
Clients configuration | General configuration

Client attributes help manage the authorization capabilities for OAuth 2.0 and satellite flows. They provide a high level of customization, helping the server integrate seamlessly within existing infrastructures. These settings help adapt the flows, both from a business and a technical standpoint, to the use case being addressed.

Parameters sections

OAuth clients can be customized through either the Administration API or the user interface providing 4 categories of settings:

  • General configuration
  • Authentication
  • Security
  • Grant types

General configuration parameters

Id would be the identifier of the client; it will be used as the OAuth client_id parameter. Note that once the client is created, this value can't be changed.

Public client ID would be the identifier of the public client, linked to the issuer. To be active, it must have the BORUTA_OAUTH_BASE_URL environment variable value.

public clients

Public clients are used in Verifiable Credentials presentations. They are identified by a DID provided as the client_id in authorization requests and do not require authentication, as the identified resource owner is represented by the wallet, which is cryptographically verified.

Secret would be used as the client_secret parameter in OAuth flows.

Name would be accessible in the consent template to highlight the client to which the resource owner delegates access to the requested scopes.

Access token TTL would be the time to live of access tokens.

Authorization code TTL would be the time to live of codes during authorization code grant.

Refresh token TTL would be the time to live of refresh tokens, which help obtain newly generated access tokens.

Id token TTL would be the time to live of ID tokens, expressed in the exp JWT claim.

Authorization request TTL would be the time to live of the requests as described in RFC 9126 - OAuth 2.0 Pushed Authorization Requests.

Redirect URIs would be the allowed redirect URIs in OAuth / OpenID Connect flows.

Response mode determines whether Verifiable Credentials issuance and presentation deeplinks are redirections (same device) or displayed within an interface:

  • direct_post: the user is redirected with an HTTP 302
  • post: a QR code and a link are displayed to the user
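
The TTL and Redirect URIs settings above are the ones most worth reviewing before a client goes live. The following is an added example, not part of the boruta documentation or code base: a small audit over one client's settings. The key names are hypothetical snake_case versions of the form labels, TTLs are assumed to be in seconds, and the thresholds are example choices.

```python
from urllib.parse import urlsplit

# Constructed sample client; key names are hypothetical and TTLs are assumed
# to be expressed in seconds.
SAMPLE_CLIENT = {
    "redirect_uris": ["https://app.example.com/callback",
                      "http://app.example.com/callback",
                      "https://*.example.com/cb",
                      "https://app.example.com/cb#frag"],
    "authorization_code_ttl": 3600,
    "access_token_ttl": 86400,
    "refresh_token_ttl": 3600,
    "id_token_ttl": 3600,
    "authorization_request_ttl": 60,
}

# Review thresholds chosen for this example; only the 10-minute code lifetime
# comes from a standard (RFC 6749 section 4.1.2 recommends it as a maximum).
MAX_TTL = {"authorization_code_ttl": 600, "access_token_ttl": 3600,
           "id_token_ttl": 3600, "authorization_request_ttl": 600}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_redirect_uri(uri):
    """Return the reasons a registered redirect URI is risky (empty if none)."""
    parts, issues = urlsplit(uri), []
    if not parts.scheme:
        issues.append("relative URI")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK:
        issues.append("plain http outside loopback")
    if "*" in uri:  # wildcards widen the set of destinations that can receive codes
        issues.append("wildcard")
    if parts.fragment:
        issues.append("fragment")
    return issues

def audit_client(client):
    """Return (setting, finding) pairs for one client configuration."""
    findings = [(uri, issue) for uri in client.get("redirect_uris", [])
                for issue in audit_redirect_uri(uri)]
    for key, limit in MAX_TTL.items():
        if client.get(key, 0) > limit:
            findings.append((key, f"longer than {limit}s"))
    if client.get("refresh_token_ttl", 0) <= client.get("access_token_ttl", 0):
        findings.append(("refresh_token_ttl", "not longer than access_token_ttl"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_client(SAMPLE_CLIENT):
        print(f"{setting}: {finding}")
```
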

User interface

client form