From 18c3180c2405aa2173d674fd3a1d4c13b916e9a9 Mon Sep 17 00:00:00 2001
From: Mymoona
Date: Wed, 22 Mar 2023 13:22:38 -0700
Subject: [PATCH] OKTA-584321 docs for pairwise
---
 .../docs/reference/api/apps/index.md | 46 ++++----
 .../docs/reference/api/oauth-clients/index.md | 42 +++----
 .../docs/reference/api/oidc/index.md | 110 +++++++++---------
 3 files changed, 102 insertions(+), 96 deletions(-)
diff --git a/packages/@okta/vuepress-site/docs/reference/api/apps/index.md b/packages/@okta/vuepress-site/docs/reference/api/apps/index.md
index 1e8c83f4d21..d4bf05165f2 100644
--- a/packages/@okta/vuepress-site/docs/reference/api/apps/index.md
+++ b/packages/@okta/vuepress-site/docs/reference/api/apps/index.md
@@ -1334,28 +1334,30 @@ Adds an OAuth 2.0 client application. This application is only available to the ##### Settings -| Parameter | Description | DataType | Nullable | Unique | Validation | -| :-------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------- | :--------- | :------- | :--------- | -| application_type | The type of client application | `web`, `native`, `browser`, or `service` | TRUE | FALSE | TRUE | -| client_uri | URL string of a web page providing information about the client | String | TRUE | FALSE | FALSE | -| consent_method | Indicates whether user consent is required or implicit. Valid values: `REQUIRED`, `TRUSTED`. Default value is `TRUSTED` | String | TRUE | FALSE | TRUE | -| grant_types | Array of OAuth 2.0 grant type strings | Array of `authorization_code`, `implicit`, `password`, `refresh_token`, `client_credentials`, `urn:ietf:params:oauth:grant-type:saml2-bearer`, `urn:openid:params:grant-type:ciba` | FALSE | FALSE | TRUE | -| initiate_login_uri | URL string that a third party can use to initiate a sign in by the client | String | TRUE | FALSE | TRUE | -| issuer_mode | Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client. See [Details](#details). | `CUSTOM_URL` or `ORG_URL` or `DYNAMIC` | TRUE | FALSE | TRUE | -| idp_initiated_login | The type of Idp-Initiated login that the client supports, if any | [Idp-Initiated Login](#idp-initiated-login-object) | TRUE | FALSE | TRUE | -| logo_uri | URL string that references a logo for the client. This value is used with the client consent dialog box during the client consent flow. 
See [Details](#details).| URL | TRUE | FALSE | FALSE | -| policy_uri | URL string of a web page providing the client's policy document | URL | TRUE | FALSE | FALSE | -| post_logout_redirect_uris | Array of redirection URI strings for relying party-initiated logouts | Array | TRUE | FALSE | FALSE | -| redirect_uris | Array of redirection URI strings for use in redirect-based flows | Array | TRUE | FALSE | TRUE | -| wildcard_redirect | Indicates if the client is allowed to use wildcard matching of `redirect_uris`. See [Details](#details) for matching rules. | String | TRUE | FALSE | `DISABLED`, `SUBDOMAIN`. Default value is `DISABLED`. | -| response_types | Array of OAuth 2.0 response type strings | Array of `code`, `token`, `id_token` | TRUE | FALSE | TRUE | -| tos_uri | URL string of a web page providing the client's terms of service document | URL | TRUE | FALSE | FALSE | -| refresh_token | Refresh token configuration | [Refresh Token object](#refresh-token-object) | TRUE | FALSE | TRUE | -| jwks_uri | URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. | String | TRUE | FALSE | TRUE | -| backchannel_token_delivery_mode | The delivery mode for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping`, and `push`. Supported values: `poll`. | String | TRUE | FALSE | TRUE | -| backchannel_authentication_request_signing_alg | The signing algorithm for Client-Initiated Backchannel Authentication signed requests. If this value isn't set and a signed request is sent, the request fails. | String | TRUE | FALSE | TRUE | -| backchannel_custom_authenticator_id | The ID of the custom authenticator that authenticates the user. | String | TRUE | FALSE | TRUE | -| dpop_bound_access_tokens | Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If omitted, the default value is `false`. 
If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. | Boolean | TRUE | FALSE | TRUE | +| Parameter | Description | DataType | Nullable | Unique | Validation | +|:------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| :--------- | :------- | :--------- | +| application_type | The type of client application | `web`, `native`, `browser`, or `service` | TRUE | FALSE | TRUE | +| client_uri | URL string of a web page providing information about the client | String | TRUE | FALSE | FALSE | +| consent_method | Indicates whether user consent is required or implicit. Valid values: `REQUIRED`, `TRUSTED`. Default value is `TRUSTED` | String | TRUE | FALSE | TRUE | +| grant_types | Array of OAuth 2.0 grant type strings | Array of `authorization_code`, `implicit`, `password`, `refresh_token`, `client_credentials`, `urn:ietf:params:oauth:grant-type:saml2-bearer`, `urn:openid:params:grant-type:ciba` | FALSE | FALSE | TRUE | +| initiate_login_uri | URL string that a third party can use to initiate a sign in by the client | String | TRUE | FALSE | TRUE | +| issuer_mode | Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client. See [Details](#details). 
| `CUSTOM_URL` or `ORG_URL` or `DYNAMIC` | TRUE | FALSE | TRUE | +| idp_initiated_login | The type of Idp-Initiated login that the client supports, if any | [Idp-Initiated Login](#idp-initiated-login-object) | TRUE | FALSE | TRUE | +| logo_uri | URL string that references a logo for the client. This value is used with the client consent dialog box during the client consent flow. See [Details](#details). | URL | TRUE | FALSE | FALSE | +| policy_uri | URL string of a web page providing the client's policy document | URL | TRUE | FALSE | FALSE | +| post_logout_redirect_uris | Array of redirection URI strings for relying party-initiated logouts | Array | TRUE | FALSE | FALSE | +| redirect_uris | Array of redirection URI strings for use in redirect-based flows | Array | TRUE | FALSE | TRUE | +| wildcard_redirect | Indicates if the client is allowed to use wildcard matching of `redirect_uris`. See [Details](#details) for matching rules. | String | TRUE | FALSE | `DISABLED`, `SUBDOMAIN`. Default value is `DISABLED`. | +| response_types | Array of OAuth 2.0 response type strings | Array of `code`, `token`, `id_token` | TRUE | FALSE | TRUE | +| tos_uri | URL string of a web page providing the client's terms of service document | URL | TRUE | FALSE | FALSE | +| refresh_token | Refresh token configuration | [Refresh Token object](#refresh-token-object) | TRUE | FALSE | TRUE | +| jwks_uri | URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. | String | TRUE | FALSE | TRUE | +| backchannel_token_delivery_mode | The delivery mode for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping`, and `push`. Supported values: `poll`. | String | TRUE | FALSE | TRUE | +| backchannel_authentication_request_signing_alg | The signing algorithm for Client-Initiated Backchannel Authentication signed requests. If this value isn't set and a signed request is sent, the request fails. 
| String | TRUE | FALSE | TRUE | +| backchannel_custom_authenticator_id | The ID of the custom authenticator that authenticates the user. | String | TRUE | FALSE | TRUE | +| dpop_bound_access_tokens | Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If omitted, the default value is `false`. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. | Boolean | TRUE | FALSE | TRUE | +| sector_identifier_uri | URL that references a file with a single JSON array of redirect_uri values used in calculating Pseudonymous Identifiers when `subject_type` is `pairwise` . | URL | TRUE | FALSE | TRUE | +| subject_type | Array of OAuth 2.0 subject type strings. Default value: `public` | Array of `public`, `pairwise` | TRUE | FALSE | TRUE | ###### Details diff --git a/packages/@okta/vuepress-site/docs/reference/api/oauth-clients/index.md b/packages/@okta/vuepress-site/docs/reference/api/oauth-clients/index.md index 04995603314..ed818bdef85 100644 --- a/packages/@okta/vuepress-site/docs/reference/api/oauth-clients/index.md +++ b/packages/@okta/vuepress-site/docs/reference/api/oauth-clients/index.md 
@@ -761,26 +761,28 @@ Content-Type: application/json;charset=UTF-8 Client Applications have the following properties: -| Property | Description | DataType | Nullable | Unique | Readonly | -| :------------------------------------ | :--------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------- | :--------- | :------- | :-------- | -| application_type | The type of client application. Default value: `web` | `web`, `native`, `browser`, or `service` | TRUE | FALSE | TRUE | -| client_id | Unique key for the client application | String | FALSE | TRUE | TRUE | -| client_id_issued_at | Time at which the client_id was issued (measured in unix seconds) | Number | TRUE | FALSE | TRUE | -| client_name | Human-readable string name of the client application | String | FALSE | FALSE | FALSE | -| client_secret | OAuth 2.0 client secret string (used for confidential clients) | String | TRUE | TRUE | TRUE | -| client_secret_expires_at | Time at which the client_secret will expire or 0 if it will not expire(measured in unix seconds) | Number | TRUE | FALSE | TRUE | -| grant_types | Array of OAuth 2.0 grant type strings. Default value: `authorization_code` | Array of `authorization_code`, `client_credentials`, `implicit`, `interaction_code` , `password`, `refresh_token`, `urn:ietf:params:oauth:grant-type:device_code`, `urn:ietf:params:oauth:grant-type:saml2-bearer` , `urn:ietf:params:oauth:grant-type:token-exchange` | TRUE | FALSE | FALSE | -| initiate_login_uri | URL that a third party can use to initiate a login by the client | String | TRUE | FALSE | FALSE | -| jwks_uri | URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. 
| String | TRUE | FALSE | FALSE | -| jwks | A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. | [JSON Web Key Set](#json-web-key-set) | TRUE | FALSE | FALSE | -| logo_uri | URL string that references a logo for the client consent dialog box (not the sign-in dialog box). See [Add an OAuth 2.0 client application](/docs/reference/api/apps/#details) for more information on how the `logo_uri` is used. | String | TRUE | FALSE | FALSE | -| policy_uri | URL string of a web page providing the client's policy document | URL | TRUE | FALSE | FALSE | -| post_logout_redirect_uris | Array of redirection URI strings for use for relying party initiated logouts | Array | TRUE | FALSE | FALSE | -| redirect_uris | Array of redirection URI strings for use in redirect-based flows | Array | TRUE | FALSE | FALSE | -| request_object_signing_alg | The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects. | `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512` | TRUE | FALSE | FALSE | -| response_types | Array of OAuth 2.0 response type strings. Default value: `code` | Array of `code`, `token`, `id_token` | TRUE | FALSE | FALSE | -| token_endpoint_auth_method | Requested authentication method for the token endpoint. 
Default value: `client_secret_basic` | `none`, `client_secret_post`, `client_secret_basic`, or `client_secret_jwt` | TRUE | FALSE | FALSE | -| tos_uri | URL string of a web page providing the client's terms of service document | URL | TRUE | FALSE | FALSE | +| Property | Description | DataType | Nullable | Unique | Readonly | +|:-----------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------|:---------|:----------| +| application_type | The type of client application. Default value: `web` | `web`, `native`, `browser`, or `service` | TRUE | FALSE | TRUE | +| client_id | Unique key for the client application | String | FALSE | TRUE | TRUE | +| client_id_issued_at | Time at which the client_id was issued (measured in unix seconds) | Number | TRUE | FALSE | TRUE | +| client_name | Human-readable string name of the client application | String | FALSE | FALSE | FALSE | +| client_secret | OAuth 2.0 client secret string (used for confidential clients) | String | TRUE | TRUE | TRUE | +| client_secret_expires_at | Time at which the client_secret will expire or 0 if it will not expire(measured in unix seconds) | Number | TRUE | FALSE | TRUE | +| grant_types | Array of OAuth 2.0 grant type strings. 
Default value: `authorization_code` | Array of `authorization_code`, `client_credentials`, `implicit`, `interaction_code` , `password`, `refresh_token`, `urn:ietf:params:oauth:grant-type:device_code`, `urn:ietf:params:oauth:grant-type:saml2-bearer` , `urn:ietf:params:oauth:grant-type:token-exchange` | TRUE | FALSE | FALSE | +| initiate_login_uri | URL that a third party can use to initiate a login by the client | String | TRUE | FALSE | FALSE | +| jwks_uri | URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. | String | TRUE | FALSE | FALSE | +| jwks | A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta. | [JSON Web Key Set](#json-web-key-set) | TRUE | FALSE | FALSE | +| logo_uri | URL string that references a logo for the client consent dialog box (not the sign-in dialog box). See [Add an OAuth 2.0 client application](/docs/reference/api/apps/#details) for more information on how the `logo_uri` is used. | String | TRUE | FALSE | FALSE | +| policy_uri | URL string of a web page providing the client's policy document | URL | TRUE | FALSE | FALSE | +| post_logout_redirect_uris | Array of redirection URI strings for use for relying party initiated logouts | Array | TRUE | FALSE | FALSE | +| redirect_uris | Array of redirection URI strings for use in redirect-based flows | Array | TRUE | FALSE | FALSE | +| request_object_signing_alg | The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects. | `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512` | TRUE | FALSE | FALSE | +| response_types | Array of OAuth 2.0 response type strings. 
Default value: `code` | Array of `code`, `token`, `id_token` | TRUE | FALSE | FALSE | +| sector_identifier_uri | URL that references a file with a single JSON array of redirect_uri values used in calculating Pseudonymous Identifiers when `subject_type` is `pairwise` . | URL | TRUE | FALSE | FALSE | +| subject_type | Array of OAuth 2.0 subject type strings. Default value: `public` | Array of `public`, `pairwise` | TRUE | FALSE | FALSE | +| token_endpoint_auth_method | Requested authentication method for the token endpoint. Default value: `client_secret_basic` | `none`, `client_secret_post`, `client_secret_basic`, or `client_secret_jwt` | TRUE | FALSE | FALSE | +| tos_uri | URL string of a web page providing the client's terms of service document | URL | TRUE | FALSE | FALSE | Property details diff --git a/packages/@okta/vuepress-site/docs/reference/api/oidc/index.md b/packages/@okta/vuepress-site/docs/reference/api/oidc/index.md index 68570855c63..092aca88a4f 100644 --- a/packages/@okta/vuepress-site/docs/reference/api/oidc/index.md +++ b/packages/@okta/vuepress-site/docs/reference/api/oidc/index.md 
@@ -1032,32 +1032,32 @@ curl -X GET \ #### Response properties -| Property | Description | Type | -| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| issuer | The complete URL for a custom authorization server. This becomes the `iss` claim in an access token. In the context of this document, this is your authorization server's [base URL](#composing-your-base-url). | String | -| authorization endpoint | URL of the authorization server's [authorization endpoint](#authorize). | String | -| device_authorization_endpoint | URL of the authorization server's [device authorize endpoint](#device-authorize). | String | -| token_endpoint | URL of the authorization server's [token endpoint](#token). | String | -| registration_endpoint | URL of the authorization server's [Dynamic Client Registration endpoint](/docs/reference/api/oauth-clients/#register-new-client). | String | -| jwks_uri | URL of the authorization server's [JSON Web Key Set](/docs/reference/api/authorization-servers/#certificate-json-web-key-object) document. | String | -| response_types_supported | JSON array that contains a list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. | Array | -| response_modes_supported | JSON array that containis a list of the `response_mode` values that this authorization server supports. More information in [parameter details](#parameter-details). | Array | -| grant_types_supported | JSON array that contains a list of the `grant_type` values that this authorization server supports. | Array | -| subject_types_supported | JSON array that contains a list of the Subject Identifier types that this authorization server supports. Valid types are `pairwise` and `public`. Supported values: `public`. 
See the [Subject Identifier Types] (https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. | Array | -| scopes_supported | JSON array that contains a list of the `scope` values that this authorization server supports. | Array | -| token_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this token endpoint. | Array | -| claims_supported | A list of the claims supported by this authorization server. | Array | -| code_challenge_methods_supported | JSON array that contains a list of [PKCE code challenge](/docs/guides/implement-grant-type/authcodepkce/main/) methods supported by this authorization server. | Array | -| introspection_endpoint | URL of the authorization server's [introspection endpoint](#introspect). | String | -| introspection_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this introspection endpoint. More info [here](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response). | Array | -| revocation_endpoint | URL of the authorization server's [revocation endpoint](#revoke). | String | -| revocation_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this revocation endpoint. More info [here](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response). | Array | -| end_session_endpoint | URL of the authorization server's [logout endpoint](#logout). | String | -| request_parameter_supported | Indicates if [request parameters](#parameter-details) are supported by this authorization server. 
| Boolean | -| request_object_signing_alg_values_supported | The signing algorithms that this authorization server supports for signed requests. | Array | -| backchannel_token_delivery_modes_supported | The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping` and `push`. Supported values: `poll`. | Array | -| backchannel_authentication_request_signing_alg_values_supported | The signing algorithms that this authorization server supports for Client-Initiated Backchannel Authentication signed requests. | Array | -| dpop_signing_alg_values_supported | JSON array that contains a list of the JWS algorithm values supported by the authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. | Array | +| Property | Description | Type | +| ----------------------------------------------------------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------- | +| issuer | The complete URL for a custom authorization server. This becomes the `iss` claim in an access token. In the context of this document, this is your authorization server's [base URL](#composing-your-base-url). | String | +| authorization endpoint | URL of the authorization server's [authorization endpoint](#authorize). | String | +| device_authorization_endpoint | URL of the authorization server's [device authorize endpoint](#device-authorize). | String | +| token_endpoint | URL of the authorization server's [token endpoint](#token). | String | +| registration_endpoint | URL of the authorization server's [Dynamic Client Registration endpoint](/docs/reference/api/oauth-clients/#register-new-client). 
| String | +| jwks_uri | URL of the authorization server's [JSON Web Key Set](/docs/reference/api/authorization-servers/#certificate-json-web-key-object) document. | String | +| response_types_supported | JSON array that contains a list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. | Array | +| response_modes_supported | JSON array that containis a list of the `response_mode` values that this authorization server supports. More information in [parameter details](#parameter-details). | Array | +| grant_types_supported | JSON array that contains a list of the `grant_type` values that this authorization server supports. | Array | +| subject_types_supported | JSON array that contains a list of the Subject Identifier types that this authorization server supports. Valid types are `pairwise` and `public`. Supported values: `public` and `pairwise` . See the [Subject Identifier Types] (https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. | Array | +| scopes_supported | JSON array that contains a list of the `scope` values that this authorization server supports. | Array | +| token_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this token endpoint. | Array | +| claims_supported | A list of the claims supported by this authorization server. | Array | +| code_challenge_methods_supported | JSON array that contains a list of [PKCE code challenge](/docs/guides/implement-grant-type/authcodepkce/main/) methods supported by this authorization server. | Array | +| introspection_endpoint | URL of the authorization server's [introspection endpoint](#introspect). 
| String | +| introspection_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this introspection endpoint. More info [here](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response). | Array | +| revocation_endpoint | URL of the authorization server's [revocation endpoint](#revoke). | String | +| revocation_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this revocation endpoint. More info [here](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response). | Array | +| end_session_endpoint | URL of the authorization server's [logout endpoint](#logout). | String | +| request_parameter_supported | Indicates if [request parameters](#parameter-details) are supported by this authorization server. | Boolean | +| request_object_signing_alg_values_supported | The signing algorithms that this authorization server supports for signed requests. | Array | +| backchannel_token_delivery_modes_supported | The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping` and `push`. Supported values: `poll`. | Array | +| backchannel_authentication_request_signing_alg_values_supported | The signing algorithms that this authorization server supports for Client-Initiated Backchannel Authentication signed requests. | Array | +| dpop_signing_alg_values_supported | JSON array that contains a list of the JWS algorithm values supported by the authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. | Array | #### Response example (success) 
@@ -1092,7 +1092,8 @@ curl -X GET \
 "urn:openid:params:grant-type:ciba"
 ],
 "subject_types_supported": [
- "public"
+ "public",
+ "pairwise"
 ],
 "scopes_supported": [
 "openid",
@@ -1214,32 +1215,32 @@ curl -X GET \
 #### Response properties
-| Property | Description | Type |
-| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| authorization_endpoint | URL of the authorization server's [authorization endpoint](#authorize). | String |
-| device_authorization_endpoint | URL of the authorization server's [device authorize endpoint](#device-authorize). | String |
-| claims_supported | A list of the claims supported by this authorization server. | Array |
-| code_challenge_methods_supported | JSON array that contains a list of [PKCE code challenge](/docs/guides/implement-grant-type/authcodepkce/main/) methods supported by this authorization server. | Array |
-| end_session_endpoint | URL of the authorization server's [logout endpoint](#logout). | String |
-| grant_types_supported | JSON array that contains a list of the grant type values that this authorization server supports. | Array |
-| introspection_endpoint | URL of the authorization server's [introspection endpoint](#introspect). | String |
-| introspection_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this introspection endpoint. | Array |
-| issuer | The authorization server's issuer identifier. In the context of this document, this is your authorization server's [base URL](#composing-your-base-uRL). | String |
-| jwks_uri | URL of the authorization server's JSON Web Key Set document.
| String |
-| registration_endpoint | URL of the authorization server's [Dynamic Client Registration endpoint](/docs/reference/api/oauth-clients/#register-new-client) | String |
-| request_object_signing_alg_values_supported | The signing algorithms that this authorization server supports for signed requests. | Array |
-| request_parameter_supported | Indicates if [Request Parameters](#parameter-details) are supported by this authorization server. | Boolean |
-| response_modes_supported | JSON array that contains a list of the `response_mode` values that this authorization server supports. More information in [Parameter details](#parameter-details). | Array |
-| response_types_supported | JSON array that contains a list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. | Array |
-| revocation_endpoint | URL of the authorization server's [revocation endpoint](#revoke). | String |
-| revocation_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this revocation endpoint. | Array |
-| scopes_supported | JSON array that contains a list of the `scope` values that this authorization server supports. | Array |
-| subject_types_supported | JSON array that contains a list of the Subject Identifier types that this authorization server supports. Valid types are `pairwise` and `public`. Supported values: `public`. See the [Subject Identifier Types] (https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. | Array |
-| token_endpoint | URL of the authorization server's [token endpoint](#token). | String |
-| token_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this token endpoint.
| Array | -| backchannel_token_delivery_modes_supported | The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping` and `push`. Supported values: `poll`. | Array | -| backchannel_authentication_request_signing_alg_values_supported | The signing algorithms that this authorization server supports for Client-Initiated Backchannel Authentication signed requests. | Array | -| dpop_signing_alg_values_supported | JSON array that contains a list of the JWS `alg` values supported by the authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. | Array | +| Property | Description | Type | +| ----------------------------------------------------------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------- | +| authorization_endpoint | URL of the authorization server's [authorization endpoint](#authorize). | String | +| device_authorization_endpoint | URL of the authorization server's [device authorize endpoint](#device-authorize). | String | +| claims_supported | A list of the claims supported by this authorization server. | Array | +| code_challenge_methods_supported | JSON array that contains a list of [PKCE code challenge](/docs/guides/implement-grant-type/authcodepkce/main/) methods supported by this authorization server. | Array | +| end_session_endpoint | URL of the authorization server's [logout endpoint](#logout). | String | +| grant_types_supported | JSON array that contains a list of the grant type values that this authorization server supports. 
| Array |
+| introspection_endpoint | URL of the authorization server's [introspection endpoint](#introspect). | String |
+| introspection_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this introspection endpoint. | Array |
+| issuer | The authorization server's issuer identifier. In the context of this document, this is your authorization server's [base URL](#composing-your-base-uRL). | String |
+| jwks_uri | URL of the authorization server's JSON Web Key Set document. | String |
+| registration_endpoint | URL of the authorization server's [Dynamic Client Registration endpoint](/docs/reference/api/oauth-clients/#register-new-client) | String |
+| request_object_signing_alg_values_supported | The signing algorithms that this authorization server supports for signed requests. | Array |
+| request_parameter_supported | Indicates if [Request Parameters](#parameter-details) are supported by this authorization server. | Boolean |
+| response_modes_supported | JSON array that contains a list of the `response_mode` values that this authorization server supports. More information in [Parameter details](#parameter-details). | Array |
+| response_types_supported | JSON array that contains a list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. | Array |
+| revocation_endpoint | URL of the authorization server's [revocation endpoint](#revoke). | String |
+| revocation_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this revocation endpoint. | Array |
+| scopes_supported | JSON array that contains a list of the `scope` values that this authorization server supports.
| Array |
+| subject_types_supported | JSON array that contains a list of the Subject Identifier types that this authorization server supports. Valid types are `pairwise` and `public`. Supported values: `public` and `pairwise` . See the [Subject Identifier Types] (https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. | Array |
+| token_endpoint | URL of the authorization server's [token endpoint](#token). | String |
+| token_endpoint_auth_methods_supported | JSON array that contains a list of [client authentication methods](/docs/reference/api/oidc/#client-authentication-methods/) supported by this token endpoint. | Array |
+| backchannel_token_delivery_modes_supported | The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. Valid types include `poll`, `ping` and `push`. Supported values: `poll`. | Array |
+| backchannel_authentication_request_signing_alg_values_supported | The signing algorithms that this authorization server supports for Client-Initiated Backchannel Authentication signed requests. | Array |
+| dpop_signing_alg_values_supported | JSON array that contains a list of the JWS `alg` values supported by the authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. | Array |
 #### Response example (success)
@@ -1275,7 +1276,8 @@ curl -X GET \
 "urn:openid:params:grant-type:ciba"
 ],
 "subject_types_supported": [
- "public"
+ "public",
+ "pairwise"
 ],
 "id_token_signing_alg_values_supported": [
 "RS256"