The Response Type Constraints policy plugin allows administrators to control which flows are allowed for clients created through the OAuth 2.0 Dynamic Client Registration protocol.
Configure an instance of the Response Type Constraints policy to limit which of the following response_types parameter values are allowed:
- code id_token
- code id_token token
- code token
- id_token token
For more information about flows and response types, see the OpenID Connect specification.
- To configure a new instance, click Create New Instance.
- To modify an existing instance, select it under Instance Name.
On the Type tab, enter a name and an ID for a new instance,
and then select Response Type Constraints from the
When modifying an existing policy plugin instance, you can only change the Instance Name field.
On the Instance Configuration tab, clear the applicable check boxes to remove the unwanted response types.
All response types are allowed by default.
- On the Summary tab, review the plugin configuration. Click Done.
- In the Client Registration Policy Instances window, click Save.
Like other Client Registration Policy plugins, an instance of the Response Type Constraints policy plugin is not enforced, or executed as part of the dynamic client registration process, until it is selected in . If it is selected in the Client Registration Policies window, PingFederate discards all restricted response types when processing client registrations. If no response type is allowed, PingFederate rejects the registration and returns an error message to the originator.
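The following Python sketch is an added example, not PingFederate code. It models the behavior described above so that client developers and administrators can predict the outcome of a registration request. The allowed list, the function names, the order-insensitive comparison of response types, and the RFC 7591 error code are assumptions.

```python
# Added example: models the documented policy behaviour; not PingFederate code.

# Constructed configuration: the response types left checked on the
# Instance Configuration tab (the other two boxes were cleared).
ALLOWED = ["code id_token", "code token"]

def normalize(response_type):
    # Assumption: values are compared as unordered sets of space-delimited
    # tokens, as in OAuth 2.0 Multiple Response Type Encoding Practices.
    return frozenset(response_type.split())

def apply_policy(metadata, allowed=ALLOWED):
    """Return (http_status, body, discarded) for a registration request
    that states response_types explicitly."""
    permitted = {normalize(rt) for rt in allowed}
    kept, discarded = [], []
    for rt in metadata["response_types"]:
        (kept if normalize(rt) in permitted else discarded).append(rt)
    if not kept:
        # Assumption: RFC 7591 error code; the page only says an error
        # message is returned to the originator.
        body = {"error": "invalid_client_metadata",
                "error_description": "no allowed response type requested"}
        return 400, body, discarded
    return 201, dict(metadata, response_types=kept), discarded

if __name__ == "__main__":
    # Constructed registration requests.
    mixed = {"client_name": "demo-app",
             "redirect_uris": ["https://client.example/cb"],
             "response_types": ["id_token code", "id_token token"]}
    only_restricted = dict(mixed, response_types=["id_token token"])
    for request in (mixed, only_restricted):
        status, body, discarded = apply_policy(request)
        print(status, body.get("response_types", body.get("error")),
              "discarded:", discarded)
```

Because restricted values are discarded rather than rejected, a client that requested several response types should read the registration response to see which ones were actually registered.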