There are three ways to designate the standard endpoints for the system.
Any endpoint that you set explicitly is taken as an override, so you could, e.g., set the well-known URI and also set a custom token endpoint, and the custom token endpoint would be used. Note that the getcert endpoint is not an OIDC or OAuth standard and is used only by certain servers (CILogon in particular), so it must be set if it is used.
These are values that the client needs to supply to identify itself. They are:

Parameter | Required? | Default | Description
--- | --- | --- | ---
accessTokenUri | Y | serviceUri + /token | The address which the client should use for getting the access token. Normally this is constructed from the serviceUri and should only be set explicitly by the server administrator if needed.
assetUri | Y | serviceUri + /getcert | The address from which the client will get the certificate. Normally this is constructed from the serviceUri and should only be set explicitly by the server administrator if needed.
authorizeUri | Y | serviceUri + /authorize | The address which the client should use for authorization. Normally this is constructed from the serviceUri and should only be set explicitly by the server administrator if needed.
callbackUri | Y | N/A | The redirect address to which the user is sent after authorization. Note that this can be reset at runtime before the call is made, should you want to customize it per user.
deviceAuthorizationUri | Y | serviceUri + /device_authorization | The address which the client should use for initiating the device authorization flow (RFC 8628). Normally this is constructed from the serviceUri and should only be set explicitly by the server administrator if needed.
enableAssetCleanup | N | false | Whether the service will automatically remove old assets in the store.
id | Y | N/A | The unique identifier generated by the server during the registration process.
keypairLifetime | N | 0 | The maximum age, in seconds, for the client-side generated keypair to be cached. Keypair caching reduces key generation load on heavily used clients by re-using a keypair across OAuth sessions. This functionality should only be used if the keypair remains secured in the OAuth client and is not externally exposed. It affects the keypair used to generate certificate requests and is not the same as the OAuth keypair created at registration. Setting the value to zero forces the client to generate a new keypair with each request. This keypair is stored in the asset for the request.
lifetime | N | 43200 | The requested lifetime in seconds this certificate should last. The service will always apply its own policies to any request. The default is 12 hours.
maxAssetLifetime | N | 2592000 (one calendar month in seconds) | The maximum age, in seconds, that an asset may be in the store. This only applies if the cleanup facility is enabled and the OAuth version is 1.0a. In the OAuth 2.0 version this is ignored, since cleanup of old assets is determined by the lifetime of the refresh token.
secret | Y | N/A | The secret that is given to the client at registration. This should be cut and pasted into the configuration file with no blanks or other characters. Note that the server does not store the secret itself, only a hash of it, so if you lose it you must re-register.
serviceUri | Y | N/A | The address of the service this client uses.
showRedirectPage | N | false | Whether to pause the exchange to show a page containing the redirect URL and the private key. Set this to true to enable. Generally this is rather useful in debugging but should not be enabled in production systems. Note that this only applies to OAuth 1.0a since the protocol under OAuth 2.0 is different.
skin | N | N/A | The skin that the site will display for this client. This lets OA4MP servers mimic the look and feel of the client site. You should contact the server administration to set this up with you if you are interested.
userInfoUri | Y | serviceUri + /userinfo | The address from which the client will get user information. Normally this is constructed from the serviceUri and should only be set explicitly by the server administrator if needed.
wellKnownUri | Y | N/A | The address of the well-known page for the server.
If any of the required parameters are omitted, then an exception will be raised. The certificate lifetime may be omitted. If present, it will be processed in accordance with the service's cert lifetime policies and there is no requirement that the requested lifetime be honored.
<config>
  <client>
    <callbackUri>http://client.example.org/client2/ready</callbackUri>
    <secret>bwM9YgIMM4oMeOTZdJLyp8shgfuzrwWHxS401pEx8w2_BOk5ip46zJL_bsTj2bU5iuS7QsiGmze44pA2k3MhYuPGOkSSMpUEkpXI9KZqY_OVGOI8B3JYj8q0ZWP80hkmshwzYQiHOz5IJW7KZpMOQSKVG5lbmP0_iSwPim74WwH9akuc_3pocIntA5OfVtRKl0LCAz1WkXUSbF5sH6-xx8SWPJvaU0rc95jmxXqUxib3iXwYgheo1yyrvK4RHsStppZD9RmcwgyhLxvgUDap-23tm</secret>
    <serviceUri>https://server.example.org/oauth2</serviceUri>
    <id>myproxy:delegation,2011:/client/c43d987fedbf7c3258973fdedc8</id>
    <fileStore path="/path/to/asset/store/">
      <assetStore/>
    </fileStore>
    <enableAssetCleanup>true</enableAssetCleanup>
  </client>
</config>

The secret that is sent to the server is put in without line breaks. The keypair lifetime is omitted, which means that the client will take the default (currently a new keypair is generated once every 24 hours). There is no maxAssetLifetime parameter here since that is not needed in OAuth 2.0-based clients. However, asset cleanup is still enabled.
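A small checker for a configuration like the one above, added here as an example and not part of OA4MP itself: it parses the `<client>` block, derives each endpoint from serviceUri using the table's defaults unless an explicit override is present, and rejects missing required values or a secret with embedded whitespace. It assumes the four values with no default (callbackUri, id, secret, serviceUri) are the hard requirements; wellKnownUri, although marked required above, is absent from the page's own example and is not enforced here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration modelled on the page's example; the secret is a placeholder.
SAMPLE_CONFIG = """<config>
  <client>
    <callbackUri>http://client.example.org/client2/ready</callbackUri>
    <secret>PLACEHOLDER_SECRET_FROM_REGISTRATION</secret>
    <serviceUri>https://server.example.org/oauth2</serviceUri>
    <id>myproxy:delegation,2011:/client/c43d987fedbf7c3258973fdedc8</id>
    <fileStore path="/path/to/asset/store/">
      <assetStore/>
    </fileStore>
    <enableAssetCleanup>true</enableAssetCleanup>
  </client>
</config>"""

# Assumption: these are the parameters with no derivable default in the table.
REQUIRED = ("callbackUri", "id", "secret", "serviceUri")

# Endpoints derived from serviceUri unless explicitly set (suffixes from the table).
DERIVED = {
    "accessTokenUri": "/token",
    "assetUri": "/getcert",
    "authorizeUri": "/authorize",
    "deviceAuthorizationUri": "/device_authorization",
    "userInfoUri": "/userinfo",
}


def resolve_client_config(xml_text: str) -> dict:
    """Parse a <config><client> block, enforce required values, derive endpoints."""
    client = ET.fromstring(xml_text).find("client")
    if client is None:
        raise ValueError("missing <client> element")
    cfg = {child.tag: (child.text or "").strip() for child in client}
    missing = [key for key in REQUIRED if not cfg.get(key)]
    if missing:
        raise ValueError(f"required client parameters missing: {missing}")
    # The secret is pasted verbatim; a blank or line break inside it would corrupt it.
    if re.search(r"\s", cfg["secret"]):
        raise ValueError("secret contains whitespace; paste it as one unbroken string")
    base = cfg["serviceUri"].rstrip("/")
    for key, suffix in DERIVED.items():
        cfg.setdefault(key, base + suffix)  # an explicit value wins as an override
    cfg.setdefault("lifetime", "43200")  # 12 hours, the table default
    cfg.setdefault("keypairLifetime", "0")  # 0: fresh keypair per request
    cfg.setdefault("enableAssetCleanup", "false")
    return cfg
```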