Introduction
Each application may consist of multiple clients. For example a online web shop might have a native iOS application, an Android APP, a web based version and an API for external suppliers. Each of those represent a client which can have different settings and different security settings. Be sure to identify your clients correctly and not to reuse the same client for multiple clients. It’s possible to use the same client in multiple parts of your software, but always keep in mind that this will affect your overall security structure as you loose the ability to change client secrets for a single part, authentication redirect URLs can not be restricted to the minimum and so on.
Parameters
General
Name | Datatype | Mandatory | Example | Description | ||
|---|---|---|---|---|---|---|
Token specification | Drop Down | ✅ | oidc | Choose any of the supported token specification
| ||
Client identificator | String | ✅ | webshop_android | Each client must be uniquely identified. Provide a value that you also must use in the clients configuration later on. Choose either something self explanatory or a random value if you wanna hide the purpose of the client as a security measurement. | ||
Name | String | ✅ | Android Webshop Application | Identifies your client in a technical way in the system | ||
Displayname | String | ✅ | Android Webshop Application | Non technical name used to display the application in various places such as the Self-Service Portal Version 7 and above | ||
Logout URI | URL | https://www.webshop.com/logout | If no logout URL will be provided by the client, the user will be redirected to this URL after a logout. | |||
Redirect Uri (Regex) * | REGEX Pattern | ✅ | regex:^https:\/\/webshop\.ch$ | The client will provide an URL where the user will be redirected to after a successful authentication. It’s good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This will significantly increase the security of the system.
| ||
Scope | Multi Value | profile email | A list of scopes that the client can request. If the client requests a scope that is not part of this configuration, he will not be able to perform an authentication.
| |||
Default level of authentication entry | Drop Down | ✅ | Default | Select a default level of authentication entry that will be used to determinate the authentication flow for the user. |
Token
For an in detail description of the various tokens, see the Tokens documentation.
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Identity Token Life Time | Seconds | ✅ | 3003600 | Defines the lifetime of the identity token that will be issues for a user. |
Access token life time | Seconds | ✅ | 3600 | Defines the lifetime of that access token that will be issued for a user and a specific client. |
Authorization code life time | Seconds | ✅ | 30060 | Defines the lifetime of the authorization code that will be used in some authentication processes. Less is more secure! |
Refresh token expiration type | Drop Down | ✅ | Absolute |
|
Sliding refresh token life time | Seconds | ✅ | 1296000 | Sliding lifetime of a refresh token in seconds. |
Absolute refresh token life time | Seconds | ✅ | 2592000 | Maximum lifetime of a refresh token in seconds |
Always include user claims in id token | Checkbox | ✅ | false | When both tokens, the id and the access token, are requested, this defines if the user claims should be included in the id token or not. If set to false, the client must get the info by using the user info endpoint. |
Update access token claims on refresh | Checkbox | ✅ | true | Defines whether or not the access token should be refreshed when a refresh token is requested |
Include JSON web tokens | Checkbox | ✅ | true | Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim). |
Refresh token usage type | Drop Down | ✅ | OneTime |
|
Access token type | Drop Down | ✅ | JWT | Specifies whether the access token is a reference token or a self contained JWT token |
...