Register Endpoint

400

BAD REQUEST

No client found

401

UNAUTHORIZED

Invalid_token

403

FORBIDDEN

insufficient_scope

409

CONFLICT

duplicate_client

redirect_uris

Array of URIs to which the response of the authorization request will be sent, and which must match one that has been registered during client registration. For further information, see the OpenID Connect Dynamic Client Registration specification – section 3.

client_name

This is could be description of the client.

If present, and client_id is not passed as a parameter, it is used (combined with redirect_uris) to generate the unique client_id.

client_id

Must be unique. If present, the client is registered with this client_id. If not present, a unique id is generated by server and returned in the response.

token_endpoint_auth_method

Supported values are:

• client_secret_basic
• client_secret_post
• client_secret_pki
• private_key_jwt
• self_signed_tls_client_auth
• none

jwks

If token_endpoint_auth_method is private_key_jwt, it can contain a list of public keys/certificates. The one for PKI credential should have no specified key use. It can contain key/certificate with key use “sig” or “enc”.

jwks_uri

If token_endpoint_auth_method is private_key_jwt, this parameter or jwks is required. One of the two parameters must be present and the uri present must be accessible from server.

client_secret

Only used when performing an UPDATE to reset a client password.

id_token_encrypted_response_alg

Algorithm to encrypt id_token in token endpoint. If empty, id_token is not encrypted.

The recommended algorithm is RSA-OAEP-256.

userinfo_encrypted_response_alg

Algorithm to encrypt the UserInfo response. If empty, the response is not encrypted.

The recommended algorithm is RSA-OAEP-256.

userinfo_signed_response_alg

Algorithm to sign the UserInfo response:

• If empty, the JWT response is not signed.
• If set to RS256, the JWT response is signed by the Identity Provider’s signature key (that is advertised in the JWKS endpoint) with RS256 algorithm.
• If set to none, the response is returned in the plain JSON format (unsigned).

backchannel_token_delivery_mode

Defines if CIBA feedback is sent using the push (default) or poll mode.

For further information about the modes, see the OpenID Connect CIBA Core specifications - section 5 .

require_pushed_authorization_requests

Defines if PAR is required in HID Authentication Service

Possible values are:

• true

• false (default)

post_logout_redirect_uris

Array of URIs checked when the post_logout_redirect_uri is present in the logout request.

• If no exact match is found with the URIs in the list, the logout request is rejected

• If missing, the URIs defined for redirect_uris are checked and, if no exact match is found, the logout request is rejected

Not applicable

Whitelist of IP addresses allowed to authenticate the OpenID client

The supported value is a comma-separated list containing individual, or a range of, IP addresses as a string:

• Individual IP - supports the IPv4 or IPv6 protocols (for example, 10.16.125.223)

• IP range - defined by CIDR block allocation (for example, 10.16.124.0/32)

The value can contain both individual and ranges.

For example:

"10.16.125.223,10.16.124.0/32"

If the parameter is not present or undefined, no IP restriction will be applied for OpenID client authentication

Not applicable

hid_federation_audiences

Defines the valid audiences (using a regular expression based on the syntax format described in https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html).

If the audiences are OpenID clients and the SSO is enabled for these clients (as defined in hid_sso_session_validity), they are allowed to access the SSO session of the current client.

Add the OpenID client ID of the application(s) allowed to use the user's authenticated session, where the format of the value should be a regular expression.

As examples for the following use cases:

• To allow access for one or more applications, use the format client_ID1|client_ID2

• To allow access for all clients with a specific ID (for example, starting with 'HID', set the value as ^HID.*

hid_federation_roles

Defines the filter of roles (using a regular expression) that will be sent to the Managed Domains as part of the JWT access token.

hid_federation_atttype

Attribute type created previously to publish dedicated identities per Oauth2 client application.

hid_federation_channel

Post-authentication channel(s) for domain federation. Values can be a single channel or list of channels separated by | (for example, "CH_IIS|CH_VPN").

hid_refresh_token_validity

Lifetime of a refresh token (in seconds)

If it is not present in the request, the value of hid_sessiontransfer_type is used as the refresh token validity, (that is, if hid_sessiontransfer_type is “NUM001”, the validity is 600 seconds).

hid_ciba_callback_format_plain

Defines if the ID Token in the CIBA the response should be signed (or signed/encrypted) and use the updated format that complies with the CIBA specifications.

By default (or if not present), this parameter is set to false so the ID Token will be signed or signed/encrypted and use the updated format.

To disable the signature or signature/encryption of the ID Token and use the plain format, set the parameter to true.

Optionally, you can also configure the OpenID client for ID Token encryption using the id_token_encrypted_response_alg and jwks parameters (where the currently supported algorithm is RSA-OAEP-256).

pushed_authorization_request_validity

Defines the validity period of the PAR request in seconds

The default value is 600 (seconds)

initiate_login_uri

Define the URI where the login page will be redirected (optional)

• If present, the value must be the URI of interface handling the IdP flow.

  Note: This parameter is reserved for future use and should be left empty to allow use of the default HID portal.

  HID Authentication Service checks it is a valid URI format (should be absolute URI path) and the login page will be redirected to this URI.

• If empty, the new portal URL will be computed with the deployment URI and tenant

authn_portal_configuration

An array of the IdP parameter in the JSON format (the format is validated during the register and update operations).

• If the parameters are present, the new IdP will be used based on the defined values

• If empty, (set the value to " " when empty), the standard HID Authentication Serviceinterface is displayed

It contains the following parameters:

workflow_id - the unique identifier of the authentication configuration definition to be used for the client (mandatory)

The content of configuration defines the flow and authentication factors. See Create the Authentication Workflow.

If absent or contains an incorrect ID, the OpenID client registration returns error.

theme_id - the unique identifier for theme definition (optional)

The content of the theme defines the customization for application interface such as titles and labels. See Customizing the Identity Portal.

If empty, the default theme is used.

hid_sso_session_validity

For the client application(s) that will use an SSO session of another client, define the maximum age limit of the existing SSO session (in seconds and greater than 0).

If a user tries to log on after this limit is reached, and even if the initial authenticated session is still valid, they will be required to re-authenticate.

The default value is 0 and if the parameter is not present (or set to 0), SSO support is disabled.

You must also set the allowed client IDs in the hid_federation_audiences parameter.