ClientRegistration
A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.
The configuration includes the client credentials that are used to authenticate to the identity provider. The client credentials can be included directly in the configuration, or retrieved in some other way using an expression, described in Expressions.
Usage
{
  "name": string,
  "type": "ClientRegistration",
  "config": {
    "clientId": configuration expression<string>,
    "issuer": Issuer reference,
    "pkceMethod": configuration expression<string>,
    "scopes": [ configuration expression<string>, …],
    "registrationHandler": Handler reference,
    "authenticatedRegistrationHandler": Handler reference,
    "clientSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "skipSignatureVerification": configuration expression<boolean>
  }
}
Properties
clientId
"clientId": configuration expression<string>, required
The client_id obtained when registering with the Authorization Server. Expressions describes alternatives to setting this to a literal string.
When using a login page with an AuthorizationCodeOAuth2ClientFilter, the link to the /login endpoint must refer to a valid clientId identified by this property.
issuer
"issuer": Issuer reference, required
The provider configuration to use for this client registration. Provide the name of an Issuer defined in the heap or an inline Issuer configuration object.
pkceMethod
"pkceMethod": configuration expression<string>, optional
The Proof Key for Code Exchange (PKCE) code challenge method; one of:
- S256: Use a SHA256-based encoding of the code verifier.
- none: Disable PKCE.
Default: S256
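The following is an added Python example, not part of the original page and not IG's own implementation, showing what the S256 method actually computes on both sides of the flow: the client derives code_challenge = base64url(SHA-256(code_verifier)) for the authorization request, and the authorization server recomputes it at the token endpoint to check that the party redeeming the code is the one that started the flow. The "none" branch models the pkceMethod "none" setting, where no challenge is sent and the binding is lost. The RFC 7636 Appendix B test vector is used as sample input.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh, high-entropy code_verifier (32 random bytes -> 43 unreserved chars)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge(code_verifier: str, method: str = "S256"):
    """Client side: the code_challenge value sent on the authorization request.

    Returns None for method "none", i.e. PKCE disabled and no code_challenge parameter sent.
    """
    if method == "S256":
        return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "none":
        return None
    raise ValueError(f"unsupported pkceMethod {method!r}")


def token_endpoint_accepts(code_verifier, stored_challenge, method: str = "S256") -> bool:
    """Authorization-server side: recompute the challenge from the presented verifier
    and compare it in constant time with the one stored at authorization time."""
    if method == "none":
        # Nothing binds the authorization code to the client that requested it.
        return True
    if code_verifier is None or stored_challenge is None:
        return False
    return hmac.compare_digest(code_challenge(code_verifier, "S256"), stored_challenge)


# Constructed sample input: the RFC 7636 Appendix B vector
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    print("S256 challenge matches RFC vector:", code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    fresh = generate_code_verifier()
    print("round trip:", token_endpoint_accepts(fresh, code_challenge(fresh)))
    print("wrong verifier rejected:", not token_endpoint_accepts(generate_code_verifier(), code_challenge(fresh)))
```

The verifier is never sent on the front channel; only its hash is, so an authorization code observed in a redirect cannot be redeemed without the original verifier. That is the property given up when pkceMethod is set to "none".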
scopes
"scopes": array of configuration expression<string>, optional
Array of scope strings to present to the user for approval and to include in tokens for decisions about access to protected resources.
Default: Empty
registrationHandler
"registrationHandler": Handler reference, optional
HTTP client handler to invoke during client registration, to access endpoints that don’t require client authentication. Provide either the name of a Handler defined in the heap or an inline Handler configuration object.
Usually set this to the name of a ClientHandler configured in the heap or a Chain that ends in a ClientHandler.
Default: ClientHandler
authenticatedRegistrationHandler
"authenticatedRegistrationHandler": Handler reference, optional
HTTP client handler to invoke during client registration to access endpoints that require client authentication. Configure this property as a Chain with one of the following filters for client authentication:
For example:
{
  "name": "AuthenticatedRegistrationHandler",
  "type": "Chain",
  "config": {
    "handler": "ForgeRockClientHandler",
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "service-client",
          "clientSecretId": "client.secret.id",
          "secretsProvider": "SystemAndEnvSecretStore-1"
        }
      }
    ]
  }
}
Default: registrationHandler with no authentication filter
clientSecretId
"clientSecretId": configuration expression<secret-id>, required to verify ID tokens with HMAC-based signatures
The secret ID of the client secret.
Set this for ID token validation when the OpenID provider signs ID tokens using an HMAC algorithm. In addition, use a "secretsProvider" to access the client secret.
This secret ID must point to a GenericSecret.
secretsProvider
"secretsProvider": SecretsProvider reference, required to verify ID tokens with HMAC-based signatures
The SecretsProvider to query for the client’s GenericSecret.
When the OpenID provider signs ID tokens using an HMAC algorithm, use this provider to access the "clientSecretId".
skipSignatureVerification
"skipSignatureVerification": configuration expression<boolean>, optional
A flag for signature validation of OpenID Connect ID tokens:
- true: Don’t validate signatures. Before using the value true, consider the security impact on your deployment. Use only when the connection between the Issuer and Client is direct and well secured.
- false: Validate signatures.
Default: false
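The following is an added Python example, not part of the original page and not IG's own validation code, illustrating the clientSecretId/secretsProvider and skipSignatureVerification properties together. When the provider signs ID tokens with HS256, the client secret is the HMAC key, so the client needs it to verify the signature; with verification skipped, the same checker accepts a token whose sub claim was rewritten after signing. The secret, issuer, client_id and claims are constructed values for the demo, and the clock is fixed so the result is deterministic.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; in IG these come from secretsProvider / the Issuer configuration
CLIENT_SECRET = "constructed-client-secret-for-demo"
ISSUER = "https://issuer.example.com/oauth2"
CLIENT_ID = "ig-client"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 300}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Provider side: an HS256 ID token keyed with the shared client secret."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    tag = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_hs256_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                          *, skip_signature_verification: bool = False, now=None) -> dict:
    """Client side: signature check (unless skipped) followed by iss/aud/exp checks.
    Raises ValueError on any failure; returns the claims on success."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if not skip_signature_verification:
        # Pin the algorithm; never let the token choose it.
        if header.get("alg") != "HS256":
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        expected = hmac.new(client_secret.encode("utf-8"),
                            f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("ID token signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else (aud or [])):
        raise ValueError("client_id not in aud")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims


def with_modified_subject(token: str, new_sub: str) -> str:
    """Negative test input: rewrite sub but keep the original signature (constructed for the demo)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return ".".join([header_b64, _json_segment(claims), sig_b64])


def demo() -> dict:
    """Returns what each configuration accepts: genuine token, modified token with and without verification."""
    token = sign_hs256_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    modified = with_modified_subject(token, "mallory")
    try:
        verify_hs256_id_token(modified, CLIENT_SECRET, ISSUER, CLIENT_ID, now=NOW)
        modified_rejected = False
    except ValueError:
        modified_rejected = True
    return {
        "genuine_sub": verify_hs256_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, now=NOW)["sub"],
        "modified_rejected_when_verifying": modified_rejected,
        "modified_sub_when_skipping": verify_hs256_id_token(
            modified, CLIENT_SECRET, ISSUER, CLIENT_ID, skip_signature_verification=True, now=NOW)["sub"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last entry of demo() is the cost of skipSignatureVerification set to true: every iss/aud/exp check still runs, but nothing ties the claims to the Issuer, so the setting only makes sense on the direct, well-secured Issuer-to-client connection the property description requires.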
Example
Learn more in AM as OIDC provider.