Banking recipe to apply to all dynamic client registrations. Verify supports the following Open Banking recipes:
    • FAPI 1 Advanced Finals (Generic)
    • UK Open Banking
    • Australia Consumer Data Right (CDR)
  3. Provide Verify with basic information about the software statement settings.
    Table 2. Settings for software statement
    Require a software statement for dynamic client registration: Determines whether a software statement is required for dynamic client registration.
    Require a software statement for updating dynamically registered clients: Determines whether a software statement is required for modifying dynamically registered clients.
    Allowed software statement signature verification keys: A list of allowed key IDs for the signed software statement assertion. Verify supports the following software statement signature verification keys:
    • RS256
    • HS256
    • PS256
    • ES256
    • RS384
    • HS384
    • PS384
    • ES384
    • RS512
    • HS512
    • PS512
    • ES512
    Allowed software statement signing algorithms: A list of allowed signing algorithms for the signed software statement assertion.
    Software statement JWKS URI: The JWKS URI that is used to validate the signed software statement assertion.
  4. Provide Verify with basic information about the request authorization settings.
    Table 3. Settings for request authorization
    Require MTLS for dynamic client registration: Determines whether MTLS client authentication is required for dynamic client registration.
    Require bearer token authentication for dynamic client registration: Determines whether bearer token authentication is required for dynamic client registration.
    Require MTLS for managing dynamically registered clients: Determines whether MTLS client authentication is required for managing dynamically registered clients.
    Require bearer token authentication for managing dynamically registered clients: Determines whether bearer token authentication is required for managing dynamically registered clients.
  5. Provide Verify with basic information about the registration access token settings.
    Table 4. Settings for registration access token
    Generate a registration access token for a client registration response: Determines whether to generate the registration access token in the client registration response.
    Registration access token lifetime: The registration access token lifetime in seconds. The default is 7200 seconds; minimum 1, maximum 2147483647.
    Registration access token scopes: A list of scopes for the registration access token.
  6. Click Save changes.
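As an added illustration that is not part of this page or of Verify's own code, the following Python sketches how an authorization server would enforce the settings from Tables 1 and 2 (allowed grant types, a required software statement, an allowed signing algorithm and a known verification key) against an incoming RFC 7591 registration body. The policy values, the key ID "demo-kid" and the HMAC secret are constructed for the example; a real deployment would fetch keys from the software statement JWKS URI.

```python
import base64, hashlib, hmac, json

# Constructed policy mirroring the Table 1-3 settings above; not Verify's own data model.
POLICY = {
    "grant_types": {"authorization_code", "refresh_token", "client_credentials"},
    "require_software_statement": True,
    "allowed_ss_algs": {"HS256"},                         # allowed software statement signing algorithms
    "ss_keys": {"demo-kid": b"constructed-demo-secret"},  # stands in for the software statement JWKS URI
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    """Build an HS256-signed software statement JWT (used here only to construct sample input)."""
    head = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_software_statement(token: str, policy: dict) -> dict:
    """Return the claims only if the alg is allowed, the kid is known and the MAC verifies."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_dec(head))
    alg, key = header.get("alg"), policy["ss_keys"].get(header.get("kid"))
    if alg not in policy["allowed_ss_algs"] or key is None:  # rejects "none", unlisted algs, unknown kids
        raise ValueError(f"software statement alg {alg!r} or kid {header.get('kid')!r} not allowed")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_dec(sig)):
        raise ValueError("software statement signature does not verify")
    return json.loads(_b64url_dec(body))

def check_registration(request: dict, policy: dict) -> list:
    """Return the policy violations in a registration request body (RFC 7591 field names)."""
    errors = []
    disallowed = set(request.get("grant_types", [])) - policy["grant_types"]
    if disallowed:
        errors.append(f"grant types not permitted: {sorted(disallowed)}")
    statement = request.get("software_statement")
    if statement is None and policy["require_software_statement"]:
        errors.append("software statement required")
    elif statement is not None:
        try:
            verify_software_statement(statement, policy)
        except ValueError as exc:
            errors.append(str(exc))
    return errors
```

A registration that asks for a grant type outside the configured list, omits the software statement, or presents one with alg "none" or an unknown key is rejected before any client record is created.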