Class Client

Namespace
Duende.IdentityServer.Models
Assembly
Duende.IdentityServer.Storage.dll

Models an OpenID Connect or OAuth2 client

public class Client
Inheritance
Client

Constructors

Client()

public Client()

Properties

AbsoluteRefreshTokenLifetime

Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days

public int AbsoluteRefreshTokenLifetime { get; set; }

Property Value

int

AccessTokenLifetime

Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour)

public int AccessTokenLifetime { get; set; }

Property Value

int

AccessTokenType

Specifies whether the access token is a reference token or a self-contained JWT token (defaults to Jwt).

public AccessTokenType AccessTokenType { get; set; }

Property Value

AccessTokenType

AllowAccessTokensViaBrowser

Controls whether access tokens are transmitted via the browser for this client (defaults to false). This can prevent accidental leakage of access tokens when multiple response types are allowed.

public bool AllowAccessTokensViaBrowser { get; set; }

Property Value

bool

true if access tokens can be transmitted via the browser; otherwise, false.

AllowOfflineAccess

Gets or sets a value indicating whether the client is allowed to request offline access (i.e. refresh tokens). Defaults to false.

public bool AllowOfflineAccess { get; set; }

Property Value

bool

AllowPlainTextPkce

Specifies whether a proof key can be sent using the plain method (not recommended; defaults to false).

public bool AllowPlainTextPkce { get; set; }

Property Value

bool

AllowRememberConsent

Specifies whether user can choose to store consent decisions (defaults to true)

public bool AllowRememberConsent { get; set; }

Property Value

bool

AllowedCorsOrigins

Gets or sets the allowed CORS origins for JavaScript clients.

public ICollection<string> AllowedCorsOrigins { get; set; }

Property Value

ICollection<string>

The allowed CORS origins.

AllowedGrantTypes

Specifies the allowed grant types (legal combinations of AuthorizationCode, Implicit, Hybrid, ResourceOwner, ClientCredentials).

public ICollection<string> AllowedGrantTypes { get; set; }

Property Value

ICollection<string>

AllowedIdentityTokenSigningAlgorithms

Allowed signing algorithms for the identity token. If empty, the server default signing algorithm is used.

public ICollection<string> AllowedIdentityTokenSigningAlgorithms { get; set; }

Property Value

ICollection<string>

AllowedScopes

Specifies the API scopes that the client is allowed to request. If empty, the client can't access any scope.

public ICollection<string> AllowedScopes { get; set; }

Property Value

ICollection<string>

AlwaysIncludeUserClaimsInIdToken

When requesting both an id token and access token, should the user claims always be added to the id token instead of requiring the client to use the userinfo endpoint. Defaults to false.

public bool AlwaysIncludeUserClaimsInIdToken { get; set; }

Property Value

bool

AlwaysSendClientClaims

Gets or sets a value indicating whether client claims should always be included in the access tokens, or only for the client credentials flow. Defaults to false.

public bool AlwaysSendClientClaims { get; set; }

Property Value

bool

true if claims should always be sent; otherwise, false.

AuthorizationCodeLifetime

Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes)

public int AuthorizationCodeLifetime { get; set; }

Property Value

int

BackChannelLogoutSessionRequired

Specifies if the user's session id should be sent to the BackChannelLogoutUri. Defaults to true.

public bool BackChannelLogoutSessionRequired { get; set; }

Property Value

bool

BackChannelLogoutUri

Specifies logout URI at client for HTTP back-channel based logout.

public string? BackChannelLogoutUri { get; set; }

Property Value

string

CibaLifetime

Gets or sets the backchannel authentication request lifetime in seconds.

public int? CibaLifetime { get; set; }

Property Value

int?

Claims

Allows settings claims for the client (will be included in the access token).

public ICollection<ClientClaim> Claims { get; set; }

Property Value

ICollection<ClientClaim>

The claims.

ClientClaimsPrefix

Gets or sets a prefix that is applied to client claim types. Defaults to client_.

public string? ClientClaimsPrefix { get; set; }

Property Value

string

Any non-empty string if claims should be prefixed with that value; otherwise, null.

ClientId

Unique ID of the client

public string ClientId { get; set; }

Property Value

string

ClientName

Client display name (used for logging and consent screen)

public string? ClientName { get; set; }

Property Value

string

ClientSecrets

Client secrets - only relevant for flows that require a secret

public ICollection<Secret> ClientSecrets { get; set; }

Property Value

ICollection<Secret>

ClientUri

URI to further information about client (used on consent screen)

public string? ClientUri { get; set; }

Property Value

string

ConsentLifetime

Lifetime of a user consent in seconds. Defaults to null (no expiration)

public int? ConsentLifetime { get; set; }

Property Value

int?

CoordinateLifetimeWithUserSession

When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime. This means that when the user logs out, any revocable tokens will be removed. If using server-side sessions, expired sessions will also remove any revocable tokens, and back-channel logout will be triggered. This client's setting overrides the global CoordinateTokensWithUserSession configuration setting.

public bool? CoordinateLifetimeWithUserSession { get; set; }

Property Value

bool?

DPoPClockSkew

Clock skew used in validating the client's DPoP proof token 'iat' claim value. Defaults to 5 minutes.

public TimeSpan DPoPClockSkew { get; set; }

Property Value

TimeSpan

DPoPValidationMode

Enum setting to control validation of the DPoP proof token expiration. This supports the client-generated 'iat' value and/or the server-generated 'nonce' value. Defaults to only using the 'iat' value.

public DPoPTokenExpirationValidationMode DPoPValidationMode { get; set; }

Property Value

DPoPTokenExpirationValidationMode

Description

Description of the client.

public string? Description { get; set; }

Property Value

string

DeviceCodeLifetime

Gets or sets the device code lifetime.

public int DeviceCodeLifetime { get; set; }

Property Value

int

The device code lifetime.

EnableLocalLogin

Gets or sets a value indicating whether the local login is allowed for this client. Defaults to true.

public bool EnableLocalLogin { get; set; }

Property Value

bool

true if local logins are enabled; otherwise, false.

Enabled

Specifies if client is enabled (defaults to true)

public bool Enabled { get; set; }

Property Value

bool

FrontChannelLogoutSessionRequired

Specifies if the user's session id should be sent to the FrontChannelLogoutUri. Defaults to true.

public bool FrontChannelLogoutSessionRequired { get; set; }

Property Value

bool

FrontChannelLogoutUri

Specifies logout URI at client for HTTP front-channel based logout.

public string? FrontChannelLogoutUri { get; set; }

Property Value

string

IdentityProviderRestrictions

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty.

public ICollection<string> IdentityProviderRestrictions { get; set; }

Property Value

ICollection<string>

IdentityTokenLifetime

Lifetime of identity token in seconds (defaults to 300 seconds / 5 minutes)

public int IdentityTokenLifetime { get; set; }

Property Value

int

IncludeJwtId

Gets or sets a value indicating whether JWT access tokens should include an identifier. Defaults to true.

public bool IncludeJwtId { get; set; }

Property Value

bool

true to add an id; otherwise, false.

InitiateLoginUri

Gets or sets a URI that can be used to initiate login from the IdentityServer host or a third party. See https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin

public string? InitiateLoginUri { get; set; }

Property Value

string

LogoUri

URI to client logo (used on consent screen)

public string? LogoUri { get; set; }

Property Value

string

PairWiseSubjectSalt

Gets or sets a salt value used in pair-wise subjectId generation for users of this client.

public string? PairWiseSubjectSalt { get; set; }

Property Value

string

PollingInterval

Gets or sets the maximum polling interval for this client in the CIBA and Device Code flows. If this client polls more frequently than the polling interval during those flows, it will receive a slow_down error response.

public int? PollingInterval { get; set; }

Property Value

int?

PostLogoutRedirectUris

Specifies allowed URIs to redirect to after logout

public ICollection<string> PostLogoutRedirectUris { get; set; }

Property Value

ICollection<string>

Properties

Gets or sets the custom properties for the client.

public IDictionary<string, string> Properties { get; set; }

Property Value

IDictionary<string, string>

The properties.

ProtocolType

Gets or sets the protocol type.

public string ProtocolType { get; set; }

Property Value

string

The protocol type.

PushedAuthorizationLifetime

Lifetime of pushed authorization requests for this client. If this lifetime is set, it takes precedence over the global configuration in PushedAuthorizationOptions. Defaults to null, which means the global configuration will be used.

public int? PushedAuthorizationLifetime { get; set; }

Property Value

int?

RedirectUris

Specifies allowed URIs to return tokens or authorization codes to

public ICollection<string> RedirectUris { get; set; }

Property Value

ICollection<string>

RefreshTokenExpiration

Absolute: the refresh token will expire at a fixed point in time (specified by AbsoluteRefreshTokenLifetime).

Sliding: when refreshing the token, the lifetime of the refresh token is renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime.

public TokenExpiration RefreshTokenExpiration { get; set; }

Property Value

TokenExpiration

RefreshTokenUsage

Specifies if tokens should be rotated when they are used. Defaults to reusable tokens.

ReUse: the refresh token handle will stay the same when refreshing tokens

OneTime: the refresh token handle will be updated when refreshing tokens

public TokenUsage RefreshTokenUsage { get; set; }

Property Value

TokenUsage

RequireClientSecret

If set to false, no client secret is needed to request tokens at the token endpoint (defaults to true)

public bool RequireClientSecret { get; set; }

Property Value

bool

RequireConsent

Specifies whether a consent screen is required (defaults to false)

public bool RequireConsent { get; set; }

Property Value

bool

RequireDPoP

Specifies whether a DPoP (Demonstrating Proof-of-Possession) token is required to be used by this client (defaults to false).

public bool RequireDPoP { get; set; }

Property Value

bool

RequirePkce

Specifies whether a proof key is required for authorization code based token requests (defaults to true).

public bool RequirePkce { get; set; }

Property Value

bool

RequirePushedAuthorization

Specifies whether pushed authorization requests are required for this client. There is also a global configuration flag to require pushed authorization in PushedAuthorizationOptions. Pushed authorization is required for a client if either the global configuration flag is enabled or if this flag is set for that client.

public bool RequirePushedAuthorization { get; set; }

Property Value

bool

RequireRequestObject

Specifies whether the client must use a request object on authorize requests (defaults to false).

public bool RequireRequestObject { get; set; }

Property Value

bool

SlidingRefreshTokenLifetime

Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days

public int SlidingRefreshTokenLifetime { get; set; }

Property Value

int

UpdateAccessTokenClaimsOnRefresh

Specifies whether the access token (and its claims) should be updated on a refresh token request. Defaults to false.

public bool UpdateAccessTokenClaimsOnRefresh { get; set; }

Property Value

bool

true if the token should be updated; otherwise, false.

UserCodeType

Gets or sets the type of the device flow user code.

public string? UserCodeType { get; set; }

Property Value

string

The type of the device flow user code.

UserSsoLifetime

The maximum duration (in seconds) since the last time the user authenticated.

public int? UserSsoLifetime { get; set; }

Property Value

int?

Methods

ValidateGrantTypes(IEnumerable<string>)

Validates the grant types.

public static void ValidateGrantTypes(IEnumerable<string> grantTypes)

Parameters

grantTypes IEnumerable<string>

The grant types.

Exceptions

InvalidOperationException

Thrown when the grant types list is empty, when a grant type contains spaces, or when the grant types list contains duplicate values.
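The following is an added example (not code from the Duende IdentityServer project or from this reference page) that ties the properties above together: it builds a confidential web client with the security-relevant settings chosen deliberately (authorization code flow with PKCE required and plain PKCE refused, no access tokens via the browser, one-time refresh tokens with a sliding lifetime capped by the absolute lifetime), and then exercises the three rules that ValidateGrantTypes enforces. The client id, secret, URIs and scope names are placeholder values constructed for the example; GrantTypes.Code, GrantType.AuthorizationCode, Secret and the Sha256() string extension are members of the Duende.IdentityServer.Models namespace that this page does not list.

```csharp
using System;
using System.Collections.Generic;
using Duende.IdentityServer.Models;

// Added example: a hardened interactive web client plus a probe of the
// grant-type validation rules. All identifiers, URIs and secrets below are
// placeholders constructed for this example.
public static class ClientConfigurationExample
{
    public static Client CreateWebClient()
    {
        return new Client
        {
            ClientId = "example-web-app",                    // placeholder client id
            ClientName = "Example Web App",

            // Authorization code flow only; proof key required, 'plain' method refused.
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            AllowPlainTextPkce = false,

            // Confidential client: a (hashed) secret must accompany token requests.
            RequireClientSecret = true,
            ClientSecrets = new HashSet<Secret> { new Secret("placeholder-secret".Sha256()) },

            // Tokens are never returned through the browser front channel.
            AllowAccessTokensViaBrowser = false,
            RedirectUris = new HashSet<string> { "https://app.example.test/signin-oidc" },
            PostLogoutRedirectUris = new HashSet<string> { "https://app.example.test/signout-callback-oidc" },
            AllowedScopes = new HashSet<string> { "openid", "profile", "api1" },   // placeholder scopes

            // Refresh tokens: allowed, rotated on every use, renewed by
            // SlidingRefreshTokenLifetime on each refresh but never living
            // longer than AbsoluteRefreshTokenLifetime.
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 3600,              // 1 hour of inactivity
            AbsoluteRefreshTokenLifetime = 86400,            // hard cap: 24 hours
            UpdateAccessTokenClaimsOnRefresh = true,

            // Short-lived access tokens limit the window a leaked token is useful.
            AccessTokenLifetime = 600,
            AccessTokenType = AccessTokenType.Jwt,
            IncludeJwtId = true,
        };
    }

    // Runs ValidateGrantTypes against the three documented failure cases and
    // one valid list, returning a line per case so the caller can inspect
    // which lists were rejected and why.
    public static IReadOnlyList<string> ProbeGrantTypeValidation()
    {
        var candidates = new Dictionary<string, IEnumerable<string>>
        {
            ["empty list"] = Array.Empty<string>(),
            ["contains space"] = new[] { "authorization code" },
            ["duplicate"] = new[] { GrantType.AuthorizationCode, GrantType.AuthorizationCode },
            ["code (valid)"] = CreateWebClient().AllowedGrantTypes,
        };

        var results = new List<string>();
        foreach (var (label, grantTypes) in candidates)
        {
            try
            {
                Client.ValidateGrantTypes(grantTypes);
                results.Add($"{label}: accepted");
            }
            catch (InvalidOperationException ex)
            {
                results.Add($"{label}: rejected ({ex.Message})");
            }
        }
        return results;
    }

    public static void Main()
    {
        foreach (var line in ProbeGrantTypeValidation())
        {
            Console.WriteLine(line);
        }
    }
}
```

Calling ValidateGrantTypes explicitly, as the probe does, is useful when client definitions are loaded from configuration or a database: it surfaces a malformed grant-type list at startup rather than at the first authorize request.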