OAuthClient

Represents an OAuth 2.0 client application requesting access to protected resources. Manages client credentials, allowed grant types, redirect URIs, permitted scopes, and security policies. Supports confidential clients, public clients with PKCE, and service accounts for enterprise, mobile, and API platforms.

36 properties
Schema

Properties

Each entry gives the property name, its type, its mode (stored or calculated) and whether it is required, followed by the description and any permitted values or example.

name (string, stored, required)
    Human-readable name for this OAuth client application
    Example: "Partner Portal Web App"

clientId (string, stored, required)
    Unique public identifier for this OAuth client (used in authorization requests)
    Example: "client_a1b2c3d4e5f6g7h8"

clientSecret (string, stored, optional)
    Confidential secret for client authentication (only for confidential clients)
    Example: "secret_x1y2z3w4v5u6t7s8r9q0p1o2n3m4l5k6"

clientType (string, stored, required)
    Type of OAuth client based on its ability to maintain credential confidentiality
    Values: confidential, public, service
    Example: "confidential"

applicationType (string, stored, required)
    Application platform type
    Values: web, spa, mobile, native, service, device
    Example: "web"

status (string, stored, required)
    Current operational status of this client
    Values: active, inactive, suspended, revoked
    Example: "active"

description (string, stored, optional)
    Detailed description of the client application and its purpose
    Example: "Partner integration web application for accessing customer data"

owner (User, stored, optional)
    Reference to the User or service account that registered or owns this client

organization (Organization, stored, optional)
    Reference to the Organization that owns this client application

allowedGrantTypes (string[], stored, required)
    OAuth 2.0 grant types permitted for this client
    Example: ["authorization_code","refresh_token","client_credentials"]

redirectUris (string[], stored, required)
    Whitelisted redirect URIs where authorization responses can be sent (must match exactly during authorization)
    Example: ["https://app.example.com/callback","https://app.example.com/oauth/callback"]

allowedScopes (string[], stored, required)
    OAuth scopes this client is authorized to request
    Example: ["openid","profile","email","api:read","api:write"]

defaultScopes (string[], stored, optional)
    Default scopes granted if no specific scopes are requested
    Example: ["openid","profile"]

audience (string[], stored, optional)
    Target resource servers/APIs this client can access (OAuth 2.0 Resource Indicators)
    Example: ["https://api.example.com","https://data.example.com"]

tokenEndpointAuthMethod (string, stored, required)
    Authentication method used at the token endpoint
    Values: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none
    Example: "client_secret_basic"

requirePkce (boolean, stored, required)
    Whether PKCE (Proof Key for Code Exchange) is required for authorization code flows
    Example: true

requireConsent (boolean, stored, required)
    Whether the user consent screen must be shown (false for first-party trusted clients)

isFirstParty (boolean, stored, required)
    Whether this is a first-party trusted application (owned by the same organization as the authorization server)
    Example: true

accessTokenLifetimeSeconds (number, stored, optional)
    Lifetime of access tokens issued to this client (in seconds)
    Example: 3600

refreshTokenLifetimeSeconds (number, stored, optional)
    Lifetime of refresh tokens issued to this client (in seconds, null for no refresh tokens)
    Example: 2592000

idTokenLifetimeSeconds (number, stored, optional)
    Lifetime of OpenID Connect ID tokens issued to this client (in seconds)
    Example: 3600

allowRefreshToken (boolean, stored, optional)
    Whether refresh tokens can be issued to this client
    Example: true

allowOfflineAccess (boolean, stored, optional)
    Whether this client can request the offline_access scope (long-lived refresh tokens)
    Example: true

logoUri (string, stored, optional)
    URL to the client application logo (displayed during consent)
    Example: "https://app.example.com/logo.png"

homepageUri (string, stored, optional)
    URL to the client application homepage
    Example: "https://app.example.com"

privacyPolicyUri (string, stored, optional)
    URL to the privacy policy (required for the consent screen)
    Example: "https://app.example.com/privacy"

termsOfServiceUri (string, stored, optional)
    URL to the terms of service (required for the consent screen)
    Example: "https://app.example.com/terms"

allowedOrigins (string[], stored, optional)
    Allowed CORS origins for this client (for SPAs making direct token requests)
    Example: ["https://app.example.com","https://staging.app.example.com"]

postLogoutRedirectUris (string[], stored, optional)
    Whitelisted URIs where the user can be redirected after logout (OIDC RP-initiated logout)
    Example: ["https://app.example.com/logout","https://app.example.com/goodbye"]

registeredAt (datetime, stored, required)
    Date/time when this client was registered
    Example: "2024-01-15T10:00:00Z"

lastUsedAt (datetime, stored, optional)
    Date/time when this client was last used for authentication/authorization
    Example: "2024-11-22T14:30:00Z"

metadata (json, stored, optional)
    Additional client metadata including custom attributes, integration details, or environment-specific settings

activeGrantsCount (number, calculated, optional)
    Number of active authorization grants for this client (via AuthorizationGrant)

activeSessionsCount (number, calculated, optional)
    Number of active authentication sessions using this client

totalUsersCount (number, calculated, optional)
    Total number of unique users who have authorized this client

daysSinceLastUse (number, calculated, optional)
    Number of days since this client was last used
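The following is an added example, not part of this schema page or of any authorization server that implements it. It sketches in Python how the policy fields above would be enforced at registration time and at the authorization endpoint: exact-match comparison of redirect_uri against redirectUris, scope requests limited to allowedScopes (falling back to defaultScopes), offline_access gated by allowOfflineAccess, and PKCE enforced when requirePkce is set. The two trimmed client records, the function names and the error strings are constructed for this example. Two rules are stricter than the schema states and are marked as assumptions in the code: public clients are required to set requirePkce, and only the S256 code_challenge_method is accepted.

```python
"""Policy checks for OAuthClient records (added example, not the page's own code)."""

from urllib.parse import urlsplit

# Constructed OAuthClient records, trimmed to the fields these checks read.
CLIENTS = {
    "spa_dashboard_jkl345": {
        "clientId": "spa_dashboard_jkl345",
        "clientType": "public",
        "status": "active",
        "allowedGrantTypes": ["authorization_code"],
        "redirectUris": ["https://dashboard.example.com/callback"],
        "allowedScopes": ["openid", "profile", "email", "analytics:read"],
        "defaultScopes": ["openid", "profile"],
        "tokenEndpointAuthMethod": "none",
        "requirePkce": True,
        "allowOfflineAccess": False,
    },
    "service_datasync_def789": {
        "clientId": "service_datasync_def789",
        "clientSecret": "secret_service_a9b8c7d6e5f4g3h2",  # constructed value
        "clientType": "service",
        "status": "active",
        "allowedGrantTypes": ["client_credentials"],
        "redirectUris": [],
        "allowedScopes": ["api:read", "api:write", "data:sync"],
        "defaultScopes": ["api:read"],
        "tokenEndpointAuthMethod": "client_secret_basic",
        "requirePkce": False,
        "allowOfflineAccess": False,
    },
}


def validate_client_record(client):
    """Return registration-policy violations for a client record (empty list when consistent)."""
    problems = []
    public = client["clientType"] == "public"
    if public and client.get("clientSecret"):
        problems.append("public client must not hold a clientSecret")
    if public and client["tokenEndpointAuthMethod"] != "none":
        problems.append("public client cannot authenticate at the token endpoint")
    if not public and client["tokenEndpointAuthMethod"] == "none":
        problems.append("confidential/service client must authenticate at the token endpoint")
    if public and "client_credentials" in client["allowedGrantTypes"]:
        problems.append("client_credentials requires a confidential client")
    # Assumption beyond the schema: every public client must require PKCE.
    if public and not client["requirePkce"]:
        problems.append("public client must require PKCE")
    if "authorization_code" in client["allowedGrantTypes"] and not client["redirectUris"]:
        problems.append("authorization_code requires at least one redirect URI")
    for uri in client["redirectUris"]:
        # RFC 6749 section 3.1.2: a registered redirect URI must not carry a fragment.
        if urlsplit(uri).fragment:
            problems.append(f"redirect URI must not contain a fragment: {uri}")
    return problems


def check_authorization_request(client, params):
    """Validate /authorize query parameters against the client's policy.

    Returns (ok, errors). `params` is a dict of the decoded query parameters.
    """
    errors = []
    if client["status"] != "active":
        errors.append(f"client status is {client['status']}")
    if params.get("response_type") != "code" or "authorization_code" not in client["allowedGrantTypes"]:
        errors.append("authorization_code grant not permitted for this client")
    # Exact string comparison against redirectUris: no prefix, wildcard or normalisation.
    if params.get("redirect_uri") not in client["redirectUris"]:
        errors.append("redirect_uri is not registered for this client")
    requested = set(params.get("scope", "").split()) or set(client.get("defaultScopes") or [])
    disallowed = requested - set(client["allowedScopes"])
    if disallowed:
        errors.append("scope not permitted: " + " ".join(sorted(disallowed)))
    if "offline_access" in requested and not client.get("allowOfflineAccess"):
        errors.append("offline_access not permitted for this client")
    if client["requirePkce"]:
        if not params.get("code_challenge"):
            errors.append("code_challenge is required (PKCE)")
        # Assumption beyond the schema: only S256 is accepted, "plain" is rejected.
        elif params.get("code_challenge_method", "plain") != "S256":
            errors.append("code_challenge_method must be S256")
    return (not errors, errors)


if __name__ == "__main__":
    for cid, rec in CLIENTS.items():
        print(cid, validate_client_record(rec))
    print(check_authorization_request(CLIENTS["spa_dashboard_jkl345"], {
        "response_type": "code",
        "redirect_uri": "https://dashboard.example.com/callback/../evil",
        "scope": "openid analytics:write",
    }))
```

The redirect_uri check deliberately avoids any path normalisation or prefix logic: the schema says registered URIs must match exactly, and the strings are compared as-is after query-string decoding. The scope fallback to defaultScopes mirrors the schema's "default scopes granted if no specific scopes are requested".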

Examples

Example 1

{
  "@type": "OAuthClient",
  "name": "Main Web Application",
  "clientId": "webapp_abc123def456",
  "clientSecret": "secret_confidential_x1y2z3w4v5u6t7s8",
  "clientType": "confidential",
  "applicationType": "web",
  "status": "active",
  "description": "Primary web application for customer portal access",
  "owner": {
    "@type": "User",
    "username": "system.admin"
  },
  "allowedGrantTypes": [
    "authorization_code",
    "refresh_token"
  ],
  "redirectUris": [
    "https://app.example.com/auth/callback",
    "https://app.example.com/oauth/callback"
  ],
  "allowedScopes": [
    "openid",
    "profile",
    "email",
    "api:read",
    "api:write",
    "offline_access"
  ],
  "defaultScopes": [
    "openid",
    "profile",
    "email"
  ],
  "audience": [
    "https://api.example.com"
  ],
  "tokenEndpointAuthMethod": "client_secret_post",
  "requirePkce": true,
  "requireConsent": false,
  "isFirstParty": true,
  "accessTokenLifetimeSeconds": 3600,
  "refreshTokenLifetimeSeconds": 2592000,
  "idTokenLifetimeSeconds": 3600,
  "allowRefreshToken": true,
  "allowOfflineAccess": true,
  "logoUri": "https://app.example.com/logo.png",
  "homepageUri": "https://app.example.com",
  "privacyPolicyUri": "https://app.example.com/privacy",
  "termsOfServiceUri": "https://app.example.com/terms",
  "postLogoutRedirectUris": [
    "https://app.example.com/logout"
  ],
  "registeredAt": "2024-01-15T10:00:00Z",
  "lastUsedAt": "2024-11-22T14:30:00Z"
}

Example 2

{
  "@type": "OAuthClient",
  "name": "Mobile App iOS",
  "clientId": "mobile_ios_xyz789",
  "clientType": "public",
  "applicationType": "mobile",
  "status": "active",
  "description": "iOS mobile application for customer access",
  "allowedGrantTypes": [
    "authorization_code",
    "refresh_token"
  ],
  "redirectUris": [
    "com.example.app://callback",
    "com.example.app://oauth/callback"
  ],
  "allowedScopes": [
    "openid",
    "profile",
    "email",
    "api:read",
    "offline_access"
  ],
  "defaultScopes": [
    "openid",
    "profile",
    "email"
  ],
  "audience": [
    "https://api.example.com"
  ],
  "tokenEndpointAuthMethod": "none",
  "requirePkce": true,
  "requireConsent": false,
  "isFirstParty": true,
  "accessTokenLifetimeSeconds": 3600,
  "refreshTokenLifetimeSeconds": 7776000,
  "idTokenLifetimeSeconds": 3600,
  "allowRefreshToken": true,
  "allowOfflineAccess": true,
  "logoUri": "https://cdn.example.com/mobile-logo.png",
  "homepageUri": "https://example.com/mobile",
  "privacyPolicyUri": "https://example.com/privacy",
  "termsOfServiceUri": "https://example.com/terms",
  "registeredAt": "2024-02-01T14:00:00Z",
  "lastUsedAt": "2024-11-22T15:10:00Z",
  "metadata": {
    "appStoreId": "123456789",
    "bundleId": "com.example.app",
    "minimumVersion": "2.0.0"
  }
}

Example 3

{
  "@type": "OAuthClient",
  "name": "Backend Data Sync Service",
  "clientId": "service_datasync_def789",
  "clientSecret": "secret_service_a9b8c7d6e5f4g3h2",
  "clientType": "service",
  "applicationType": "service",
  "status": "active",
  "description": "Background service for data synchronization with partner systems",
  "allowedGrantTypes": [
    "client_credentials"
  ],
  "redirectUris": [],
  "allowedScopes": [
    "api:read",
    "api:write",
    "data:sync"
  ],
  "defaultScopes": [
    "api:read"
  ],
  "audience": [
    "https://api.example.com"
  ],
  "tokenEndpointAuthMethod": "client_secret_basic",
  "requirePkce": false,
  "requireConsent": false,
  "isFirstParty": true,
  "accessTokenLifetimeSeconds": 7200,
  "refreshTokenLifetimeSeconds": null,
  "allowRefreshToken": false,
  "allowOfflineAccess": false,
  "registeredAt": "2024-03-10T09:00:00Z",
  "lastUsedAt": "2024-11-22T15:45:00Z",
  "metadata": {
    "serviceType": "background-worker",
    "environment": "production"
  }
}

Example 4

{
  "@type": "OAuthClient",
  "name": "Partner Integration - Acme Corp",
  "clientId": "partner_acme_ghi012",
  "clientSecret": "secret_partner_z1y2x3w4v5u6t7s8",
  "clientType": "confidential",
  "applicationType": "web",
  "status": "active",
  "description": "Third-party partner application for Acme Corp integration",
  "organization": {
    "@type": "Organization",
    "name": "Acme Corporation"
  },
  "allowedGrantTypes": [
    "authorization_code",
    "refresh_token"
  ],
  "redirectUris": [
    "https://acme.com/oauth/callback"
  ],
  "allowedScopes": [
    "openid",
    "profile",
    "email",
    "api:read"
  ],
  "defaultScopes": [
    "openid",
    "profile"
  ],
  "audience": [
    "https://api.example.com"
  ],
  "tokenEndpointAuthMethod": "client_secret_post",
  "requirePkce": true,
  "requireConsent": true,
  "isFirstParty": false,
  "accessTokenLifetimeSeconds": 1800,
  "refreshTokenLifetimeSeconds": 604800,
  "idTokenLifetimeSeconds": 1800,
  "allowRefreshToken": true,
  "allowOfflineAccess": false,
  "logoUri": "https://acme.com/logo.png",
  "homepageUri": "https://acme.com",
  "privacyPolicyUri": "https://acme.com/privacy",
  "termsOfServiceUri": "https://acme.com/terms",
  "postLogoutRedirectUris": [
    "https://acme.com/logout"
  ],
  "registeredAt": "2024-05-20T11:30:00Z",
  "lastUsedAt": "2024-11-21T10:15:00Z",
  "metadata": {
    "partnerType": "reseller",
    "partnerId": "ACME-001"
  }
}

Example 5

{
  "@type": "OAuthClient",
  "name": "Single Page App - Dashboard",
  "clientId": "spa_dashboard_jkl345",
  "clientType": "public",
  "applicationType": "spa",
  "status": "active",
  "description": "Single-page application for analytics dashboard",
  "allowedGrantTypes": [
    "authorization_code"
  ],
  "redirectUris": [
    "https://dashboard.example.com/callback"
  ],
  "allowedScopes": [
    "openid",
    "profile",
    "email",
    "analytics:read"
  ],
  "defaultScopes": [
    "openid",
    "profile"
  ],
  "audience": [
    "https://api.example.com"
  ],
  "tokenEndpointAuthMethod": "none",
  "requirePkce": true,
  "requireConsent": false,
  "isFirstParty": true,
  "accessTokenLifetimeSeconds": 900,
  "refreshTokenLifetimeSeconds": null,
  "idTokenLifetimeSeconds": 900,
  "allowRefreshToken": false,
  "allowOfflineAccess": false,
  "logoUri": "https://dashboard.example.com/logo.svg",
  "homepageUri": "https://dashboard.example.com",
  "allowedOrigins": [
    "https://dashboard.example.com"
  ],
  "postLogoutRedirectUris": [
    "https://dashboard.example.com/"
  ],
  "registeredAt": "2024-06-15T13:00:00Z",
  "lastUsedAt": "2024-11-22T15:20:00Z",
  "metadata": {
    "frameworkVersion": "React 18.2.0",
    "deploymentType": "static-hosting"
  }
}