---
title: ClientRegistration
description: A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.
component: pinggateway
version: 2026
page_id: pinggateway:reference:ClientRegistration
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/ClientRegistration.html
revdate: 2025-07-03T11:49:01Z
section_ids:
  ClientRegistration-usage: Usage
  ClientRegistration-properties: Properties
  ClientRegistration-clientId: clientId
  ClientRegistration-issuer: issuer
  ClientRegistration-pkceMethod: pkceMethod
  ClientRegistration-scopes: scopes
  ClientRegistration-registrationHandler: registrationHandler
  ClientRegistration-authenticatedRegistrationHandler: authenticatedRegistrationHandler
  ClientRegistration-clientSecretId: clientSecretId
  ClientRegistration-secretsProvider: secretsProvider
  ClientRegistration-skipSignatureVerification: skipSignatureVerification
  ClientRegistration-example: Example
  ClientRegistration-moreinfo: More information
---

# ClientRegistration

A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.

The configuration includes the client credentials used to authenticate to the identity provider. You can include the client credentials directly in the configuration, or retrieve them with an expression, as described in [Expressions](Expressions.html#Expressions).

## Usage

```none
{
  "name": string,
  "type": "ClientRegistration",
  "config": {
    "clientId": configuration expression<string>,
    "issuer": Issuer reference,
    "pkceMethod": configuration expression<string>,
    "scopes": [ configuration expression<string>, … ],
    "registrationHandler": Handler reference,
    "authenticatedRegistrationHandler": Handler reference,
    "clientSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "skipSignatureVerification": configuration expression<boolean>
  }
}
```

## Properties

### clientId

`"clientId"`: *configuration expression<[string](preface.html#definition-string)>, required*

The `client_id` obtained when registering with the Authorization Server. [PingGateway expressions](Expressions.html) describes alternatives to setting this to a literal string.

When using a login page with an [AuthorizationCodeOAuth2ClientFilter](AuthorizationCodeOAuth2ClientFilter.html), the link to the `/login` endpoint must refer to a valid `clientId` identified by this property.

### issuer

`"issuer"`: *Issuer [reference](preface.html#definition-reference), required*

The provider configuration to use for this client registration. Provide the name of an [Issuer](Issuer.html) defined in the heap or an inline Issuer configuration object.

### pkceMethod

`"pkceMethod"`: *configuration expression<[string](preface.html#definition-string)>, optional*

The [Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html) code challenge method; one of:

* `S256`: Use a SHA256-based encoding of the code verifier.

* `none`: Disable PKCE.

Default: `S256`
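
The `S256` transformation defined in RFC 7636, shown as an added example (not PingGateway code). The function names are illustrative, and the test vector is the one in RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random octets give a 43-character verifier (RFC 7636, section 4.1)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization Server check when the authorization code is redeemed."""
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    verifier = new_code_verifier()       # kept by the client, never sent up front
    challenge = s256_challenge(verifier)  # sent with the authorization request
    print("code_challenge_method=S256 code_challenge=" + challenge)
    print("client with verifier:", token_endpoint_accepts(challenge, verifier))
    print("party with code only:", token_endpoint_accepts(challenge, new_code_verifier()))
```

With `pkceMethod` set to `none`, no challenge is sent, so the authorization code alone is enough at the token endpoint.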

### scopes

`"scopes"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

Array of scope strings to present to the user for approval and to include in tokens for decisions about access to protected resources.

Default: Empty

### registrationHandler

`"registrationHandler"`: *Handler [reference](preface.html#definition-reference), optional*

HTTP client handler to invoke during client registration, to access endpoints that don't require client authentication. Provide either the name of a [Handler](Handlers.html) defined in the heap or an inline Handler configuration object.

Usually set this to the name of a [ClientHandler](ClientHandler.html) configured in the heap or a [Chain](Chain.html) that ends in a ClientHandler.

Default: [ClientHandler](ClientHandler.html)

### authenticatedRegistrationHandler

`"authenticatedRegistrationHandler"`: *Handler [reference](preface.html#definition-reference), optional*

HTTP client handler to invoke during client registration to access endpoints that require client authentication. Configure this property as a [Chain](Chain.html) with one of the following filters for client authentication:

* [ClientSecretBasicAuthenticationFilter](ClientSecretBasicAuthenticationFilter.html)

* [ClientSecretPostAuthenticationFilter](ClientSecretPostAuthenticationFilter.html)

* [EncryptedPrivateKeyJwtClientAuthenticationFilter](EncryptedPrivateKeyJwtClientAuthenticationFilter.html)

* [PrivateKeyJwtClientAuthenticationFilter](PrivateKeyJwtClientAuthenticationFilter.html)

The following example relies on server-side TLS to protect the client credentials:

```json
{
  "name": "AuthenticatedRegistrationHandler",
  "type": "Chain",
  "config": {
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "service-client",
          "clientSecretId": "client.secret.id",
          "secretsProvider": "SystemAndEnvSecretStore-1"
        }
      }
    ],
    "handler": "ForgeRockClientHandler"
  }
}
```

The following example uses a [ClientSecretBasicAuthenticationFilter](ClientSecretBasicAuthenticationFilter.html) with a [ClientHandler](ClientHandler.html) to add transaction IDs to requests and configure mutual TLS (mTLS). In the [ClientTlsOptions](ClientTlsOptions.html) configuration, the `SecretsKeyManager` holds the client keys and the `SecretsTrustManager` trusts the server CA certificates.

```json
{
  "name": "AuthenticatedRegistrationHandler",
  "type": "Chain",
  "config": {
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "service-client",
          "clientSecretId": "client.secret.id",
          "secretsProvider": "SystemAndEnvSecretStore-1"
        }
      }
    ],
    "handler": {
      "name": "mTlsClientHandler",
      "type": "Chain",
      "config": {
        "filters": [ "TransactionIdOutboundFilter" ],
        "handler": {
          "type": "ClientHandler",
          "config": {
            "tls": {
              "type": "ClientTlsOptions",
              "config": {
                "keyManager": [ "SecretsKeyManager" ],
                "trustManager": [ "SecretsTrustManager" ]
              }
            }
          }
        }
      }
    }
  }
}
```

Default: `registrationHandler` with no authentication filter

### clientSecretId

`"clientSecretId"`: *configuration expression\<secret-id>, required to verify ID tokens with HMAC-based signatures*

The secret ID of the client secret.

Set this for ID token validation when the OpenID provider signs ID tokens using an HMAC algorithm. In addition, use a `"secretsProvider"` to access the client secret.

This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

### secretsProvider

`"secretsProvider"`: *SecretsProvider reference, required to verify ID tokens with HMAC-based signatures*

The [SecretsProvider](SecretsProvider.html) to query for the client's [GenericSecret](../security-guide/keys.html#secret-types).

When the OpenID provider signs ID tokens using an HMAC algorithm, use this provider to access the `"clientSecretId"`.

### skipSignatureVerification

`"skipSignatureVerification"`: *configuration expression<[boolean](preface.html#definition-boolean)>, optional*

A flag for signature validation of OpenID Connect ID tokens:

* `true`: Don't validate signatures.

  Before using the value `true`, consider the security impact on your deployment. Use only when the connection between the Issuer and Client is direct and well secured.

* `false`: Validate signatures.

Default: `false`
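
The check that `clientSecretId` and `secretsProvider` make possible for HMAC-signed ID tokens, and what `skipSignatureVerification` removes, shown as an added example (not PingGateway code). It covers only the signature step, not `iss`, `aud` or expiry validation. All function names, the secret and the claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; in PingGateway the secret comes from the secretsProvider.
CLIENT_SECRET = b"constructed-client-secret"
SAMPLE_CLAIMS = {"iss": "https://op.example.com", "aud": "service-client", "sub": "alice"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_id_token(claims: dict, secret: bytes) -> str:
    """OpenID provider side: compact JWS signed with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(hs256(secret, header + '.' + payload))}"


def read_id_token(token: str, secret: bytes, skip_signature_verification: bool = False) -> dict:
    """Client side: return the claims; verify the HMAC unless told to skip it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if not skip_signature_verification:
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm, don't trust the header
        expected = hs256(secret, f"{header_b64}.{payload_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def altered_copy(token: str, **changes) -> str:
    """Constructed test input: the same token with claims changed after signing."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(b64url_decode(payload_b64)), **changes}
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

`read_id_token` rejects a token from `altered_copy` or one signed with a different secret, but returns the altered claims unchanged when `skip_signature_verification=True`.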

## Example

Learn more in [AM as OIDC provider](../gateway-guide/oidc-am.html).

## More information

[org.forgerock.openig.filter.oauth2.client.ClientRegistration](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/client/ClientRegistration.html)

[Issuer](Issuer.html)

[The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749)

[The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750)

[OpenID Connect](https://openid.net/developers/how-connect-works//)
