PingFederate Server

Configuring a Response Type Constraints instance

The Response Type Constraints policy plugin allows administrators to control which flows are allowed for clients created through the OAuth 2.0 Dynamic Client Registration protocol.

About this task

Configure an instance of the Response Type Constraints policy to limit which of the following response_types parameter values are allowed:

  • code

  • code id_token

  • code id_token token

  • code token

  • id_token

  • id_token token

  • token

For more information about flows and response types, see the OpenID Connect specification.

Steps

  1. Go to System → OAuth Settings → Client Registration Policies.

    Choose from:

    • To configure a new instance, click Create New Instance.

    • To modify an existing instance, select it under Instance Name.

  2. On the Type tab, enter a name and an ID for a new instance, and then select Response Type Constraints from the Type list.

    When modifying an existing policy plugin instance, you can only change the Instance Name field.

  3. On the Instance Configuration tab, clear the applicable check boxes to remove the unwanted response types.

    All response types are allowed by default.

  4. On the Summary tab, review the plugin configuration. Click Done.

  5. In the Client Registration Policy Instances window, click Save.

Result

Like other Client Registration Policy plugins, an instance of the Response Type Constraints policy plugin is neither enforced nor executed as part of the dynamic client registration process until it is selected in System → OAuth Settings → Client Registration Policies.

If it is selected in the Client Registration Policies window, PingFederate discards all restricted response types when processing client registrations. If no response type is allowed, PingFederate rejects the registration and returns an error message to the originator.
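The filtering behaviour described above, as an added illustration written for this page and not PingFederate's own code: an allowed set standing in for the check boxes on the Instance Configuration tab is applied to a constructed RFC 7591 registration request, restricted response types are dropped, and the registration is rejected when none remain. The `invalid_client_metadata` error code and the `code` default for an omitted `response_types` field are taken from RFC 7591 and are assumptions about how to model the request, not a description of PingFederate's actual output.

```python
"""Simulate the Response Type Constraints policy on a Dynamic Client
Registration (RFC 7591) request: keep only allowed response types and
reject the registration when none remain. Added illustration, not
PingFederate's own code."""
import json

# The seven response_type values the policy can allow or disallow, in
# canonical form (space-separated tokens sorted) so ordering never matters.
KNOWN_RESPONSE_TYPES = {
    "code", "code id_token", "code id_token token", "code token",
    "id_token", "id_token token", "token",
}

def canonical(response_type: str) -> str:
    """Normalize 'token id_token' and 'id_token token' to one form."""
    return " ".join(sorted(response_type.split()))

def apply_policy(request: dict, allowed: set[str]) -> dict:
    """Return the filtered registration, or an RFC 7591-style error.

    `allowed` mirrors the check boxes left selected on the Instance
    Configuration tab; a value outside the known seven is never allowed.
    """
    allowed_canonical = {canonical(a) for a in allowed} & KNOWN_RESPONSE_TYPES
    # RFC 7591 defaults response_types to ["code"] when omitted (assumption
    # about how to model the request, not a PingFederate behaviour).
    requested = request.get("response_types", ["code"])
    kept = [rt for rt in requested if canonical(rt) in allowed_canonical]
    if not kept:
        # Registration rejected; the error code is RFC 7591's (assumed).
        return {"error": "invalid_client_metadata",
                "error_description": "no allowed response_types remain"}
    return {**request, "response_types": kept}

# Constructed sample: a policy instance allowing only the authorization code
# flow, applied to a request that also asks for implicit/hybrid flows.
CODE_ONLY = {"code"}
SAMPLE_REQUEST = {
    "client_name": "example-spa",
    "redirect_uris": ["https://app.example.test/cb"],
    "response_types": ["code", "token id_token", "id_token"],
}

if __name__ == "__main__":
    print(json.dumps(apply_policy(SAMPLE_REQUEST, CODE_ONLY), indent=2))
    print(json.dumps(apply_policy({"response_types": ["token"]}, CODE_ONLY)))
```

With the default configuration (all seven types allowed) every known value passes through unchanged; tightening the allowed set only ever removes values from what the client registered.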