Configure an instance of the Response Type Constraints policy plugin to limit which of the following response_types parameter values are allowed:
- code id_token
- code id_token token
- code token
- id_token token
This capability allows administrators to control which flows are allowed for clients created through the OAuth 2.0 Dynamic Client Registration protocol.
For more information about flows and response types, see the OpenID Connect specification (openid.net/specs/openid-connect-core-1_0.html#Authentication).
Go to the
- To configure a new instance, click Create New Instance.
- To modify an existing instance, select it by its name under Instance Name.
On the Type screen, enter a name and an ID for a new
instance, and then select Response Type Constraints from
Note that only the name can be changed when modifying an existing policy plugin instance.
On the Instance Configuration screen, clear the applicable check boxes to remove the unwanted response types. (All response types are allowed by default.)
- On the Summary screen, review the plugin configuration, modify as needed, and click Done.
- On the Manage Client Registration Policy Instances screen, click Save.
Like other Client Registration Policy plugins, an instance of the Response Type Constraints policy plugin is not enforced (or executed as part of the dynamic client registration process) until it is selected on the Client Registration Policies screen. If it is selected on that screen, PingFederate discards all restricted response types when processing client registrations. If no response type is allowed, PingFederate rejects the registration and returns an error message to the originator.
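
The discard-then-reject behavior described above can be modeled in a few lines, which is useful for predicting how a given registration request will fare before changing the policy. This is an added example, not PingFederate code: `apply_constraints`, `RegistrationRejected`, and the sample request are hypothetical names and constructed data, and `restricted` stands for the response types whose check boxes were cleared.

```python
class RegistrationRejected(Exception):
    """Raised when no requested response type survives the policy."""


def normalize(response_type: str) -> str:
    # A multi-valued response type is a space-delimited set, so the order of
    # its values carries no meaning: "token code" and "code token" are equal.
    return " ".join(sorted(response_type.split()))


def apply_constraints(metadata: dict, restricted: set) -> dict:
    """Return a copy of the client metadata without the restricted response types."""
    blocked = {normalize(rt) for rt in restricted}
    # RFC 7591 defaults an omitted response_types to ["code"]; that the
    # server applies the same default is an assumption of this model.
    requested = metadata.get("response_types") or ["code"]
    kept = [rt for rt in requested if normalize(rt) not in blocked]
    if not kept:
        # Nothing left to register: reject rather than create a client
        # with an empty set of flows.
        raise RegistrationRejected("no allowed response type in registration request")
    return {**metadata, "response_types": kept}


# Constructed sample registration request (not captured traffic).
SAMPLE_REQUEST = {
    "client_name": "example-app",
    "redirect_uris": ["https://app.example.com/cb"],
    "response_types": ["code", "token code", "id_token token"],
}

if __name__ == "__main__":
    result = apply_constraints(SAMPLE_REQUEST, {"code token", "id_token token"})
    print(result["response_types"])
```

Comparing values without normalizing them would let a reordered `token code` slip past a policy that blocks `code token`, which is why the model compares the sorted form.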