---
title: Supported client metadata
description: PingFederate supports various client metadata, as described in the following table.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_supp_client_metadata
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_supp_client_metadata.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 23, 2023
section_ids:
  related-links: Related links
---

# Supported client metadata

PingFederate supports various client metadata, as described in the following table.

| Metadata field                                     | Metadata description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| client\_name | A descriptive name for the client instance. This name appears when the user is prompted for authorization. |
| token\_endpoint\_auth\_method | The client authentication method. PingFederate accepts the following values:<br>- `none`<br>- `client_secret_basic`<br>- `client_secret_post`<br>- `tls_client_auth`. Learn more in [Mutual TLS Profiles for OAuth clients](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-01).<br>- `private_key_jwt`. For more information, see [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).<br>- `client_secret_jwt`. For more information, see [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). |
| tls\_client\_auth\_subject\_dn | The subject DN of the client certificate. This field is required if `tls_client_auth` is the value of the `token_endpoint_auth_method` parameter. |
| token\_endpoint\_auth\_signing\_alg | The signing algorithm that the client must use to sign the JSON Web Token (JWT) for client authentication. This field applies only when the `token_endpoint_auth_method` parameter is provided with a value of `private_key_jwt` or `client_secret_jwt`.<br>For `private_key_jwt`, PingFederate accepts the following values:<br>- `RS256` - RSA using SHA-256<br>- `RS384` - RSA using SHA-384<br>- `RS512` - RSA using SHA-512<br>- `ES256` - ECDSA using P256 Curve and SHA-256<br>- `ES384` - ECDSA using P384 Curve and SHA-384<br>- `ES512` - ECDSA using P521 Curve and SHA-512<br>- `PS256` - RSASSA-PSS using SHA-256<br>- `PS384` - RSASSA-PSS using SHA-384<br>- `PS512` - RSASSA-PSS using SHA-512<br>RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. For more information on HSM integration and static keys, see Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively.<br>For `client_secret_jwt`, PingFederate accepts the following values:<br>- `HS256` - HMAC using SHA-256<br>- `HS384` - HMAC using SHA-384<br>- `HS512` - HMAC using SHA-512<br>If this parameter is not provided, the client can use any of the supported signing algorithms. |
| request\_object\_signing\_alg | The signing algorithm that the client must use to sign its request objects for transmission of request parameters. Applicable only when the client might send its authorization requests using request objects. PingFederate accepts the following values:<br>- `RS256` - RSA using SHA-256<br>- `RS384` - RSA using SHA-384<br>- `RS512` - RSA using SHA-512<br>- `HS256` - HMAC using SHA-256<br>- `HS384` - HMAC using SHA-384<br>- `HS512` - HMAC using SHA-512<br>- `ES256` - ECDSA using P256 Curve and SHA-256<br>- `ES384` - ECDSA using P384 Curve and SHA-384<br>- `ES512` - ECDSA using P521 Curve and SHA-512<br>- `PS256` - RSASSA-PSS using SHA-256<br>- `PS384` - RSASSA-PSS using SHA-384<br>- `PS512` - RSASSA-PSS using SHA-512<br>RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. For more information on HSM integration and static keys, see Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively.<br>When this parameter is not provided, the client can use any of the supported signing algorithms. For more information about request objects, see [RFC 9101: JWT Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/rfc9101/). |
| jwks\_uri and jwks | The URL of the JSON Web Key Set (JWKS) or the actual JWKS from the client.<br>If the client is configured to use the `private_key_jwt` or `client_secret_jwt` client authentication method, to transmit request parameters in signed request objects, or to transmit CIBA request parameters in signed request objects, only one of the previous values is required for PingFederate to verify the authenticity of the JWTs.<br>Either value can be defined even if the client is not configured to use JWTs for authentication or transmission of request parameters. This flexibility allows the client to transmit request parameters in signed request objects for some requests and without the use of signed request objects for some other transactions. You can find more information on runtime processing in [Authorization endpoint](../developers_reference_guide/pf_authorization_endpoint.html).<br>If the client signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must be deployed to run in a Java 8 or Java 11 runtime environment, or integrated with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. You can find more information on HSM integration and static keys in [Supported hardware security modules](../getting_started_with_pingfederate/pf_supported_hardware_security_modules.html) and [Keys for OAuth and OpenID Connect](help_jwksendpointtasklet_jwksendpointkeysstate.html), respectively.<br>If the client is configured to encrypt ID tokens using an asymmetric encryption algorithm, either the JWKS URL or the actual JWKS must be provided. See the **ID Token Key Management Encryption Algorithm** setting. |
| redirect\_uris | An array of one or more redirect URIs where the OAuth AS may redirect the resource owner's user agent after authorization is obtained. The authorization code and implicit grant types require at least one redirect URI. |
| logo\_uri                                          | The location of the logo used on user-facing OAuth grant authorization and revocation pages. For best results with the installed HTML templates, the recommended size is 72 x 72 pixels.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| scope                                              | A space-separated list of one or more scopes, which a client can request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| grant\_types | An array of one or more grant types, which a client can request. PingFederate accepts the following values:<br>- `authorization_code`<br>- `implicit`<br>- `refresh_token`<br>- `client_credentials`<br>- `urn:ietf:params:oauth:grant-type:device_code`<br>- `urn:openid:params:grant-type:ciba`<br>- `password`<br>- `extension` (JWT Bearer Token or SAML 2.0 Bearer Assertion)<br>You can find more information about each grant type in [Grant types](../introduction_to_pingfederate/pf_grant_types.html). |
| response\_types | An array of one or more response types, which a client can request. PingFederate accepts the following values:<br>- `code`<br>- `code id_token`<br>- `code id_token token`<br>- `code token`<br>- `id_token`<br>- `id_token token`<br>- `none`<br>- `token`<br>You can find more information about these response types in [Definitions of Multiple-Valued Response Type Combinations](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations).<br>If one or more response types are specified, the resulting client is only allowed to send one of the specified response types at runtime. Requests from this client with other response types will be rejected.<br>Response type and grant type parameters must be provided in tandem because certain response types require one or more grant types, and vice versa. The following list summarizes their relationship as response type: grant types.<br>- `code`: `authorization_code`<br>- `code id_token`: `authorization_code` and `implicit`<br>- `code id_token token`: `authorization_code` and `implicit`<br>- `code token`: `authorization_code` and `implicit`<br>- `id_token`: `implicit`<br>- `id_token token`: `implicit`<br>- `token`: `implicit` |
| id\_token\_signed\_response\_alg | The JSON Web Signature (JWS) algorithm required for the OpenID Connect (OIDC) tokens. Allowed values:<br>- `none` - No signing algorithm<br>- `HS256` - HMAC using SHA-256<br>- `HS384` - HMAC using SHA-384<br>- `HS512` - HMAC using SHA-512<br>- `ES256` - ECDSA using P256 Curve and SHA-256<br>- `ES384` - ECDSA using P384 Curve and SHA-384<br>- `ES512` - ECDSA using P521 Curve and SHA-512<br>- `RS256` - RSA using SHA-256<br>- `RS384` - RSA using SHA-384<br>- `RS512` - RSA using SHA-512<br>- `PS256` - RSASSA-PSS using SHA-256<br>- `PS384` - RSASSA-PSS using SHA-384<br>- `PS512` - RSASSA-PSS using SHA-512<br>RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. For more information on HSM integration and static keys, see Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively.<br>If static keys for OAuth and OpenID Connect are enabled, use either an RSA algorithm or an EC algorithm that has been configured with an active static key. |
| id\_token\_encrypted\_response\_alg | The algorithm used to encrypt or otherwise determine the value of the content encryption key. Allowed values:<br>- `dir` - Direct Encryption with symmetric key<br>- `A128KW` - AES-128 Key Wrap<br>- `A192KW` - AES-192 Key Wrap<br>- `A256KW` - AES-256 Key Wrap<br>- `A128GCMKW` - AES-GCM-128 key encryption<br>- `A192GCMKW` - AES-GCM-192 key encryption<br>- `A256GCMKW` - AES-GCM-256 key encryption<br>- `ECDH-ES` - ECDH-ES<br>- `ECDH-ES+A128KW` - ECDH-ES with AES-128 Key Wrap<br>- `ECDH-ES+A192KW` - ECDH-ES with AES-192 Key Wrap<br>- `ECDH-ES+A256KW` - ECDH-ES with AES-256 Key Wrap<br>- `RSA-OAEP` - RSAES-OAEP<br>- `RSA-OAEP-256` - RSAES OAEP using SHA-256 and MGF1 with SHA-256 |
| id\_token\_encrypted\_response\_enc | The content encryption algorithm used to perform authenticated encryption on the plain text payload of the token. Required if an algorithm is provided through the `id_token_encrypted_response_alg` parameter. Allowed values:<br>- `A128CBC-HS256` - Composite AES-CBC-128 HMAC-SHA-256<br>- `A192CBC-HS384` - Composite AES-CBC-192 HMAC-SHA-384<br>- `A256CBC-HS512` - Composite AES-CBC-256 HMAC-SHA-512<br>- `AES-GCM-128` - A128GCM<br>- `AES-GCM-192` - A192GCM<br>- `AES-GCM-256` - A256GCM |
| introspection\_signing\_alg\_values (optional) | The JSON Web Signature (JWS) algorithm used to sign the token introspection response. Allowed values:<br>- `HS256` - HMAC using SHA-256<br>- `HS384` - HMAC using SHA-384<br>- `HS512` - HMAC using SHA-512<br>- `RS256` - RSA using SHA-256<br>- `RS384` - RSA using SHA-384<br>- `RS512` - RSA using SHA-512<br>- `ES256` - ECDSA using P256 Curve and SHA-256<br>- `ES384` - ECDSA using P384 Curve and SHA-384<br>- `ES512` - ECDSA using P521 Curve and SHA-512<br>- `PS256` - RSASSA-PSS using SHA-256<br>- `PS384` - RSASSA-PSS using SHA-384<br>- `PS512` - RSASSA-PSS using SHA-512<br>RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. For more information on HSM integration and static keys, see Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively.<br>The default value is `RS256`. **None** is not an allowed value. |
| introspection\_encryption\_alg\_values (optional) | The JSON Web Encryption (JWE) algorithm used to encrypt the content-encryption key of the token introspection response. Allowed values:<br>- `DIR` - Direct Encryption with symmetric key<br>- `A128KW` - AES-128 Key Wrap<br>- `A192KW` - AES-192 Key Wrap<br>- `A256KW` - AES-256 Key Wrap<br>- `A128GCMKW` - AES-GCM-128 key encryption<br>- `A192GCMKW` - AES-GCM-192 key encryption<br>- `A256GCMKW` - AES-GCM-256 key encryption<br>- `ECDH_ES` - ECDH-ES<br>- `ECDH_ES_A128KW` - ECDH-ES with AES-128 Key Wrap<br>- `ECDH_ES_A192KW` - ECDH-ES with AES-192 Key Wrap<br>- `ECDH_ES_A256KW` - ECDH-ES with AES-256 Key Wrap<br>- `RSA_OAEP` - RSAES-OAEP<br>- `RSA_OAEP_256` - RSAES-OAEP using SHA-256<br>If asymmetric type, a JWKS or JWKS URL is required and must be valid. If symmetric type, the reversible secret is required. |
| introspection\_encryption\_enc\_values | The JSON Web Encryption (JWE) content-encryption algorithm for the token introspection response. Allowed values:

- `AES_128_CBC_HMAC_SHA_256` - Composite AES-CBC-128 HMAC-SHA-256

- `AES_192_CBC_HMAC_SHA_384` - Composite AES-CBC-192 HMAC-SHA-384

- `AES_256_CBC_HMAC_SHA_512` - Composite AES-CBC-256 HMAC-SHA-512

- `AES_128_GCM` - Composite A128GCM

- `AES_192_GCM` - Composite A192GCM

- `AES_256_GCM` - Composite A256GCM

This field is required if introspection\_signing\_alg\_values\_supported is specified. This field must be empty if introspection\_signing\_alg\_values\_supported is not specified. |
| backchannel\_token\_delivery\_mode | The token delivery method that the client supports. PingFederate supports poll and ping. Set to `poll` if the client can check for the authorization results periodically at the token endpoint. Set to `ping` if the client prefers to wait for a ping callback message from PingFederate as a signal that the authorization result is ready for pickup. If this parameter is not provided and the CIBA grant type is enabled, the poll method is assumed. |
| backchannel\_client\_notification\_endpoint | The client's notification endpoint, to which PingFederate sends its ping callback messages. Required only if `ping` is the configured token delivery method. |
| backchannel\_authentication\_request\_signing\_alg | The signing algorithm that the client must use to sign its request objects for transmission of request parameters. PingFederate accepts the following values:

- `RS256` - RSA using SHA-256

- `RS384` - RSA using SHA-384

- `RS512` - RSA using SHA-512

- `HS256` - HMAC using SHA-256

- `HS384` - HMAC using SHA-384

- `HS512` - HMAC using SHA-512

- `ES256` - ECDSA using P256 Curve and SHA-256

- `ES384` - ECDSA using P384 Curve and SHA-384

- `ES512` - ECDSA using P521 Curve and SHA-512

- `PS256` - RSASSA-PSS using SHA-256

- `PS384` - RSASSA-PSS using SHA-384

- `PS512` - RSASSA-PSS using SHA-512

RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. For more information on HSM integration and static keys, see Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively. If this parameter is not provided and the CIBA grant type is enabled, the client can use any of the allowed signing algorithms. |
| backchannel\_user\_code\_parameter | Indicates whether the client supports user code. The purpose of this code is to authorize the transmission of an authentication request to the user's authentication device. A valid value is either `true` or `false`. If this parameter is not provided and the CIBA grant type is enabled, user code support is not enabled. When user code support is enabled, the associated CIBA request policy must also be user code enabled. |
| sector\_identifier\_uri                            | A URL using the HTTPS scheme that references a JSON file containing an array of `redirect_uri` values. For more information, see ["sector\_identifier\_uri" Validation](https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| subject\_type                                      | The type of subject used by the sector identifier, such as `public` or `pairwise`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

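The CIBA and `sector_identifier_uri` rules from the table, written as a check to run on a registration body before it is submitted. This is an added example, not PingFederate code: the function name `check_ciba_metadata`, the sample bodies and the `client.example` URLs are constructed, and it assumes the CIBA grant type is enabled and that `backchannel_user_code_parameter` is sent as a JSON boolean.

```python
import json
from urllib.parse import urlsplit

# Values copied from the table above.
DELIVERY_MODES = ("poll", "ping")
REQUEST_SIGNING_ALGS = (
    "RS256", "RS384", "RS512", "HS256", "HS384", "HS512",
    "ES256", "ES384", "ES512", "PS256", "PS384", "PS512",
)

def check_ciba_metadata(meta):
    """Return (effective_settings, errors) for a client with the CIBA grant enabled."""
    errors = []
    # Absent delivery mode: the poll method is assumed.
    mode = meta.get("backchannel_token_delivery_mode", "poll")
    if mode not in DELIVERY_MODES:
        errors.append(f"backchannel_token_delivery_mode: unsupported value {mode!r}")
    # The notification endpoint is required only when ping is the delivery mode.
    if mode == "ping" and not meta.get("backchannel_client_notification_endpoint"):
        errors.append("backchannel_client_notification_endpoint: required for ping")
    # Absent signing algorithm: the client can use any of the allowed algorithms.
    alg = meta.get("backchannel_authentication_request_signing_alg")
    if alg is not None and alg not in REQUEST_SIGNING_ALGS:
        errors.append(f"backchannel_authentication_request_signing_alg: {alg!r} not accepted")
    # Absent user-code flag: user code support is not enabled.
    user_code = meta.get("backchannel_user_code_parameter", False)
    if not isinstance(user_code, bool):  # assumption: sent as a JSON boolean
        errors.append("backchannel_user_code_parameter: must be true or false")
    # The sector identifier must be a URL using the HTTPS scheme.
    uri = meta.get("sector_identifier_uri")
    if uri is not None:
        parts = urlsplit(str(uri))
        if parts.scheme != "https" or not parts.netloc:
            errors.append("sector_identifier_uri: must be an HTTPS URL")
    effective = {"delivery_mode": mode, "request_signing_alg": alg or "any allowed",
                 "user_code": user_code is True}
    return effective, errors

# Constructed sample registration bodies (not taken from PingFederate).
GOOD = json.loads('{"backchannel_token_delivery_mode": "ping",'
                  ' "backchannel_client_notification_endpoint": "https://client.example/cb",'
                  ' "backchannel_authentication_request_signing_alg": "PS256",'
                  ' "backchannel_user_code_parameter": true,'
                  ' "sector_identifier_uri": "https://client.example/redirects.json"}')
BAD = json.loads('{"backchannel_token_delivery_mode": "ping",'
                 ' "backchannel_authentication_request_signing_alg": "none",'
                 ' "backchannel_user_code_parameter": "yes",'
                 ' "sector_identifier_uri": "http://client.example/redirects.json"}')
```
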
## Related links

* [OAuth 2.0 Dynamic Client Registration Protocol, Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591/#autoid-5)

* [OpenID Connect Dynamic Client Registration, Client Metadata (openid.net/specs/openid-connect-registration-1\_0.html#ClientMetadata)](https://openid.net/specs/openid-connect-registration-1_0.html)

* [Managing client configuration defaults](help_clientsettingstasklet_oauthdynamicclientregistrationdefaultsstate.html)
