Application Configuration

General information related to application configuration.

Basic Information

  • Name - The name of the application will be used for logging and the consent screen.

  • Application Type - The type of application for which the settings are configured.

  • Client ID - Unique ID of the application.

  • Client Secrets - List of client secrets credentials to access the token endpoint.

  • Secret Type - A string that tells the secret validator what kind of secret to expect (e.g. "SharedSecret" or "X509CertificateThumbprint").

  • Secret Value - The value of the secret, interpreted by the secret validator according to the secret type (e.g. a password-like shared secret, or a certificate thumbprint that identifies a credential).

  • Hash Type - Hashing algorithm used to store and verify the secret. Applies only to secrets of type SharedSecret.

  • Expiration - Point in time after which this secret is no longer accepted.

  • Description - The description of the secret - useful for attaching some extra information to the secret.

  • Properties - Dictionary to hold any custom client-specific values as needed.

  • Key - Name of the custom property.

  • Value - Value of the custom property.

  • Description - A free text description of the application.
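The Client Secrets entries above are what the token endpoint checks when a confidential client authenticates. The following is an added example (not Porta's own code) of how a secret validator consumes those fields: it hashes the presented secret with the entry's Hash Type, compares in constant time, and refuses expired entries so that a rotated-out secret stops working on its expiration date. The stored-value format (Base64 of the raw digest), the "Sha256"/"Sha512" hash type names and the sample client record are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass
class ClientSecret:
    """One entry of the client's Client Secrets list (field names follow the page)."""
    secret_type: str                       # "SharedSecret" or "X509CertificateThumbprint"
    value: str                             # for SharedSecret: the stored hash (assumed Base64 of the digest)
    hash_type: Optional[str] = None        # "Sha256" or "Sha512" (assumed names); SharedSecret only
    expiration: Optional[datetime] = None  # None: the secret never expires
    description: str = ""


_HASHERS = {"Sha256": hashlib.sha256, "Sha512": hashlib.sha512}


def hash_shared_secret(plain: str, hash_type: str = "Sha256") -> str:
    """Hash a plaintext shared secret for storage, so the plaintext never sits in the client record."""
    if hash_type not in _HASHERS:
        raise ValueError(f"unsupported HashType: {hash_type}")
    digest = _HASHERS[hash_type](plain.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_shared_secret(secrets: Iterable[ClientSecret], presented: str,
                           now: Optional[datetime] = None) -> Optional[ClientSecret]:
    """Token-endpoint check: return the matching, unexpired SharedSecret entry, or None."""
    now = now or datetime.now(timezone.utc)
    for s in secrets:
        if s.secret_type != "SharedSecret":
            continue  # thumbprint secrets belong to a different validator (mTLS / private_key_jwt)
        if s.expiration is not None and s.expiration <= now:
            continue  # expired entries never match, even when the presented value is right
        candidate = hash_shared_secret(presented, s.hash_type or "Sha256")
        if hmac.compare_digest(candidate, s.value):  # constant-time compare of the encoded hashes
            return s
    return None


# Constructed sample client record: a secret rotated out last month (now expired), the current one,
# and a certificate thumbprint entry that the shared-secret validator must ignore.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CLIENT_SECRETS = [
    ClientSecret("SharedSecret", hash_shared_secret("old-rotated-secret", "Sha256"), "Sha256",
                 expiration=NOW - timedelta(days=1), description="rotated out"),
    ClientSecret("SharedSecret", hash_shared_secret("current-secret-2024", "Sha512"), "Sha512",
                 expiration=NOW + timedelta(days=90), description="current"),
    ClientSecret("X509CertificateThumbprint", "0123456789ABCDEF0123456789ABCDEF01234567",
                 description="mTLS client certificate"),
]
```

Keeping both the old and the new entry for an overlap window, with an Expiration on the old one, is what makes a zero-downtime secret rotation possible: clients can switch at their own pace, and the old value dies on the date in the record without anyone having to delete it.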

Application Properties

  • Application logo - Logo of the application, shown in the admin UI and on the user login screen.

  • Identity Provider Restrictions - List of external identity providers that users of this client are allowed to sign in with. An empty list allows all configured providers.

Advanced Settings

  • Require Request Object - Specifies whether this client needs to wrap the authorize request parameters in a JWT (defaults to false).

  • Require PKCE - Specifies whether clients using an authorization code-based grant type must send a proof key.

  • Allow Plain Text PKCE - Specifies whether clients using PKCE can use a plain-text code challenge instead of S256 (not recommended; defaults to false).

  • Allow Offline Access - Specifies whether this client can request refresh tokens (by requesting the offline_access scope).

  • Allow Access Token Via Browser - Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by preventing a hybrid-flow client that is supposed to use code id_token from adding the token response type and thus leaking the access token to the browser).

  • Front Channel Logout URL - Specifies the logout URI at the client for HTTP-based front-channel logout. See the OIDC Front-Channel spec for more details.

  • Front Channel Logout Session Required - Specifies if the user's session id should be sent to the FrontChannelLogoutUri. Defaults to true.

  • Back Channel Logout URL - Specifies logout URI at the client for HTTP-based back-channel logout. See the OIDC Back-Channel spec for more details.

  • Back Channel Logout Session Required - Specifies if the user's session id should be sent to the BackChannelLogoutUri. Defaults to true.

  • Enable Local Login - Specifies whether this client can use local accounts, or external IdPs only. Defaults to true.

  • Authorization Code Lifetime - Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes).

  • Absolute Refresh Token Lifetime - Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days.

  • Sliding Refresh Token Lifetime - Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days.

  • Refresh Token Usage:

    1. ReUse - the refresh token handle will stay the same when refreshing tokens.

    2. OneTime - the refresh token handle will be updated when refreshing tokens.

  • Refresh Token Expiration:

    1. Absolute - the refresh token will expire at a fixed point in time (specified by the AbsoluteRefreshTokenLifetime).

    2. Sliding - when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed AbsoluteRefreshTokenLifetime.
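The Require PKCE and Allow Plain Text PKCE settings above decide what the authorize endpoint accepts and what the token endpoint can verify. The following is an added example (not Porta's own code) of both halves of the exchange: the client derives a code_challenge from a random code_verifier, the server applies the two settings when the authorize request arrives, and later recomputes the challenge from the verifier presented with the authorization code. It also shows why "plain" is discouraged: the challenge is the verifier itself, so whoever observes the authorize request can redeem an intercepted code. The function names and the split into authorize/token checks are assumptions for the example; the S256 construction follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes give 43 chars; RFC 7636 allows 43..128)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str) -> str:
    """Client side: the code_challenge sent in the authorize request."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # the challenge IS the verifier: anyone who sees the authorize request has it
    raise ValueError(f"unknown code_challenge_method: {method}")


def authorize_accepts(challenge: Optional[str], method: Optional[str],
                      require_pkce: bool, allow_plain: bool) -> bool:
    """Server side, authorize endpoint: apply 'Require PKCE' and 'Allow Plain Text PKCE'."""
    if challenge is None:
        return not require_pkce  # no proof key at all: only acceptable when PKCE is optional
    if not 43 <= len(challenge) <= 128:
        return False
    if method == "plain":
        return allow_plain  # rejected here unless the client setting explicitly permits it
    return method == "S256"


def token_accepts(stored_challenge: str, stored_method: str,
                  presented_verifier: Optional[str]) -> bool:
    """Server side, token endpoint: recompute the challenge from the verifier that accompanies the code."""
    if presented_verifier is None or not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)
```

The stored challenge and method must be bound to the authorization code on the server (they are what the token endpoint compares against); the verifier itself never leaves the client until the token request.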
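The four refresh token settings above (the two lifetimes, Refresh Token Usage and Refresh Token Expiration) interact in ways that are easier to see in code than in prose. The following is an added example (not Porta's own code) that issues a refresh token and then handles a refresh_token grant under those settings: Sliding renews the window from the time of the refresh but never past the absolute cap, OneTime rotates the handle so a replayed old handle fails, and ReUse keeps it. Times are plain integer seconds and the in-memory store is constructed for the example; the defaults are the ones stated on the page.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RefreshTokenSettings:
    absolute_lifetime: int = 2_592_000  # 30 days (page default)
    sliding_lifetime: int = 1_296_000   # 15 days (page default)
    expiration: str = "Absolute"        # "Absolute" or "Sliding"
    usage: str = "OneTime"              # "OneTime" or "ReUse"


@dataclass(frozen=True)
class RefreshToken:
    handle: str         # opaque value the client presents at the token endpoint
    creation_time: int  # seconds since epoch; never changes, even when the lifetime is renewed
    lifetime: int       # seconds counted from creation_time


def expires_at(token: RefreshToken) -> int:
    return token.creation_time + token.lifetime


def issue_refresh_token(settings: RefreshTokenSettings, now: int) -> RefreshToken:
    """At issue, a Sliding token starts with the (shorter) sliding window, an Absolute one with the cap."""
    lifetime = settings.sliding_lifetime if settings.expiration == "Sliding" else settings.absolute_lifetime
    return RefreshToken(secrets.token_hex(16), now, min(lifetime, settings.absolute_lifetime))


def refresh(settings: RefreshTokenSettings, token: RefreshToken, now: int) -> RefreshToken:
    """Apply the page's rules to one refresh_token grant and return the token to hand back."""
    if now >= expires_at(token):
        raise ValueError("refresh token expired")
    new_lifetime = token.lifetime
    if settings.expiration == "Sliding":
        elapsed = now - token.creation_time
        new_lifetime = elapsed + settings.sliding_lifetime         # renew the window from now ...
        new_lifetime = min(new_lifetime, settings.absolute_lifetime)  # ... but never beyond the absolute cap
    handle = token.handle if settings.usage == "ReUse" else secrets.token_hex(16)
    return replace(token, handle=handle, lifetime=new_lifetime)


class RefreshTokenStore:
    """Minimal in-memory store keyed by handle (constructed for the example)."""

    def __init__(self) -> None:
        self._by_handle: dict[str, RefreshToken] = {}

    def put(self, token: RefreshToken) -> None:
        self._by_handle[token.handle] = token

    def redeem(self, settings: RefreshTokenSettings, handle: str, now: int) -> RefreshToken:
        token = self._by_handle.get(handle)
        if token is None:
            raise ValueError("unknown or already-consumed refresh token")
        new = refresh(settings, token, now)
        if settings.usage == "OneTime":
            del self._by_handle[handle]  # old handle is dead: a replayed one fails the lookup above
        self._by_handle[new.handle] = new
        return new
```

With OneTime usage a stolen handle is only good until its legitimate owner refreshes; with ReUse it stays valid for the whole lifetime, so ReUse should be paired with short absolute lifetimes.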

Application URLs

  • Application Callback URLs - After the user authenticates, Porta will only redirect back to one of these URLs. You can specify multiple valid URLs by typing each one in the input and pressing Enter. Make sure to include the protocol (https://), otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use https://.

  • Application Logout URLs - A set of URLs that are valid to redirect to after logout from Porta. After a user logs out from Porta you can redirect them with the returnTo query parameter. The URL that you use in returnTo must be listed here. You can specify multiple valid URLs by comma-separating them. You can use the star symbol as a wildcard for subdomains (*.google.com). Query strings and hash information are not taken into account when validating these URLs.

  • Allowed Origins (CORS) - Origins that are allowed to make JavaScript requests to the Porta API (typically used with CORS). By default, the origins of all your callback URLs are allowed. This field lets you add other origins if needed. You can specify multiple valid URLs by comma-separating them or by entering one per line. Query strings and hash information are not taken into account when validating these URLs. CORS origin URLs must use the https:// protocol and consist of scheme, host and optional port only, with no path or trailing characters (e.g. 'https://porta.com/' would be invalid).
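The three URL lists above are validated with three different rules: callback URLs by exact match, logout URLs with a subdomain wildcard and query/fragment ignored, and CORS origins as bare scheme+host(+port). The following is an added example (not Porta's own code) of those three checks side by side, with the inputs an attacker typically tries (appended query string, look-alike host suffix, scheme downgrade, parent domain against a wildcard). The function names and the sample URL lists are constructed for the example; the exact-match rule for callbacks is the standard OAuth recommendation and is assumed to be what the page's "only call back to any of these URLs" means.

```python
from typing import Iterable
from urllib.parse import urlsplit


def is_valid_callback_url(candidate: str, allowed: Iterable[str]) -> bool:
    """Callback URLs: exact string match only. No wildcards, no prefix match; query and fragment
    take part in the comparison, so nothing can be appended to a registered URL."""
    return candidate in set(allowed)


def is_acceptable_callback_scheme(url: str) -> bool:
    """https:// is required; the one exception is a custom scheme for native clients."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or scheme not in ("", "http")


def _host_matches(pattern_host: str, host: str) -> bool:
    """'*.example.com' matches hosts with at least one label before example.com; never example.com
    itself and never a different registrable domain such as evil-example.com."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def is_valid_logout_url(candidate: str, allowed_patterns: Iterable[str]) -> bool:
    """Post-logout redirect: scheme, host, port and path must match an entry;
    query string and fragment are ignored; '*' is allowed as a subdomain wildcard."""
    c = urlsplit(candidate)
    if not c.scheme or c.hostname is None:
        return False
    for pattern in allowed_patterns:
        p = urlsplit(pattern)
        if (p.scheme.lower() == c.scheme.lower()
                and p.port == c.port
                and _host_matches(p.hostname.lower(), c.hostname.lower())
                and (p.path or "/") == (c.path or "/")):
            return True
    return False


def is_wellformed_cors_origin(origin: str) -> bool:
    """An origin is scheme + host [+ port] and nothing else; 'https://porta.com/' (trailing slash) is invalid."""
    p = urlsplit(origin)
    return p.scheme == "https" and bool(p.netloc) and p.path == "" and p.query == "" and p.fragment == ""


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def is_allowed_cors_origin(origin: str, callback_urls: Iterable[str], extra_origins: Iterable[str]) -> bool:
    """CORS: origins of all http(s) callback URLs are allowed by default, plus well-formed extra entries.
    A malformed extra entry is ignored rather than normalised, so a typo cannot widen the allow-list."""
    allowed = {origin_of(u) for u in callback_urls if urlsplit(u).scheme.lower() in ("http", "https")}
    allowed |= {o.lower() for o in extra_origins if is_wellformed_cors_origin(o)}
    return origin.lower() in allowed


# Constructed sample configuration for a web client plus a native client.
CALLBACKS = ["https://app.example.com/callback", "com.example.app://callback"]
LOGOUT = ["https://*.example.com/loggedout", "https://portal.example.com:8443/"]
EXTRA_ORIGINS = ["https://admin.example.com", "https://porta.com/"]  # second entry is malformed
```

The asymmetry is deliberate: a callback URL receives the authorization code, so it gets the strictest rule, while a post-logout URL only controls where the browser lands afterwards and can tolerate a wildcard.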

Tokens

  • ID Token Expiration - Lifetime of identity token in seconds (defaults to 300 seconds / 5 minutes).

  • Allowed Identity Token Signing Algorithms - List of allowed signing algorithms for identity token. If empty will use the server default signing algorithm.

  • User SSO Lifetime - The maximum duration (in seconds) since the last time the user authenticated before this client requires the user to authenticate again instead of being signed in silently. Defaults to null (no limit).

  • Access Token Lifetime - Lifetime of access token in seconds (defaults to 300 seconds / 5 minutes).

  • Access Token Type - Specifies whether the access token is a reference token or a self-contained JWT token (defaults to JWT).

Properties

  • Update Access Token Claims on Refresh - Specifies whether the access token (and its claims) should be re-issued with current claim values on a refresh token request, rather than copied from the original token.

  • Include JWT ID - Specifies whether JWT access tokens should have an embedded unique ID (via the JTI claim).

  • Always Send Application Claims - If set, the client claims are sent for every flow. If not, only for the client credentials flow (defaults to false).

  • Always Include User Claims in ID Token - When both an ID token and an access token are requested, always include the user claims in the ID token instead of requiring the client to call the userinfo endpoint. Defaults to false.

  • Client Claims Prefix - If set, client claim types are prefixed with this value. Defaults to 'client_'. The intent is to make sure they don't accidentally collide with user claims.

  • Pair Wise Subject Salt - Salt value used in pair-wise subjectId generation for users of this client.
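Two of the properties above change what ends up in an issued token in ways worth seeing concretely: the Client Claims Prefix keeps a client-configured claim such as role from masquerading as the user's role, and the Pair Wise Subject Salt gives each client a different sub for the same user so two clients cannot correlate their users. The following is an added example (not Porta's own code) that assembles access token claims under the Always Send Application Claims, Client Claims Prefix and Pair Wise Subject Salt settings, and shows the collision that an empty prefix produces. The pairwise construction (SHA-256 over salt and user id, base64url-encoded) is modelled on the OIDC Core pairwise identifier algorithm and is an assumption; the page does not state which construction Porta uses.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

Claim = Tuple[str, str]  # (type, value); a token may carry several claims of the same type


@dataclass
class ClientConfig:
    client_id: str
    client_claims: List[Claim] = field(default_factory=list)
    always_send_client_claims: bool = False   # page default
    client_claims_prefix: str = "client_"     # page default
    pairwise_subject_salt: str = ""           # empty: the user's global subject id is used


def pairwise_subject(user_id: str, client: ClientConfig) -> str:
    """Per-client subject id (assumed construction): SHA-256 over salt and user id, base64url.
    Different salts give unlinkable subs for the same user; the same salt gives a stable sub."""
    if not client.pairwise_subject_salt:
        return user_id
    digest = hashlib.sha256(f"{client.pairwise_subject_salt}|{user_id}".encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_access_token_claims(client: ClientConfig, user_id: str, user_claims: List[Claim],
                              grant_type: str) -> List[Claim]:
    """Assemble claims under 'Always Send Application Claims' and 'Client Claims Prefix'."""
    claims: List[Claim] = [("client_id", client.client_id)]
    if grant_type != "client_credentials":       # client credentials has no user at all
        claims.append(("sub", pairwise_subject(user_id, client)))
        claims.extend(user_claims)
    if grant_type == "client_credentials" or client.always_send_client_claims:
        claims.extend((client.client_claims_prefix + t, v) for t, v in client.client_claims)
    return claims


def claim_values(claims: List[Claim], claim_type: str) -> List[str]:
    return [v for t, v in claims if t == claim_type]


# Constructed sample: a client configured with a 'role' client claim, and a user who only has role=user.
USER_CLAIMS: List[Claim] = [("role", "user"), ("email", "alice@example.com")]
SAFE_CLIENT = ClientConfig("web", client_claims=[("role", "admin")], always_send_client_claims=True)
UNSAFE_CLIENT = ClientConfig("web", client_claims=[("role", "admin")], always_send_client_claims=True,
                             client_claims_prefix="")
```

With the prefix cleared, an API that authorises on the role claim sees both "user" and "admin" and cannot tell which came from the user and which from the client record; the default prefix keeps them apart as role and client_role.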

Consent Screen

  • Require Consent - Specifies whether a consent screen is required. Defaults to true.

  • Allow Remember Consent - Specifies whether the user can choose to store consent decisions. Defaults to true.

  • Client URL - URI to further information about the client (used on consent screen).

  • Logo URL - URI to client logo (used on consent screen).

Device Flow

  • User Code Type - Specifies the type of user code to use for the client. If not set, falls back to the server default.

  • Device Code Lifetime - Lifetime of device code in seconds (defaults to 300 seconds / 5 minutes).