Configure an instance of the Response Type Constraints policy plugin to limit which of the following response_types parameter values are allowed:

  • code
  • code id_token
  • code id_token token
  • code token
  • id_token
  • id_token token
  • token

This capability allows administrators to control which flows are allowed for clients created through the OAuth 2.0 Dynamic Client Registration protocol.

For more information about flows and response types, see the OpenID Connect specification (openid.net/specs/openid-connect-core-1_0.html#Authentication).

  1. Go to the OAuth Server > Client Registration Policies screen.
    • To configure a new instance, click Create New Instance.
    • To modify an existing instance, select it by its name under Instance Name.
  2. On the Type screen, enter a name and an ID for a new instance, and then select Response Type Constraints from the list.
    Note that only the name can be changed when modifying an existing policy plugin instance.
  3. On the Instance Configuration screen, clear the applicable check boxes to remove the unwanted response types.
    (All response types are allowed by default.)
  4. On the Summary screen, review the plugin configuration, modify as needed, and click Done.
  5. On the Manage Client Registration Policy Instances screen, click Save.
Important:

Like other Client Registration Policy plugins, an instance of the Response Type Constraints policy plugin is not enforced (or executed as part of the dynamic client registration process) until it is selected on the OAuth Server > Client Settings > Client Registration Policies screen. If it is selected on the Client Registration Policies screen, PingFederate discards all restricted response types when processing client registrations. If no response type is allowed, PingFederate rejects the registration and returns an error message to the originator.
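The filtering behaviour described above, as an added illustration that is not PingFederate code: requested response_types values outside the allowed set are dropped, and a registration that is left with none is rejected. The order-insensitive matching (RFC 6749 section 3.1.1), the ["code"] default for an omitted response_types (RFC 7591), and the error wording are this example's own choices.

```python
# The seven response_type values the Response Type Constraints plugin lists.
KNOWN_RESPONSE_TYPES = frozenset({
    "code", "code id_token", "code id_token token", "code token",
    "id_token", "id_token token", "token",
})


def canonical(response_type: str) -> str:
    """Normalise a space-delimited response_type so token order does not
    affect matching (RFC 6749 s3.1.1: order of values does not matter).
    Unknown tokens sort last so they never collide with a known value."""
    rank = {"code": 0, "id_token": 1, "token": 2}
    return " ".join(sorted(response_type.split(), key=lambda p: rank.get(p, 99)))


class RegistrationError(Exception):
    """No requested response type survived the policy. Carries an RFC 7591
    style error body; the description text is constructed for this example."""
    def __init__(self, requested):
        self.body = {
            "error": "invalid_client_metadata",
            "error_description": "no permitted response_types among: "
                                 + ", ".join(requested),
        }
        super().__init__(self.body["error_description"])


def apply_response_type_constraints(allowed, request: dict) -> dict:
    """Simulate the policy: keep only requested response_types that are in
    the administrator's allowed set; reject when nothing remains."""
    requested = request.get("response_types", ["code"])  # RFC 7591 default
    permitted = {canonical(rt) for rt in allowed}
    kept = [rt for rt in requested if canonical(rt) in permitted]
    if not kept:
        raise RegistrationError(requested)
    filtered = dict(request)
    filtered["response_types"] = kept
    return filtered


if __name__ == "__main__":
    # Constructed: administrator cleared every box except "code" and "code id_token".
    allowed = {"code", "code id_token"}
    req = {"client_name": "demo-app", "redirect_uris": ["https://app.example/cb"],
           "response_types": ["code", "token", "id_token code"]}
    print(apply_response_type_constraints(allowed, req)["response_types"])
    try:
        apply_response_type_constraints(allowed, {"response_types": ["token"]})
    except RegistrationError as err:
        print(err.body)
```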