
Commit e880a11

Document the Oauth2AuthorizationServer client settings
Added documentation to describe the possible client configuration options when setting up an Oauth2 Authorization Server.

Signed-off-by: Elayne Bloom <5840349+bloomsei@users.noreply.github.com>
1 parent a8b5c8f commit e880a11

1 file changed

Lines changed: 26 additions & 0 deletions

File tree

docs/modules/ROOT/pages/servlet/oauth2/authorization-server/core-model-components.adoc

@@ -92,6 +92,32 @@ public class RegisteredClient implements Serializable {
9292
<12> `clientSettings`: The custom settings for the client – for example, require https://datatracker.ietf.org/doc/html/rfc7636[PKCE], require authorization consent, and others.
9393
<13> `tokenSettings`: The custom settings for the OAuth2 tokens issued to the client – for example, access/refresh token time-to-live, reuse refresh tokens, and others.
9494

95+
[[oauth2AuthorizationServer-client-settings]]
96+
== ClientSettings
97+
98+
`ClientSettings` is a configuration object that contains custom settings for a client. The following example shows the available settings and their default values:
99+
100+
[source,java]
101+
----
102+
ClientSettings.builder()
103+
.requireProofKey() <1>
104+
.requireAuthorizationConsent() <2>
105+
.jwkSetUrl() <3>
106+
.tokenEndpointAuthenticationSigningAlgorithm() <4>
107+
.x509CertificateSubjectDN() <5>
108+
.build();
109+
----
110+
<1> `requireProofKey`: If `true`, the client is required to provide a proof key challenge and verifier when performing the Authorization Code Grant flow (PKCE). The default is `true`.
111+
<2> `requireAuthorizationConsent`: If `true`, authorization consent is required when the client requests access. The default is `false`.
112+
<3> `jwkSetUrl`: Sets the the URL for the client's JSON Web Key Set. Used for `client_secret_jwt` and `private_key_jwt` client authentication methods, as well as for Self-Signed Certificate Mutual-TLS.
113+
<4> `tokenEndpointAuthenticationSigningAlgorithm`: The JWS algorithm that must be used for signing the JWT used to authenticate the client at the Token Endpoint for `private_key_jwt` and `client_secret_jwt` authentication methods.
114+
<5> `x509CertificateSubjectDN`: The expected subject distinguished name in the client X509Certificate received during client authentication when using the `tls_client_auth` method.
115+
116+
[NOTE]
117+
====
118+
https://datatracker.ietf.org/doc/html/rfc7636[Proof Key for Code Exchange (PKCE)] is enabled by default for all clients using the Authorization Code grant. To disable PKCE, set `requireProofKey` to `false`
119+
====
120+
95121
[[oauth2AuthorizationServer-registered-client-repository]]
96122
== RegisteredClientRepository
97123
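Review bot: The builder snippet in the new ClientSettings section does not deliver what its lead-in promises. The sentence above it says the example "shows the available settings and their default values", yet every call (`.requireProofKey()`, `.requireAuthorizationConsent()`, `.jwkSetUrl()`, `.tokenEndpointAuthenticationSigningAlgorithm()`, `.x509CertificateSubjectDN()`) is written without an argument, so the defaults only appear in the callouts and the snippet is not valid builder usage; either pass the defaults in the snippet (`.requireProofKey(true)`, `.requireAuthorizationConsent(false)`) or reword the lead-in to say the callouts state the defaults. Smaller points in the same hunk: callout <3> reads "Sets the the URL" (doubled "the"); the NOTE sentence ending "set `requireProofKey` to `false`" has no full stop; and callout <3> lists `client_secret_jwt` among the methods that use the JWK Set URL, which is worth verifying against the client-authentication code before merging, since a JWK Set publishes public keys and a method that signs the assertion with the shared client secret would not consult one, so `private_key_jwt` and self-signed mutual-TLS may be the only users of `jwkSetUrl`.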

0 commit comments
