Fields

• errorCode :: Text
   
• errorDescription :: Maybe Text
   

Fields

• redirectUris :: NonEmpty URI

  Array of Redirection URI values used by the Client.

• responseTypes :: Maybe (NonEmpty Text)

  JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using.

• grantTypes :: Maybe (NonEmpty Text)

  JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.

• applicationType :: Maybe Text

  Kind of the application. The default, if omitted, is web. The defined values are native or web.

• contacts :: Maybe (NonEmpty Text)

  Array of e-mail addresses of people responsible for this Client.

• clientName :: Maybe Text

  Name of the Client to be presented to the End-User.

• logoUri :: Maybe URI

  URL that references a logo for the Client application.

• clientUri :: Maybe URI

  URL of the home page of the Client.

• policyUri :: Maybe URI

  URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.

• tosUri :: Maybe URI

  URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.

• jwksUri :: Maybe URI

  URL for the Client's JSON Web Key Set document.

• jwks :: Maybe JWKSet

  Client's JSON Web Key Set [JWK] document, passed by value.

• sectorIdentifierUri :: Maybe URI

  URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.

• subjectType :: Maybe Text

  subject_type requested for responses to this Client.

• idTokenSignedResponseAlg :: Maybe Alg

  JWS alg algorithm required for signing the ID Token issued to this Client.

• idTokenEncryptedResponseAlg :: Maybe Alg

  JWE alg algorithm required for encrypting the ID Token issued to this Client.

• idTokenEncryptedResponseEnc :: Maybe Alg

  JWE enc algorithm required for encrypting the ID Token issued to this Client.

• userinfoSignedResponseAlg :: Maybe Alg

  JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses.

• userinfoEncryptedResponseAlg :: Maybe Alg

  JWE alg algorithm required for encrypting UserInfo Responses.

• userinfoEncryptedResponseEnc :: Maybe Alg

  JWE enc algorithm required for encrypting UserInfo Responses.

• requestObjectSigningAlg :: Maybe Alg

  JWS alg algorithm that must be used for signing Request Objects sent to the OP.

• requestObjectEncryptionAlg :: Maybe Alg

  JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in JWT. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

• requestObjectEncryptionEnc :: Maybe Alg

  JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

• tokenEndpointAuthMethod :: ClientAuthentication

  Requested Client Authentication method for the Token Endpoint.

• tokenEndpointAuthSigningAlg :: Maybe Alg

  JWS alg algorithm that must be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.

• defaultMaxAge :: Maybe Int

  Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds.

• requireAuthTime :: Maybe Bool

  Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true. (If this is false, the auth_time Claim can still be dynamically requested as an individual Claim for the ID Token using the claims request parameter described in Section 5.5.1 of OpenID Connect Core 1.0.) If omitted, the default value is false.

• defaultAcrValues :: Maybe (NonEmpty Text)

  Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.

• initiateLoginUri :: Maybe URI

  URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0. The URI MUST accept requests via both GET and POST. The Client MUST understand the login_hint and iss parameters and SHOULD support the target_link_uri parameter.

• requestUris :: Maybe (NonEmpty URI)

  Array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. OPs can require that request_uri values used be pre-registered with the require_request_uri_registration discovery parameter.

Fields

• clientId :: Text

  Unique Client Identifier.

• clientSecret :: Maybe Text

  Client Secret. This value is used by Confidential Clients to authenticate to the Token Endpoint, as described in Section 2.3.1 of OAuth 2.0, and for the derivation of symmetric encryption key values.

• registrationAccessToken :: Maybe Text

  Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration.

• registrationClientUri :: Maybe URI

  Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration. Implementations MUST either return both a Client Configuration Endpoint and a Registration Access Token or neither of them.

• clientIdIssuedAt :: Maybe NumericDate

  Time at which the Client Identifier was issued.

• clientSecretExpiresAt :: Maybe NumericDate

  If client_secret is issued. Time at which the client_secret will expire or 0 if it will not expire.

Fields

• getURI :: URI