On the Client Configuration Defaults screen, specify the default settings that are proprietary to PingFederate for clients created via the OAuth 2.0 Dynamic Client Registration protocol.

While these settings are shared among all clients created through dynamic client registration, they can be overridden by client registration policies enforced during dynamic client registration. Alternatively, you may modify the client configuration using the administrative console, the administrative API, or the OAuth Client Management Service after the client has been created.

  1. Go to the OAuth Server > Client Settings > Client Configuration Defaults screen.
  2. Optional: Modify the default values as needed.

    Refer to the following field descriptions for detailed information about each setting.

    Private Key JWT - Replay Prevention
    Determines whether PingFederate requires a unique signed JWT from the client for each request when the client is configured to authenticate via the private_key_jwt client authentication method, to transmit request parameters in signed request objects, or to do both.

    This check box is not selected by default.

    Note:

    The underlying Assertion Replay Prevention Service is cluster-aware (see Assertion Replay Prevention Service).
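The replay-prevention setting above amounts to remembering every jti a client has already presented until that assertion's own exp has passed. The following is an added, single-node illustration of that check (it is not PingFederate's Assertion Replay Prevention Service, which the page notes is cluster-aware); the `claims` argument is assumed to be the payload of a client JWT whose signature has already been verified, and the injectable clock exists only so the behaviour can be exercised offline.

```python
import time
from typing import Callable, Dict, Optional


class AssertionReplayCache:
    """Remember the jti of each accepted client assertion until its exp passes.

    Constructed stand-in for a replay-prevention service: a JWT with a jti that
    was already accepted is rejected for as long as that JWT is still valid.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._seen: Dict[str, float] = {}  # jti -> exp (epoch seconds)

    def _purge(self, now: float) -> None:
        # Entries whose assertion has expired can be dropped: a replay of one of
        # those is rejected by the exp check before the jti is consulted.
        for jti, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[jti]

    def accept(self, claims: dict) -> Optional[str]:
        """Return None if the assertion is fresh, otherwise the rejection reason.

        `claims` is assumed to be the already signature-verified JWT payload.
        """
        now = self._clock()
        self._purge(now)
        jti = claims.get("jti")
        exp = claims.get("exp")
        if not isinstance(jti, str) or not jti:
            return "missing jti"  # without a unique id, uniqueness cannot be enforced
        if not isinstance(exp, (int, float)):
            return "missing exp"  # without exp the cache could never forget the jti
        if exp <= now:
            return "expired"
        if jti in self._seen:
            return "replayed"
        self._seen[jti] = float(exp)
        return None


if __name__ == "__main__":
    cache = AssertionReplayCache()
    fresh = {"jti": "c0ffee-1", "exp": time.time() + 300}  # constructed claims
    print(cache.accept(fresh))   # None: first presentation is accepted
    print(cache.accept(fresh))   # "replayed": same jti presented again
```

Because the cache only has to hold a jti for the assertion's remaining lifetime, keeping client assertions short-lived bounds its size; a clustered deployment additionally has to share the seen set across nodes, which is what the page's cluster-aware service provides.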

    Require Signed Request
    Indicates whether the client must transmit request parameters in a single, self-contained parameter. The parameter name is request. The value of the request parameter is a signed JWT whose claims represent the request parameters of the authorization request. The OpenID Connect specification calls this JWT a request object.

    This check box is not selected by default.

    Default Access Token Manager
    The default Access Token Management (ATM) instance for this client.

    Persistent Grants Max Lifetime
    Overrides the Persistent Grant Max Lifetime field value set globally on the OAuth Server > Authorization Server Settings screen.
    Options are:
    • Use Global Setting (the default selection)
    • Grants Do Not Expire
    • A custom value in days, hours, or minutes.
    Note:

    This setting can be overridden per grant-mapping configuration through the use of an extended persistent grant attribute, PERSISTENT_GRANT_LIFETIME. The PERSISTENT_GRANT_LIFETIME attribute is defined on the OAuth Server > Authorization Server Settings screen. Once added, the lifetime of persistent grants can be set based on the outcome of attribute mapping expressions in individual grant-mapping configurations. Grant-mapping configurations that do not require this fine-grained control can be configured to use the default value.

    Persistent Grants Idle Timeout
    Overrides the Persistent Grant Idle Timeout field value set globally on the OAuth Server > Authorization Server Settings screen.
    Options are:
    • Use Global Setting (the default selection)
    • Grants Do Not Timeout Due To Inactivity
    • A custom value in days, hours, or minutes.

    If an idle timeout value is configured, the idle timeout window slides when a persistent grant is updated (see Persistent versus transient grants).

    When an idle timeout value is configured without a maximum lifetime, persistent grants remain valid until they expire due to inactivity, or are revoked or removed. When an idle timeout value is configured with a maximum lifetime, persistent grants remain valid until they expire (due to inactivity or lifetime expiration) or are removed from the grant storage.
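The interaction between the two limits is easiest to see in code. This added example (not PingFederate's grant store) models a persistent grant with a fixed creation time and a `last_updated` time that slides on each update; `expiry` returns the earlier of the maximum lifetime and the idle deadline, or None when neither limit is configured. The data class and function names are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PersistentGrant:
    """Constructed model of a persistent grant's timing state."""
    created: datetime
    last_updated: datetime  # slides forward each time the grant is updated
    revoked: bool = False


def touch(grant: PersistentGrant, now: datetime) -> None:
    """Record an update to the grant; this slides the idle-timeout window."""
    grant.last_updated = now


def expiry(
    grant: PersistentGrant,
    max_lifetime: Optional[timedelta],
    idle_timeout: Optional[timedelta],
) -> Optional[datetime]:
    """Instant at which the grant expires, or None when neither limit applies
    (Grants Do Not Expire together with Grants Do Not Timeout Due To Inactivity).
    """
    limits: List[datetime] = []
    if max_lifetime is not None:
        limits.append(grant.created + max_lifetime)        # fixed from creation
    if idle_timeout is not None:
        limits.append(grant.last_updated + idle_timeout)   # slides with each update
    return min(limits) if limits else None


def is_valid(
    grant: PersistentGrant,
    now: datetime,
    max_lifetime: Optional[timedelta],
    idle_timeout: Optional[timedelta],
) -> bool:
    """A grant is usable until it is revoked or passes its earliest deadline."""
    if grant.revoked:
        return False
    deadline = expiry(grant, max_lifetime, idle_timeout)
    return deadline is None or now < deadline


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    day = timedelta(days=1)
    grant = PersistentGrant(created=t0, last_updated=t0)
    # Idle timeout of 7 days with a 30-day maximum lifetime.
    print(is_valid(grant, t0 + 8 * day, 30 * day, 7 * day))   # False: idle for 8 days
    touch(grant, t0 + 6 * day)
    print(is_valid(grant, t0 + 8 * day, 30 * day, 7 * day))   # True: window slid
    touch(grant, t0 + 29 * day)
    print(is_valid(grant, t0 + 31 * day, 30 * day, 7 * day))  # False: lifetime reached
```

The last two calls show the point of the paragraph above: activity keeps extending the idle deadline, but once a maximum lifetime is configured no amount of activity carries a grant past it.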

    Client Authentication Certificate Issuer DN
    Select a trusted CA from the list. (These are CA certificates imported into PingFederate. You can review them on the Security > Trusted CAs screen.) Alternatively, you may select Trust Any to trust all the issuers found in the list.

    The default selection is None (Client TLS Certificate Authentication Disabled), which does not allow developers to submit client registrations with a token_endpoint_auth_method parameter value of tls_client_auth.

    Refresh Token Rolling Policy
    Overrides the Roll Refresh Token Values setting configured globally on the OAuth Server > Authorization Server Settings screen.
    Options are:
    • Use Global Setting (the default selection)
    • Roll

      Note that this selection does not override the Minimum Interval to Roll Refresh Tokens (Hours) value set on the Authorization Server Settings screen.

    • Don't Roll
    OpenID Connect
    Note: These options are displayed only when the OpenID Connect protocol is enabled on the System > Protocol Settings > Roles & Protocols screen.
    ID Token Signing Algorithm

    Select the signing algorithm for the ID tokens from the list. The default algorithm is RSA using SHA-256.

    If PingFederate is either deployed to run in a Java 11 runtime environment or integrated with a hardware security module (HSM) and configured to use static keys for OAuth and OpenID Connect, additional RSASSA-PSS signing algorithms become available for selection. (For more information on HSM integration and static keys, see Supported hardware security modules and Managing keys for OAuth and OpenID Connect, respectively.)

    Note:

    If static keys for OAuth and OpenID Connect are enabled, EC algorithms that have not been configured with an active static key are hidden.

    Changes made in the static-key configuration may affect runtime transactions and require additional changes here. For more information, see Managing keys for OAuth and OpenID Connect.

    Note:

    While all settings on this screen can be overridden by client registration policies enforced during the registration, ID Token Signing Algorithm is the only default setting that can also be overridden by including a different id_token_signed_response_alg client metadata value in the client registration.

    For a list of supported signing algorithms, developers can refer to the id_token_signing_alg_values_supported parameter values returned by the PingFederate OpenID Provider configuration endpoint at /.well-known/openid-configuration.

    Policy

    Select a specific OpenID Connect policy from the list.

    Device Authorization
    This field controls whether to use the global device authorization grant settings defined on the OAuth Server > Authorization Server Settings screen.

    The default selection is Use Global Settings.

    Select Override and configure any of the following settings.

    User Authorization URL
    This field controls whether PingFederate should use a different URL, perhaps for ease of use or branding purposes, when formulating the verification URLs to be included in its device authorization responses (see Device authorization endpoint).
    For example, if this field is configured with a value of https://www.example.org/welcome, PingFederate returns https://www.example.org/welcome and https://www.example.org/welcome?user_code=<activationcode> as the verification URIs.
    After processing the device authorization response, which includes the verification URIs, the device presents one of them to the user. The user is expected to browse to the presented verification URI on a second device.
    Important:

    The target web server must redirect the browser to PingFederate at its user authorization endpoint (see User authorization endpoint). Moreover, it must also preserve the user_code parameter value (if provided).

    For instance, if the base URL of your PingFederate server is https://www.example.com and this field is configured with a value of https://www.example.org/welcome, the target web server must redirect as follows:
    • https://www.example.org/welcome to https://www.example.com/as/user_authz.oauth2
    • https://www.example.org/welcome?user_code=<activationcode> to https://www.example.com/as/user_authz.oauth2?user_code=<activationcode>
    This field has no default value.
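The redirect rule in the Important note above can be implemented as a small handler on the branded host. The following is an added example, not PingFederate's code or a Ping-provided component; it uses the page's own example URLs as assumed values, forwards only the user_code parameter (dropping anything else a visitor appended), and answers 404 for any other path so the branded host does not become an open redirector. `redirect_target` and `wsgi_app` are names chosen for the illustration.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed values taken from the page's example; change for a real deployment.
PINGFEDERATE_BASE_URL = "https://www.example.com"
USER_AUTHZ_PATH = "/as/user_authz.oauth2"           # PingFederate user authorization endpoint
BRANDED_VERIFICATION_URL = "https://www.example.org/welcome"


def redirect_target(requested_url: str) -> Optional[str]:
    """Map a request for the branded verification URL onto the PingFederate
    user authorization endpoint, carrying over user_code and nothing else.
    Returns None when the request is not for the branded verification URL.
    """
    req = urlsplit(requested_url)
    branded = urlsplit(BRANDED_VERIFICATION_URL)
    if (req.scheme, req.netloc, req.path) != (branded.scheme, branded.netloc, branded.path):
        return None
    params = dict(parse_qsl(req.query, keep_blank_values=True))
    # Preserve user_code if present; urlencode keeps the redirect well-formed
    # even if the submitted code contains characters that need escaping.
    query = urlencode({"user_code": params["user_code"]}) if "user_code" in params else ""
    pf = urlsplit(PINGFEDERATE_BASE_URL)
    return urlunsplit((pf.scheme, pf.netloc, USER_AUTHZ_PATH, query, ""))


def wsgi_app(environ, start_response):
    """Minimal WSGI handler for the branded host: 302 to PingFederate, else 404."""
    url = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{environ.get('PATH_INFO', '')}"
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    target = redirect_target(url)
    if target is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("302 Found", [("Location", target), ("Cache-Control", "no-store")])
    return [b""]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Serve on localhost for a manual check; TLS termination is assumed in front.
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Forwarding only user_code is a deliberate choice: the page requires that parameter to survive the redirect, and nothing else from the visitor's request needs to reach the user authorization endpoint.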
    Pending Authorization Timeout (seconds)
    The lifetime of an activation code (the user_code parameter value) in seconds.
    This field has no default value.
    Device Polling Interval (seconds)
    The amount of time in seconds that the device waits between polling requests to the PingFederate token endpoint.
    This field has no default value.
    Bypass Activation Code Confirmation
    When PingFederate receives a verification request that includes an activation code (the user_code parameter value), it prompts the user to confirm the activation code.
    This field controls whether PingFederate should skip this confirmation step.
    Select the Bypass Activation Code Confirmation check box if you want PingFederate to skip the confirmation step.
    This check box is not selected by default.
    Require Proof Key for Code Exchange (PKCE)
    Applicable only when the client is configured to support the authorization code grant type.

    This field determines whether the client must provide certain parameters to reduce the risk of an authorization code interception attack. For more information, see the Proof Key for Code Exchange (PKCE) by OAuth Public Clients specification (tools.ietf.org/html/rfc7636).

    When enabled, this client must include a one-time string value through the use of the code_challenge parameter in its authorization request (see Authorization endpoint). It must also submit the corresponding code verifier via the code_verifier parameter in its token request when exchanging an authorization code for an access token (see OAuth grant type parameters).

    This check box is not selected by default.
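Both halves of the exchange described above, as an added example that is not PingFederate's implementation: the client derives code_challenge from a random code_verifier with the S256 method, and a toy authorization server (`AuthorizationServer`, a name chosen for the illustration) stores the challenge with the issued code, then at the token endpoint consumes the code and checks the presented verifier. The checks follow RFC 7636; the test vector used in the usage section is the one from that RFC's appendix.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 unreserved characters,
    the minimum verifier length allowed by RFC 7636 (maximum is 128)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the value sent as code_challenge."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC but gives no interception protection
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """Constructed authorization server holding the challenge bound to each code."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def issue_code(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh authorization code."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def redeem_code(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: consume the code (single use) and check the verifier.

        The code is removed before verification, so a failed attempt cannot be
        retried against the same code.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        if not 43 <= len(code_verifier) <= 128:
            return False
        expected = make_code_challenge(code_verifier, method)
        return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    server = AuthorizationServer()
    code = server.issue_code(make_code_challenge(verifier))
    print(server.redeem_code(code, verifier))  # True: verifier matches the challenge
    print(server.redeem_code(code, verifier))  # False: code already consumed
```

With the RFC 7636 appendix values, `make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` yields `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. An intercepted code is useless without the verifier, which never leaves the client until the token request, and that request is what the setting above forces the client to make.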

    CIBA

    Polling Interval (seconds)
    The number of seconds that the client must wait between its attempts to check for the authorization results at the token endpoint. When PingFederate receives a token request within this time interval, it returns a slow_down error message to the client.

    A valid value ranges from 1 to 3600.

    The default value is 3.

    Policy
    The CIBA request policy associated with the client.

    PingFederate uses CIBA request policies to determine various aspects of CIBA authentication requests, for example the maximum lifetime of authentication requests, the validity of unsigned login hint tokens, and the mapping configuration of identity hints.

    Select an existing CIBA policy. You may also leave the selection at Default to indicate that PingFederate should use the CIBA request policy that has been designated as the default CIBA request policy on the OAuth Server > Request Policies screen.

    Require CIBA Signed Requests
    Indicates whether the client must transmit request parameters in a single, self-contained parameter. The parameter name is request. The value of the request parameter is a signed JWT whose claims represent the request parameters of the authorization request. The OpenID Connect specification calls this JWT a request object.

    This check box is not selected by default.

    Note that if CIBA signed requests are required, the dynamic client registration must include either the JWKS URL or the actual JWKS.
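Three of the defaults on this screen constrain what a dynamic client registration may contain: the Client Authentication Certificate Issuer DN default of None rejects tls_client_auth, the ID Token Signing Algorithm default applies unless the registration carries its own id_token_signed_response_alg, and the CIBA signed-request requirement above demands a JWKS URL or JWKS. The following added validator (not PingFederate's registration-policy code) expresses those three checks over a constructed registration payload. `DEFAULTS`, its keys and `SUPPORTED_ID_TOKEN_ALGS` are stand-ins for the screen's settings and for the provider's id_token_signing_alg_values_supported; the jwks_uri scheme check is a local hardening choice, not something the page requires.

```python
import json
from typing import Dict, List, Set

# Constructed stand-in for the screen's defaults; the key names are mine, not PingFederate's.
DEFAULTS: Dict[str, object] = {
    "client_auth_cert_issuer_dn": None,   # None = Client TLS Certificate Authentication Disabled
    "id_token_signing_alg": "RS256",      # the screen's default: RSA using SHA-256
    "require_ciba_signed_requests": True,
}

# Stand-in for id_token_signing_alg_values_supported at /.well-known/openid-configuration
SUPPORTED_ID_TOKEN_ALGS: Set[str] = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}


def validate_registration(
    payload: dict,
    defaults: Dict[str, object] = DEFAULTS,
    supported_algs: Set[str] = SUPPORTED_ID_TOKEN_ALGS,
) -> List[str]:
    """Return the list of reasons a registration would be rejected (empty = accepted)."""
    errors: List[str] = []

    # tls_client_auth needs a trusted issuer (or Trust Any) configured as the default.
    if (payload.get("token_endpoint_auth_method") == "tls_client_auth"
            and defaults["client_auth_cert_issuer_dn"] is None):
        errors.append("token_endpoint_auth_method=tls_client_auth rejected: "
                      "client TLS certificate authentication is disabled")

    # A client may override the ID token algorithm, but only with a supported one.
    alg = payload.get("id_token_signed_response_alg")
    if alg is not None and alg not in supported_algs:
        errors.append(f"id_token_signed_response_alg={alg!r} is not a supported signing algorithm")

    # Signed CIBA requests need a key set to verify the client's signatures.
    has_uri, has_jwks = "jwks_uri" in payload, "jwks" in payload
    if has_uri and has_jwks:
        errors.append("jwks_uri and jwks are mutually exclusive")
    if defaults["require_ciba_signed_requests"] and not (has_uri or has_jwks):
        errors.append("CIBA signed requests are required: registration must include jwks_uri or jwks")
    if has_uri and not str(payload["jwks_uri"]).startswith("https://"):
        errors.append("jwks_uri must use https")  # local hardening choice

    return errors


def effective_id_token_alg(payload: dict, defaults: Dict[str, object] = DEFAULTS) -> str:
    """The algorithm the client ends up with: its own value, else the screen's default."""
    return payload.get("id_token_signed_response_alg") or str(defaults["id_token_signing_alg"])


# Constructed registration request body (RFC 7591 / OpenID Connect registration metadata).
SAMPLE_REGISTRATION = json.loads("""{
  "client_name": "Constructed CIBA client",
  "token_endpoint_auth_method": "private_key_jwt",
  "jwks_uri": "https://client.example.net/jwks.json",
  "id_token_signed_response_alg": "ES256"
}""")


if __name__ == "__main__":
    print(validate_registration(SAMPLE_REGISTRATION))      # []
    print(effective_id_token_alg(SAMPLE_REGISTRATION))     # ES256
    print(validate_registration({"token_endpoint_auth_method": "tls_client_auth"}))
```

Running the same payloads against a `DEFAULTS` copy with an issuer DN set and CIBA signed requests not required shows how much of the outcome is decided by this screen rather than by the registration itself.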

    Token Exchange
    Select the Token Exchange Processor Policy that PingFederate uses when the OAuth server receives an OAuth token exchange request from the client. If you select Default, PingFederate uses the token exchange processor policy that was set as the default on the OAuth Server > Token Exchange Processor Policy Management screen.

    For more information, see OAuth token exchange.